diff --git a/Shorewall-common/accounting b/Shorewall-common/accounting index fbbc4e25c..5b38f2b80 100644 --- a/Shorewall-common/accounting +++ b/Shorewall-common/accounting @@ -7,6 +7,6 @@ # additional information about how to use this file. # ##################################################################################### -#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ +#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/ MARK # PORT(S) PORT(S) GROUP #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Shorewall-common/masq b/Shorewall-common/masq index 0c98c3efe..edce8c537 100644 --- a/Shorewall-common/masq +++ b/Shorewall-common/masq @@ -6,5 +6,5 @@ # For additional information, see http://shorewall.net/Documentation.htm#Masq # ############################################################################### -#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC +#INTERFACE SOURCE ADDRESS PROTO PORT(S) IPSEC MARK #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE diff --git a/Shorewall-common/rules b/Shorewall-common/rules index 3c2323951..93104ea14 100644 --- a/Shorewall-common/rules +++ b/Shorewall-common/rules @@ -6,7 +6,7 @@ # See http://shorewall.net/Documentation.htm#Rules for additional information. # ############################################################################################################# -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK # PORT PORT(S) DEST LIMIT GROUP #SECTION ESTABLISHED #SECTION RELATED diff --git a/Shorewall-common/tos b/Shorewall-common/tos index 659496516..711bd215c 100644 --- a/Shorewall-common/tos +++ b/Shorewall-common/tos 
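Review bot: In add_a_rule the new POLICY check (`@@ -1808`) tests `$mark` while every rule line the function emits uses the copy `$mrk` taken at `mrk="$mark"` (`@@ -1762`); the two hold the same value at that point so the check works, but reading one name throughout (`-a -z "$mrk"`) spares a reader from verifying that `mark` is not touched between the copy and the test. add_a_rule's body extends well beyond these hunks, so that cannot be confirmed from the diff. The new line in the parameter comment (`@@ -1621`) would be more useful as `# mark = Packet mark: N, !N (negated) or - (none)`, which is the syntax process_mark accepts.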
@@ -4,6 +4,6 @@ # For information about entries in this file, type "man shorewall-tos" # ############################################################################### -#SOURCE DEST PROTOCOL SOURCE DEST TOS +#SOURCE DEST PROTOCOL SOURCE DEST TOS MARK # PORTS PORTS #LAST LINE -- Add your entries above -- DO NOT REMOVE diff --git a/Shorewall-shell/compiler b/Shorewall-shell/compiler index de60e164d..410640fa1 100755 --- a/Shorewall-shell/compiler +++ b/Shorewall-shell/compiler @@ -1621,6 +1621,7 @@ __EOF__ # ratelimit = Optional rate limiting clause # userandgroup = -m owner clause # userspec = User name +# mark = Packet mark # logtag = Log tag # policy = Applicable Policy # @@ -1762,6 +1763,7 @@ add_a_rule() { servport=$serverport multiport= user="$userandgroup" + mrk="$mark" # Restore $chain to the canonical chain. @@ -1808,7 +1810,7 @@ add_a_rule() { # # This function is called from process_default_macro() after rules are DONE # - if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" ] ; then + if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" -a -z "$mark" ] ; then error_message "WARNING -- Rule \"$rule\" is a POLICY" error_message " -- and should be moved to the policy file" fi @@ -1867,7 +1869,7 @@ add_a_rule() { if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then if [ "$addr" = detect ]; then indent >&3 << __EOF__ - run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user -j $target + run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user $mrk -j $target done __EOF__ 
@@ -1875,44 +1877,44 @@ __EOF__ for adr in $(separate_list $addr); do if [ -n "$loglevel" -a -z "$natrule" ]; then log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \ - $user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state + $user $mrk $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state fi run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \ - $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target + $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user $mrk -j $target done fi else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ + log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \ $state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) fi if [ -n "$nonat" ]; then addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $(dest_ip_range $srv) $dports $ratelimit $user -j RETURN + $cli $sports $(dest_ip_range $srv) $dports $ratelimit $user $mrk -j RETURN fi if [ "$logtarget" != NONAT ]; then run_iptables2 -A $chain $state $proto $multiport $cli $sports \ - $(dest_ip_range $srv) $dports $ratelimit $user -j $target + $(dest_ip_range $srv) $dports $ratelimit $user $mrk -j $target fi fi done done else if [ -n "$loglevel" -a -z "$natrule" ]; then - log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ + log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \ $state $(fix_bang $proto $sports $multiport $cli $dports) fi [ -n "$nonat" ] && \ addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $user -j RETURN + $cli $sports $dports $ratelimit $user $mrk -j RETURN [ "$logtarget" != NONAT ] && \ run_iptables2 -A $chain $state $proto $multiport $cli 
$sports \ - $dports $ratelimit $user -j $target + $dports $ratelimit $user $mrk -j $target fi fi else @@ -1926,37 +1928,37 @@ __EOF__ if [ -n "$addr" ]; then for adr in $(separate_list $addr); do if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ + log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \ $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr) fi if [ "$logtarget" != LOG ]; then if [ -n "$nonat" ]; then addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j RETURN + $cli $sports $dports $ratelimit $user $mrk -m conntrack --ctorigdst $adr -j RETURN fi if [ "$logtarget" != NONAT ]; then run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ - $sports $dports $ratelimit $user -m conntrack --ctorigdst $adr -j $target + $sports $dports $ratelimit $user $mrk -m conntrack --ctorigdst $adr -j $target fi fi done else if [ -n "$loglevel" ]; then - log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \ + log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \ $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports) fi if [ "$logtarget" != LOG ]; then if [ -n "$nonat" ]; then addnatrule $(dnat_chain $source) $proto $multiport \ - $cli $sports $dports $ratelimit $user -j RETURN + $cli $sports $dports $ratelimit $user $mrk -j RETURN fi if [ "$logtarget" != NONAT ]; then run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \ - $sports $dports $ratelimit $user -j $target + $sports $dports $ratelimit $user $mrk -j $target fi fi fi 
@@ -2037,6 +2039,21 @@ process_ratelimit() { fi } +# +# Process the MARK column contents +# +process_mark() { + [ "x$mark" = "x-" ] && mark= + + if [ -n "$mark" ]; then + if [ "$mark" = "${mark%!*}" ]; then + mark="-m mark --mark $mark" + else + mark="-m mark ! --mark ${mark#*!}" + fi + fi +} + # # Combine a source/dest from the macro body with one from the macro invocation # @@ -2070,6 +2087,7 @@ process_rule() # $1 = target # $7 = address # $8 = ratelimit # $9 = userspec + # $10= mark { local target="$1" local clients="$2" @@ -2080,12 +2098,15 @@ process_rule() # $1 = target local address="$7" local ratelimit="$8" local userspec="$9" + local mark="${10}" local userandgroup= local logtag= local nonat= # # # # # F u n c t i o n B o d y # # # # # + process_mark + process_ratelimit # Isolate log level @@ -2427,6 +2448,7 @@ process_macro() # $1 = target # $7 = address # $8 = ratelimit # $9 = userspec + # $10= mark { local itarget="$1" local param="$2" @@ -2438,6 +2460,7 @@ process_macro() # $1 = target local iaddress="$8" local iratelimit="$9" local iuserspec="${10}" + local imark="${11}" progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..." @@ -2506,7 +2529,7 @@ process_macro() # $1 = target [ -n "$iuserspec" ] && [ "x${iuserspec}" != x- ] && muserspec=$iuserspec rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}" - process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec + process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec $imark done < $TMP_DIR/macro.${itarget%%:*} 
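Review bot: process_mark() detects negation with `[ "$mark" = "${mark%!*}" ]`, which treats a `!` anywhere in the value as negation, so a typo such as `5!` yields `-m mark ! --mark ` with an empty value that only fails later inside iptables; anchoring on a leading `!` with a `case` arm is tighter, and beyond that the value is passed through unvalidated into the generated rules. The same parse is duplicated inline in process_tos_rule (compiler `@@ -2942`), process_action (lib.actions `@@ -322`) and setup_masq (lib.nat `@@ -203`), and process_accounting_rule (lib.accounting `@@ -195`) carries a third variant that additionally maps `any|all` to "no match", so the accepted syntax already differs per file; one helper called from all five places would keep it consistent, assuming the lib.* files are sourced into the compiler's shell where this function is visible. The header comment should also say that the function rewrites the caller's `mark` in place (it reaches the `local mark` of process_rule through the shell's dynamic scoping) and turns it into an iptables match clause, e.g. `# Rewrites $mark in place: '-' -> empty, '!N' -> '-m mark ! --mark N', 'N' -> '-m mark --mark N'`.
```shell
#
# Rewrite $mark in place into an iptables match clause:
#   '-' or empty -> empty, '!N' -> '-m mark ! --mark N', 'N' -> '-m mark --mark N'
#
process_mark() {
    case $mark in
	''|-)
	    mark=
	    ;;
	!*)
	    mark="-m mark ! --mark ${mark#!}"
	    ;;
	*)
	    mark="-m mark --mark $mark"
	    ;;
    esac
}
```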
@@ -2545,10 +2568,10 @@ process_rules() fi fi if [ "$1" = Yes ]; then - process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark else - rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" - process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark" + process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark fi fi fi 
@@ -2612,16 +2635,16 @@ process_rules() esac if [ "$1" = Yes ]; then - process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark else - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" - process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark" + process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark fi } - while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do + while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xmark; do if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark" progress_message " Rule \"$rule\" ignored." continue fi @@ -2638,7 +2661,7 @@ process_rules() ;; COMMENT) if [ -n "$COMMENTS" ]; then - comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec) + comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark) save_command COMMENT=\"$comment\" else error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" @@ -2703,7 +2726,7 @@ process_rules() strip_file $f $fn do_it Yes else - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec" + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark" fatal_error "Invalid Action in rule \"$rule\"" fi fi 
@@ -2942,6 +2965,15 @@ process_tos_rule() { protocol="${protocol:+-p $protocol}" + [ "x$mark" = x- ] && mark= + if [ -n "$mark" ]; then + if [ "$mark" = "${mark%!*}" ]; then + mark="-m mark --mark $mark" + else + mark="-m mark ! --mark ${mark#*!}" + fi + fi + tos="-j TOS --set-tos $tos" case "$dstzone" in @@ -2964,24 +2996,24 @@ process_tos_rule() { case $srczone in $FW) run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $tos + $protocol $dest $dports $sports $mark $tos ;; all|ALL) run_iptables2 -t mangle -A outtos \ - $protocol $dest $dports $sports $tos + $protocol $dest $dports $sports $mark $tos run_iptables2 -t mangle -A $chain \ - $protocol $dest $dports $sports $tos + $protocol $dest $dports $sports $mark $tos ;; *) if [ -n "$src" ]; then run_iptables2 -t mangle -A $chain $src \ - $protocol $dest $dports $sports $tos + $protocol $dest $dports $sports $mark $tos else eval hosts=\$${srczone}_hosts for host in $hosts; do run_iptables2 -t mangle -A $chain $(match_source $host) \ - $protocol $dest $dports $sports $tos + $protocol $dest $dports $sports $mark $tos done fi ;; @@ -3013,8 +3045,8 @@ process_tos() # $1 = name of tos file createmanglechain $chain createmanglechain outtos - while read src dst protocol sport dport tos; do - rule="$(echo $src $dst $protocol $sport $dport $tos)" + while read src dst protocol sport dport tos mark; do + rule="$(echo $src $dst $protocol $sport $dport $tos $mark)" process_tos_rule done < $TMP_DIR/tos diff --git a/Shorewall-shell/lib.accounting b/Shorewall-shell/lib.accounting index 96ea5fe0e..d642e6b24 100644 --- a/Shorewall-shell/lib.accounting +++ b/Shorewall-shell/lib.accounting 
@@ -35,11 +35,11 @@ process_accounting_rule() { user1= accounting_error() { - error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user + error_message "WARNING: Invalid Accounting rule" $action $chain $source $dest $proto $port $sport $user $mark } accounting_interface_error() { - error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user + error_message "WARNING: Unknown interface $1 in " $action $chain $source $dest $proto $port $sport $user $mark } accounting_interface_verify() { @@ -195,6 +195,18 @@ process_accounting_rule() { ;; esac + [ -n "$mark" ] && case $mark in + -|any|all) + mark= + ;; + !*) + rule="$rule -m mark ! --mark ${mark#*!}" + ;; + *) + rule="$rule -m mark --mark $mark" + ;; + esac + case $action in COUNT) ;; @@ -239,7 +251,7 @@ setup_accounting() # $1 = Name of accounting file save_progress_message "Setting up Accounting..." - while read action chain source dest proto port sport user ; do + while read action chain source dest proto port sport user mark ; do process_accounting_rule done < $TMP_DIR/accounting diff --git a/Shorewall-shell/lib.actions b/Shorewall-shell/lib.actions index 3760bd590..4f1de00cd 100644 --- a/Shorewall-shell/lib.actions +++ b/Shorewall-shell/lib.actions @@ -245,6 +245,7 @@ process_action() # $1 = chain (Chain to add the rules to) # $8 = cports # $9 = ratelimit # $10 = userspec + # $11 = mark { local chain="$1" local action="$2" @@ -256,6 +257,7 @@ process_action() # $1 = chain (Chain to add the rules to) local cports="$8" local ratelimit="$9" local userspec="${10}" + local mark="${11}" local userandgroup= local logtag= 
@@ -322,6 +324,16 @@ process_action() # $1 = chain (Chain to add the rules to) [ "$userandgroup" = "-m owner" ] && userandgroup= fi + [ "x$mark" = "x-" ] && mark= + + if [ -n "$mark" ]; then + if [ "$mark" = "${mark%!*}" ]; then + mark="-m mark --mark $mark" + else + mark="-m mark ! --mark ${mark#*!}" + fi + fi + # Isolate log level if [ "$target" = "${target%:*}" ]; then @@ -579,7 +591,7 @@ process_actions1() { if [ -f $fn ]; then progress_message2 " Pre-processing $fn..." strip_file $f $fn - while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do + while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec $xmark; do temp="${xtarget%%:*}" case "$temp" in ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) @@ -600,7 +612,7 @@ process_actions1() { ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE) ;; *) - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark" fatal_error "Invalid Macro Parameter in rule \"$rule\"" ;; esac @@ -633,7 +645,7 @@ process_actions1() { progress_message " ..End Macro" else - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark" fatal_error "Invalid TARGET in rule \"$rule\"" fi fi @@ -715,7 +727,7 @@ process_action3() { progress_message2 "$DOING $(find_file $f) for Chain $xchain..." - while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec; do + while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec xmark; do # # Generate the target:level:tag to pass to process_action() # 
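Review bot: This hunk turns `mark` into a match clause inside process_action, but no line of the diff appends `$mark` to the rules process_action emits, unlike add_a_rule, where every run_iptables2/log_rule_limit call gained `$mrk`; unless the later body of process_action (outside the hunk) already includes `$mark`, the eleventh argument is parsed and then dropped, and a MARK column in an action file would be silently ignored. Worth confirming against the rest of the function, or adding `$mark` wherever process_action builds its iptables invocations. process_action's body continues past this hunk.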
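Review bot: The `read` list in process_actions1 (`@@ -579`) names the last two fields as `$xuserspec $xmark`, so the shell expands both to their current values (normally empty) before `read` runs and neither variable is ever assigned; the userspec and mark columns are instead folded into `xratelimit`, and the `rule="... $xuserspec $xmark"` strings in the error messages at `@@ -600` and `@@ -633` print stale or empty values. The `$xuserspec` mistake predates this commit, but the new `$xmark` repeats it; the loop in process_action3 (`@@ -715`) shows the correct form: `while read xtarget xclients xservers xprotocol xports xcports xratelimit xuserspec xmark; do`. Should either variable ever hold a non-empty value from an earlier pass, `read` would also be handed that value as a variable name and could fail outright.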
@@ -734,7 +746,7 @@ process_action3() { ;; COMMENT) if [ -n "$COMMENTS" ]; then - comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec) + comment=$(echo $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark) save_command COMMENT=\"$comment\" else error_message "COMMENT ignored -- requires comment support in iptables/Netfilter" @@ -817,13 +829,13 @@ process_action3() { [ -n "$xratelimit" ] && [ "x${xratelimit}" != x- ] && mratelimit=$xratelimit [ -n "$xuserspec" ] && [ "x${xuserspec}" != x- ] && muserspec=$xuserspec - rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-}" - process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec + rule="$mtarget ${mclients:=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${mratelimit:-} ${muserspec:=-} $xmark" + process_action $xchain $xaction1 $mtarget $mclients $mservers $mprotocol $mports $mcports $mratelimit $muserspec $xmark done < $TMP_DIR/macro.$xtarget1 progress_message "..End Macro" else - rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec" - process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec + rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark" + process_action $xchain $xaction1 $xaction2 $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec $xmark fi done < $TMP_DIR/$f diff --git a/Shorewall-shell/lib.nat b/Shorewall-shell/lib.nat index 443e0162e..a9dd9fd35 100644 --- a/Shorewall-shell/lib.nat +++ b/Shorewall-shell/lib.nat @@ -154,6 +154,8 @@ setup_masq() [ "x$proto" = x- ] && proto= [ "x$ports" = x- ] && ports= + [ "x$mark" = x- ] && mark= + if [ -n "$proto" ]; then displayproto="($proto)" 
@@ -203,6 +205,15 @@ setup_masq() [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)" fi + if [ -n "$mark" ]; then + displaymark="($mark)" + if [ "$mark" = "${mark%!*}" ]; then + mark="-m mark --mark $mark" + else + mark="-m mark ! --mark ${mark#*!}" + fi + fi + destination=${destnets:=0.0.0.0/0} [ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface) @@ -217,7 +228,7 @@ setup_masq() if [ -n "$networks" ]; then for s in $networks; do - addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain + addnatrule $chain $(source_ip_range $s) $proto $ports $mark $policy -j $newchain done networks= elif [ -n "$detectinterface" ]; then @@ -228,7 +239,7 @@ networks="\$(get_routed_networks $detectinterface)" [ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\"" for network in \$networks; do - run_iptables -t nat -A $chain -s \$network $proto $ports $policy -j $newchain + run_iptables -t nat -A $chain -s \$network $proto $ports $mark $policy -j $newchain done __EOF__ @@ -252,7 +263,7 @@ __EOF__ if [ -n "$networks" ]; then for s in $networks; do for destnet in $(separate_list $destnets); do - addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $policy -j $newchain + addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $mark $policy -j $newchain done done elif [ -n "$detectinterface" ]; then @@ -266,7 +277,7 @@ for network in \$networks; do __EOF__ for destnet in $(separate_list $destnets); do indent >&3 << __EOF__ - run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $newchain + run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain __EOF__ done indent >&3 << __EOF__ 
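Review bot: `displaymark="($mark)"` is only assigned when `mark` is non-empty, and setup_masq processes entries in the `while read ... ipsec mark` loop (`@@ -433`), so a value set for one masq entry persists into the next entry that has no MARK column unless something outside the hunk clears it; `displayproto` presumably has such a reset in its own else branch, which is not visible here. Either initialise it before the test, `displaymark=` on the line preceding `if [ -n "$mark" ]; then`, or drop the assignment if no progress message in setup_masq prints it, in which case it is dead code. Nothing in this diff reads `$displaymark`.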
@@ -275,7 +286,7 @@ done __EOF__ else for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain + addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain done fi @@ -379,7 +390,7 @@ __EOF__ if [ -n "$networks" ]; then for network in $networks; do for destnet in $(separate_list $destnets); do - addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $policy -j $target $addrlist + addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $mark $policy -j $target $addrlist done if [ -n "$addresses" ]; then @@ -399,7 +410,7 @@ for network in \$networks; do __EOF__ for destnet in $(separate_list $destnets); do indent >&3 << __EOF__ - run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist + run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist __EOF__ done @@ -417,7 +428,7 @@ __EOF__ else for destnet in $(separate_list $destnets); do - addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist + addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist done if [ -n "$addresses" ]; then @@ -433,11 +444,11 @@ __EOF__ progress_message2 "$DOING Masquerading/SNAT" save_progress_message "Setting up Masquerading/SNAT..." - while read fullinterface networks addresses proto ports ipsec; do + while read fullinterface networks addresses proto ports ipsec mark; do if [ -n "$NAT_ENABLED" ]; then if [ "x$fullinterface" = xCOMMENT ]; then if [ -n "$COMMENTS" ]; then - comment=$(echo $networks $addresses $proto $ports $ipsec) + comment=$(echo $networks $addresses $proto $ports $ipsec $mark) save_command COMMENT=\"$comment\" else error_message "COMMENT ignored -- requires comment support in iptables/Netfilter"