diff --git a/Shorewall/firewall b/Shorewall/firewall
index da0f89dd0..6f92364ce 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1724,7 +1724,7 @@ process_tc_rule() {
 add_a_tc_rule() {
 r=
-chain=tcpre
+[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
 if [ "x$source" != "x-" ]; then
 case $source in
@@ -1775,7 +1775,13 @@ setup_tc1() {
 #
 # Create the TC mangle chains
 #
-run_iptables -t mangle -N tcpre
+
+if [ -n "$MARK_IN_FORWARD_CHAIN" ]; then
+run_iptables -t mangle -N tcfor
+else
+run_iptables -t mangle -N tcpre
+fi
+
 run_iptables -t mangle -N tcout
 #
 # Process the TC Rules File
@@ -1790,7 +1796,12 @@ setup_tc1() {
 #
 # Link to the TC mangle chains from the main chains
 #
-run_iptables -t mangle -A PREROUTING -j tcpre
+
+if [ -n "$MARK_IN_FORWARD_CHAIN" ]; then
+run_iptables -t mangle -A FORWARD -j tcfor
+else
+run_iptables -t mangle -A PREROUTING -j tcpre
+fi
 run_iptables -t mangle -A OUTPUT -j tcout
 run_user_exit tcstart
@@ -1836,12 +1847,19 @@ refresh_tc() {
 echo "Refreshing Traffic Control Rules..."
 delete_tc
+
+if mangle_chain_exists tcpre; then
 #
 # Flush the TC mangle chains
 #
-run_iptables -t mangle -F tcpre
+if [ -n "$MARK_IN_FORWARD_CHAIN" ]; then
+run_iptables -t mangle -F tcfor
+else
+run_iptables -t mangle -F tcpre
+fi
+
 run_iptables -t mangle -F tcout
 #
 # Process the TC Rules File
@@ -4416,6 +4434,7 @@ do_initialize() {
 TCP_FLAGS_DISPOSITION=
 TCP_FLAGS_LOG_LEVEL=
 RFC1918_LOG_LEVEL=
+MARK_IN_FORWARD_CHAIN=
 stopping=
 have_mutex=
 masq_seq=1
@@ -4526,6 +4545,7 @@ do_initialize() {
 fi
 [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
+MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN`
 }
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index fe355ec7b..5524dcfcc 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
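Review bot: The chain selection `[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre` in add_a_tc_rule is the `a && b || c` form, which reads as if/else but also runs the `||` branch whenever the middle command fails; it is harmless here only because an assignment cannot fail. The same test on MARK_IN_FORWARD_CHAIN is then repeated in the setup_tc1 hunks (chain creation and linking) and in refresh_tc, so the four sites can drift apart. Deciding the name once in do_initialize right after the `added_param_value_no` line, e.g. `tc_in_chain=tcpre` and `[ -n "$MARK_IN_FORWARD_CHAIN" ] && tc_in_chain=tcfor` (constructed name), and using `$tc_in_chain` at all four sites would keep them in step; this also assumes added_param_value_no maps No to the empty string as its name suggests, which is worth confirming since the shipped default is `MARK_IN_FORWARD_CHAIN=No`. process_tc_rule and add_a_tc_rule continue outside the hunk.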
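Review bot: Linking tcfor only from FORWARD in the second setup_tc1 hunk means tcrules marks are no longer applied to packets addressed to the firewall itself: the mangle FORWARD chain sees forwarded traffic only, whereas PREROUTING saw both forwarded and locally-destined packets (outbound traffic is unaffected, since tcout stays on OUTPUT). The shorewall.conf comment added in this commit explains the SNAT/masquerade advantage but not this loss of coverage, so tcrules entries that target firewall-bound traffic will silently stop matching once MARK_IN_FORWARD_CHAIN=Yes. A sentence in that comment such as `# When set to Yes, tcrules entries mark forwarded traffic only; packets addressed to the firewall itself are not marked.` would make the trade-off explicit. setup_tc1 continues outside the hunk.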
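Review bot: The new guard `if mangle_chain_exists tcpre; then` in refresh_tc tests the wrong chain when MARK_IN_FORWARD_CHAIN is set: in that mode setup_tc1 creates tcfor and never tcpre, so the check fails and the flush and reload inside the block are skipped on every refresh. The guard should name the chain actually in use, for instance `tc_chain=tcpre`, `[ -n "$MARK_IN_FORWARD_CHAIN" ] && tc_chain=tcfor`, `if mangle_chain_exists $tc_chain; then`, with the same variable on the `-F` line below it in place of the if/else. What the else branch of the guard does, and the closing fi, are outside the hunk, as is the rest of refresh_tc.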
@@ -475,4 +475,24 @@ TCP_FLAGS_LOG_LEVEL=info
 RFC1918_LOG_LEVEL=info
+#
+# Mark Packets in the forward chain
+#
+# When processing the tcrules file, Shorewall normally marks packets in the
+# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
+# this to "Yes". If not specified or if set to the empty value (e.g.,
+# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
+#
+# Marking packets in the FORWARD chain has the advantage that inbound
+# packets destined for Masqueraded/SNATed local hosts have had their destination
+# address rewritten so they can be marked based on their destination. When
+# packets are marked in the PREROUTING chain, packets destined for
+# Masqueraded/SNATed local hosts still have a destination address corresponding
+# to the firewall's external interface.
+#
+# Note: Older kernels do not support marking packets in the FORWARD chain and
+# setting this variable to Yes may cause startup problems.
+
+MARK_IN_FORWARD_CHAIN=No
+
 #LAST LINE -- DO NOT REMOVE