From 6fe06c82c8e5ebc95196c96772860b7403fd91a9 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 28 Dec 2013 15:24:05 -0800 Subject: [PATCH] More switch from tcrules to mangle Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Tc.pm | 109 +++++++++++++++++---- Shorewall/configfiles/{tcrules => mangle} | 4 +- Shorewall/install.sh | 12 +-- Shorewall6/configfiles/{tcrules => mangle} | 4 +- 4 files changed, 99 insertions(+), 30 deletions(-) rename Shorewall/configfiles/{tcrules => mangle} (77%) rename Shorewall6/configfiles/{tcrules => mangle} (76%) diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 29ee1758a..810e3bcf4 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -165,6 +165,9 @@ sub initialize( $ ) { $divertref = 0; } +# +# Process a rule from the tcrules or mangle file +# sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) { our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_; @@ -683,7 +686,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) { unless ( ( $chain || $default_chain ) == OUTPUT ) { fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-'; } - + if ( $dest ne '-' ) { if ( $dest eq $fw ) { fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT; @@ -776,6 +779,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) { progress_message " $file Rule \"$currentline\" $done"; } +# +# Intermediate processing of a tcrules entry +# sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_; 
@@ -815,12 +821,6 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { } , IPMARK => { match => sub ( $ ) { $_[0] =~ /^IPMARK/ }, } , - '|' => { match => sub ( $ ) { $_[0] =~ '\|.*'} , - command => 'MARK', - } , - '&' => { match => sub ( $ ) { $_[0] =~ '&.*' }, - command => 'MARK', - } , TPROXY => { match => sub ( $ ) { $_[0] =~ /^TPROXY/ }, }, DIVERT => { match => sub( $ ) { $_[0] =~ /^DIVERT/ }, @@ -899,7 +899,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { unless ( $command ) { { - if ( $cmd =~ /^([A-Z|&]+)/ ) { + if ( $cmd =~ /^([A-Z]+)/ ) { if ( my $tccmd = $tccmd{$1} ) { fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); $command = $tccmd->{command} if $tccmd->{command}; @@ -911,7 +911,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { } - process_mangle_rule1( 'Tcrules', + process_mangle_rule1( 'TC', ( $command ? "$command($mark)" : $mark ) . $designator , $source, $dest, @@ -935,7 +935,22 @@ sub process_tc_rule( ) { if ( $family == F_IPV4 ) { ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) = split_line2( 'tcrules file', - { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, + { mark => 0, + action => 0, + source => 1, + dest => 2, + proto => 3, + dport => 4, + sport => 5, + user => 6, + test => 7, + length => 8, + tos => 9, + connbytes => 10, + helper => 11, + probability => 12 , + scp => 13, + state => 14 }, {}, 15, 1 ); 
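Review bot: The expanded IPv4 column map in the @@ -935 hunk of process_tc_rule names the thirteenth column `scp` where the single line it replaces had `dscp => 13`, so this reads as a typo introduced while reformatting rather than an intended rename; the identical `scp => 13` appears again in the IPv4 branch of process_mangle_rule in the @@ -955 hunk below. If split_line2 uses that hash to resolve column names (which is what its use here suggests), an IPv4 entry that refers to its `dscp` column would presumably stop being recognised while the misspelling `scp` would be accepted, and IPv6 would behave differently because its map still says `dscp => 14`. Both occurrences should read `dscp => 13,`. process_tc_rule starts before this hunk and continues past it.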
@@ -943,7 +958,23 @@ sub process_tc_rule( ) { } else { ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) = split_line2( 'tcrules file', - { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, + { mark => 0, + action => 0, + source => 1, + dest => 2, + proto => 3, + dport => 4, + sport => 5, + user => 6, + test => 7, + length => 8, + tos => 9, + connbytes => 10, + helper => 11, + headers => 12, + probability => 13, + dscp => 14, + state => 15 }, {}, 16, 1 ); 
@@ -955,18 +986,60 @@ sub process_tc_rule( ) { } sub process_mangle_rule( ) { - my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = - split_line2( 'mangle file', - { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, - {}, - 16, - 1 ); + my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); + if ( $family == F_IPV4 ) { + ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) = + split_line2( 'tcrules file', + { mark => 0, + action => 0, + source => 1, + dest => 2, + proto => 3, + dport => 4, + sport => 5, + user => 6, + test => 7, + length => 8, + tos => 9, + connbytes => 10, + helper => 11, + probability => 12 , + scp => 13, + state => 14 }, + {}, + 15, + 1 ); + $headers = '-'; + } else { + ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) = + split_line2( 'tcrules file', + { mark => 0, + action => 0, + source => 1, + dest => 2, + proto => 3, + dport => 4, + sport => 5, + user => 6, + test => 7, + length => 8, + tos => 9, + connbytes => 10, + helper => 11, + headers => 12, + probability => 13, + dscp => 14, + state => 15 }, + {}, + 16, + 1 ); + } for my $proto (split_list( $protos, 'Protocol' ) ) { process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); } } - + sub rate_to_kbit( $ ) { my $rate = $_[0]; 
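Review bot: Both new branches of process_mangle_rule call `split_line2( 'tcrules file',` although this sub processes the mangle file — the line being replaced passed `'mangle file'`, so whatever diagnostic split_line2 builds from that first argument would now name the wrong file when a mangle entry is malformed. Both calls should be `split_line2( 'mangle file',`. The two column maps are now duplicated verbatim between process_tc_rule and process_mangle_rule, so it would be worth hoisting the IPv4 and IPv6 layouts into two file-level hashes that both subs pass to split_line2, which also keeps the two copies from drifting apart. rate_to_kbit's body continues past the end of the hunk.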
diff --git a/Shorewall/configfiles/tcrules b/Shorewall/configfiles/mangle similarity index 77% rename from Shorewall/configfiles/tcrules rename to Shorewall/configfiles/mangle index 4a74117c6..b676ae61c 100644 --- a/Shorewall/configfiles/tcrules +++ b/Shorewall/configfiles/mangle @@ -1,5 +1,5 @@ # -# Shorewall version 4 - Tcrules File +# Shorewall version 4 - Mangle File # # For information about entries in this file, type "man shorewall-tcrules" # @@ -10,8 +10,6 @@ # See http://shorewall.net/PacketMarking.html for a detailed description of # the Netfilter/Shorewall packet marking mechanism. ########################################################################################################################################## -?FORMAT 2 -########################################################################################################################################## #ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP # PORT(S) PORT(S) diff --git a/Shorewall/install.sh b/Shorewall/install.sh index bf12507c8..15fc846f9 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh 
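Review bot: The header of the renamed file still tells the reader to `type "man shorewall-tcrules"` although the file is now installed as `mangle`, and the Shorewall6 copy in the last hunk of this patch keeps the same stale `man shorewall6-tcrules` reference. Both lines should point at the documentation for the mangle file once it exists; until then the reference sends users to a page describing a file this patch no longer installs.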
@@ -695,14 +695,14 @@ if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then fi # -# Install the TC Rules file +# Install the Mangle file # -run_install $OWNERSHIP -m 0644 tcrules ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/ -run_install $OWNERSHIP -m 0644 tcrules.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/ +run_install $OWNERSHIP -m 0644 mangle ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/ +run_install $OWNERSHIP -m 0644 mangle.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/ -if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/tcrules ]; then - run_install $OWNERSHIP -m 0600 tcrules${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/tcrules - echo "TC Rules file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/tcrules" +if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/mangle ]; then + run_install $OWNERSHIP -m 0600 mangle${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/mangle + echo "Mangle file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/mangle" fi # diff --git a/Shorewall6/configfiles/tcrules b/Shorewall6/configfiles/mangle similarity index 76% rename from Shorewall6/configfiles/tcrules rename to Shorewall6/configfiles/mangle index 9e4a1b499..569c1b753 100644 --- a/Shorewall6/configfiles/tcrules +++ b/Shorewall6/configfiles/mangle @@ -1,5 +1,5 @@ # -# Shorewall6 version 4 - Tcrules File +# Shorewall6 version 4 - Mangle File # # For information about entries in this file, type "man shorewall6-tcrules" # @@ -10,7 +10,5 @@ # See http://shorewall.net/PacketMarking.html for a detailed description of # the Netfilter/Shorewall packet marking mechanism. ################################################################################################################################################### -?FORMAT 2 -################################################################################################################################################### #ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP # PORT(S) PORT(S)