Add support for CLASSIFY

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1610 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-09-08 20:13:31 +00:00 · 2004-09-08 20:13:31 +00:00 · 31d3885f4e
commit 31d3885f4e
parent 876b519b1a
3 changed files with 65 additions and 25 deletions
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -2175,13 +2175,20 @@ setup_ecn() # $1 = file name
 }

 #
-# Process a TC Rule - $marking_chain is assumed to contain the name of the
+# Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the
 #                     default marking chain
 #
 process_tc_rule()
 {
-    chain=$marking_chain
-    
+    chain=$MARKING_CHAIN
+
+    verify_designator() {
+	[ "$chain" = tcout ] && \
+	    fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
+	chain=$1
+	mark="${mark%:*}"
+    }
+
    add_a_tc_rule() {
 	r=

@ -2230,28 +2237,30 @@ process_tc_rule()
 	[ "x$port"   = "x-"  ] || r="${r}--dport $port "
 	[ "x$sport"  = "x-"  ] || r="${r}--sport $sport "

-	run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
+	case $chain in
+	    tcpost)
+		run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
+		;;
+	    *)
+		run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
+		;;
+	esac

    }

    if [ "$mark" != "${mark%:*}" ]; then
-
-	[ "$chain" = tcout ] && \
-	    fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
-	
 	case "${mark#*:}" in
 	    p|P)
-		chain=tcpre
+		verify_designator tcpre
 		;;
 	    f|F)
-		chain=tcfor
+		verify_designator tcfor
 		;;
 	    *)
-		fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
+		chain=tcpost
 		;;
 	esac

-	mark="${mark%:*}"
    fi

    for source in $(separate_list ${sources:=-}); do
@ -2278,6 +2287,7 @@ setup_tc1() {
    run_iptables -t mangle -N tcpre
    run_iptables -t mangle -N tcfor
    run_iptables -t mangle -N tcout
+    run_iptables -t mangle -N tcpost
    #
    # Process the TC Rules File
    #
@ -2292,9 +2302,10 @@ setup_tc1() {
    # Link to the TC mangle chains from the main chains
    #

-    run_iptables -t mangle -A FORWARD    -j tcfor
-    run_iptables -t mangle -A PREROUTING -j tcpre
-    run_iptables -t mangle -A OUTPUT     -j tcout
+    run_iptables -t mangle -A FORWARD     -j tcfor
+    run_iptables -t mangle -A PREROUTING  -j tcpre
+    run_iptables -t mangle -A OUTPUT      -j tcout
+    run_iptables -t mangle -A POSTROUTING -j tcpost

    run_user_exit tcstart

@ -6832,7 +6843,7 @@ do_initialize() {
    [ -z "$BOGON_LOG_LEVEL" ]   && BOGON_LOG_LEVEL=info

    MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
-    [ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre
+    [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
    if [ -n "$TC_ENABLED" ]; then
 	CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
    else
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -437,3 +437,19 @@ New Features:
    with the exception of the /etc/shorewall/netmap file, anywhere that
    a network address may appear an IP address range of the form <low
    address>-<high address> may also appear.
+
+15) Support has been added for the iptables CLASSIFY target. That
+    target allows you to classify packets for traffic shaping directly
+    rather than indirectly through fwmark. Simply entry the
+    <major>:<minor> classification in the first column of
+    /etc/shorewall/tcrules:
+
+    Example:
+
+	#MARK/      SOURCE       DEST      PROTO     PORT(S)
+	#CLASSIFY
+	1:30	    -		 -	   tcp	     25
+
+    Marking using the CLASSIFY target always occurs in the POSTROUTING
+    chain of the mangle table and is not affected by the setting of
+    MARK_IN_FORWARD_CHAIN in shorewall.conf.
--- a/Shorewall2/tcrules
+++ b/Shorewall2/tcrules
@ -14,16 +14,29 @@
 # Columns are:
 #
 #
-#	MARK		The mark value which is an
-#			integer in the range 1-255
+#	MARK/		a) A mark value which is a integer in the range 1-255
+#       CLASSIFY
+#			   May optionally be followed by ":P" or ":F"
+#			   where ":P" indicates that marking should occur in
+#			   the PREROUTING chain and ":F" indicates that marking
+#			   should occur in the FORWARD chain. If neither
+#			   ":P" nor ":F" follow the mark value then the chain is
+#			   determined by the setting of MARK_IN_FORWARD_CHAIN in
+#			   /etc/shorewall/shorewall.conf.
 #
-#			May optionally be followed by ":P" or ":F"
-#			where ":P" indicates that marking should occur in
-#			the PREROUTING chain and ":F" indicates that marking
-#			should occur in the FORWARD chain. If neither
-#			":P" nor ":F" follow the mark value then the chain is
-#			determined by the setting of MARK_IN_FORWARD_CHAIN in
-#			/etc/shorewall/shorewall.conf.
+#			b) A classification of the form <major>:<minor> where
+#		    	   <major> and <minor> are integers. Corresponds to 
+#			   the 'class' specification in these traffic shaping
+#			   modules:
+#
+#				- atm
+#				- cbq
+#				- dsmark
+#				- pfifo_fast
+#				- htb
+#				- prio
+#
+#			   Marking always occurs in the POSTROUTING chain.
 #
 #	SOURCE 		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses