Big cleanup of TOS handling

- Validate settings/matches
- Allow setting in the tcrules file.
- Deprecate /etc/shorewall[6]/tos

Shorewall/Perl/Shorewall/Chains.pm

@@ -191,6 +191,7 @@ our %EXPORT_TAGS = (
 				       do_time
 				       do_user
 				       do_length
+				       decode_tos
 				       do_tos
 				       do_connbytes
 				       do_helper
@@ -395,6 +396,11 @@ our %dscpmap = ( CS0  => 0x00,
 		 EF   => 0x2e,
 	       );
 
+our %tosmap = ( 'Minimize-Delay'       => 0x10,
+		'Maximize-Throughput'  => 0x08,
+		'Maximize-Reliability' => 0x04,
+		'Minimize-Cost'        => 0x02,
+		'Normal-Service'       => 0x00 );
 #
 # These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
@@ -4069,13 +4075,53 @@ sub do_user( $ ) {
     $rule;
 }
 
+
+
 #
 # Create a "-m tos" match for the passed TOS
 #
-sub do_tos( $ ) {
-    my $tos = $_[0];
+# This helper is also used during tos file processing
+#
+sub decode_tos( $$ ) {
+    my ( $tos, $set ) = @_;
 
-    $tos ne '-' ? "-m tos --tos $tos " : '';
+    if ( $tos eq '-' ) {
+	fatal_error [ '',                                            # 0
+		      'A value must be supplied in the TOS column',  # 1
+		      'Invalid TOS() parameter (-)',                 # 2
+		    ]->[$set] if $set;
+	return '';
+    }
+
+    my $mask = 0xff;
+    my $value;
+
+    if ( $tos =~ m"^(.+)/(.+)$" ) {
+	$value = numeric_value $1;
+	$mask  = numeric_value $2;
+    } elsif ( ! defined ( $value = numeric_value( $tos ) ) ) {
+	$value = $tosmap{$tos};
+	$mask  = 0x3f;
+    }
+
+    fatal_error( [ 'Invalid TOS column value',
+		   'Invalid TOS column value',
+		   'Invalid TOS() parameter', ]->[$set] . " ($tos)" )
+	unless ( defined $value &&
+		 $value <= 0xff &&
+		 defined $mask  &&
+		 $mask <= 0xff );
+
+    warning_message "Unmatchable TOS ($tos)" unless $set || $value & $mask;
+
+    $tos = in_hex( $value) . '/' . in_hex( $mask ) . ' ';
+
+    $set ? " --set-tos $tos" : "-m tos --tos $tos ";
+
+}
+
+sub do_tos( $ ) {
+    decode_tos( $_[0], 0 );
 }
 
 my %dir = ( O => 'original' ,

Shorewall/Perl/Shorewall/Misc.pm

@@ -67,18 +67,17 @@ sub process_tos() {
     my $chain    = have_capability( 'MANGLE_FORWARD' ) ? 'fortos'  : 'pretos';
     my $stdchain = have_capability( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING';
 
-    my %tosoptions = ( 'minimize-delay'       => 0x10 ,
-		       'maximize-throughput'  => 0x08 ,
-		       'maximize-reliability' => 0x04 ,
-		       'minimize-cost'        => 0x02 ,
-		       'normal-service'       => 0x00 );
-
-    if ( my $fn = open_file 'tos' ) {
+   if ( my $fn = open_file 'tos' ) {
 	my $first_entry = 1;
 
 	my ( $pretosref, $outtosref );
 
-	first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; 
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
+			   $pretosref = ensure_chain 'mangle' , $chain; 
+			   $outtosref = ensure_chain 'mangle' , 'outtos';
+		       }
+		   );
 
 	while ( read_a_line ) {
 
@@ -86,14 +85,7 @@ sub process_tos() {
 
 	    $first_entry = 0;
 
-	    fatal_error 'A value must be supplied in the TOS column' if $tos eq '-';
-
-	    if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
-		$tos = $tosval;
-	    } else {
-		my $val = numeric_value( $tos );
-		fatal_error "Invalid TOS value ($tos)" unless defined( $val ) && $val < 0x1f;
-	    }
+	    $tos = decode_tos( $tos , 1 );
 
 	    my $chainref;
 
@@ -129,7 +121,7 @@ sub process_tos() {
 		$src ,
 		$dst ,
 		'' ,
-		"TOS --set-tos $tos" ,
+		'TOS' . $tos ,
 		'' ,
 		'TOS' ,
 		'';

