Tighten up HIGH_ROUTE_MARKS and OUTPUT chain

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7823 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-12-04 00:02:35 +00:00 · 2007-12-04 00:02:35 +00:00 · 07f9b2a846
commit 07f9b2a846
parent 7ed8c1c08f
4 changed files with 52 additions and 40 deletions
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@ -12,6 +12,8 @@ Changes in 4.1.2

 6)  Correct Jabber macro names.

+7)  Tighten up HIGH_ROUTE_MARKS in the OUTPUT chain.
+
 Changes in 4.1.1

 1)  Fix ULOG/NFLOG output.
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@ -86,6 +86,14 @@ Other changes in Shorewall 4.1.2.

    Messages in the log are always timestamped.

+Migration Issues.
+
+1)  Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed mark
+    values < 256 to be assigned in the OUTPUT chain. This has been
+    changed so that only high mark values may be assigned
+    there. Traffic shaping rules for traffic originating on the
+    firewall must be coded in the POSTROUTING table.
+
 New Features in Shorewall 4.1.

 1)  Shorewall 4.1 contains experimental support for multiple Internet
@ -193,5 +201,5 @@ New Features in Shorewall 4.1.
    DNS/ACCEPT	     DNS(ACCEPT)
    NFQUEUE/3	     NFQUEUE(3)
    
-    The old syntax is still be accepted but will cease to be documented
+    The old syntax will still be accepted but will cease to be documented
    in some future Shorewall release.
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@ -267,8 +267,10 @@ sub process_tc_rule( $$$$$$$$$$ ) {

 	    validate_mark $mark;

-	    fatal_error 'Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes'
-		if $cmd && $chain eq 'tcpre' && numeric_value( $cmd ) <= 0xFF && $config{HIGH_ROUTE_MARKS};
+	    if ( $config{HIGH_ROUTE_MARKS} ) {
+		fatal_error 'Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes'
+		    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && numeric_value( $cmd ) <= 0xFF;
+	    }
 	}
    }

--- a/Shorewall-shell/lib.tcrules
+++ b/Shorewall-shell/lib.tcrules
@ -320,8 +320,8 @@ process_tc_rule()
 	    target="MARK --or-mark"
 	    mark=${mark#|}
 	    validate_mark $mark
-	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
-		fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
+	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
+		fatal_error "Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
 	    fi
 	    ;;
 	\&*)
@ -330,7 +330,7 @@ process_tc_rule()
 	    target="MARK --and-mark"
 	    mark=${mark#&}
 	    validate_mark $mark
-	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+	    if [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
 		fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
 	    fi
 	    ;;
@ -345,7 +345,7 @@ process_tc_rule()
 			    fatal_error "Invalid mark value ($mark) in rule \"$rule\""
 			    ;;
 		    esac
-		elif [ $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+		elif [ $((${mark%/*})) -lt 256 -a $((${mark%/*})) -ne 0 -a -n "$HIGH_ROUTE_MARKS" ] && [ $chain = tcpre -o $chain = tcout ]; then
 		    fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
 		fi
 	    fi