From 273c89a753498c97dc61de01480346c3066b004f Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Fri, 18 Mar 2016 11:42:58 -0700 Subject: [PATCH] Implement MARK and CONNMARK in the rules file. Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Rules.pm | 48 +++++++++++++++++++++++- Shorewall/manpages/shorewall-rules.xml | 41 ++++++++++++++++++++ Shorewall6/manpages/shorewall6-rules.xml | 41 ++++++++++++++++++++ 3 files changed, 129 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index b0ad73dc3..e2a698a11 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2517,6 +2517,44 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 my $exceptionrule = '';
 my $usergenerated;
 my $prerule = '';
+ #
+ # Subroutine for handling MARK and CONNMARK.
+ #
+ sub handle_mark( $$$ ) {
+ my ( $target, $param, $marktype ) = @_;
+ my $and_or = $param =~ s/^([|&])// ? $1 : '';
+ require_capability( 'MARK_ANYWHERE', "The $target action", 's' );
+ fatal_error "Mark Ranges are not supported in the rules file" if $param =~ /-/;
+ #
+ # A Single Mark
+ #
+ my $mark = $param;
+ my $val;
+ if ( supplied $mark ) {
+ if ( $marktype == SMALLMARK ) {
+ $val = verify_small_mark( $mark );
+ } else {
+ $val = validate_mark( $mark );
+ }
+ } else {
+ $val = numeric_value( $mark = $globals{TC_MASK} );
+ }
+ $target = join( ' ', $target, $and_or eq '|' ? '--or-mark' : $and_or ? '--and-mark' : '--set-mark' );
+ ( $mark, my $mask ) = split '/', $mark;
+ if ( supplied $mask ) {
+ $target = join( ' ', $target , join( '/', $mark , $mask ) );
+ } else {
+ $target = join( ' ', $target , $mark );
+ }
+ $target;
+ };
 if ( $inchain = defined $chainref ) {
 ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
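Review bot: handle_mark emits `--or-mark` or `--and-mark` when the parameter starts with `|` or `&`, yet the only capability it verifies is MARK_ANYWHERE, while the manpage text added by this same commit says those two forms need Extended MARK Target support; without a compile-time check the problem only surfaces when the generated script is loaded. A guard right after the existing require_capability would close that gap, e.g. `require_capability( 'EXMARK', "The $target action with '|' or '&'", 's' ) if $and_or;` (EXMARK is, as far as I recall, the capability name the compiler uses for the extended target elsewhere — please confirm). `$val` is assigned from verify_small_mark, validate_mark and numeric_value but never read, so those calls exist only for their fatal_error side effect; dropping `$val` or adding `# validators die on bad input; the returned value is not used` would make that intent explicit. Also, `( $mark, my $mask ) = split '/', $mark;` silently discards anything after a second `/`, so correctness depends on the validators rejecting such input, which is not visible here. handle_mark is a named sub nested in process_rule, whose body continues outside the hunk; that is safe only as long as it keeps touching nothing but its own arguments and the file-level %globals.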
@@ -2602,7 +2640,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 $action = 'LOG';
 } elsif ( ! ( $actiontype & (ACTION | INLINE | IPTABLES | TARPIT ) ) ) {
 fatal_error "'builtin' actions may only be used in INLINE rules" if $actiontype == USERBUILTIN;
- fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
+ fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '' || $actiontype & OPTIONS;
 }
 }
 #
@@ -2648,6 +2686,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 $action = "AUDIT --type $param";
 } ,
+ CONNMARK => sub() {
+ $action = handle_mark( 'CONNMARK', $param, HIGHMARK );
+ } ,
+
 REDIRECT => sub () {
 my $z = $actiontype & NATONLY ? '' : firewall_zone;
 if ( $dest eq '-' ) {
@@ -2715,6 +2757,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
 }
 },
+ MARK => sub() {
+ $action = handle_mark( 'MARK', $param, HIGHMARK );
+ } ,
+
 TARPIT => sub {
 require_capability 'TARPIT_TARGET', 'TARPIT', 's';
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml
index 91cff1f48..767dcd3b3 100644
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -328,6 +328,18 @@ + + CONMARK({mark}) + + + Added in Shorewall 5.0.7, CONNMARK is identical to MARK with the exception that the mark is assigned to connection to which the packet belongs is marked rather than to the packet itself. + + + CONTINUE
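Review bot: The relaxed parameter check now exempts every action whose type carries the OPTIONS flag, not only the two targets this commit introduces; if any other builtin target already has OPTIONS set (the flag's definition is outside this hunk), a parameter that was previously rejected at compile time would now be accepted and, depending on that target's dispatch entry, silently ignored. If OPTIONS is meant to signal "this target parses its own parameter", a short comment on the changed line would keep the flag from being reused for something else later: `# OPTIONS targets (MARK, CONNMARK) validate their own parameter in their dispatch entry`. Otherwise a narrower test on the target name would be the safer change. The enclosing process_rule starts and ends outside the hunk.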
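Review bot: The dispatch key added here is `CONNMARK`, but the shorewall-rules.xml and shorewall6-rules.xml hunks in this same commit document the target as `CONMARK({mark})`, so a user following the manpage will write a name the rules parser does not recognize; the code is right and the manpage term should read `CONNMARK`. The accompanying description ("the mark is assigned to connection to which the packet belongs is marked rather than ...") is also garbled and reads better as "the mark is assigned to the connection to which the packet belongs rather than to the packet itself". Both new callers pass HIGHMARK, so the SMALLMARK branch of handle_mark is unreachable from the rules file as of this commit; a one-line comment on the call such as `# HIGHMARK is deliberate: rules-file marks go through validate_mark, not verify_small_mark` would record that this is intended. The surrounding dispatch table continues outside the hunk.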
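Review bot: MARK(value) without a mask becomes `--set-mark value` in handle_mark, which replaces every bit of the packet mark; handle_mark's fallback to `$globals{TC_MASK}` suggests the compiler reserves part of the mark for other purposes (the mark layout is not visible from here), in which case an unmasked MARK from the rules file could overwrite bits that other rule sets depend on. If that is the case, the new manpage entry should carry a caveat along the lines of "Unless a mask is given, MARK replaces the whole packet mark, including any bits reserved for traffic shaping or provider selection", or handle_mark should apply the default mask when none is supplied. This hunk's body is three lines; the dispatch table it extends begins and ends outside the hunk.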
@@ -546,6 +558,35 @@ + + MARK({mark}) + + + where mark is a packet mark + value. + + Added in Shorewall 5.0.7, MARK requires "Mark in filter + table" support in your kernel and iptables. + + Normally will set the mark value of the current packet. + If preceded by a vertical bar ("|"), the mark value will be + logically ORed with the current mark value to produce a new + mark value. If preceded by an ampersand ("&"), will be + logically ANDed with the current mark value to produce a new + mark value. + + Both "|" and "&" require Extended MARK Target + support in your kernel and iptables. + + The mark value may be optionally followed by "/" and a + mask value (used to determine those bits of the connection + mark to actually be set). When a mask is specified, the result + of logically ANDing the mark value with the mask must be the + same as the mark value. + + + NFLOG[(nflog-parameters)] diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index 85f750616..07b65803b 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -303,6 +303,18 @@ + + CONMARK({mark}) + + + Added in Shorewall 5.0.7, CONNMARK is identical to MARK + with the exception that the mark is assigned to connection to + which the packet belongs is marked rather than to the packet + itself. + + + CONTINUE 
@@ -523,6 +535,35 @@ + + MARK({mark}) + + + where mark is a packet mark + value. + + Added in Shorewall 5.0.7, MARK requires "Mark in filter + table" support in your kernel and iptables. + + Normally will set the mark value of the current packet. + If preceded by a vertical bar ("|"), the mark value will be + logically ORed with the current mark value to produce a new + mark value. If preceded by an ampersand ("&"), will be + logically ANDed with the current mark value to produce a new + mark value. + + Both "|" and "&" require Extended MARK Target + support in your kernel and iptables. + + The mark value may be optionally followed by "/" and a + mask value (used to determine those bits of the connection + mark to actually be set). When a mask is specified, the result + of logically ANDing the mark value with the mask must be the + same as the mark value. + + + NFLOG[(nflog-parameters)]