Shorewall/Perl/Shorewall/Tc.pm

@@ -380,11 +380,15 @@ sub process_tc_rule( ) {
 		       DSCP => sub() {
 			                  assert( $cmd =~ /^DSCP\((\w+)\)$/ );
 					  require_capability 'DSCP_TARGET', 'The DSCP action', 's'; 
-					  my $dscp = numeric_value( $1);
+					  my $dscp = numeric_value( $1 );
 					  $dscp = $dscpmap{$1} unless defined $dscp;
 					  fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 					  $target .= ' --set-dscp ' . in_hex( $dscp );
-				      }
+				      },
+		       TOS => sub() {
+			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
+					  $target .= decode_tos( $1 , 2 );
+				      },
 		     );
 
     if ( $source ) {
@@ -2017,6 +2021,12 @@ sub setup_tc() {
 			  mask      => '',
 			  connmark  => 0
 			},
+			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+			  target    => 'TOS',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
 		      );
 
 	if ( my $fn = open_file 'tcrules' ) {

Shorewall/configfiles/tos

@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall-tos"
 #
 ###############################################################################
-#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS	MARK
+#SOURCE		DEST		PROTOCOL	DEST	SOURCE	TOS	MARK
 #						PORTS	PORTS

Shorewall/manpages/shorewall-tcrules.xml

@@ -503,6 +503,35 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
     AF43 =&gt; 0x26
     EF   =&gt; 0x2e</programlisting>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
+              Service</firstterm> field in the IP header. The
+              <replaceable>tos</replaceable> value may be given as an number
+              (hex or decimal) or as the name of a TOS type. Valid type names
+              and their associated hex numeric values are:</para>
+
+              <programlisting>Minimize-Delay       =&gt; 0x10,
+Maximize-Throughput  =&gt; 0x08,
+Maximize-Reliability =&gt; 0x04,
+Minimize-Cost        =&gt; 0x02,
+Normal-Service       =&gt; 0x00</programlisting>
+
+              <para>When <replaceable>tos</replaceable> is given as a number,
+              it may be optionally followed by '/' and a
+              <replaceable>mask</replaceable>. When no
+              <replaceable>mask</replaceable> is given, the value 0xff is
+              assumed. When <replaceable>tos</replaceable> is given as a type
+              name, the <replaceable>mask</replaceable> 0x3f is
+              assumed.</para>
+
+              <para>The action performed is to zero out the bits specified by
+              the <replaceable>mask</replaceable>, then set the bits specified
+              by <replaceable>tos</replaceable>.</para>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>

Shorewall/manpages/shorewall-tos.xml

@@ -23,7 +23,9 @@
   <refsect1>
     <title>Description</title>
 
-    <para>This file defines rules for setting Type Of Service (TOS)</para>
+    <para>This file defines rules for setting Type Of Service (TOS). Its use
+    is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
+    <ulink url="shorewall-tcrules.html">shorewall-tcrules</ulink> (5).</para>
 
     <para>The columns in the file are as follows (where the column name is
     followed by a different name in parentheses, the different name is used in

Shorewall6/configfiles/tos

@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall6-tos"
 #
 ###############################################################################
-#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS	MARK
+#SOURCE		DEST		PROTOCOL	DEST	SOURCE	TOS	MARK
 #						PORTS	PORTS

Shorewall6/manpages/shorewall6-tcrules.xml

@@ -400,6 +400,35 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
     AF43 =&gt; 0x26
     EF   =&gt; 0x2e</programlisting>
             </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
+              Service</firstterm> field in the IP header. The
+              <replaceable>tos</replaceable> value may be given as an number
+              (hex or decimal) or as the name of a TOS type. Valid type names
+              and their associated hex numeric values are:</para>
+
+              <programlisting>Minimize-Delay       =&gt; 0x10,
+Maximize-Throughput  =&gt; 0x08,
+Maximize-Reliability =&gt; 0x04,
+Minimize-Cost        =&gt; 0x02,
+Normal-Service       =&gt; 0x00</programlisting>
+
+              <para>When <replaceable>tos</replaceable> is given as a number,
+              it may be optionally followed by '/' and a
+              <replaceable>mask</replaceable>. When no
+              <replaceable>mask</replaceable> is given, the value 0xff is
+              assumed. When <replaceable>tos</replaceable> is given as a type
+              name, the <replaceable>mask</replaceable> 0x3f is
+              assumed.</para>
+
+              <para>The action performed is to zero out the bits specified by
+              the <replaceable>mask</replaceable>, then set the bits specified
+              by <replaceable>tos</replaceable>.</para>
+            </listitem>
           </orderedlist>
         </listitem>
       </varlistentry>

Shorewall6/manpages/shorewall6-tos.xml

@@ -23,7 +23,10 @@
   <refsect1>
     <title>Description</title>
 
-    <para>This file defines rules for setting Type Of Service (TOS)</para>
+    <para>This file defines rules for setting Type Of Service (TOS). Its use
+    is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
+    <ulink url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>
+    (5).</para>
 
     <para>The columns in the file are as follows.</para>