Add IPMARK target support -- first phase

2009-04-19 08:42:49 -07:00 · 2009-04-19 08:42:49 -07:00 · 2ce042d044
commit 2ce042d044
parent 3cb7186e90
3 changed files with 51 additions and 0 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -236,6 +236,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 TIME_MATCH      => 'Time Match',
 		 GOTO_TARGET     => 'Goto Support',
 		 LOGMARK_TARGET  => 'LOGMARK Target',
+		 IPMARK_TARGET   => 'IPMARK Target',
 		 CAPVERSION      => 'Capability Version',
 	       );
 #
@ -601,6 +602,7 @@ sub initialize( $ ) {
 	       TIME_MATCH => undef,
 	       GOTO_TARGET => undef,
 	       LOGMARK_TARGET => undef,
+	       IPMARK_TARGET => undef,
 	       CAPVERSION => undef,
 	       );
    #
@ -1941,6 +1943,8 @@ sub determine_capabilities( $ ) {
 	}

 	$capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
+	$capabilities{IPMARK_TARGET}   = qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
+	
 	qt1( "$iptables -t mangle -F $sillyname" );
 	qt1( "$iptables -t mangle -X $sillyname" );

--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -103,6 +103,12 @@ our @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 		mask      => '' ,
 		connmark  => 0
 		} ,
+	      { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+		target    => 'IPMARK' ,
+		mark      => NOMARK,
+		mask      => '',
+		connmark  => 0
+	        } ,
 	      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
 		target    => 'MARK --or-mark' ,
 		mark      => HIGHMARK ,
@ -293,6 +299,43 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
 			}

 			$sticky++;
+		    } elsif ( $target eq 'IPMARK ' ) {
+			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
+
+			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
+
+			if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
+			    my $params = $1;
+			    my $val;
+
+			    my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
+
+			    fatal_error "Invalid IPMARK parameters ($params)" if $bad;
+			    fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
+			    $srcdst = $sd;
+
+			    if ( defined $m1 && $m1 ne '' ) {
+				$val = numeric_value ($m1);
+				fatal_error "Invalid Mask ($m1)" unless defined $val;
+				$mask1 = $m1;
+			    }
+
+			    if ( defined $m2 && $m2 ne '' ) {
+				$val = numeric_value ($m2);
+				fatal_error "Invalid Mask ($m2)" unless defined $val;
+				$mask2 = $m2;
+			    }
+				
+			    if ( defined $s ) {
+				$val = numeric_value ($s);
+				fatal_error "Invalid Shift Bits ($s)" unless defined $val;
+				$shift = $s;
+			    }
+			} else {
+			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
+			}
+			    
+			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 		    }

 		    if ( $rest ) {
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@ -758,6 +758,7 @@ determine_capabilities() {
    TIME_MATCH=
    GOTO_TARGET=
    LOGMARK_TARGET=
+    IPMARK_TARGET=

    chain=fooX$$

@ -851,6 +852,7 @@ determine_capabilities() {
 	fi

 	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
 	qt $IPTABLES -t mangle -F $chain
 	qt $IPTABLES -t mangle -X $chain
 	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@ -945,6 +947,7 @@ report_capabilities() {
 	report_capability "Time Match" $TIME_MATCH
 	report_capability "Goto Support" $GOTO_TARGET
 	report_capability "LOGMARK Target" $LOGMARK_TARGET
+	report_capability "IPMARK Target" $IPMARK_TARGET
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1000,6 +1003,7 @@ report_capabilities1() {
    report_capability1 TIME_MATCH
    report_capability1 GOTO_TARGET
    report_capability1 LOGMARK_TARGET
+    report_capability1 IPMARK_TARGET
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
 }