Tweak 'tracked' interface handling
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7831 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
d946e11fc4
commit
6bb6ff5e14
@ -14,6 +14,8 @@ Changes in 4.1.2
|
||||
|
||||
7) Tighten up HIGH_ROUTE_MARKS in the OUTPUT chain.
|
||||
|
||||
8) Tweak 'track'.
|
||||
|
||||
Changes in 4.1.1
|
||||
|
||||
1) Fix ULOG/NFLOG output.
|
||||
|
@ -131,6 +131,22 @@ Other changes in Shorewall 4.1.2.
|
||||
there. Packet marking rules for traffic shaping of packets
|
||||
originating on the firewall must be coded in the POSTROUTING table.
|
||||
|
||||
3) The behavior of the 'track' provider has been changed subtly when
|
||||
TC_EXPERT=No.
|
||||
|
||||
Previously, traffic entering from a tracked interface was subjected
|
||||
to PREROUTING marking. This was to allow the PREROUTING rules to
|
||||
clear the packet mark, thus causing the packet to be routed using
|
||||
the 'main' table (table 254).
|
||||
|
||||
Beginning with Shorewall 4.1.2, when a packet enters on a tracked
|
||||
interface, the packet mark will be cleared unconditionally and the
|
||||
packet will be routed based on the main table.
|
||||
|
||||
This change should be transparent to most users. Users who use
|
||||
PREROUTING marks to route between two tracked interface are advised
|
||||
to switch to TC_EXPORT=Yes.
|
||||
|
||||
Migration Issues.
|
||||
|
||||
1) Previously, when HIGH_ROUTE_MARKS=Yes, Shorewall allowed non-zero
|
||||
@ -139,6 +155,22 @@ Migration Issues.
|
||||
there. Packet marking rules for traffic shaping of packets
|
||||
originating on the firewall must be coded in the POSTROUTING table.
|
||||
|
||||
2) The behavior of the 'track' provider has been changed subtly when
|
||||
TC_EXPERT=No.
|
||||
|
||||
Previously, traffic entering from a tracked interface was subjected
|
||||
to PREROUTING marking. This was to allow the PREROUTING rules to
|
||||
clear the packet mark, thus causing the packet to be routed using
|
||||
the 'main' table (table 254).
|
||||
|
||||
Beginning with Shorewall 4.1.2, when a packet enters on a tracked
|
||||
interface, the packet mark will be cleared unconditionally and the
|
||||
packet will be routed based on the main table.
|
||||
|
||||
This change should be transparent to most users. Users who use
|
||||
PREROUTING marks to route between two tracked interface are advised
|
||||
to switch to TC_EXPORT=Yes.
|
||||
|
||||
New Features in Shorewall 4.1.
|
||||
|
||||
1) Shorewall 4.1 contains experimental support for multiple Internet
|
||||
|
@ -233,7 +233,7 @@ get_config() {
|
||||
[ -n "$STARTUP_LOG" ] || $LOG_VERBOSITY=-1;
|
||||
;;
|
||||
*)
|
||||
echo " ERROR: INvalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2
|
||||
echo " ERROR: Invalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2
|
||||
exit 2;
|
||||
;;
|
||||
esac
|
||||
@ -256,10 +256,27 @@ get_config() {
|
||||
fi
|
||||
fi
|
||||
|
||||
[ -n "${VERBOSITY:=2}" ]
|
||||
case $VERBOSITY in
|
||||
-1|0|1|2)
|
||||
;;
|
||||
*)
|
||||
if [ -n "$VERBOSITY" ]; then
|
||||
echo " ERROR: Invalid VERBOSITY setting ($VERBOSITY)" >&2
|
||||
exit 2
|
||||
else
|
||||
VERBOSITY=2
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
|
||||
[ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
|
||||
|
||||
if [ $VERBOSE -lt -1 ]; then
|
||||
VERBOSE=-1
|
||||
elif [ $VERBOSE -gt 2 ]; then
|
||||
VERBOSE=2
|
||||
fi
|
||||
|
||||
export VERBOSE
|
||||
|
||||
[ -n "${HOSTNAME:=$(hostname)}" ]
|
||||
|
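Review bot: The context line `[ -n "$STARTUP_LOG" ] || $LOG_VERBOSITY=-1;` in the first hunk of get_config() carries a stray `$` on the assignment target, so when STARTUP_LOG is empty the shell expands it to something like `2=-1` and tries to execute that as a command instead of disabling startup logging; it should read `[ -n "$STARTUP_LOG" ] || LOG_VERBOSITY=-1`, and the adjacent message-typo fix in this commit leaves it untouched. In the second hunk the new range check covers only VERBOSITY: `VERBOSE=$USE_VERBOSITY` accepts whatever USE_VERBOSITY holds, so a non-numeric value still reaches `[ $VERBOSE -lt -1 ]` and fails there with a shell error rather than the clear "Invalid VERBOSITY" message; presumably USE_VERBOSITY comes from an already-parsed command-line option, in which case this is acceptable but worth a comment. The `else VERBOSITY=2` branch of the new case statement is unreachable, since `${VERBOSITY:=2}` on the preceding line has already replaced an empty value. get_config() starts before the first hunk and the case statement that the first hunk's `;;`/`*)` lines belong to is cut at its top.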
@ -552,10 +552,10 @@ sub setup_tc() {
|
||||
my $mark_part = '';
|
||||
|
||||
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
|
||||
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
|
||||
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m connmark --mark 0/0xFF00' : '-m connmark --mark 0/0xFF';
|
||||
|
||||
for my $interface ( @routemarked_interfaces ) {
|
||||
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
|
||||
add_rule $mangle_table->{PREROUTING} , "-i $interface -j MARK --set-mark 0";
|
||||
}
|
||||
}
|
||||
|
||||
|
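Review bot: `-j MARK --set-mark 0` on the new tracked-interface rule zeroes all 32 mark bits, not just the route-mark field that HIGH_ROUTE_MARKS selects (0xFF00 or 0xFF, as the `$mark_part` line directly above encodes), so any bits an earlier PREROUTING rule placed outside that field are clobbered too; if the target iptables accepts a mask on MARK, `--set-mark 0/0xFF00` (or `0/0xFF`) scoped to the same mask as `$mark_part` would clear only the routing mark, which is what the release notes describe. The loop also deserves a why-comment, e.g. `# TC_EXPERT=No: traffic entering a tracked interface is routed via the main table, so clear its routing mark here`. Separately, the release notes in this commit advise users to switch to `TC_EXPORT=Yes`, while the code tests `$config{TC_EXPERT}`; the option name in the notes looks like a typo. setup_tc() begins and ends outside the hunk.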