holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

1) Avoid multiple pri 65535 fw filters

Browse Source 
2) Fix tcdevices > 9
3) Add some decimal/binary comments

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2009-05-06 09:47:13 -07:00
parent c5a98fe4da
commit 202d5f800e
1 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -156,6 +156,7 @@ our @deferred_rules;
# default => <default class mark value>
# redirected => [ <dev1>, <dev2>, ... ]
# nextclass => <number>
# occurs => Has one or more occurring classes
# }
#
our @tcdevices;
@ -700,6 +701,7 @@ sub validate_tc_class( ) {
warning_message "MARK ($mark) is ignored on an occurring class" if $mark ne '-';
$tcref->{occurs} = $occurs;
$devref->{occurs} = 1;
} else {
fatal_error "Unknown option ($option)";
}
@ -948,7 +950,7 @@ sub setup_traffic_shaping() {
my $dev = chain_base( $device );
my $devref = $tcdevices{$device};
my $defmark = in_hexp ( $devref->{default} || 0 );
my $devnum = $devref->{number};
my $devnum = in_hexp $devref->{number};
emit "if interface_is_up $device; then";
@ -971,6 +973,20 @@ sub setup_traffic_shaping() {
);
}
if ( $devref->{occurs} ) {
#
# The following command succeeds yet generates an error message and non-zero exit status :-(. We thus run it silently and check
# the result. Note that since this is normally the first filter added after the root qdisc was added, the 'ls|grep' test is fairly robust
#
emit( qq(if ! qt \$TC filter add dev $device parent $devnum:0 prio 65535 protocol ip fw; then) ,
qq( if ! \$TC filter list dev $device | grep -q 65535; then) ,
qq( error_message "ERROR: Command '\$TC add dev $device parent $devnum:0 prio 65535 protocol ip fw' failed"),
qq( stop_firewall),
qq( exit 1),
qq( fi),
qq(fi) );
}
for my $rdev ( @{$devref->{redirected}} ) {
emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
emit( "run_tc filter add dev $rdev parent ffff: protocol ip u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );