diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index fadfb6cb9..a4585a79b 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -44,33 +44,40 @@ our $VERSION = '4.4_13';
our %tcs = ( T => { chain => 'tcpost',
connmark => 0,
- fw => 1
+ fw => 1,
+ fwi => 0,
} ,
CT => { chain => 'tcpost' ,
target => 'CONNMARK --set-mark' ,
connmark => 1 ,
- fw => 1
+ fw => 1 ,
+ fwi => 0,
} ,
C => { target => 'CONNMARK --set-mark' ,
connmark => 1 ,
- fw => 1
+ fw => 1 ,
+ fwi => 1 ,
} ,
P => { chain => 'tcpre' ,
connmark => 0 ,
- fw => 0
+ fw => 0 ,
+ fwi => 0 ,
} ,
CP => { chain => 'tcpre' ,
target => 'CONNMARK --set-mark' ,
connmark => 1 ,
- fw => 0
+ fw => 0 ,
+ fwi => 0 ,
} ,
F => { chain => 'tcfor' ,
connmark => 0 ,
- fw => 0
+ fw => 0 ,
+ fwi => 0 ,
} ,
CF => { chain => 'tcfor' ,
connmark => 1 ,
fw => 0 ,
+ fwi => 0 ,
} ,
);
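Review bot: The new `fwi` key (and the pre-existing `fw`) only acquire meaning through the checks in process_tc_rule, and nothing near the `%tcs` table says what they gate; a comment above the hash would save the next reader the lookup, e.g. `# fw: designator allowed when SOURCE is $fw (tcout); fwi: allowed when DEST is $fw (tcin)`. It is also worth stating explicitly that `C` is the only designator with `fwi => 1`, since a reader might expect `CT` to be permitted for the firewall as destination too.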
@@ -218,12 +225,23 @@ sub process_tc_rule( ) {
}
}
+ if ( $dest ) {
+ if ( $dest eq $fw ) {
+ $chain = 'tcin';
+ $dest = '';
+ } else {
+ $chain = 'tcin' if $dest =~ s/^($fw)://;
+ }
+ }
+
if ( $designator ) {
$tcsref = $tcs{$designator};
if ( $tcsref ) {
if ( $chain eq 'tcout' ) {
fatal_error "Invalid chain designator for source $fw" unless $tcsref->{fw};
+ } elsif ( $chain eq 'tcin' ) {
+ fatal_error "Invalid chain designator for dest $fw" unless $tcsref->{fwi};
}
$chain = $tcsref->{chain} if $tcsref->{chain};
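Review bot: `$dest =~ s/^($fw)://` interpolates the firewall zone name into the pattern unescaped and captures it without ever using the capture; `$chain = 'tcin' if $dest =~ s/^\Q$fw\E://;` protects against a zone name containing a regex metacharacter and reads as intended. The new block also assigns `$chain = 'tcin'` unconditionally when DEST names the firewall, so if the SOURCE handling above (outside this hunk) has already set `'tcout'` for the same rule, that value is overwritten with no diagnostic; presumably a rule with both SOURCE and DEST equal to `$fw` should be rejected with fatal_error rather than silently redirected to tcin. process_tc_rule starts and ends outside this hunk.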
@@ -1350,6 +1368,46 @@ sub setup_traffic_shaping() {
}
}
+#
+# Process a record in the secmarks file
+#
+sub process_secmark_rule() {
+ my ( $secmark, $chain, $source, $dest, $proto, $dport, $sport, $mark ) = split_line( 2, 8 , 'Secmarks file' );
+
+ my %chns = ( T => [ 'tcpost' , POSTROUTE_RESTRICT ] ,
+ P => [ 'tcpre' , PREROUTE_RESTRICT ] ,
+ F => [ 'forward' , NO_RESTRICT ] ,
+ I => [ 'tcin' , , INPUT_RESTRICT ] ,
+ O => [ 'tcout' , , OUTPUT_RESTRICT ] );
+
+ my ( $chain1 , $restriction ) = @{$chns{$chain}};
+
+ fatal_error "Invalid or missing CHAIN ( $chain )" unless $chain1;
+
+ my $target = $mark eq 'SAVE' ? 'CONNSECMARK --save' :
+ $mark eq 'RESTORE' ? 'CONNSECMARK --restore' :
+ "SECMARK --selctx $secmark";
+
+ my $disposition = $target;
+
+ $disposition =~ s/ .*//;
+
+ expand_rule( ensure_mangle_chain( $chain1 ) ,
+ $restriction,
+ do_proto( $proto, $dport, $sport ) .
+ do_test( $mark, $globals{TC_MASK} ) ,
+ $source ,
+ $dest ,
+ '' ,
+ $target ,
+ '' ,
+ $disposition,
+ '' );
+
+ progress_message "Secmarks rule \"$currentline\" $done";
+
+}
+
#
# Process the tcrules file and setup traffic shaping
#
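Review bot: The SAVE/RESTORE selection in `my $target = …` tests `$mark`, but the shorewall-secmarks manpage added in this same commit documents SAVE and RESTORE as values of the SECMARK column and MARK as a `[!]value[/mask][:C]` test; as written, `SAVE` in the MARK column both picks the CONNSECMARK target and is still handed to do_test(), while `SAVE` in the SECMARK column produces `SECMARK --selctx SAVE`, so the comparisons should be against `$secmark`. Separately, `@{$chns{$chain}}` dereferences undef under `use strict` for an unknown CHAIN letter, which dies with a Perl runtime error before the `fatal_error "Invalid or missing CHAIN ( $chain )"` on the next line is ever reached; look the entry up first and test it. The doubled commas in the `I` and `O` entries are harmless to Perl but read as a typo and should go. The rewritten head of the sub is below; the expand_rule call and progress_message are unchanged.
```perl
sub process_secmark_rule() {
    my ( $secmark, $chain, $source, $dest, $proto, $dport, $sport, $mark ) = split_line( 2, 8 , 'Secmarks file' );

    my %chns = ( T => [ 'tcpost'  , POSTROUTE_RESTRICT ] ,
                 P => [ 'tcpre'   , PREROUTE_RESTRICT ] ,
                 F => [ 'forward' , NO_RESTRICT ] ,
                 I => [ 'tcin'    , INPUT_RESTRICT ] ,
                 O => [ 'tcout'   , OUTPUT_RESTRICT ] );

    # Look the entry up before dereferencing: @{ undef } dies under strict,
    # so the fatal_error below would otherwise never be reached.
    my $chns_ref = $chns{$chain};

    fatal_error "Invalid or missing CHAIN ( $chain )" unless $chns_ref;

    my ( $chain1 , $restriction ) = @{$chns_ref};

    # SAVE/RESTORE live in the SECMARK column (see shorewall-secmarks(5));
    # MARK is only a test on the existing packet/connection mark.
    my $target = $secmark eq 'SAVE'    ? 'CONNSECMARK --save' :
                 $secmark eq 'RESTORE' ? 'CONNSECMARK --restore' :
                                         "SECMARK --selctx $secmark";

    # … unchanged: $disposition, expand_rule call, progress_message …
}
```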
@@ -1362,6 +1420,7 @@ sub setup_tc() {
if ( have_capability( 'MANGLE_FORWARD' ) ) {
ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost';
+ ensure_mangle_chain 'tcin';
}
my $mark_part = '';
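Review bot: `ensure_mangle_chain 'tcin'` is added inside the `have_capability( 'MANGLE_FORWARD' )` block, and the matching `add_jump $mangle_table->{INPUT} , 'tcin' , 0` in the next hunk appears to sit in the same guarded block, yet the mangle INPUT hook does not depend on mangle FORWARD support and the visible part of process_tc_rule now steers rules to 'tcin' without checking that capability. If tcin is intentionally tied to MANGLE_FORWARD, say so with a comment such as `# tcin is only created/jumped when MANGLE_FORWARD is available; process_tc_rule relies on this`; otherwise the chain creation and the INPUT jump belong outside this guard. The enclosing setup_tc body continues outside the hunk.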
@@ -1388,6 +1447,7 @@ sub setup_tc() {
add_rule( $mangle_table->{FORWARD}, "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
add_jump $mangle_table->{FORWARD} , 'tcfor', 0;
add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
+ add_jump $mangle_table->{INPUT} , 'tcin' , 0;
}
}
@@ -1456,10 +1516,20 @@ sub setup_tc() {
clear_comment;
}
- }
+
+ if ( my $fn = open_file 'secmarks' ) {
+
+ first_entry "$doing $fn...";
+
+ process_secmark_rule while read_a_line;
+
+ clear_comment;
+ }
+ }
add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
+
handle_stickiness( $sticky );
}
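Review bot: The secmarks file is read inside the block that the former `}` at the top of this hunk closed, so it inherits whatever condition guards the tcrules loop above it (outside the hunk); if that is a traffic-shaping enable check, secmarks entries are silently ignored when shaping is off even though SECMARK has nothing to do with shaping. Either hoist the `open_file 'secmarks'` block out of that guard or document the coupling with a comment like `# secmarks are processed under the same guard as tcrules`. There is also no capability test before emitting SECMARK/CONNSECMARK rules; if the capability framework has, or can be given, an entry for it, a check here would yield a clear fatal_error instead of a failure at iptables-restore time.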
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 378c07ebc..fcf7eea19 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -10,6 +10,8 @@ Changes in Shorewall 4.4.13
5) Re-implement optional interface handling.
+6) Add secmark config file.
+
Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program.
diff --git a/Shorewall/configfiles/secmarks b/Shorewall/configfiles/secmarks
new file mode 100644
index 000000000..64ecb3dab
--- /dev/null
+++ b/Shorewall/configfiles/secmarks
@@ -0,0 +1,9 @@
+#
+# Shorewall version 4 - Secmarks File
+#
+# For information about entries in this file, type "man shorewall-secmarks"
+#
+############################################################################################################
+#SECMARK CHAIN SOURCE DEST PROTO DEST SOURCE MARK
+# PORT(S) PORT(S)
+
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 9db34030e..1def73986 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -166,6 +166,12 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
The named chain contains accounting rules but no JUMP or COUNT
specifies that chain as the target.
+3) Shorewall now supports the SECMARK and CONNSECMARK targets for
+ manipulating the SELinux context of packets.
+
+ See the shorewall-secmarks and shorewall6-secmarks manpages for
+ details.
+
----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S
----------------------------------------------------------------------------
diff --git a/Shorewall6/secmarks b/Shorewall6/secmarks
new file mode 100644
index 000000000..08e2a5b68
--- /dev/null
+++ b/Shorewall6/secmarks
@@ -0,0 +1,8 @@
+#
+# Shorewall6 version 4 - Secmarks File
+#
+# For information about entries in this file, type "man shorewall-secmarks"
+#
+############################################################################################################
+#SECMARK CHAIN SOURCE DEST PROTO DEST SOURCE MARK
+# PORT(S) PORT(S)
diff --git a/manpages/shorewall-secmarks.xml b/manpages/shorewall-secmarks.xml
new file mode 100644
index 000000000..5dcb14682
--- /dev/null
+++ b/manpages/shorewall-secmarks.xml
@@ -0,0 +1,278 @@
+
+
+
+
+ shorewall-secmarks
+
+ 5
+
+
+
+ secmarks
+
+ Shorewall file
+
+
+
+
+ /etc/shorewall/secmarks
+
+
+
+
+ Description
+
+ The secmarks file is used to associate an SELinux context with
+ packets.
+
+ The columns in the file are as follows.
+
+
+
+ SECMARK -
+ {SAVE|RESTORE|context}
+
+
+
+
+ SAVE
+
+
+ If an SELinux context is associated with the packet, the
+ context is saved in the connection.
+
+
+
+
+ RESTORE
+
+
+ If an SELinux context is not currently associated with
+ the packet, then the saved context (if any) is associated with
+ the packet.
+
+
+
+
+ context
+
+
+ An SELinux context.
+
+
+
+
+
+
+
+ CHAIN - {P|I|F|O|T}
+
+
+
+ P - PREROUTING
+
+ I - INPUT
+
+ F - FORWARD
+
+ O - OUTPUT
+
+ T - POSTROUTING
+
+
+
+
+
+
+
+ SOURCE - {-interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
+
+
+ May be:
+
+
+
+ An interface name - matches traffic entering the firewall
+ on the specified interface. May not be used in classify rules or
+ in rules using the T in the CHAIN column.
+
+
+
+ A comma-separated list of host or network IP addresses or
+ MAC addresses.
+
+
+
+ An interface name followed by a colon (":") followed by a
+ comma-separated list of host or network IP addresses or MAC
+ addresses.
+
+
+
+ MAC addresses must be prefixed with "~" and use "-" as a
+ separator.
+
+ Example: ~00-A0-C9-15-39-78
+
+ You may exclude certain hosts from the set already defined
+ through use of an exclusion (see shorewall-exclusion(5)).
+
+
+
+
+ DEST - {-|{interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
+
+
+ May be:
+
+
+
+ An interface name. May not be used in the PREROUTING or
+ INPUT chains. The interface name may be optionally followed by a
+ colon (":") and an IP address list.
+
+
+
+ A comma-separated list of host or network IP addresses.
+ The list may include ip address ranges if your kernel and
+ iptables include iprange support.
+
+
+
+ You may exclude certain hosts from the set already defined
+ through use of an exclusion (see shorewall-exclusion(5)).
+
+
+
+
+ PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
+
+
+ Protocol - ipp2p requires
+ ipp2p match support in your kernel and iptables.
+
+
+
+
+ PORT(S) (Optional) - [-|port-name-number-or-range[,port-name-number-or-range]...]
+
+
+ Destination Ports. A comma-separated list of Port names (from
+ services(5)), port numbers or port
+ ranges; if the protocol is icmp, this column is interpreted as the
+ destination icmp-type(s). ICMP types may be specified as a numeric
+ type, a numberic type and code separated by a slash (e.g., 3/4), or
+ a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP.
+
+ If the protocol is ipp2p,
+ this column is interpreted as an ipp2p option without the leading
+ "--" (example bit for bit-torrent).
+ If no PORT is given, ipp2p is
+ assumed.
+
+ This column is ignored if PROTOCOL = all but must be entered
+ if any of the following field is supplied. In that case, it is
+ suggested that this field contain "-"
+
+
+
+
+ SOURCE PORT(S) (Optional) -
+ [-|port-name-number-or-range[,port-name-number-or-range]...]
+
+
+ Source port(s). If omitted, any source port is acceptable.
+ Specified as a comma-separated list of port names, port numbers or
+ port ranges.
+
+
+
+
+ MARK - [!]value[/mask][:C]
+
+
+ Defines a test on the existing packet or connection mark. The
+ rule will match only if the test returns true.
+
+ If you don't want to define a test but need to specify
+ anything in the following columns, place a "-" in this field.
+
+
+
+ !
+
+
+ Inverts the test (not equal)
+
+
+
+
+ value
+
+
+ Value of the packet or connection mark.
+
+
+
+
+ mask
+
+
+ A mask to be applied to the mark before testing.
+
+
+
+
+ :C
+
+
+ Designates a connection mark. If omitted, the packet
+ mark's value is tested.
+
+
+
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/secmarks
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
diff --git a/manpages6/shorewall6-secmarks.xml b/manpages6/shorewall6-secmarks.xml
new file mode 100644
index 000000000..314590655
--- /dev/null
+++ b/manpages6/shorewall6-secmarks.xml
@@ -0,0 +1,277 @@
+
+
+
+
+ shorewall6-secmarks
+
+ 5
+
+
+
+ secmarks
+
+ Shorewall6 file
+
+
+
+
+ /etc/shorewall6/secmarks
+
+
+
+
+ Description
+
+ The secmarks file is used to associate an SELinux context with
+ packets.
+
+ The columns in the file are as follows.
+
+
+
+ SECMARK -
+ {SAVE|RESTORE|context}
+
+
+
+
+ SAVE
+
+
+ If an SELinux context is associated with the packet, the
+ context is saved in the connection.
+
+
+
+
+ RESTORE
+
+
+ If an SELinux context is not currently associated with
+ the packet, then the saved context (if any) is associated with
+ the packet.
+
+
+
+
+ context
+
+
+ An SELinux context.
+
+
+
+
+
+
+
+ CHAIN - {P|I|F|O|T}
+
+
+
+ P - PREROUTING
+
+ I - INPUT
+
+ F - FORWARD
+
+ O - OUTPUT
+
+ T - POSTROUTING
+
+
+
+
+
+
+
+ SOURCE - {-interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
+
+
+ May be:
+
+
+
+ An interface name - matches traffic entering the firewall
+ on the specified interface. May not be used in classify rules or
+ in rules using the T in the CHAIN column.
+
+
+
+ A comma-separated list of host or network IP addresses or
+ MAC addresses.
+
+
+
+ An interface name followed by a colon (":") followed by a
+ comma-separated list of host or network IP addresses or MAC
+ addresses.
+
+
+
+ MAC addresses must be prefixed with "~" and use "-" as a
+ separator.
+
+ Example: ~00-A0-C9-15-39-78
+
+ You may exclude certain hosts from the set already defined
+ through use of an exclusion (see shorewall6-exclusion(5)).
+
+
+
+
+ DEST - {-|{interface|[interface:]address-or-range[,address-or-range]...}[exclusion]
+
+
+ May be:
+
+
+
+ An interface name. May not be used in the PREROUTING or
+ INPUT chains. The interface name may be optionally followed by a
+ colon (":") and an IP address list.
+
+
+
+ A comma-separated list of host or network IP addresses.
+ The list may include ip address ranges if your kernel and
+ iptables include iprange support.
+
+
+
+ You may exclude certain hosts from the set already defined
+ through use of an exclusion (see shorewall6-exclusion(5)).
+
+
+
+
+ PROTO - {-|tcp:syn|ipp2p|ipp2p:udp|ipp2p:all|protocol-number|protocol-name|all}
+
+
+ Protocol - ipp2p requires
+ ipp2p match support in your kernel and iptables.
+
+
+
+
+ PORT(S) (Optional) - [-|port-name-number-or-range[,port-name-number-or-range]...]
+
+
+ Destination Ports. A comma-separated list of Port names (from
+ services(5)), port numbers or port
+ ranges; if the protocol is icmp, this column is interpreted as the
+ destination icmp-type(s). ICMP types may be specified as a numeric
+ type, a numberic type and code separated by a slash (e.g., 3/4), or
+ a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP.
+
+ If the protocol is ipp2p,
+ this column is interpreted as an ipp2p option without the leading
+ "--" (example bit for bit-torrent).
+ If no PORT is given, ipp2p is
+ assumed.
+
+ This column is ignored if PROTOCOL = all but must be entered
+ if any of the following field is supplied. In that case, it is
+ suggested that this field contain "-"
+
+
+
+
+ SOURCE PORT(S) (Optional) -
+ [-|port-name-number-or-range[,port-name-number-or-range]...]
+
+
+ Source port(s). If omitted, any source port is acceptable.
+ Specified as a comma-separated list of port names, port numbers or
+ port ranges.
+
+
+
+
+ MARK - [!]value[/mask][:C]
+
+
+ Defines a test on the existing packet or connection mark. The
+ rule will match only if the test returns true.
+
+ If you don't want to define a test but need to specify
+ anything in the following columns, place a "-" in this field.
+
+
+
+ !
+
+
+ Inverts the test (not equal)
+
+
+
+
+ value
+
+
+ Value of the packet or connection mark.
+
+
+
+
+ mask
+
+
+ A mask to be applied to the mark before testing.
+
+
+
+
+ :C
+
+
+ Designates a connection mark. If omitted, the packet
+ mark's value is tested.
+
+
+
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall6/secmarks
+
+
+
+ See ALSO
+
+ shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
+ shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
+ shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
+ shorewall6-route_rules(5), shorewall6-routestopped(5),
+ shorewall6-rules(5), shorewall6.conf(5), shorewall6-tcclasses(5),
+ shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
+ shorewall6-tunnels(5), shorewall6-zones(5)
+
+