From 3f903fe3f1c5167e42a70d635f7716bca3eb0ec9 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 7 Jul 2011 06:33:13 -0700
Subject: [PATCH] Allow IPv6 Address as the third argument to TPROXY - also update the manpages to describe TPROXY
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/IPAddrs.pm | 1 +
 Shorewall/Perl/Shorewall/Tc.pm | 14 +++++++-
 manpages/shorewall-tcrules.xml | 54 +++++++++++++++++++----------
 manpages6/shorewall6-tcrules.xml | 50 ++++++++++++++++++--------
 4 files changed, 86 insertions(+), 33 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/IPAddrs.pm b/Shorewall/Perl/Shorewall/IPAddrs.pm
index d126526d8..3baba11cc 100644
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -536,6 +536,7 @@ sub valid_6address( $ ) {
 }
 return 0 if @address > $max;
+ return 0 unless $address =~ /^[a-f:]+$/;
 return 0 unless ( @address == $max ) || $address =~ /::/;
 return 0 if $address =~ /:::/ || $address =~ /::.*::/;
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 9a2cea2b9..3721a090f 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -205,7 +205,15 @@ sub process_tc_rule( ) {
 my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
- fatal_error "Invalid MARK ($originalmark)" if defined $remainder || ! defined $mark || $mark eq '';
+ fatal_error "Invalid MARK ($originalmark)" unless defined $mark || $mark eq '';
+
+ if ( $remainder ) {
+ if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
+ $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
+ } else {
+ fatal_error "Invalid MARK ($originalmark)";
+ }
+ }
 my $chain = $globals{MARKING_CHAIN};
 my $target = 'MARK --set-mark';
@@ -376,6 +384,10 @@ sub process_tc_rule( ) {
 $target .= " --on-port $port";
 if ( supplied $ip ) {
+ if ( $family == F_IPV6 ) {
+ $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+ }
+
 validate_address $ip, 1;
 $target .= " --on-ip $ip";
 }
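Review bot: The new character-class check in valid_6address, `return 0 unless $address =~ /^[a-f:]+$/;`, rejects any address that contains a decimal digit or an uppercase hex digit, so ordinary addresses such as `2001:db8::1` or `::1` now fail validation and only strings built purely from a–f and colons pass. The intent is presumably to reject stray characters before the structural checks that follow, which needs the full hex alphabet: `return 0 unless $address =~ /^[0-9a-fA-F:]+$/;`. The rest of valid_6address, including whatever it does with an embedded dotted-quad tail before this point, is outside the hunk, so if that tail is still present here the class would also have to admit `.`.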
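Review bot: The rewritten guard in process_tc_rule, `fatal_error "Invalid MARK ($originalmark)" unless defined $mark || $mark eq '';`, can never fire: when `$mark` is undef the right operand `$mark eq ''` is true (with a warning), and when `$mark` is `''` the left operand is true, so the empty-mark rejection the removed line performed is silently lost; the De Morgan form of the old condition is `unless defined $mark && $mark ne ''`. The `$remainder` branch also keeps `$designator` exactly as the three-way split produced it, so for a mark like `TPROXY(1,80,2001:db8::1)` the designator becomes `db8` while `$mark` is reset to the whole string, and for `TPROXY(1,80,::1):F` the `:F` suffix ends up inside `$mark` instead of in `$designator`; what the later designator handling (outside this hunk) does with those values I cannot see, but neither looks intended. Splitting the designator off only after a closing parenthesis, as below, keeps both cases consistent; process_tc_rule starts and ends outside the hunk.
```perl
    my ( $mark, $designator, $remainder );

    # A parenthesised argument list may itself contain ':' (an IPv6 address),
    # so take the designator from after the closing ')' rather than the first ':'.
    if ( $originalmark =~ /^(\w+\(.*\))(?::([^:]*))?$/ ) {
        ( $mark, $designator ) = ( $1, $2 );
    } else {
        ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
        fatal_error "Invalid MARK ($originalmark)" if defined $remainder;
    }

    fatal_error "Invalid MARK ($originalmark)" unless defined $mark && $mark ne '';

    # … unchanged: my $chain = $globals{MARKING_CHAIN}; …
```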
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index d43a29772..c82814a9c 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -43,26 +43,11 @@ MARK/CLASSIFY - - {value|major:minor|RESTORE[/mask]|SAVE[/mask]|CONTINUE|SAME|COMMENT|IPMARK[([(src|dst}][,[mask1][,[mask2][,[shift]]]]])]}[:{C|F|P|T|CF|CP|CT|I:CI}] + mark - May assume one of the following values. + Where mark may assume one of the + following values. @@ -397,6 +382,39 @@ SAME $FW 0.0.0.0/0 tcp 80,443 above so that all of your minor classes will have a value > 256. + + + TPROXY(mark[/mask][,[port][,[address]]]) + + Transparently redirects a packet without altering the IP + header. Requires a local provider to be defined in shorewall-providers(5). + + There are three parameters to TPROXY - only the first + (mark) is required: + + + + mark - the MARK value + corresponding to the local provider in shorewall-providers(5). + + + + port - the port on which + the proxy server is listening. If omitted, the original + destination port. + + + + address - a local (to the + firewall) IP address on which the proxy server is listening. + If omitted, the IP address of the interface on which the + request arrives. + + + diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml index 784f3730c..a139e8aa3 100644 --- a/manpages6/shorewall6-tcrules.xml +++ b/manpages6/shorewall6-tcrules.xml @@ -43,22 +43,11 @@ MARK/CLASSIFY - - {value|major:minor|RESTORE[/mask]|SAVE[/mask]|CONTINUE|COMMENT}[:{C|F|P|T|CF|CP|CT|I|CI}] + mark - May assume one of the following values. + mark may assume one of the + following values. 
@@ -290,6 +279,39 @@ SAME $FW 0.0.0.0/0 tcp 80,443 To stop the comment from being attached to further rules, simply include COMMENT on a line by itself. + + + TPROXY(mark[/mask][,[port][,[address]]]) + + Transparently redirects a packet without altering the IP + header. Requires a local provider to be defined in shorewall6-providers(5). + + There are three parameters to TPROXY - only the first + (mark) is required: + + + + mark - the MARK value + corresponding to the local provider in shorewall6-providers(5). + + + + port - the port on which + the proxy server is listening. If omitted, the original + destination port. + + + + address - a local (to the + firewall) IP address on which the proxy server is listening. + If omitted, the IP address of the interface on which the + request arrives. + + +