Disallow 'occurs' with 'classify'; allow '<devname>:<classnum>' in tcclasses
parent
13d3f86e23
commit
2db6130c26
@ -569,9 +569,14 @@ sub validate_tc_class( $$$$$$ ) {
|
|||||||
( $device, my ($number, $rest ) ) = split /:/, $device, 3;
|
( $device, my ($number, $rest ) ) = split /:/, $device, 3;
|
||||||
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
|
fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest;
|
||||||
|
|
||||||
|
if ( $device =~ /^(\d+|0x[\da-fA-F]+)$/ ) {
|
||||||
( $number , $classnumber ) = ( hex_value $device, hex_value $number );
|
( $number , $classnumber ) = ( hex_value $device, hex_value $number );
|
||||||
|
|
||||||
( $device , $devref) = dev_by_number( $number );
|
( $device , $devref) = dev_by_number( $number );
|
||||||
|
} else {
|
||||||
|
$classnumber = hex_value $number;
|
||||||
|
($device, $devref ) = dev_by_number( $device);
|
||||||
|
$number = $devref->{number};
|
||||||
|
}
|
||||||
|
|
||||||
if ( defined $number ) {
|
if ( defined $number ) {
|
||||||
fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
|
fatal_error "Invalid interface/class number ($devclass)" unless defined $classnumber && $classnumber;
|
||||||
@ -653,6 +658,7 @@ sub validate_tc_class( $$$$$$ ) {
|
|||||||
$tcref->{src} = 1 if $3 eq 's';
|
$tcref->{src} = 1 if $3 eq 's';
|
||||||
|
|
||||||
fatal_error q(The 'occurs' option is only valid for IPv4) if $family == F_IPV6;
|
fatal_error q(The 'occurs' option is only valid for IPv4) if $family == F_IPV6;
|
||||||
|
fatal_error q(The 'occurs' option may not be used with 'classify') if $devref->{classify};
|
||||||
fatal_error "Invalid 'occurs' ($val)" unless defined $occurs && $occurs > 1 && $occurs <= 256;
|
fatal_error "Invalid 'occurs' ($val)" unless defined $occurs && $occurs > 1 && $occurs <= 256;
|
||||||
fatal_error "Invalid 'occurs' ($val)" if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
|
fatal_error "Invalid 'occurs' ($val)" if $occurs > ( $config{WIDE_TC_MARKS} ? 8191 : 255 );
|
||||||
fatal_error q(Duplicate 'occurs') if $tcref->{occurs} > 1;
|
fatal_error q(Duplicate 'occurs') if $tcref->{occurs} > 1;
|
||||||
@ -723,8 +729,7 @@ sub process_tc_filter( $$$$$$ ) {
|
|||||||
$tcref = $tcref->{$classnum};
|
$tcref = $tcref->{$classnum};
|
||||||
|
|
||||||
fatal_error "Unknown CLASS ($devclass)" unless $tcref && $tcref->{occurs};
|
fatal_error "Unknown CLASS ($devclass)" unless $tcref && $tcref->{occurs};
|
||||||
|
fatal_error "Filters may not specify an occurring CLASS" if $tcref->{occurs} > 1;
|
||||||
my $occurs = $tcref->{occurs};
|
|
||||||
|
|
||||||
my $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32";
|
my $rule = "filter add dev $device protocol ip parent $devnum:0 prio 10 u32";
|
||||||
|
|
||||||
@ -743,31 +748,13 @@ sub process_tc_filter( $$$$$$ ) {
|
|||||||
unless ( $proto eq '-' ) {
|
unless ( $proto eq '-' ) {
|
||||||
$protonumber = resolve_proto $proto;
|
$protonumber = resolve_proto $proto;
|
||||||
fatal_error "Unknown PROTO ($proto)" unless defined $protonumber;
|
fatal_error "Unknown PROTO ($proto)" unless defined $protonumber;
|
||||||
fatal_error "PROTO not permitted in this rule" unless $occurs == 1;
|
|
||||||
$rule .= "\\\n match ip protocol $protonumber 0xff" if $protonumber;
|
$rule .= "\\\n match ip protocol $protonumber 0xff" if $protonumber;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $portlist eq '-' && $sportlist eq '-' ) {
|
if ( $portlist eq '-' && $sportlist eq '-' ) {
|
||||||
if ( $occurs == 1 ) {
|
|
||||||
emit( "\nrun_tc $rule\\" ,
|
emit( "\nrun_tc $rule\\" ,
|
||||||
" flowid $devref->{number}:$class" ,
|
" flowid $devref->{number}:$class" ,
|
||||||
'' );
|
'' );
|
||||||
} else {
|
|
||||||
my $offset = $tcref->{src} ? 12 : 16;
|
|
||||||
my $tnum = $devref->{tablenumber}++;
|
|
||||||
my $bucket;
|
|
||||||
|
|
||||||
emit( "\nrun_tc filter add dev $device parent $devnum:0 protocol ip prio 10 handle $tnum: u32 divisor $occurs" );
|
|
||||||
|
|
||||||
for ( my $i = 0; $i < $occurs; $i++ ) {
|
|
||||||
$class = in_hexp $classnum++;
|
|
||||||
$bucket = in_hexp $i;
|
|
||||||
emit( "run_tc filter add dev $device protocol ip parent $devnum:0 prio 10 u32 ht $tnum:$bucket match u32 0x00000000 0x000000 at 12 flowid $devref->{number}:$class" );
|
|
||||||
}
|
|
||||||
|
|
||||||
emit( "\nrun_tc $rule\\",
|
|
||||||
" link $tnum: hashkey mask ff at $offset\\" );
|
|
||||||
}
|
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Ports may not be specified without a PROTO" unless $protonumber;
|
fatal_error "Ports may not be specified without a PROTO" unless $protonumber;
|
||||||
our $lastrule;
|
our $lastrule;
|
||||||
|
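Review bot: The new else-branch in the first hunk of validate_tc_class dereferences `$devref->{number}` straight after `($device, $devref ) = dev_by_number( $device);` without checking that a device was found, and the `if ( defined $number )` guard that follows tests only `$number`, so an unrecognised interface name in an `<devname>:<classnum>` entry would presumably leave `$number` undef (autovivifying `$devref` into an empty hash) and fall into the no-number path instead of being rejected; whether dev_by_number itself dies on unknown names is not visible here. I would add `fatal_error "Unknown interface ($device)" unless $devref;` between the dev_by_number call and the `$number = $devref->{number};` line. Minor: the branch test `/^(\d+|0x[\da-fA-F]+)$/` captures a group it never reads and `$` tolerates a trailing newline, so `/^(?:\d+|0x[\da-fA-F]+)\z/` states the intent more precisely. validate_tc_class starts and ends outside the hunk.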