Add a PROBABILITY column to the tcrules file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -183,6 +183,7 @@ our %EXPORT_TAGS = (
 				       do_helper
 				       validate_helper
 				       do_headers
+				       do_probability
 				       do_condition
 				       have_ipset_rules
 				       record_runtime_address
@@ -4123,7 +4124,21 @@ sub do_headers( $ ) {
 	}
     }
 
-    "-m ipv6header ${invert}--header ${headers} ${soft}";
+    "-m ipv6header ${invert}--header ${headers} ${soft} ";
+}
+
+sub do_probability( $ ) {
+    my $probability = shift;
+
+    return '' if $probability eq '-';
+
+    require_capability 'STATISTIC_MATCH', 'A non-empty PROBABILITY column', 's';
+
+    my $invert = $probability =~ s/^!// ? '! ' : "";
+    
+    fatal_error "Invalid PROBABILITY ($probability)" unless $probability =~ /^0?\.\d{1,8}$/;
+
+    "-m statistic --mode random --probability $probability ";
 }
 
 #

Shorewall/Perl/Shorewall/Tc.pm

@@ -194,8 +194,15 @@ sub initialize( $ ) {
 }
 
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = 
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
-	split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
+    if ( $family == F_IPV4 ) {
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
+	$headers = '-';
+    } else {
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) = 
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
+    }
 
     our @tccmd;
 
@@ -243,6 +250,7 @@ sub process_tc_rule( ) {
 
 	    $source = '';
 	} elsif ( $source =~ s/^($fw):// ) {
+	    fatal_error ":F is not allowed when the SOURCE is the firewall" if ( $designator || '' ) eq 'F';
 	    $chain = 'tcout';
 	}
     }
@@ -497,7 +505,8 @@ sub process_tc_rule( ) {
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ) .
-				     do_headers( $headers ) ,
+				     do_headers( $headers ) .
+				     do_probability( $probability ) ,
 				     $source ,
 				     $dest ,
 				     '' ,

Shorewall/configfiles/tcrules

@@ -9,6 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################
+######################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY
 #						PORT(S)	PORT(S)
+

Shorewall6/configfiles/tcrules

@@ -9,6 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##################################################################################################################################
+##############################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY
 #						PORT(S)	PORT(S)

manpages/shorewall-route_rules.xml

@@ -32,7 +32,7 @@
     <variablelist>
       <varlistentry>
         <term><emphasis role="bold">SOURCE</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|<emphasis>interface</emphasis>|<emphasis>address</emphasis>|<emphasis>interface</emphasis><firstterm>:</firstterm><emphasis>address</emphasis>}</term>
+        role="bold">-</emphasis>|[&amp;]<emphasis>interface</emphasis>|<emphasis>address</emphasis>|<emphasis>interface</emphasis><firstterm>:</firstterm><emphasis>address</emphasis>}</term>
 
         <listitem>
           <para>An ip <emphasis>address</emphasis> (network or host) that
@@ -41,6 +41,11 @@
           and an address. If the device <emphasis role="bold">lo</emphasis> is
           specified, the packet must originate from the firewall
           itself.</para>
+
+          <para>Beginning with Shorewall 4.5.0, you may specify
+          &amp;<replaceable>interface</replaceable> in this column to indicate
+          that the source is the primary IP address of the named
+          interface.</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall-tcrules.xml

@@ -827,6 +827,21 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
 4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROBABILITY</emphasis> -
+        [probability]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.0. When non-empty, requires the
+          <firstterm>Statistics Match</firstterm> capability in your kernel
+          and ip6tables and causes the rule to match randomly but with the
+          given <replaceable>probability</replaceable>. The
+          <replaceable>probability</replaceable> is a number 0 &lt;
+          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
+          at up to 8 decimal points of precision.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>
 

manpages6/shorewall6-route_rules.xml

@@ -41,6 +41,11 @@
           and an address. If the device <emphasis role="bold">lo</emphasis> is
           specified, the packet must originate from the firewall
           itself.</para>
+
+          <para>Beginning with Shorewall 4.5.0, you may specify
+          &amp;<replaceable>interface</replaceable> in this column to indicate
+          that the source is the primary IP address of the named
+          interface.</para>
         </listitem>
       </varlistentry>
 

manpages6/shorewall6-tcrules.xml

@@ -778,6 +778,21 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
           role="bold">!</emphasis> is omitted.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PROBABILITY</emphasis> -
+        [probability]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.0. When non-empty, requires the
+          <firstterm>Statistics Match</firstterm> capability in your kernel
+          and ip6tables and causes the rule to match randomly but with the
+          given <replaceable>probability</replaceable>. The
+          <replaceable>probability</replaceable> is a number 0 &lt;
+          <replaceable>probability</replaceable> &lt;= 1 and may be expressed
+          at up to 8 decimal points of precision.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>