Tighten up HIGH_ROUTE_MARKS and OUTPUT chain

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7823 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/changelog.txt

@@ -12,6 +12,8 @@ Changes in 4.1.2
 
 6)  Correct Jabber macro names.
 
+7)  Tighten up HIGH_ROUTE_MARKS in the OUTPUT chain.
+
 Changes in 4.1.1
 
 1)  Fix ULOG/NFLOG output.

Shorewall-common/releasenotes.txt

@@ -86,51 +86,59 @@ Other changes in Shorewall 4.1.2.
 
     Messages in the log are always timestamped.
 
+Migration Issues.
+
+1)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed mark
+    values < 256 to be assigned in the OUTPUT chain. This has been
+    changed so that only high mark values may be assigned
+    there. Traffic shaping rules for traffic originating on the
+    firewall must be coded in the POSTROUTING table.
+
 New Features in Shorewall 4.1.
 
-1) Shorewall 4.1 contains experimental support for multiple Internet
+1)  Shorewall 4.1 contains experimental support for multiple Internet
-   providers through a single ethernet interface. Configuring two
+    providers through a single ethernet interface. Configuring two
-   providers through a single interface differs from two providers
+    providers through a single interface differs from two providers
-   through two interfaces in several ways.
+    through two interfaces in several ways.
 
-   a) Only ethernet (or ethernet-like) interfaces can be used. For
+    a) Only ethernet (or ethernet-like) interfaces can be used. For
-      inbound traffic, the MAC addresses of the gateway routers is used
+       inbound traffic, the MAC addresses of the gateway routers is used
-      to determine which provider a packet was received through. Note
+       to determine which provider a packet was received through. Note
-      that only routed traffic can be categorized using this technique.
+       that only routed traffic can be categorized using this technique.
 
-   b) You must specify the address on the interface that corresponds to
+    b) You must specify the address on the interface that corresponds to
-      a particular provider in the INTERFACE column by following the
+       a particular provider in the INTERFACE column by following the
-      interface name with a colon (":") and the address.
+       interface name with a colon (":") and the address.
  
-   c) Entries in /etc/shorewall/masq must be qualified by the provider
+    c) Entries in /etc/shorewall/masq must be qualified by the provider
-      name (or number).
+       name (or number).
 
-   d) This feature requires Realm Match support in your kernel and
+    d) This feature requires Realm Match support in your kernel and
-      iptables. If you use a capabilities file, you need to regenerate
+       iptables. If you use a capabilities file, you need to regenerate
-      the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6.
+       the file with Shorewall 4.0.6 or Shorewall-lite 4.0.6.
  
-   e) You must add route_rules entries for networks that are accessed
+    e) You must add route_rules entries for networks that are accessed
-      through a particular provider.
+       through a particular provider.
 
-   f) If you have additional IP addresses through either provider,
+    f) If you have additional IP addresses through either provider,
-      you must add route_rules to direct traffic FROM each of those
+       you must add route_rules to direct traffic FROM each of those
-      addresses through the appropriate provider.
+       addresses through the appropriate provider.
 
-    Example:
+     Example:
 
-    Providers Blarg (1) and Avvanta (2) are both connected to
+     Providers Blarg (1) and Avvanta (2) are both connected to
-    eth0. The firewall's IP address with Blarg is 206.124.146.176/24
+     eth0. The firewall's IP address with Blarg is 206.124.146.176/24
-    (gateway 206.124.146.254) and the IP address from Avvanta is
+     (gateway 206.124.146.254) and the IP address from Avvanta is
-    130.252.144.8/24 (gateway 130.252.144.254). We have a second IP
+     130.252.144.8/24 (gateway 130.252.144.254). We have a second IP
-    address (206.124.146.177) from Blarg.
+     address (206.124.146.177) from Blarg.
 
-    /etc/shorewall/providers:
+     /etc/shorewall/providers:
 
        #PROVIDER   NUMBER  MARK    DUPLICATE INTERFACE            GATEWAY
        Blarg       1       1       main      eth0:206.124.146.176 206.124.146.254 ...
        Avvanta     2       2       main      eth0:130.252.144.8   130.252.144.254 ...
 
-    /etc/shorewall/masq:
+     /etc/shorewall/masq:
 
        #INTERFACE          SOURCE          ADDRESS
        eth0(Blarg)         130.252.144.8   206.124.146.176
@@ -138,7 +146,7 @@ New Features in Shorewall 4.1.
        eth0(Blarg)         eth1            206.124.146.176
        eth0(Avvanta)       eth1            130.252.144.8
 
-    /etc/shorewall/route_rules:
+     /etc/shorewall/route_rules:
 
 	#SOURCE		DEST			PROVIDER	PRIORITY
 	-		206.124.146.0/24	Blarg		1000
@@ -193,5 +201,5 @@ New Features in Shorewall 4.1.
     DNS/ACCEPT	     DNS(ACCEPT)
     NFQUEUE/3	     NFQUEUE(3)
     
-    The old syntax is still be accepted but will cease to be documented
+    The old syntax will still be accepted but will cease to be documented
     in some future Shorewall release.

Shorewall-perl/Shorewall/Tc.pm

@@ -267,8 +267,10 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 
 	    validate_mark $mark;
 
-	    fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
+	    if ( $config{HIGH_ROUTE_MARKS} ) {
-		if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) <= 0xFF && $config{HIGH_ROUTE_MARKS};
+		fatal_error 'Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes'
+		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && numeric_value( $cmd ) <= 0xFF;
+	    }
 	}
     }
 

Shorewall-shell/lib.tcrules

@@ -320,8 +320,8 @@ process_tc_rule()
 	    target="MARK --or-mark"
 	    mark=${mark#|}
 	    validate_mark $mark
-	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
-		fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
+		fatal_error "Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
 	    fi
 	    ;;
 	\&*)
@@ -330,7 +330,7 @@ process_tc_rule()
 	    target="MARK --and-mark"
 	    mark=${mark#&}
 	    validate_mark $mark
-	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
 		fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
 	    fi
 	    ;;
@@ -345,7 +345,7 @@ process_tc_rule()
 			    fatal_error "Invalid mark value ($mark) in rule \"$rule\""
 			    ;;
 		    esac
-		elif [ $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+		elif [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
 		    fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
 		fi
 	    fi