Tighten up HIGH_ROUTE_MARKS and OUTPUT chain

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7823 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-12-04 00:02:35 +00:00 · 2007-12-04 00:02:35 +00:00 · 07f9b2a846
commit 07f9b2a846
parent 7ed8c1c08f
4 changed files with 52 additions and 40 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -12,6 +12,8 @@ Changes in 4.1.2
 6)  Correct Jabber macro names.
 7)  Tighten up HIGH_ROUTE_MARKS in the OUTPUT chain.
 Changes in 4.1.1
 1)  Fix ULOG/NFLOG output.
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -86,6 +86,14 @@ Other changes in Shorewall 4.1.2.
    Messages in the log are always timestamped.
 Migration Issues.
 1)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed mark
    values < 256 to be assigned in the OUTPUT chain. This has been
    changed so that only high mark values may be assigned
    there. Traffic shaping rules for traffic originating on the
    firewall must be coded in the POSTROUTING table.
 New Features in Shorewall 4.1.
 1)  Shorewall 4.1 contains experimental support for multiple Internet
@ -193,5 +201,5 @@ New Features in Shorewall 4.1.
    DNS/ACCEPT	     DNS(ACCEPT)
    NFQUEUE/3	     NFQUEUE(3)
-    The old syntax is still be accepted but will cease to be documented
+    The old syntax will still be accepted but will cease to be documented
    in some future Shorewall release.
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@ -267,8 +267,10 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 	    validate_mark $mark;
-	    fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
+	    if ( $config{HIGH_ROUTE_MARKS} ) {
-		if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) <= 0xFF && $config{HIGH_ROUTE_MARKS};
+		fatal_error 'Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes'
 		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && numeric_value( $cmd ) <= 0xFF;
 	    }
 	}
    }
--- a/Shorewall-shell/lib.tcrules
+++ b/Shorewall-shell/lib.tcrules
@ -320,8 +320,8 @@ process_tc_rule()
 	    target="MARK --or-mark"
 	    mark=${mark#|}
 	    validate_mark $mark
-	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
-		fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
+		fatal_error "Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
 	    fi
 	    ;;
 	\&*)
@ -330,7 +330,7 @@ process_tc_rule()
 	    target="MARK --and-mark"
 	    mark=${mark#&}
 	    validate_mark $mark
-	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
 		fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
 	    fi
 	    ;;
@ -345,7 +345,7 @@ process_tc_rule()
 			    fatal_error "Invalid mark value ($mark) in rule \"$rule\""
 			    ;;
 		    esac
-		elif [ $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+		elif [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
 		    fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
 		fi
 	    fi