forked from extern/shorewall_code
Allow SAME in the OUTPUT chain
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9531 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
1f7d8964c3
commit
1705c42746
@ -103,6 +103,7 @@ sub setup_route_marking() {
|
||||
|
||||
my $chainref = new_chain 'mangle', 'routemark';
|
||||
my $chainref1 = new_chain 'mangle', 'setsticky';
|
||||
my $chainref2 = new_chain 'mangle', 'setsticko';
|
||||
|
||||
my %marked_interfaces;
|
||||
|
||||
@ -116,6 +117,7 @@ sub setup_route_marking() {
|
||||
unless ( $marked_interfaces{$interface} ) {
|
||||
add_rule $mangle_table->{PREROUTING} , "-i $interface -m mark --mark 0/$mask -j routemark";
|
||||
add_jump $mangle_table->{PREROUTING} , $chainref1, 0, "-i ! $interface -m mark --mark $mark/$mask ";
|
||||
add_jump $mangle_table->{OUTPUT} , $chainref2, 0, "-m mark --mark $mark/$mask ";
|
||||
$marked_interfaces{$interface} = 1;
|
||||
}
|
||||
|
||||
@ -763,13 +765,14 @@ sub lookup_provider( $ ) {
|
||||
#
|
||||
sub handle_stickiness() {
|
||||
my $setstickyref = $mangle_table->{setsticky};
|
||||
my $setstickoref = $mangle_table->{setsticko};
|
||||
my $tcpreref = $mangle_table->{tcpre};
|
||||
my $tcoutref = $mangle_table->{tcout};
|
||||
my %marked_interfaces;
|
||||
my $sticky = 1;
|
||||
|
||||
fatal_error "There are SAME tcrules but no 'track' providers" unless @routemarked_providers;
|
||||
|
||||
my $stickyref = ensure_mangle_chain 'sticky';
|
||||
|
||||
for my $providerref ( @routemarked_providers ) {
|
||||
my $interface = $providerref->{interface};
|
||||
@ -777,6 +780,7 @@ sub handle_stickiness() {
|
||||
my $mark = $providerref->{mark};
|
||||
|
||||
for ( grep /-j sticky/, @{$tcpreref->{rules}} ) {
|
||||
my $stickyref = ensure_mangle_chain 'sticky';
|
||||
my $rule1;
|
||||
my $list = sprintf "sticky%03d" , $sticky++;
|
||||
|
||||
@ -786,7 +790,7 @@ sub handle_stickiness() {
|
||||
|
||||
if ( $chainref->{name} eq 'sticky' ) {
|
||||
$rule1 = $_;
|
||||
$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 120 -j MARK --set-mark $mark/;
|
||||
$rule1 =~ s/-j sticky/-m recent --name $list --update --seconds 300 -j MARK --set-mark $mark/;
|
||||
} else {
|
||||
$rule1 = $_;
|
||||
$rule1 =~ s/-j sticky/-m mark --mark $mark -m recent --name $list --set/;
|
||||
@ -800,6 +804,32 @@ sub handle_stickiness() {
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
for ( grep /-j sticko/, @{$tcoutref->{rules}} ) {
|
||||
my $rule1;
|
||||
my $list = sprintf "sticky%03d" , $sticky++;
|
||||
my $stickoref = ensure_mangle_chain 'sticko';
|
||||
|
||||
for my $chainref ( $stickoref, $setstickoref ) {
|
||||
|
||||
add_command( $chainref, qq(if [ -n "\$${base}_IS_UP" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
|
||||
|
||||
if ( $chainref->{name} eq 'sticko' ) {
|
||||
$rule1 = $_;
|
||||
$rule1 =~ s/-j sticko/-m recent --name $list --rdest --update --seconds 300 -j MARK --set-mark $mark/;
|
||||
} else {
|
||||
$rule1 = $_;
|
||||
$rule1 =~ s/-j sticko/-m mark --mark $mark -m recent --name $list --rdest --set/;
|
||||
}
|
||||
|
||||
$rule1 =~ s/-A //;
|
||||
|
||||
add_rule $chainref, $rule1;
|
||||
|
||||
decr_cmd_level( $chainref), add_command( $chainref, "fi" ) if $providerref->{optional};
|
||||
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -286,7 +286,12 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
|
||||
}
|
||||
|
||||
if ( $target eq 'sticky ' ) {
|
||||
fatal_error "SAME rules are only allowed in the PREROUTING chain" if $chain ne 'tcpre';
|
||||
if ( $chain eq 'tcout' ) {
|
||||
$target = 'sticko';
|
||||
} else {
|
||||
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
|
||||
}
|
||||
|
||||
$sticky++;
|
||||
}
|
||||
|
||||
|
@ -85,9 +85,10 @@ New Features in Shorewall 4.4
|
||||
are routed through one provider and some through another.
