Add support for CLASSIFY

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1610 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-09-08 20:13:31 +00:00
parent 876b519b1a
commit 31d3885f4e
3 changed files with 65 additions and 25 deletions


@ -2175,13 +2175,20 @@ setup_ecn() # $1 = file name
} }
# #
# Process a TC Rule - $marking_chain is assumed to contain the name of the # Process a TC Rule - $MARKING_CHAIN is assumed to contain the name of the
# default marking chain # default marking chain
# #
process_tc_rule() process_tc_rule()
{ {
chain=$marking_chain chain=$MARKING_CHAIN
verify_designator() {
[ "$chain" = tcout ] && \
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
chain=$1
mark="${mark%:*}"
}
add_a_tc_rule() { add_a_tc_rule() {
r= r=
@ -2230,28 +2237,30 @@ process_tc_rule()
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}--dport $port "
[ "x$sport" = "x-" ] || r="${r}--sport $sport " [ "x$sport" = "x-" ] || r="${r}--sport $sport "
run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark case $chain in
tcpost)
run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
;;
*)
run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
;;
esac
} }
if [ "$mark" != "${mark%:*}" ]; then if [ "$mark" != "${mark%:*}" ]; then
[ "$chain" = tcout ] && \
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
case "${mark#*:}" in case "${mark#*:}" in
p|P) p|P)
chain=tcpre verify_designator tcpre
;; ;;
f|F) f|F)
chain=tcfor verify_designator tcfor
;; ;;
*) *)
fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\"" chain=tcpost
;; ;;
esac esac
mark="${mark%:*}"
fi fi
for source in $(separate_list ${sources:=-}); do for source in $(separate_list ${sources:=-}); do
@ -2278,6 +2287,7 @@ setup_tc1() {
run_iptables -t mangle -N tcpre run_iptables -t mangle -N tcpre
run_iptables -t mangle -N tcfor run_iptables -t mangle -N tcfor
run_iptables -t mangle -N tcout run_iptables -t mangle -N tcout
run_iptables -t mangle -N tcpost
# #
# Process the TC Rules File # Process the TC Rules File
# #
@ -2292,9 +2302,10 @@ setup_tc1() {
# Link to the TC mangle chains from the main chains # Link to the TC mangle chains from the main chains
# #
run_iptables -t mangle -A FORWARD -j tcfor run_iptables -t mangle -A FORWARD -j tcfor
run_iptables -t mangle -A PREROUTING -j tcpre run_iptables -t mangle -A PREROUTING -j tcpre
run_iptables -t mangle -A OUTPUT -j tcout run_iptables -t mangle -A OUTPUT -j tcout
run_iptables -t mangle -A POSTROUTING -j tcpost
run_user_exit tcstart run_user_exit tcstart
@ -6832,7 +6843,7 @@ do_initialize() {
[ -z "$BOGON_LOG_LEVEL" ] && BOGON_LOG_LEVEL=info [ -z "$BOGON_LOG_LEVEL" ] && BOGON_LOG_LEVEL=info
MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN) MARK_IN_FORWARD_CHAIN=$(added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN)
[ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre [ -n "$MARK_IN_FORWARD_CHAIN" ] && MARKING_CHAIN=tcfor || MARKING_CHAIN=tcpre
if [ -n "$TC_ENABLED" ]; then if [ -n "$TC_ENABLED" ]; then
CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC) CLEAR_TC=$(added_param_value_yes CLEAR_TC $CLEAR_TC)
else else
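Review bot: The `*)` arm that replaces the old `fatal_error "Invalid chain designator: ..."` now treats every `<mark>:<suffix>` that is not `:P`/`:F` as a CLASSIFY class, so a mistyped designator such as `1:x`, an empty minor (`1:`) or a value with a second colon is no longer rejected while the rules file is compiled and is handed unvalidated to `run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark`; the error then only surfaces as an iptables failure at start time. Before `chain=tcpost`, check that the value is exactly `<major>:<minor>` with both halves non-empty hex digits and keep a fatal_error for anything else, as sketched below. The `tcout` guard in `verify_designator` is deliberately skipped on this path, which looks correct because POSTROUTING also sees locally generated traffic, but a one-line comment stating that would save the next reader the question. process_tc_rule continues past the hunk (the `for source` loop and whatever reassigns `chain` there are not shown), so the check assumes `mark` still holds the raw first column at this point.
```shell
*)
    # CLASSIFY: require <major>:<minor>, both non-empty hex, no second ':'
    major="${mark%%:*}"
    minor="${mark#*:}"
    case "$mark" in
        *:*:*|:*|*:)
            fatal_error "Invalid class specification: ($mark) in rule \"$rule\""
            ;;
    esac
    if [ -n "$(echo "$major$minor" | tr -d '0-9a-fA-F')" ]; then
        fatal_error "Invalid class specification: ($mark) in rule \"$rule\""
    fi
    # Classification always happens in POSTROUTING; the tcout restriction
    # for $FW sources does not apply here.
    chain=tcpost
    ;;
```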


@ -437,3 +437,19 @@ New Features:
with the exception of the /etc/shorewall/netmap file, anywhere that with the exception of the /etc/shorewall/netmap file, anywhere that
a network address may appear an IP address range of the form <low a network address may appear an IP address range of the form <low
address>-<high address> may also appear. address>-<high address> may also appear.
15) Support has been added for the iptables CLASSIFY target. That
target allows you to classify packets for traffic shaping directly
rather than indirectly through fwmark. Simply entry the
<major>:<minor> classification in the first column of
/etc/shorewall/tcrules:
Example:
#MARK/ SOURCE DEST PROTO PORT(S)
#CLASSIFY
1:30 - - tcp 25
Marking using the CLASSIFY target always occurs in the POSTROUTING
chain of the mangle table and is not affected by the setting of
MARK_IN_FORWARD_CHAIN in shorewall.conf.


@ -14,16 +14,29 @@
# Columns are: # Columns are:
# #
# #
# MARK The mark value which is an # MARK/ a) A mark value which is a integer in the range 1-255
# integer in the range 1-255 # CLASSIFY
# May optionally be followed by ":P" or ":F"
# where ":P" indicates that marking should occur in
# the PREROUTING chain and ":F" indicates that marking
# should occur in the FORWARD chain. If neither
# ":P" nor ":F" follow the mark value then the chain is
# determined by the setting of MARK_IN_FORWARD_CHAIN in
# /etc/shorewall/shorewall.conf.
# #
# May optionally be followed by ":P" or ":F" # b) A classification of the form <major>:<minor> where
# where ":P" indicates that marking should occur in # <major> and <minor> are integers. Corresponds to
# the PREROUTING chain and ":F" indicates that marking # the 'class' specification in these traffic shaping
# should occur in the FORWARD chain. If neither # modules:
# ":P" nor ":F" follow the mark value then the chain is #
# determined by the setting of MARK_IN_FORWARD_CHAIN in # - atm
# /etc/shorewall/shorewall.conf. # - cbq
# - dsmark
# - pfifo_fast
# - htb
# - prio
#
# Marking always occurs in the POSTROUTING chain.
# #
# SOURCE Source of the packet. A comma-separated list of # SOURCE Source of the packet. A comma-separated list of
# interface names, IP addresses, MAC addresses # interface names, IP addresses, MAC addresses