forked from extern/shorewall_code
Change 'track' interaction with PREROUTING marking
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3861 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
cee575a5a2
commit
5c76e2a693
@ -10,6 +10,8 @@ Changes in 3.2.0 Beta 6
|
||||
|
||||
5) Fix default route generation in providers handling.
|
||||
|
||||
6) Change interraction of 'track' and PREROUTING marking.
|
||||
|
||||
Changes in 3.2.0 Beta 5
|
||||
|
||||
1) Fix compilation problem on LEAF Bering.
|
||||
|
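Review bot: Spelling in the new changelog entry 6: "interraction" should be "interaction". The same misspelling appears as "interracts" in both release-notes hunks, so fix them together.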
@ -3416,7 +3416,7 @@ process_tc_rule()
|
||||
fatal_error "Invalid mark value ($mark) in rule \"$rule\""
|
||||
;;
|
||||
esac
|
||||
elif [ -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
|
||||
elif [ $(($mask)) -ne 0 -a -n "$HIGH_ROUTE_MARKS" -a $chain = tcpre ]; then
|
||||
fatal_error "Marks < 256 may not be set in the PREROUTING chain when HIGH_ROUTE_MARKS=Yes"
|
||||
fi
|
||||
fi
|
||||
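Review bot: The new guard in process_tc_rule() tests $(($mask)), yet the error it gates is about the mark value, and the fatal_error just above it reports $mark. If the intent, per the release note, is to let a mark of zero through when HIGH_ROUTE_MARKS=Yes, test the mark instead (for example $(($mark)) -ne 0), or add a comment saying where mask is set on this path and why it is the right variable. The message also still reads "Marks < 256 may not be set", which no longer tells the user that zero is accepted; "Non-zero marks < 256" would match the new behaviour.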
@ -3543,7 +3543,13 @@ setup_tc1() {
|
||||
# packets that are not part of a marked connection to the 'tcpre/tcout' chains.
|
||||
#
|
||||
if [ -n "$ROUTEMARK_INTERFACES" ]; then
|
||||
mark_part="-m mark --mark 0"
|
||||
mark_part="-m mark --mark 0/0xFF00"
|
||||
#
|
||||
# But let marks in tcpre override those assigned by 'track'
|
||||
#
|
||||
for interface in $ROUTEMARK_INTERFACES; do
|
||||
run_iptables -t mangle -A PREROUTING -i $interface -j tcpre
|
||||
done
|
||||
fi
|
||||
|
||||
run_iptables -t mangle -A PREROUTING $mark_part -j tcpre
|
||||
|
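Review bot: mark_part in setup_tc1() is now hard-coded to --mark 0/0xFF00, and nothing in this hunk ties that mask to HIGH_ROUTE_MARKS. A mask of 0xFF00 ignores the low byte, so the final PREROUTING rule matches every packet whose mark is below 256, not only unmarked packets; please confirm that is intended when HIGH_ROUTE_MARKS is not set, or select the mask based on that option. Separately, a packet arriving on one of the ROUTEMARK_INTERFACES now hits the new "-i $interface -j tcpre" rule and, if its upper mark byte is zero, the general rule after the fi as well, so it traverses tcpre twice; add a guard or a comment stating that the second pass is acceptable.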
@ -51,12 +51,23 @@ Other changes in 3.2.0 Beta 6
|
||||
1) A TOS column has been added to /etc/shorewall/tcrules. This allows marking
|
||||
based on the contents of the TOS field in the packet header.
|
||||
|
||||
2) Beginning with this release, the way in which packet marking in the
|
||||
PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
|
||||
has changed in two ways:
|
||||
|
||||
a) Packets *arriving* on a tracked interface are now passed to the PREROUTING
|
||||
marking chain so that they may be marked with a mark other than the
|
||||
'track' mark (the connection still retains the 'track' mark).
|
||||
|
||||
b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
|
||||
in the PREROUTING chain (i.e., you can specify a mark value of zero).
|
||||
|
||||
Migration Considerations:
|
||||
|
||||
1) If you are upgrading from Shorewall 2.x, it is essential that you read
|
||||
the Shorewall 3.0.5 release notes:
|
||||
the Shorewall 3.0.6 release notes:
|
||||
|
||||
http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.5/releasenotes.txt
|
||||
http://www.shorewall.net/pub/shorewall/3.0/shorewall-3.0.6/releasenotes.txt
|
||||
|
||||
2) A number of macros have been split into two. The macros affected are:
|
||||
|
||||
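Review bot: In Migration Considerations item 1 the release-notes reference moves from 3.0.5 to 3.0.6 (both the sentence and the URL), which is unrelated to the 'track' change and is not mentioned in the commit message; commit it separately or note it in the message. In the new item 2, "interracts" should be "interacts".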
@ -144,6 +155,17 @@ Migration Considerations:
|
||||
Use "shorewall restart" instead if you need to reprocess the
|
||||
tcrules, tcdevices and tcclasses files.
|
||||
|
||||
7) Beginning with this release, the way in which packet marking in the
|
||||
PREROUTING chain interracts with the 'track' option in /etc/shorewall/providers
|
||||
has changed in two ways:
|
||||
|
||||
a) Packets arriving on a tracked interface are now passed to the PREROUTING
|
||||
marking chain so that they may be marked with a mark other than the
|
||||
'track' mark (the connection still retains the 'track' mark).
|
||||
|
||||
b) When HIGH_ROUTE_MARKS=Yes, you can still clear the mark on packets
|
||||
in the PREROUTING chain (i.e., you can specify a mark value of zero).
|
||||
|
||||
New Features:
|
||||
|
||||
1) Shorewall has always been very noisy (lots of messages). No longer.
|
||||
|
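Review bot: Migration item 7 repeats item 2 of "Other changes" almost word for word and does not tell the upgrader what to check. Since packets arriving on a tracked interface are "now" passed to the PREROUTING marking chain, say explicitly that existing PREROUTING entries in /etc/shorewall/tcrules matching such traffic will start to apply after the upgrade, and refer back to item 2 for the details rather than duplicating the text.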