|
||||
|
||||
To work around this issue, the SAME target has been added to
|
||||
/etc/shorewall/tcrules. SAME may currently be used only in the
|
||||
PREROUTING chain and causes matching connections from an individual
|
||||
local system to all use the same provider.
|
||||
/etc/shorewall/tcrules. SAME may be used in the PREROUTING and
|
||||
OUTPUT chains. When used in PREROUTING, it causes matching
|
||||
connections from an individual local system to all use the same
|
||||
provider.
|
||||
|
||||
For example:
|
||||
|
||||
@ -95,5 +96,18 @@ New Features in Shorewall 4.4
|
||||
|
||||
If a host in 192.168.1.0/24 attempts a connection on TCP port 80 or
|
||||
443 and it has sent a packet on either of those ports in the last
|
||||
two minutes then the new connection will use the same provider as
|
||||
five minutes then the new connection will use the same provider as
|
||||
the connection over which that last packet was sent.
|
||||
|
||||
When used in the OUTPUT chain, it causes all matching connections
|
||||
to an individual remote system to all use the same provider.
|
||||
|
||||
For example:
|
||||
|
||||
SAME $FW - tcp 80,443
|
||||
|
||||
If the firewall attempts a connection on TCP port 80 or
|
||||
443 and it has sent a packet on either of those ports in the last
|
||||
five minutes to the same remote system then the new connection will
|
||||
use the same provider as the connection over which that last packet
|
||||
was sent.
|
||||
|
@ -241,16 +241,28 @@
|
||||
providers are configured, this can lead to problems when some of
|
||||
the connections are routed through one provider and some through
|
||||
another. The SAME target allows you to work around that problem.
|
||||
SAME may currently be used only in the PREROUTING chain and
|
||||
causes matching connections from an individual local system to
|
||||
all use the same provider. For example: <programlisting>#MARK/ SOURCE DEST PROTO DEST
|
||||
SAME may be used in the PREROUTING and OUTPUT chains. When used
|
||||
in PREROUTING, it causes matching connections from an individual
|
||||
local system to all use the same provider. For example:
|
||||
<programlisting>#MARK/ SOURCE DEST PROTO DEST
|
||||
#CLASSIFY PORT(S)
|
||||
SAME:P 192.168.1.0/24 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
If a host in 192.168.1.0/24 attempts a connection on TCP port 80
|
||||
or 443 and it has sent a packet on either of those ports in the
|
||||
last two minutes then the new connection will use the same
|
||||
provider as the connection over which that last packet was sent.
|
||||
</para>
|
||||
last five minutes then the new connection will use the same
|
||||
provider as the connection over which that last packet was
|
||||
sent.</para>
|
||||
|
||||
<para>When used in the OUTPUT chain, it causes all matching
|
||||
connections to an individual remote system to all use the same
|
||||
provider. For example:<programlisting>#MARK/ SOURCE DEST PROTO DEST
|
||||
#CLASSIFY PORT(S)
|
||||
SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
If the firewall attempts a connection on TCP port 80 or 443 and
|
||||
it has sent a packet on either of those ports in the last five
|
||||
minutes to the same remote system then the new connection will
|
||||
use the same provider as the connection over which that last
|
||||
packet was sent. </para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
Loading…
Reference in New Issue
Block a user