From 6f5ab698b45e0e02fae0abcb7439d9e82e49e517 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 6 Jan 2012 12:54:37 -0800
Subject: [PATCH] Add a PROBABILITY column to the tcrules file.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 17 ++++++++++++++++-
 Shorewall/Perl/Shorewall/Tc.pm | 15 ++++++++++++---
 Shorewall/configfiles/tcrules | 5 +++--
 Shorewall6/configfiles/tcrules | 4 ++--
 manpages/shorewall-route_rules.xml | 7 ++++++-
 manpages/shorewall-tcrules.xml | 15 +++++++++++++++
 manpages6/shorewall6-route_rules.xml | 5 +++++
 manpages6/shorewall6-tcrules.xml | 15 +++++++++++++++
 8 files changed, 74 insertions(+), 9 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index a82d4baf7..19b4f98b7 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -183,6 +183,7 @@ our %EXPORT_TAGS = (
 do_helper
 validate_helper
 do_headers
+ do_probability
 do_condition
 have_ipset_rules
 record_runtime_address
@@ -4123,7 +4124,21 @@ sub do_headers( $ ) {
 }
 }
 
- "-m ipv6header ${invert}--header ${headers} ${soft}";
+ "-m ipv6header ${invert}--header ${headers} ${soft} ";
+}
+
+sub do_probability( $ ) {
+ my $probability = shift;
+
+ return '' if $probability eq '-';
+
+ require_capability 'STATISTIC_MATCH', 'A non-empty PROBABILITY column', 's';
+
+ my $invert = $probability =~ s/^!// ? '! ' : "";
+
+ fatal_error "Invalid PROBABILITY ($probability)" unless $probability =~ /^0?\.\d{1,8}$/;
+
+ "-m statistic --mode random --probability $probability ";
+}
 
 #
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 6d6cabbde..a25b4e5be 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
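Review bot: In the second Chains.pm hunk, `do_probability` computes `$invert` from a leading `!` but never emits it, so a column value written as `!0.25` is silently generated as a plain 0.25 match instead of its negation; the return line should read `"-m statistic --mode random ${invert}--probability $probability "`. The validation regex `/^0?\.\d{1,8}$/` also rejects `1` and `1.0`, although the man page hunks in this same commit document `0 < probability <= 1`; something like `/^(?:0?\.\d{1,8}|1(?:\.0{1,8})?)\z/` accepts the documented range, and `\z` instead of `$` keeps a trailing newline from slipping through. The bare trailing string relies on Perl's implicit return value; an explicit `return "-m statistic ... ";` matches the early `return ''` a few lines above and reads more clearly. The enclosing `do_headers` begins before the hunk, so only its tail is visible here.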
@@ -194,8 +194,15 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
- my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) =
- split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
+ my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
+ if ( $family == F_IPV4 ) {
+ ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
+ split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
+ $headers = '-';
+ } else {
+ ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) =
+ split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
+ }
 
 our @tccmd;
 
@@ -243,6 +250,7 @@ sub process_tc_rule( ) {
 $source = '';
 } elsif ( $source =~ s/^($fw):// ) {
+ fatal_error ":F is not allowed when the SOURCE is the firewall" if ( $designator || '' ) eq 'F';
 $chain = 'tcout';
 }
 }
 
@@ -497,7 +505,8 @@ sub process_tc_rule( ) {
 do_tos( $tos ) .
 do_connbytes( $connbytes ) .
 do_helper( $helper ) .
- do_headers( $headers ) ,
+ do_headers( $headers ) .
+ do_probability( $probability ) ,
 $source ,
 $dest ,
 '' ,
diff --git a/Shorewall/configfiles/tcrules b/Shorewall/configfiles/tcrules
index e8308797a..74b58bb63 100644
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
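Review bot: The IPv4 branch at the top of `process_tc_rule` assigns the sentinel `'-'` to `$headers` without saying why, and the reader has to know that `'-'` is the value the `do_*` helpers treat as an empty column; a comment such as `# IPv4 tcrules has no HEADERS column; '-' is the "empty column" value that do_headers() skips` on that line would make the intent explicit. The same comment should mention that PROBABILITY is positional and therefore column 13 on IPv4 but column 14 on IPv6, which is why the two `split_line1` maps differ — the two tcrules templates touched by this commit show the same split. The `:F` check added in the second hunk is unrelated to the PROBABILITY feature and reads `$designator`, which is presumably set earlier in the sub outside the hunk; it would be clearer as its own commit with its own message. `process_tc_rule` continues past the last hunk.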
@@ -9,6 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################
-#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER
+######################################################################################################################################
+#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY
 # PORT(S) PORT(S)
+
diff --git a/Shorewall6/configfiles/tcrules b/Shorewall6/configfiles/tcrules
index 1c5b86025..ba36f4a21 100644
--- a/Shorewall6/configfiles/tcrules
+++ b/Shorewall6/configfiles/tcrules
@@ -9,6 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##################################################################################################################################
-#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS
+##############################################################################################################################################
+#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY
 # PORT(S) PORT(S)
diff --git a/manpages/shorewall-route_rules.xml b/manpages/shorewall-route_rules.xml
index bebfd96d4..22f6573dc 100644
--- a/manpages/shorewall-route_rules.xml
+++ b/manpages/shorewall-route_rules.xml
@@ -32,7 +32,7 @@ SOURCE (Optional) - {-|interface|address|interface:address} + role="bold">-|[&]interface|address|interface:address} An ip address (network or host) that
@@ -41,6 +41,11 @@ and an address. If the device lo is specified, the packet must originate from the firewall itself. + + Beginning with Shorewall 4.5.0, you may specify + &interface in this column to indicate + that the source is the primary IP address of the named + interface. diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index cf433474d..ef91ea521 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -827,6 +827,21 @@ SAME $FW 0.0.0.0/0 tcp 80,443 4:T 0.0.0.0/0 0.0.0.0/0 TCP - - - - - - - ftp + + + PROBABILITY - + [probability] + + + Added in Shorewall 4.5.0. When non-empty, requires the + Statistics Match capability in your kernel + and ip6tables and causes the rule to match randomly but with the + given probability. The + probability is a number 0 < + probability <= 1 and may be expressed + at up to 8 decimal points of precision. + + diff --git a/manpages6/shorewall6-route_rules.xml b/manpages6/shorewall6-route_rules.xml index 305330fda..438d189d5 100644 --- a/manpages6/shorewall6-route_rules.xml +++ b/manpages6/shorewall6-route_rules.xml @@ -41,6 +41,11 @@ and an address. If the device lo is specified, the packet must originate from the firewall itself. + + Beginning with Shorewall 4.5.0, you may specify + &interface in this column to indicate + that the source is the primary IP address of the named + interface. diff --git a/manpages6/shorewall6-tcrules.xml b/manpages6/shorewall6-tcrules.xml index 125ed8fbd..fbad02eb5 100644 --- a/manpages6/shorewall6-tcrules.xml +++ b/manpages6/shorewall6-tcrules.xml 
@@ -778,6 +778,21 @@ SAME $FW 0.0.0.0/0 tcp 80,443 role="bold">! is omitted. + + + PROBABILITY - + [probability] + + + Added in Shorewall 4.5.0. When non-empty, requires the + Statistics Match capability in your kernel + and ip6tables and causes the rule to match randomly but with the + given probability. The + probability is a number 0 < + probability <= 1 and may be expressed + at up to 8 decimal points of precision. + +