Add tos file processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5686 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2007-03-25 19:27:25 +00:00 · 2007-03-25 19:27:25 +00:00 · 307e82a2f4
commit 307e82a2f4
parent b56a534dc4
2 changed files with 42 additions and 6 deletions
--- a/New/Shorewall/Chains.pm
+++ b/New/Shorewall/Chains.pm
@ -43,6 +43,8 @@ our @EXPORT = qw( STANDARD
 		  LOGRULE
 		  NO_RESTRICT
 		  PREROUTE_RESTRICT
+		  INPUT_RESTRICT
+		  OUTPUT_RESTRICT
 		  POSTROUTE_RESTRICT
 		  
 		  add_command
@ -209,7 +211,11 @@ our %targets = ('ACCEPT'       => STANDARD,
 #
 use constant { NO_RESTRICT        => 0,
 	       PREROUTE_RESTRICT  => 1,
-	       POSTROUTE_RESTRICT => 2 };
+	       INPUT_RESTRICT     => 4,
+	       OUTPUT_RESTRICT    => 8,
+	       POSTROUTE_RESTRICT => 16,
+	       ALL_RESTRICT       => 12
+	       };
 #
 # Used to sequence 'exclusion' chains with names 'excl0', 'excl1', ...
 #
@ -1068,7 +1074,7 @@ sub expand_rule( $$$$$$$$$$ )
    if ( $iiface ) {
 	fatal_error "Unknown Interface ($iiface): \"$line\"" unless known_interface $iiface;

-	if ( $restriction == POSTROUTE_RESTRICT ) {
+	if ( $restriction & POSTROUTE_RESTRICT ) {
 	    #
 	    # An interface in the SOURCE column of a masq file
 	    #
@ -1081,6 +1087,8 @@ sub expand_rule( $$$$$$$$$$ )
 	    #
 	    $loopcount++;
 	} else {
+	    fatal_error "Source Interface ( $iiface ) not allowed when the source zone is $firewall_zone: $line" 
+		if $restriction & OUTPUT_RESTRICT;
 	    $rule .= "-i $iiface ";
 	}
    }
@ -1091,7 +1099,7 @@ sub expand_rule( $$$$$$$$$$ )
    if ( $dest ) {
 	if ( $dest eq '-' ) {
 	    $dest = '';
-	} elsif ( $restriction == PREROUTE_RESTRICT && $dest =~ /^detect:(.*)$/ ) {
+	} elsif ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
 	    #
 	    # DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule
 	    #
@ -1131,7 +1139,7 @@ sub expand_rule( $$$$$$$$$$ )
    if ( $diface ) {
 	fatal_error "Unknown Interface ($diface) in rule \"$line\"" unless known_interface $diface;

-	if ( $restriction == PREROUTE_RESTRICT ) {
+	if ( $restriction & PREROUTE_RESTRICT ) {
 	    #
 	    # ADDRESS 'detect' in the masq file.
 	    #
@ -1141,6 +1149,8 @@ sub expand_rule( $$$$$$$$$$ )
 	    $rule .= '-d $dest';
 	    $loopcount++;
 	} else {
+	    fatal_error "Destination Interface ( $diface ) not allowed when the destination zone is $firewall_zone: $line"
+		if $restriction & INPUT_RESTRICT;
 	    $rule .= "-o $diface ";
 	}
    }   
--- a/New/Shorewall/Rules.pm
+++ b/New/Shorewall/Rules.pm
@ -72,9 +72,35 @@ sub process_tos() {

 	while ( $line = <TOS> ) {
 	    
-	    my ($source, $dest, $proto, $sports, $ports ) = split_line 5, 'tos file';
+	    my ($src, $dst, $proto, $sports, $ports , $tos ) = split_line 6, 'tos file';
 	    
-	    ### Fixme ###
+	    fatal_error "TOS field required: $line" unless $tos ne '-';
+
+	    my $chainref;
+
+	    my $restriction = NO_RESTRICT;
+
+	    my ( $srczone , $source ) = split /:/, $src;
+	    
+	    if ( $srczone eq $firewall_zone ) {
+		$chainref    = $outtosref;
+		$src         = $source || '-';
+		$restriction = OUTPUT_RESTRICT;
+	    } else {
+		$chainref = $pretosref;
+	    }
+	    
+	    expand_rule 
+		$chainref ,
+		$restriction ,
+		do_proto( $proto, $ports, $sports ) ,
+		$src ,
+		$dst ,
+		'' ,
+		"-j TOS --set-tos $tos" ,
+		'' ,
+		'' ,
+		'';
 	}

 	close TOS;