Add a PROBABILITY column to the tcrules file.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
c4768d4a4a
commit
6f5ab698b4
@ -183,6 +183,7 @@ our %EXPORT_TAGS = (
|
||||
do_helper
|
||||
validate_helper
|
||||
do_headers
|
||||
do_probability
|
||||
do_condition
|
||||
have_ipset_rules
|
||||
record_runtime_address
|
||||
@ -4123,7 +4124,21 @@ sub do_headers( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
"-m ipv6header ${invert}--header ${headers} ${soft}";
|
||||
"-m ipv6header ${invert}--header ${headers} ${soft} ";
|
||||
}
|
||||
|
||||
sub do_probability( $ ) {
|
||||
my $probability = shift;
|
||||
|
||||
return '' if $probability eq '-';
|
||||
|
||||
require_capability 'STATISTIC_MATCH', 'A non-empty PROBABILITY column', 's';
|
||||
|
||||
my $invert = $probability =~ s/^!// ? '! ' : "";
|
||||
|
||||
fatal_error "Invalid PROBABILITY ($probability)" unless $probability =~ /^0?\.\d{1,8}$/;
|
||||
|
||||
"-m statistic --mode random --probability $probability ";
|
||||
}
|
||||
|
||||
#
|
||||
|
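Review bot: `$invert` is computed by the `s/^!//` on the PROBABILITY value but is never used, so the returned match string silently drops a leading `!` and a rule written with `!` is emitted as a plain, non-inverted probability match. do_headers in the same hunk interpolates its `${invert}` into the match and do_probability should follow suit: `"-m statistic --mode random ${invert}--probability $probability ";`. The validation regex `/^0?\.\d{1,8}$/` also rejects `1` and `1.0` (while accepting `.0`), whereas the manpage text added in this commit documents the range as 0 < probability <= 1; either widen the pattern, e.g. `/^(?:0?\.\d{1,8}|1(?:\.0{1,8})?)$/`, or correct the documentation to match what is accepted. Using `\z` rather than `$` would additionally keep a trailing newline from slipping past the check, though split_line1 may already strip it.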
@ -194,8 +194,15 @@ sub initialize( $ ) {
|
||||
}
|
||||
|
||||
sub process_tc_rule( ) {
|
||||
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) =
|
||||
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
|
||||
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
|
||||
if ( $family == F_IPV4 ) {
|
||||
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
|
||||
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
|
||||
$headers = '-';
|
||||
} else {
|
||||
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) =
|
||||
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
|
||||
}
|
||||
|
||||
our @tccmd;
|
||||
|
||||
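Review bot: The two split_line1 calls repeat the same twelve leading column positions and differ only in where headers and probability sit, which invites the IPv4 and IPv6 layouts to drift apart on the next column addition; a shared base map would avoid that, e.g. `my %columns = ( mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11 );` followed by `{ %columns, probability => 12 }` for IPv4 and `{ %columns, headers => 12, probability => 13 }` for IPv6. process_tc_rule's body continues outside the hunk.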
@ -243,6 +250,7 @@ sub process_tc_rule( ) {
|
||||
|
||||
$source = '';
|
||||
} elsif ( $source =~ s/^($fw):// ) {
|
||||
fatal_error ":F is not allowed when the SOURCE is the firewall" if ( $designator || '' ) eq 'F';
|
||||
$chain = 'tcout';
|
||||
}
|
||||
}
|
||||
@ -497,7 +505,8 @@ sub process_tc_rule( ) {
|
||||
do_tos( $tos ) .
|
||||
do_connbytes( $connbytes ) .
|
||||
do_helper( $helper ) .
|
||||
do_headers( $headers ) ,
|
||||
do_headers( $headers ) .
|
||||
do_probability( $probability ) ,
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
|
@ -9,6 +9,7 @@
|
||||
#
|
||||
# See http://shorewall.net/PacketMarking.html for a detailed description of
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
######################################################################################################################
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
|
||||
######################################################################################################################################
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY
|
||||
# PORT(S) PORT(S)
|
||||
|
||||
|
@ -9,6 +9,6 @@
|
||||
#
|
||||
# See http://shorewall.net/PacketMarking.html for a detailed description of
|
||||
# the Netfilter/Shorewall packet marking mechanism.
|
||||
##################################################################################################################################
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS
|
||||
##############################################################################################################################################
|
||||
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY
|
||||
# PORT(S) PORT(S)
|
||||
|
@ -32,7 +32,7 @@
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">SOURCE</emphasis> (Optional) - {<emphasis
|
||||
role="bold">-</emphasis>|<emphasis>interface</emphasis>|<emphasis>address</emphasis>|<emphasis>interface</emphasis><firstterm>:</firstterm><emphasis>address</emphasis>}</term>
|
||||
role="bold">-</emphasis>|[&]<emphasis>interface</emphasis>|<emphasis>address</emphasis>|<emphasis>interface</emphasis><firstterm>:</firstterm><emphasis>address</emphasis>}</term>
|
||||
|
||||
<listitem>
|
||||
<para>An ip <emphasis>address</emphasis> (network or host) that
|
||||
@ -41,6 +41,11 @@
|
||||
and an address. If the device <emphasis role="bold">lo</emphasis> is
|
||||
specified, the packet must originate from the firewall
|
||||
itself.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.0, you may specify
|
||||
&<replaceable>interface</replaceable> in this column to indicate
|
||||
that the source is the primary IP address of the named
|
||||
interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -827,6 +827,21 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp</programlisting></para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROBABILITY</emphasis> -
|
||||
[probability]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.0. When non-empty, requires the
|
||||
<firstterm>Statistics Match</firstterm> capability in your kernel
|
||||
and ip6tables and causes the rule to match randomly but with the
|
||||
given <replaceable>probability</replaceable>. The
|
||||
<replaceable>probability</replaceable> is a number 0 <
|
||||
<replaceable>probability</replaceable> <= 1 and may be expressed
|
||||
at up to 8 decimal points of precision.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|
@ -41,6 +41,11 @@
|
||||
and an address. If the device <emphasis role="bold">lo</emphasis> is
|
||||
specified, the packet must originate from the firewall
|
||||
itself.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.0, you may specify
|
||||
&<replaceable>interface</replaceable> in this column to indicate
|
||||
that the source is the primary IP address of the named
|
||||
interface.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -778,6 +778,21 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
|
||||
role="bold">!</emphasis> is omitted.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><emphasis role="bold">PROBABILITY</emphasis> -
|
||||
[probability]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Added in Shorewall 4.5.0. When non-empty, requires the
|
||||
<firstterm>Statistics Match</firstterm> capability in your kernel
|
||||
and ip6tables and causes the rule to match randomly but with the
|
||||
given <replaceable>probability</replaceable>. The
|
||||
<replaceable>probability</replaceable> is a number 0 <
|
||||
<replaceable>probability</replaceable> <= 1 and may be expressed
|
||||
at up to 8 decimal points of precision.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect1>
|
||||
|
||||
|