diff --git a/Shorewall-core/lib.base b/Shorewall-core/lib.base
index 6974662c5..0cd8ee22b 100644
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -28,7 +28,7 @@
#
SHOREWALL_LIBVERSION=40500
-SHOREWALL_CAPVERSION=40500
+SHOREWALL_CAPVERSION=40501
[ -n "${g_program:=shorewall}" ]
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 907be9423..80544e815 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1956,6 +1956,7 @@ determine_capabilities() {
BASIC_FILTER=
CT_TARGET=
STATISTIC_MATCH=
+ IMQ_TARGET=
chain=fooX$$
@@ -2083,6 +2084,7 @@ determine_capabilities() {
qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain
qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
+ qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
fi
qt $g_tool -t raw -L -n && RAW_TABLE=Yes
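Review bot: The added IMQ probe appends to `$chain` in the mangle table after the two context lines above it have already flushed and deleted that chain (`-F $chain`, `-X $chain`), so as shown the `-A` fails whether or not the IMQ target is available and `IMQ_TARGET` stays empty. A capabilities report produced from this shell path would then list IMQ as missing, and `IMQ(n)` rules would be refused by `require_capability` even on systems that support the target. Moving the line above the `-F`/`-X` pair, presumably alongside the other mangle-table probes, keeps the test chain alive for it: `qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes`. determine_capabilities extends outside the hunk, so the exact placement should be confirmed against the full function.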
@@ -2264,6 +2266,7 @@ report_capabilities() {
report_capability "ipset V5" $IPSET_V5
report_capability "Condition Match" $CONDITION_MATCH
report_capability "Statistic Match" $STATISTIC_MATCH
+ report_capability "IMQ Target" $IMQ_TARGET
if [ $g_family -eq 4 ]; then
report_capability "iptables -S" $IPTABLES_S
@@ -2350,6 +2353,7 @@ report_capabilities1() {
report_capability1 BASIC_FILTER
report_capability1 CT_TARGET
report_capability1 STATISTIC_MATCH
+ report_capability1 IMQ_TARGET
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index c56ca1dbe..d615c5d9e 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -291,6 +291,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
CT_TARGET => 'CT Target',
STATISTIC_MATCH =>
'Statistics Match',
+ IMQ_TARGET => 'IMQ Target',
CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version',
);
@@ -464,7 +465,7 @@ sub initialize( $ ) {
STATEMATCH => '-m state --state',
UNTRACKED => 0,
VERSION => "4.4.22.1",
- CAPVERSION => 40500 ,
+ CAPVERSION => 40501 ,
);
#
# From shorewall.conf file
@@ -690,6 +691,7 @@ sub initialize( $ ) {
BASIC_FILTER => undef,
CT_TARGET => undef,
STATISTIC_MATCH => undef,
+ IMQ_TARGET => undef,
CAPVERSION => undef,
KERNELVERSION => undef,
);
@@ -2775,6 +2777,10 @@ sub Statistic_Match() {
qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
}
+sub Imq_Target() {
+ qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+}
+
our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target,
AUDIT_TARGET => \&Audit_Target,
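Review bot: `Imq_Target` appends to `$sillyname` in the mangle table, whereas the `Statistic_Match` probe just above it uses the default table, so its result depends on a mangle copy of `$sillyname` existing when it is called, and nothing in this hunk shows that. If the chain is absent (mangle unavailable, already removed by the time `determine_capabilities` reaches the new `IMQ_TARGET` line, or a later on-demand call through `%detect_capability`), the probe reports the target as missing for the wrong reason. Consider guarding it on the mangle capability, e.g. `have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );`, if that matches how the other mangle-table probes in this file are written. A one-line comment above the sub such as `# Requires the mangle-table test chain to exist` would document the dependency.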
@@ -2796,6 +2802,7 @@ our %detect_capability =
HASHLIMIT_MATCH => \&Hashlimit_Match,
HEADER_MATCH => \&Header_Match,
HELPER_MATCH => \&Helper_Match,
+ IMQ_TARGET => \&Imq_Target,
IPMARK_TARGET => \&IPMark_Target,
IPP2P_MATCH => \&Ipp2p_Match,
IPRANGE_MATCH => \&IPRange_Match,
@@ -2967,6 +2974,7 @@ sub determine_capabilities() {
$capabilities{BASIC_FILTER} = detect_capability( 'BASIC_FILTER' );
$capabilities{CT_TARGET} = detect_capability( 'CT_TARGET' );
$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
+ $capabilities{IMQ_TARGET} = detect_capability( 'IMQ_TARGET' );
qt1( "$iptables -F $sillyname" );
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index a25b4e5be..6e43fa9c3 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -379,7 +379,7 @@ sub process_tc_rule( ) {
$val = numeric_value ($s);
fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
$shift = $s;
- }
+ }
} else {
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
}
@@ -460,6 +460,10 @@ sub process_tc_rule( ) {
} else {
$target .= " --hl-set $param";
}
+ } elsif ( $target eq 'IMQ' ) {
+ assert( $cmd =~ /^IMQ\((\d+)\)$/ );
+ require_capability 'IMQ_TARGET', 'IMQ', 's';
+ $target .= " --todev $1";
}
if ( $rest ) {
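Review bot: The device number taken from `IMQ(n)` is only checked to be digits, so an out-of-range value goes straight into `--todev` and is caught, if at all, when the generated ruleset is loaded rather than at compile time; the shift-bits path earlier in this function range-checks with `fatal_error`, and the same treatment would fit here. The branch also performs the match inside `assert` and relies on `$1` still holding the capture after the `require_capability` call; capturing into a lexical is more robust: `my ( $dev ) = $cmd =~ /^IMQ\((\d+)\)$/; assert( defined $dev );` followed by `$target .= " --todev $dev";`. The same pattern is repeated in the `match` closure added to `setup_tc`, so a shared `qr//` would keep the two in step. process_tc_rule starts and ends outside the hunk.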
@@ -1977,7 +1981,13 @@ sub setup_tc() {
mark => NOMARK,
mask => '',
connmark => 0
- }
+ },
+ { match => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+ target => 'IMQ',
+ mark => NOMARK,
+ mask => '',
+ connmark => 0
+ },
);
if ( my $fn = open_file 'tcrules' ) {
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index cc356f703..af61d155d 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -458,6 +458,16 @@ SAME $FW 0.0.0.0/0 tcp 80,443
is set to number. The valid range of
values for number is 1-255.
+
+
+ IMQ(number)
+
+ Added in Shorewall 4.5.1. Specifies that the packet should
+ be passed to the IMQ identified by
+ number. Requires IMQ Target support
+ in your kernel and iptables.
+
diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml
index 1c97dd88f..b55d2e7bd 100644
--- a/manpages6/shorewall6-tcrules.xml
+++ b/manpages6/shorewall6-tcrules.xml
@@ -355,6 +355,16 @@ SAME $FW 0.0.0.0/0 tcp 80,443
set to number. The valid range of
values for number is 1-255.
+
+
+ IMQ(number)
+
+ Added in Shorewall 4.5.1. Specifies that the packet should
+ be passed to the IMQ identified by
+ number. Requires IMQ Target support
+ in your kernel and ip6tables.
+