Add MANGLE_ENABLED option
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8351 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
4676e5b8b7
commit
2a6b894bd4
@ -8,6 +8,10 @@ Changes in 4.1.7
|
||||
|
||||
4) Add CONNBYTES column to tcrules.
|
||||
|
||||
5) Fix a couple of 4.1.6 bugs.
|
||||
|
||||
6) Add MANGLE_ENABLED option.
|
||||
|
||||
Changes in 4.1.6
|
||||
|
||||
1) Deprecate IMPLICIT_CONTINUE=Yes
|
||||
|
@ -1882,6 +1882,7 @@ do_initialize() {
|
||||
VERSION_FILE=
|
||||
LOGRULENUMBERS=
|
||||
ORIGINAL_POLICY_MATCH=
|
||||
ORIGINAL_MANGLE_ENABLED=
|
||||
|
||||
ensure_config_path
|
||||
|
||||
@ -1962,6 +1963,7 @@ do_initialize() {
|
||||
fi
|
||||
|
||||
ORIGINAL_POLICY_MATCH=$POLICY_MATCH
|
||||
ORIGINAL_MANGLE_ENABLED=$MANGLE_ENABLED
|
||||
|
||||
ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
|
||||
|
||||
@ -2126,6 +2128,19 @@ do_initialize() {
|
||||
KEEP_TC_RULES=$(added_param_value_no KEEP_TC_RULES $KEEP_TC_RULES)
|
||||
DELETE_THEN_ADD=$(added_param_value_yes DELETE_THEN_ADD $DELETE_THEN_ADD)
|
||||
|
||||
if [ -n "$MANGLE_ENABLED" ] ; then
|
||||
case $MANGLE_ENABLED in
|
||||
Yes|yes)
|
||||
;;
|
||||
No|no)
|
||||
MANGLE_ENABLED=
|
||||
;;
|
||||
*)
|
||||
startup_error "Invalid value ($MANGLE_ENABLED) for MANGLE_ENABLED";
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
[ "$PROGRAM" = compiler ] && [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
|
||||
|
||||
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
|
||||
@ -2164,7 +2179,8 @@ do_initialize() {
|
||||
fi
|
||||
|
||||
if [ -n "$TC_ENABLED" ];then
|
||||
[ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables"
|
||||
[ -n "$ORIGINAL_MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires mangle support in your kernel and iptables"
|
||||
[ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf"
|
||||
fi
|
||||
|
||||
[ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
|
||||
|
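Review bot: A shorewall.conf that predates this option leaves MANGLE_ENABLED empty in do_initialize, and the new check in the last hunk (`[ -n "$MANGLE_ENABLED" ] || startup_error "Traffic Shaping requires MANGLE_ENABLED=Yes in shorewall.conf"`) then rejects every existing TC_ENABLED configuration on upgrade, while the Perl-side get_configuration defaults the option to Yes (`default_yes_no 'MANGLE_ENABLED' , 'Yes'`). The `if [ -n "$MANGLE_ENABLED" ]` block in the third hunk only validates a value that is present; it never supplies the documented default. The neighbouring options use the added_param_value helpers for exactly this (`ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"`), so, assuming that helper yields Yes for an unset parameter, `MANGLE_ENABLED=$(added_param_value_yes MANGLE_ENABLED $MANGLE_ENABLED)` before the case statement would make the shell and Perl front ends agree. do_initialize starts and ends outside these hunks.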
@ -149,7 +149,25 @@ New Features in 4.1.7.
|
||||
|
||||
1000000::O:P - Connection has sent at least 1,000,000
|
||||
packets in the direction of the original
|
||||
connection.
|
||||
connection.
|
||||
|
||||
3) A new MANGLE_ENABLED option is added to shorewall.conf. The default
|
||||
setting is 'Yes' which causes Shorewall to assume responsibility for
|
||||
the Netfilter mangle table.
|
||||
|
||||
When MANGLE_ENABLED is set to 'No', Shorewall assumes no
|
||||
responsibility for that table. In this setting:
|
||||
|
||||
a) Shorewall doesn't alter the mangle table.
|
||||
b) You may not use Shorewall Traffic Shaping (TC_ENABLED must be
|
||||
set to 'No'.
|
||||
c) The tcrules file is ignored.
|
||||
d) The providers file must be empty.
|
||||
e) All entries in tcdevices must specify the 'classify' option and
|
||||
traffic classification may only occur using the tcfilters file.
|
||||
|
||||
This allows for another application running on your firewall to
|
||||
take over the mangle table and use it for it's own purposes.
|
||||
|
||||
New Features in Shorewall 4.1.
|
||||
|
||||
|
@ -181,6 +181,8 @@ DONT_LOAD=
|
||||
|
||||
AUTO_COMMENT=Yes
|
||||
|
||||
MANGLE_ENABLED=Yes
|
||||
|
||||
###############################################################################
|
||||
# P A C K E T D I S P O S I T I O N
|
||||
###############################################################################
|
||||
|
@ -2215,7 +2215,7 @@ sub create_netfilter_load() {
|
||||
|
||||
push @table_list, 'raw' if $capabilities{RAW_TABLE};
|
||||
push @table_list, 'nat' if $capabilities{NAT_ENABLED};
|
||||
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED};
|
||||
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
$mode = NULL_MODE;
|
||||
@ -2305,7 +2305,7 @@ sub create_chainlist_reload($) {
|
||||
|
||||
unless ( @chains ) {
|
||||
@chains = qw( blacklst ) if $filter_table->{blacklst};
|
||||
push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED};
|
||||
push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
$chains = join( ',', @chains ) if @chains;
|
||||
}
|
||||
|
||||
|
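Review bot: The conjunction `$capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}` introduced in create_netfilter_load is repeated verbatim in create_chainlist_reload, in stop_firewall and in setup_tc, so the rule "the kernel supports the mangle table and the configuration lets Shorewall touch it" now lives in four places. A single predicate, e.g. `sub mangle_enabled() { $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} }` (or one flag computed in get_configuration), would keep those sites from drifting when the semantics are refined later. The new lines themselves look right: with MANGLE_ENABLED=No the mangle table is simply omitted from the restore input and from the chain reload list. Both enclosing subs start and end outside the hunks.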
@ -302,7 +302,7 @@ stop_firewall() {
|
||||
run_stop_exit
|
||||
EOF
|
||||
|
||||
if ( $capabilities{MANGLE_ENABLED} ) {
|
||||
if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
|
||||
emit <<'EOF';
|
||||
run_iptables -t mangle -F
|
||||
run_iptables -t mangle -X
|
||||
|
@ -356,7 +356,8 @@ sub initialize() {
|
||||
DELETE_THEN_ADD => undef,
|
||||
MULTICAST => undef,
|
||||
DONT_LOAD => '',
|
||||
AUTO_COMMENT => '' ,
|
||||
AUTO_COMMENT => undef ,
|
||||
MANGLE_ENABLED => undef ,
|
||||
#
|
||||
# Packet Disposition
|
||||
#
|
||||
@ -1929,6 +1930,7 @@ sub get_configuration( $ ) {
|
||||
default_yes_no 'AUTO_COMMENT' , 'Yes';
|
||||
default_yes_no 'MULTICAST' , '';
|
||||
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
|
||||
default_yes_no 'MANGLE_ENABLED' , 'Yes';
|
||||
|
||||
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};
|
||||
|
||||
@ -1990,6 +1992,8 @@ sub get_configuration( $ ) {
|
||||
$config{TC_ENABLED} = '';
|
||||
}
|
||||
|
||||
fatal_error "TC_ENABLED=$config{TC_ENABLED} is not allowed with MANGLE_ENABLED=No" if $config{TC_ENABLED} && ! $config{MANGLE_ENABLED};
|
||||
|
||||
default 'RESTOREFILE' , 'restore';
|
||||
default 'IPSECFILE' , 'zones';
|
||||
default 'DROP_DEFAULT' , 'Drop';
|
||||
|
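Review bot: The initialize() hunk also changes the AUTO_COMMENT seed from `AUTO_COMMENT => '' ,` to `AUTO_COMMENT => undef ,`, which has nothing to do with the MANGLE_ENABLED option and is not mentioned in the commit message. Since `default_yes_no 'AUTO_COMMENT' , 'Yes'` in get_configuration appears to overwrite the value anyway, it is presumably harmless, but an unrelated change inside a feature commit deserves a sentence in the description or its own commit. The new `fatal_error ... if $config{TC_ENABLED} && ! $config{MANGLE_ENABLED}` check looks correct given that at least one branch just above it normalises TC_ENABLED to `''`. Both subs continue outside the hunks.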
@ -463,6 +463,8 @@ sub setup_providers() {
|
||||
progress_message2 "$doing $fn ...";
|
||||
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' , 's' );
|
||||
|
||||
fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
|
||||
|
||||
emit "\nif [ -z \"\$NOROUTES\" ]; then";
|
||||
|
||||
push_indent;
|
||||
|
@ -826,7 +826,7 @@ sub setup_traffic_shaping() {
|
||||
#
|
||||
sub setup_tc() {
|
||||
|
||||
if ( $capabilities{MANGLE_ENABLED} ) {
|
||||
if ( $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED} ) {
|
||||
ensure_mangle_chain 'tcpre';
|
||||
ensure_mangle_chain 'tcout';
|
||||
|
||||
@ -867,23 +867,25 @@ sub setup_tc() {
|
||||
setup_traffic_shaping;
|
||||
}
|
||||
|
||||
if ( my $fn = open_file 'tcrules' ) {
|
||||
if ( $config{TC_ENABLED} ) {
|
||||
if ( my $fn = open_file 'tcrules' ) {
|
||||
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
|
||||
first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's'; } );
|
||||
|
||||
while ( read_a_line ) {
|
||||
while ( read_a_line ) {
|
||||
|
||||
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = split_line1 2, 11, 'tcrules file';
|
||||
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes ) = split_line1 2, 11, 'tcrules file';
|
||||
|
||||
if ( $mark eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
} else {
|
||||
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes;
|
||||
if ( $mark eq 'COMMENT' ) {
|
||||
process_comment;
|
||||
} else {
|
||||
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos, $connbytes;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
clear_comment;
|
||||
clear_comment;
|
||||
}
|
||||
}
|
||||
|
||||
for ( @deferred_rules ) {
|
||||
|
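Review bot: The tcrules file is now read only inside `if ( $config{TC_ENABLED} ) {`, whereas the release notes in this commit say the file is ignored when MANGLE_ENABLED is No; because get_configuration rejects TC_ENABLED together with MANGLE_ENABLED=No, the new gate covers that case, but it also skips tcrules whenever TC_ENABLED=No and MANGLE_ENABLED=Yes. If tcrules were honoured with TC_ENABLED=No before this change (the old `if ( my $fn = open_file 'tcrules' )` sat unconditionally at this nesting, but the surrounding code is outside the hunk), that is a silent behaviour change for existing installations and should either be documented or the gate changed to `if ( $config{MANGLE_ENABLED} ) {` to match the stated semantics. setup_tc ends outside the hunk.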