From 6110ef3aa7757df16a6e1a6f9bd82d4d814dbea3 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 13 Jun 2007 18:40:31 +0000
Subject: [PATCH] Validate classids

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6535 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/releasenotes.txt | 4 +++
 Shorewall-perl/Shorewall/Tc.pm | 57 ++++++++++++++++++-------------
 2 files changed, 37 insertions(+), 24 deletions(-)

diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index c5a262cd8..467d00b34 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -87,6 +87,10 @@ Other changes in Shorewall 4.0.0 Beta 5.
 --directory SHOREWALL_DIR
 --timestamp TIMESTAMP
 
+2) When TC_ENABLED=Internal, Shorewall-perl now validates classids in
+ the MARK/CLASSIFY column of /etc/shorewall/tcrules against the
+ classes generated by /etc/shorewall/tcclasses.
+
 Migration Considerations:
 
 1) You cannot simply upgrade your existing Shorewall package. You must
diff --git a/Shorewall-perl/Shorewall/Tc.pm b/Shorewall-perl/Shorewall/Tc.pm
index c5e4d9864..823e3594f 100644
--- a/Shorewall-perl/Shorewall/Tc.pm
+++ b/Shorewall-perl/Shorewall/Tc.pm
@@ -119,6 +119,8 @@ our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } , } );
+our %classids;
+
 sub process_tc_rule( $$$$$$$$$$ ) {
 my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = @_;
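Review bot: `our %classids;` introduces a new package-level hash with nothing saying what it holds or who fills it; a one-line comment at the declaration would help, e.g. `# classid => device; filled by setup_traffic_shaping(), consulted by process_tc_rule() when TC_ENABLED=Internal`. Since the new check in process_tc_rule() depends on this hash already being populated, the comment should also state that tcrules must be read after setup_traffic_shaping() has run. Nothing in the patch resets the hash, which is presumably fine for a single compilation run but worth knowing if the module is ever driven twice in one process.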
@@ -156,7 +158,12 @@ sub process_tc_rule( $$$$$$$$$$ ) {
 $mark = "$mark/0xFF" if $connmark = $tcsref->{connmark};
 } else {
- fatal_error "Invalid MARK ($original_mark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;
+ fatal_error "Invalid MARK ($original_mark)" unless $mark =~ /^([0-9]+|0x[0-9a-f]+)$/ and $designator =~ /^([0-9]+|0x[0-9a-f]+)$/;
+
+ if ( $config{TC_ENABLED} eq 'Internal' ) {
+ fatal_error "Unknown Class ($original_mark)}" unless $classids{$original_mark};
+ }
+
 $chain = 'tcpost';
 $classid = 1;
 $mark = $original_mark;
@@ -462,6 +469,8 @@ sub setup_traffic_shaping() {
 my $quantum = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
 my $dev = chain_base $device;
+ $classids{$classid}=$device;
+
 if ( $lastdevice ne $device ) {
 if ( $lastdevice ) {
 pop_indent;
@@ -522,29 +531,6 @@ sub setup_tc() {
 }
 }
- if ( my $fn = open_file 'tcrules' ) {
-
- while ( read_a_line ) {
-
- if ( $first_entry ) {
- progress_message2 "$doing $fn...";
- require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's' );
- $first_entry = 0;
- }
-
- my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line1 2, 10, 'tcrules file';
-
- if ( $mark eq 'COMMENT' ) {
- process_comment;
- } else {
- process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
- }
-
- }
-
- $comment = '';
- }
-
 if ( $capabilities{MANGLE_ENABLED} ) {
 my $mark_part = '';
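Review bot: The new error message inside the `if ( $config{TC_ENABLED} eq 'Internal' )` block carries a stray `}` after the closing parenthesis, so the brace ends up in the text shown to the user; the line should read `fatal_error "Unknown Class ($original_mark)" unless $classids{$original_mark};`. The lookup is also an exact string match on whatever was typed in tcrules, while the regex on the line above accepts both decimal and `0x` hex spellings for each half of the classid, so a hex-spelled reference to a class that does exist would presumably be rejected unless the key is normalized to the same form setup_traffic_shaping() stores. A short comment here noting that the check relies on tcrules being processed after setup_traffic_shaping() has filled `%classids` would save the next reader a trip to setup_tc(). process_tc_rule's body continues outside the hunk on both sides.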
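Review bot: `$classids{$classid}=$device;` is the only assignment in the hunk without spaces around `=`; `$classids{$classid} = $device;` matches the neighbouring `my $dev = chain_base $device;`. If two tcclasses entries can produce the same $classid, this assignment silently replaces the earlier device, and because the hash is only consulted for existence nothing would report the collision; unless that case is already rejected earlier in setup_traffic_shaping(), `fatal_error "Duplicate class ($classid)" if $classids{$classid};` before the assignment would surface it. setup_traffic_shaping()'s body starts and ends outside the hunk.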
@@ -578,6 +564,29 @@ sub setup_tc() {
 } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
 setup_traffic_shaping;
 }
+
+ if ( my $fn = open_file 'tcrules' ) {
+
+ while ( read_a_line ) {
+
+ if ( $first_entry ) {
+ progress_message2 "$doing $fn...";
+ require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' , 's' );
+ $first_entry = 0;
+ }
+
+ my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line1 2, 10, 'tcrules file';
+
+ if ( $mark eq 'COMMENT' ) {
+ process_comment;
+ } else {
+ process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
+ }
+
+ }
+
+ $comment = '';
+ }
 }
 
 1;
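Review bot: The tcrules loop is relocated to after the `TC_ENABLED` dispatch with nothing in the code explaining why, and the reason is order-dependent: process_tc_rule() now rejects a CLASSIFY target unless setup_traffic_shaping() has already recorded it in `%classids`, so this block must stay after that call. A comment on the moved `if ( my $fn = open_file 'tcrules' ) {` line such as `# must follow setup_traffic_shaping(): process_tc_rule() validates CLASSIFY classids against %classids` would keep a later reordering from silently disabling the check. setup_tc()'s body starts outside the hunk.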