Change 'track' interraction with PREROUTING marking

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3861 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -10,6 +10,8 @@ Changes in 3.2.0 Beta 6
 
 5)  Fix default route generation in providers handling.
 
+6)  Change interraction of 'track' and PREROUTING marking.
+
 Changes in 3.2.0 Beta 5
 
 1)  Fix compilation problem on LEAF Bering.

Shorewall/compiler

@@ -3416,7 +3416,7 @@ process_tc_rule()
 			    fatal_error "Invalid mark value ($mark) in rule \"$rule\""
 			    ;;
 		    esac
-		elif [ -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
+		elif [ $(($mask)) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
 		    fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
 		fi
 	    fi
@@ -3543,7 +3543,13 @@ setup_tc1() {
     # packets that are not part of a marked connection to the 'tcpre/tcout' chains.
     #
     if [ -n "$ROUTEMARK_INTERFACES" ]; then
-	mark_part="-m mark --mark 0"
+	mark_part="-m mark --mark 0/0xFF00"
+	#
+	# But let marks in tcpre override those assigned by 'track'
+	#
+	for interface in $ROUTEMARK_INTERFACES; do
+	    run_iptables -t mangle -A PREROUTING -i $interface -j tcpre
+	done
     fi
 
     run_iptables -t mangle -A PREROUTING $mark_part -j tcpre

Shorewall/releasenotes.txt

@@ -51,12 +51,23 @@ Other changes in 3.2.0 Beta 6
 1)  A TOS column has been added to /etc/shorewall/tcrules. This allows marking
     based on the contents of the TOS field in the packet header.
 
+2)  Beginning with this release, the way in which packet marking in the
+    PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
+    has changed in two ways:
+
+    a)  Packets *arriving* on a tracked interface are now passed to the PREROUTING
+	marking chain so that they may be marked with a mark other than the
+	'track' mark (the connection still retains the 'track' mark).
+
+    b)  When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
+	in the PREROUTING chain (i.e., you can specify a mark value of zero).
+
 Migration Considerations:
 
 1)  If you are upgrading from Shorewall 2.x, it is essential that you read
-    the Shorewall 3.0.5 release notes:
+    the Shorewall 3.0.6 release notes:
 
-    http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/releasenotes.txt
+    http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.6/releasenotes.txt
 
 2)  A number of macros have been split into two.  The macros affected are:
 
@@ -144,6 +155,17 @@ Migration Considerations:
     Use "shorewall restart" instead if you need to reprocess the
     tcrules, tcdevices and tcclasses files.
 
+7)  Beginning with this release, the way in which packet marking in the
+    PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
+    has changed in two ways:
+
+    a)  Packets arriving on a tracked interface are now passed to the PREROUTING
+	marking chain so that they may be marked with a mark other than the
+	'track' mark (the connection still retains the 'track' mark).
+
+    b)  When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
+	in the PREROUTING chain (i.e., you can specify a mark value of zero).
+
 New Features:
 
 1)  Shorewall has always been very noisy (lots of messages). No longer.