extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-15 10:51:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

Allow marking packets in the FORWARD chain

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@368 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-12-16 19:25:20 +00:00
parent ede456adf6
commit fa843d4139
2 changed files with 44 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
Shorewall/firewall
View File

@ -1724,7 +1724,7 @@ process_tc_rule()
{ {
add_a_tc_rule() { add_a_tc_rule() {
r= r=
chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
@ -1775,7 +1775,13 @@ setup_tc1() {
# #
# Create the TC mangle chains # Create the TC mangle chains
# #
run_iptables -t mangle -N tcpre
if [ -n "$MARK_IN_FORWARD_CHAIN" ]; then
run_iptables -t mangle -N tcfor
else
run_iptables -t mangle -N tcpre
fi
run_iptables -t mangle -N tcout run_iptables -t mangle -N tcout
# #
# Process the TC Rules File # Process the TC Rules File
@ -1790,7 +1796,12 @@ setup_tc1() {
# #
# Link to the TC mangle chains from the main chains # Link to the TC mangle chains from the main chains
# #
run_iptables -t mangle -A PREROUTING -j tcpre
if [ -n "$MARK_IN_FORWARD_CHAIN" ]; then
run_iptables -t mangle -A FORWARD -j tcfor
else
run_iptables -t mangle -A PREROUTING -j tcpre
fi
run_iptables -t mangle -A OUTPUT -j tcout run_iptables -t mangle -A OUTPUT -j tcout
run_user_exit tcstart run_user_exit tcstart
@ -1836,12 +1847,19 @@ refresh_tc() {
echo "Refreshing Traffic Control Rules..." echo "Refreshing Traffic Control Rules..."
delete_tc delete_tc
if mangle_chain_exists tcpre; then if mangle_chain_exists tcpre; then
# #
# Flush the TC mangle chains # Flush the TC mangle chains
# #
run_iptables -t mangle -F tcpre if [ -n "$MARK_IN_FORWARD_CHAIN" ]; then
run_iptables -t mangle -F tcfor
else
run_iptables -t mangle -F tcpre
fi
run_iptables -t mangle -F tcout run_iptables -t mangle -F tcout
# #
# Process the TC Rules File # Process the TC Rules File
@ -4416,6 +4434,7 @@ do_initialize() {
TCP_FLAGS_DISPOSITION= TCP_FLAGS_DISPOSITION=
TCP_FLAGS_LOG_LEVEL= TCP_FLAGS_LOG_LEVEL=
RFC1918_LOG_LEVEL= RFC1918_LOG_LEVEL=
MARK_IN_FORWARD_CHAIN=
stopping= stopping=
have_mutex= have_mutex=
masq_seq=1 masq_seq=1
@ -4526,6 +4545,7 @@ do_initialize() {
fi fi
[ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info [ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN`
} }

20
Shorewall/shorewall.conf
View File

@ -475,4 +475,24 @@ TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info RFC1918_LOG_LEVEL=info
#
# Mark Packets in the forward chain
#
# When processing the tcrules file, Shorewall normally marks packets in the
# PREROUTING chain. To cause Shorewall to use the FORWARD chain instead, set
# this to "Yes". If not specified or if set to the empty value (e.g.,
# MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
#
# Marking packets in the FORWARD chain has the advantage that inbound
# packets destined for Masqueraded/SNATed local hosts have had their destination
# address rewritten so they can be marked based on their destination. When
# packets are marked in the PREROUTING chain, packets destined for
# Masqueraded/SNATed local hosts still have a destination address corresponding
# to the firewall's external interface.
#
# Note: Older kernels do not support marking packets in the FORWARD chain and
# setting this variable to Yes may cause startup problems.
MARK_IN_FORWARD_CHAIN=No
#LAST LINE -- DO NOT REMOVE #LAST LINE -- DO NOT REMOVE