Remove IPMARK support

This commit is contained in:
Tom Eastep 2009-05-03 08:38:27 -07:00
parent 626b60ff0e
commit 16826aeb31
8 changed files with 160 additions and 286 deletions


@ -103,12 +103,6 @@ our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
mask => '' ,
connmark => 0
} ,
{ match => sub ( $ ) { $_[0] =~ /^IPMARK/ },
target => 'IPMARK' ,
mark => NOMARK,
mask => '',
connmark => 0
} ,
{ match => sub ( $ ) { $_[0] =~ '\|.*'} ,
target => 'MARK --or-mark' ,
mark => HIGHMARK ,
@ -299,43 +293,6 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
}
$sticky++;
} elsif ( $target eq 'IPMARK ' ) {
my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
require_capability 'IPMARK_TARGET', 'IPMARK', 's';
if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
my $params = $1;
my $val;
my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
fatal_error "Invalid IPMARK parameters ($params)" if $bad;
fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
$srcdst = $sd;
if ( defined $m1 && $m1 ne '' ) {
$val = numeric_value ($m1);
fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
$mask1 = $m1;
}
if ( defined $m2 && $m2 ne '' ) {
$val = numeric_value ($m2);
fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
$mask2 = $m2;
}
if ( defined $s ) {
$val = numeric_value ($s);
fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val < 128;
$shift = $s;
}
} else {
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
}
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
}
if ( $rest ) {
@ -616,7 +573,7 @@ sub validate_tc_class( $$$$$$ ) {
flow => '' ,
pfifo => 0,
occurs => 1,
src => 1,
src => 0,
};
$tcref = $tcref->{$classnumber};
@ -631,37 +588,38 @@ sub validate_tc_class( $$$$$$ ) {
if ( $option eq 'default' ) {
fatal_error "Only one default class may be specified for device $device" if $devref->{default};
fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
fatal_error q(The 'default' option is not valid with 'occurs') if $tcref->{occurs} > 1;
$devref->{default} = $classnumber;
} elsif ( $option eq 'tcp-ack' ) {
fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
fatal_error q(The 'tcp-ack' option is not valid with 'occurs') if $tcref->{occurs} > 1;
$tcref->{tcp_ack} = 1;
} elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
fatal_error q(The 'tos' option is not valid with 'occurs') if $tcref->{occurs} > 1;
( undef, $option ) = split /=/, $option;
push @{$tcref->{tos}}, "$option/0xff";
} elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
fatal_error q(The 'tos' option is not valid with 'occurs') if $tcref->{occurs} > 1;
( undef, $option ) = split /=/, $option;
push @{$tcref->{tos}}, $option;
} elsif ( $option =~ /^flow=(.*)$/ ) {
fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
fatal_error q(The 'flow' option is not allowed with 'pfifo') if $tcref->{pfifo};
$tcref->{flow} = process_flow $1;
} elsif ( $option eq 'pfifo' ) {
fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow};
fatal_error q(The 'pfifo'' option is not allowed with 'flow=') if $tcref->{flow};
$tcref->{pfifo} = 1;
} elsif ( $option =~ /^occurs=((\d+)([ds]?))$/ ) {
my $val = $2;
$occurs = numeric_value($val);
fatal_error "Invalid 'occurs'" if $3 && ! $devref->{classify};
$tcref->{src} = 0 if $3 eq 'd';
fatal_error "Invalid 'occurs' ($val)" unless defined $occurs && $occurs > 0 && $occurs <= 256;
$tcref->{src} = 1 if $3 eq 's';
fatal_error q(The 'occurs' option is only valid for IPv4) if $family == F_IPV6;
fatal_error "Invalid 'occurs' ($val)" unless defined $occurs && $occurs > 1 && $occurs <= 256;
fatal_error "Invalid 'occurs' ($val)" if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
fatal_error "Duplicate 'occurs'" if $tcref->{occurs} > 1;
if ( $occurs > 1 ) {
fatal_error "The 'occurs' option is not valid with 'default'" if $devref->{default} == $classnumber;
fatal_error "The 'occurs' option is not valid with 'tos'" if @{$tcref->{tos}};
}
fatal_error q(Duplicate 'occurs') if $tcref->{occurs} > 1;
fatal_error q(The 'occurs' option is only valid with 'classify') unless $devref->{classify};
fatal_error q(The 'occurs' option is not valid with 'default') if $devref->{default} == $classnumber;
fatal_error q(The 'occurs' option is not valid with 'tos') if @{$tcref->{tos}};
$tcref->{occurs} = $occurs;
} else {
fatal_error "Unknown option ($option)";
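Review bot: In the new `occurs=` branch, the bound on the line `fatal_error "Invalid 'occurs' ($val)" unless defined $occurs && $occurs > 1 && $occurs <= 256;` makes the `8191` arm of the next check (`$occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 )`) unreachable, so that second line only ever adds a `> 255` rejection when wide marks are off. If 256 is the real ceiling (the tcfilters page in this same commit says the low-order address byte selects the occurrence), the intent reads more clearly as one line: `fatal_error "Invalid 'occurs' ($val)" unless defined $occurs && $occurs > 1 && $occurs <= ( $config{WIDE_TC_MARKS} ? 256 : 255 );`. Separately, the `([ds]?)` suffix captured as `$3` in the `elsif` pattern is not read by any new-side line visible in this hunk; the page carries no +/- markers, but the `$tcref->{src} = ... if $3 eq ...` assignments appear to sit on the removed side, so please confirm `occurs=<n>s` still sets `src` somewhere, otherwise the documented `s` form silently behaves as `d`. validate_tc_class starts before this hunk and its body continues past it.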


@ -13,6 +13,8 @@ Changes in Shorewall 4.3.10
6) Fix handling of 'all' in the SOURCE of DNAT- rules.
7) Remove IPMARK support.
Changes in Shorewall 4.3.9
1) Logging rules now create separate chain.


@ -77,15 +77,7 @@ released late in 2009.
iptables-restore v1.3.5: Bad mac address `-j'
2. Previously, Shorewall has treated traffic shaping class IDs as
decimal numbers (or pairs of decimal numbers). That worked fine
until IPMARK was implemented. IPMARK requires Shorewall to generate
class Ids in numeric sequence. In 4.3.9, that didn't work correctly
because Shorewall was generating the sequence "..8,9,10,11..." when
the correct sequence was "...8,9,a,b,...". Shorewall now treats
class IDs as hex, like 'tc' and 'iptables' do.
3. Previously, when 'all' appeared in the SOURCE column of a DNAT-
2. Previously, when 'all' appeared in the SOURCE column of a DNAT-
rule, no rule was generated to redirect output from the firewall
itself.
@ -127,7 +119,75 @@ None.
column) must be >= 65536 (0x10000) and must be a multiple of 65536
(0x1000, 0x20000, 0x30000, ...).
2) In the 'shorewall compile' command, the filename '-' is now causes
2) The IPMARK implementation in 4.3.9 has been replaced with a
different facility that is much more efficient. A feature similar
to IPMARK will be re-introduced once there is a useable IPCLASSIFY
implementation (Like IPMARK but sets the classid directly).
16) There has been a desire in the user community to limit traffic by
IP address using Shorewall traffic shaping. Heretofore, that has
required a very inefficient process:
a) Define a tcclass for each internal host (two, if shaping both in
and out).
b) Define a tcrule for each host to mark to classify the packets
accordingly.
Beginning with Shorewall 4.3.10, this process is made easier, at
least for download traffic where shaping occurs on the firewall's
internal interface(s).
The new facility has two components:
a) A new 'occurs' OPTION in /etc/shorewall/tcclasses.
b) New semantic behavior for entries in /etc/shorewall/tcrules that
refer to a class defined with 'occurs'.
The 'occurs' option causes the class definition to be replicated
many times. The synax is:
occurs=<number>[d|s]
The 'd' and 's' specify whether the occuring class should have one
occurrance for each destination IP address (d) or each source IP
address (s). The default is 'd'.
When 'occurs' is used:
a) The associated device must have the 'classify' option.
b) The class may not be the default class.
c) The class may not have any 'tos=' options (including
'tcp-ack').
The 'RATE' and 'CEIL' parameters apply to each instance of the
class. So the total RATE represented by an entry with 'occurs' will
be the listed RATE multiplied by the 'occurs' number.
Example:
#DEVICE MARK RATE CEIL PRIORITY OPTIONS
1:100 - 1kbit 230kbit 4 occurs=32d
The above defines 32 classes. Each class has a guaranteed rate
of 1kbit/second.
An example of a tcfilter that refers to this class is:
#INTERFACE: SOURCE DEST PROTO DEST SOURCE
#CLASS PORT(S) PORT(S)
1:100 - 192.168.1.0/27
Traffic destined for each of the 32 addresses in 192.168.1.0/27
will be directed to a separate class.
Filters that refer to an occuring class may not specify a PROTO or
PORT(S).
Note that this feature is not applicable to output traffic where
SNAT is being used because all outgoing packets have the same
SOURCE IP address.
3) In the 'shorewall compile' command, the filename '-' now causes
the compiled script to be written to Standard Out. As a side
effect, the effective VERBOSITY is set to -1 (silent).
@ -144,7 +204,7 @@ None.
issued by /sbin/shorewall (/sbin/shorewall6) when a compilation
begins.
3) Supplying an interface name in the SOURCE column of
4) Supplying an interface name in the SOURCE column of
/etc/shorewall/masq is now deprecated. Entering the name of an
interface there will result in a compile-time warning.
@ -464,101 +524,3 @@ None.
In other words, the utilities will be located via the current PATH
setting.
16) There has been a desire in the user community to limit traffic by
IP address using Shorewall traffic shaping. Heretofore, that has
required a very inefficient process:
a) Define a tcclass for each internal host (two, if shaping both in
and out).
b) Define a tcrule for each host to mark to classify the packets
accordingly.
Beginning with Shorewall 4.3.9, this process is made easier IF YOU
ARE WILLING TO INSTALL xtables-addons. The feature requires IPMARK
support in iptables[6] and your kernel. That support is available
in xtables-addons.
The new facility has two components:
a) A new IPMARK MARKing command in /etc/shorewall/tcrules.
b) A new 'occurs' OPTION in /etc/shorewall/tcclasses.
The IPMARK target assigns a mark to each matching packet based on
the either the source or destination IP address. By default, it
assigns a mark value equal to the low-order 8 bits of the source
address.
The syntax is as follows:
IPMARK[([{src|dst}][,[<mask1>][,[<mask2>][,[<shift>]]]])]
Default values are:
src
<mask1> = 0xFF
<mask2> = 0x00
<shift> = 0
'src' and 'dst' specify whether the mark is to be based on the
source or destination address respectively.
The selected address is first LANDed with <mask1> then LORed with
<mask2>.
The result is then shifted <shift> bits to the right.
Example:
IPMARK(dst, 0XFF00, 0x8000,8)
Destination IP address is 192.168.4.3 = 0xc0a80403
0xc0a80403 LAND 0xFF00 = 0x0400
0x0400 LOR 0x80 = 0x8400
0x8400 >> 8 = 0x84
Mark = 0x84 = 132
The 'occurs' option causes the class definition to be replicated
many times. The synax is:
occurs=<number>
When 'occurs' is used:
a) The associated device may not have the 'classify' option.
b) The class may not be the default class.
c) The class may not have any 'tos=' options (including
'tcp-ack').
The 'RATE' and 'CEIL' parameters apply to each instance of the
class. So the total RATE represented by an entry with 'occurs' will
be the listed RATE multiplied by the 'occurs' number.
Example:
#DEVICE MARK RATE CEIL PRIORITY OPTIONS
eth0 100 1kbit 230kbit 4 occurs=32
The above defines 32 classes with MARK values 100-131. Each
class has a guaranteed rate of 1kbit/second.
As part of this change, the generation of class ids from mark
values has been changed. The class number is now
( <devnum> << 10 ) | <mask>
/sbin/shorewall has an 'encode' and 'decode' command to translate a
device number, mark pair to/from a classid:
encode <devnum> <mark>
decode <classnum>
Example:
$ shorewall decode 3172
Device = 3 Mark = 100
$ shorewall encode 3 100
Class number = 3172
$


@ -522,6 +522,44 @@ ppp0 6000kbit 500kbit</programlisting>
role="bold">class</emphasis> per interface.</para>
</note>
</listitem>
<listitem>
<para>occurs=&lt;number&gt;[d|s] - Causes the class definition
to be replicated for a total of <emphasis>number</emphasis>
rules. Each occurance has a successively higher class
number.</para>
<para>When 'occurs' is used:</para>
<itemizedlist>
<listitem>
<para>The associated device must have the 'classify'
option.</para>
</listitem>
<listitem>
<para>The class may not be the default class.</para>
</listitem>
<listitem>
<para>The class may not have any 'tos=' options (including
'tcp-ack').</para>
</listitem>
</itemizedlist>
<para>The 'RATE' and 'CEIL' parameters apply to each instance of
the class. So the total RATE represented by an entry with
'occurs' will be the listed RATE multiplied by
<emphasis>number</emphasis>.</para>
<para>The <emphasis role="bold">d</emphasis> and <emphasis
role="bold">s</emphasis> options are used to specify whether the
instances of the class will be assigned by DESTINATION IP
address (<emphasis role="bold">d</emphasis>) or SOURCE IP
address (<emphasis role="bold">s</emphasis>). The default is
<emphasis role="bold">d</emphasis>. See the <ulink
url="shorewall-tcfilters.html">tcfilters</ulink> (5).</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>


@ -291,19 +291,20 @@
<varlistentry>
<term><emphasis
role="bold">occurs</emphasis>=<emphasis>number</emphasis></term>
role="bold">occurs</emphasis>=<emphasis>number</emphasis>[<emphasis
role="bold">d</emphasis>|<emphasis
role="bold">s</emphasis>]</term>
<listitem>
<para>Typically used with an IPMARK entry in tcrules. Causes
the rule to be replicated for a total of
<emphasis>number</emphasis> rules. Each rule has a
successively class number and mark value.</para>
<para>Causes the class definition to be replicated for a total
of <emphasis>number</emphasis> rules. Each occurance has a
successively higher class number.</para>
<para> When 'occurs' is used:</para>
<para>When 'occurs' is used:</para>
<itemizedlist>
<listitem>
<para>The associated device may not have the 'classify'
<para>The associated device must have the 'classify'
option.</para>
</listitem>
@ -320,7 +321,15 @@
<para>The 'RATE' and 'CEIL' parameters apply to each instance
of the class. So the total RATE represented by an entry with
'occurs' will be the listed RATE multiplied by
<emphasis>number</emphasis>. </para>
<emphasis>number</emphasis>.</para>
<para>The <emphasis role="bold">d</emphasis> and <emphasis
role="bold">s</emphasis> options are used to specify whether
the instances of the class will be assigned by DESTINATION IP
address (<emphasis role="bold">d</emphasis>) or SOURCE IP
address (<emphasis role="bold">s</emphasis>). The default is
<emphasis role="bold">d</emphasis>. See the <ulink
url="shorewall-tcfilters.html">tcfilters</ulink> (5).</para>
</listitem>
</varlistentry>
</variablelist>


@ -1,4 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall-tcfilters</refentrytitle>
@ -38,7 +40,11 @@
url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
followed by a <replaceable>class</replaceable> number defined for
that interface in <ulink
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5).</para>
url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5). If
the class is defined with the <option>occurs</option> option then
the filter will use the low-order byte of the SOURCE or DESTINATION
IP address to assign traffic to individual occurances of the
class.</para>
</listitem>
</varlistentry>
@ -79,7 +85,8 @@
role="bold">all}</emphasis></term>
<listitem>
<para>Protocol.</para>
<para>Protocol. May not be specified in CLASS has the
<option>occurs</option> option.</para>
</listitem>
</varlistentry>
@ -92,7 +99,8 @@
<para>Destination Ports. A Port name (from services(5)) or a
<emphasis>port number</emphasis>; if the protocol is <emphasis
role="bold">icmp</emphasis>, this column is interpreted as the
destination icmp-type(s).</para>
destination icmp-type(s). Requires that the PROTO be tcp, udp or
sctp.</para>
</listitem>
</varlistentry>
@ -102,7 +110,8 @@
role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>]</term>
<listitem>
<para>Source port.</para>
<para>Source port. Requires that the PROTO be tcp, udp or
sctp.</para>
</listitem>
</varlistentry>
</variablelist>
@ -139,12 +148,6 @@
<para><ulink
url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
<para><ulink
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink></para>
<para><ulink
url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-ecn(5), shorewall-exclusion(5),
shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
@ -155,4 +158,4 @@
shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>
</refentry>


@ -51,10 +51,7 @@
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis
role="bold">SAME</emphasis>|<emphasis
role="bold">COMMENT</emphasis>|<emphasis
role="bold">IPMARK</emphasis>[([(<emphasis
role="bold">src</emphasis>|<emphasis
role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
role="bold">COMMENT</emphasis>}[<emphasis
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
@ -279,52 +276,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para>
</listitem>
<listitem>
<para><emphasis role="bold">IPMARK</emphasis> Assigns a mark
to each matching packet based on the either the source or
destination IP address. By default, it assigns a mark value
equal to the low-order 8 bits of the source address. Default
values are:</para>
<simplelist>
<member>src</member>
<member><emphasis>mask1</emphasis> = 0xFF</member>
<member><emphasis>mask2</emphasis> = 0x00</member>
<member><emphasis>shift</emphasis> = 0</member>
</simplelist>
<para>'src' and 'dst' specify whether the mark is to be based on
the source or destination address respectively. The selected
address is first LANDed with <emphasis>mask1</emphasis> then
LORed with <emphasis>ma<emphasis>s</emphasis>k2</emphasis>. The
result is then shifted <emphasis>shift</emphasis> bits to the
right.</para>
<para>Example:</para>
<blockquote>
<para><simplelist>
<member>IPMARK(dst, 0XFF00, 0x8000,8)</member>
<member>Destination IP address is 192.168.4.3 =
0xc0a80103</member>
</simplelist>Meaning:</para>
<simplelist>
<member>0xc0a80403 LAND 0xFF00 = 0x0400</member>
<member>0x0400 LOR 0x80 = 0x8400</member>
<member>0x8400 &gt;&gt; 8 = 0x84</member>
<member>Mark = 0x84 = 132</member>
</simplelist>
</blockquote>
</listitem>
</orderedlist>
</listitem>
</varlistentry>


@ -50,10 +50,7 @@
role="bold">SAVE</emphasis>[<emphasis
role="bold">/</emphasis><emphasis>mask</emphasis>]|<emphasis
role="bold">CONTINUE</emphasis>|<emphasis
role="bold">COMMENT</emphasis>|<emphasis
role="bold">IPMARK</emphasis>[([(<emphasis
role="bold">src</emphasis>|<emphasis
role="bold">dst</emphasis>}][,[<emphasis>mask1</emphasis>][,[<emphasis>mask2</emphasis>][,[<emphasis>shift</emphasis>]]]]])]}[<emphasis
role="bold">COMMENT</emphasis>}[<emphasis
role="bold">:</emphasis>{<emphasis role="bold">C</emphasis>|<emphasis
role="bold">F</emphasis>|<emphasis role="bold">P</emphasis>|<emphasis
role="bold">T</emphasis>|<emphasis role="bold">CF</emphasis>|<emphasis
@ -244,52 +241,6 @@
<para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para>
</listitem>
<listitem>
<para><emphasis role="bold">IPMARK</emphasis> Assigns a mark
to each matching packet based on the either the source or
destination IP address. By default, it assigns a mark value
equal to the low-order 8 bits of the source address. Default
values are:</para>
<simplelist>
<member>src</member>
<member><emphasis>mask1</emphasis> = 0xFF</member>
<member><emphasis>mask2</emphasis> = 0x00</member>
<member><emphasis>shift</emphasis> = 0</member>
</simplelist>
<para>'src' and 'dst' specify whether the mark is to be based on
the source or destination address respectively. The selected
address is first LANDed with <emphasis>mask1</emphasis> then
LORed with <emphasis>ma<emphasis>s</emphasis>k2</emphasis>. The
result is then shifted <emphasis>shift</emphasis> bits to the
right.</para>
<para>Example:</para>
<blockquote>
<para><simplelist>
<member>IPMARK(dst, 0XFF00, 0x8000,8)</member>
<member>Destination IP address is 192.168.4.3 =
0xc0a80103</member>
</simplelist>Meaning:</para>
<simplelist>
<member>0xc0a80403 LAND 0xFF00 = 0x0400</member>
<member>0x0400 LOR 0x80 = 0x8400</member>
<member>0x8400 &gt;&gt; 8 = 0x84</member>
<member>Mark = 0x84 = 132</member>
</simplelist>
</blockquote>
</listitem>
</orderedlist>
</listitem>
</varlistentry>