More switch from tcrules to mangle

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-12-28 15:24:05 -08:00
parent 543446f8d7
commit 6fe06c82c8
4 changed files with 99 additions and 30 deletions


@ -165,6 +165,9 @@ sub initialize( $ ) {
$divertref = 0; $divertref = 0;
} }
#
# Process a rule from the tcrules or mangle file
#
sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) { sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_; our ( $file, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
@ -683,7 +686,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
unless ( ( $chain || $default_chain ) == OUTPUT ) { unless ( ( $chain || $default_chain ) == OUTPUT ) {
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-'; fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
} }
if ( $dest ne '-' ) { if ( $dest ne '-' ) {
if ( $dest eq $fw ) { if ( $dest eq $fw ) {
fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT; fatal_error 'Rules with DEST $FW must use the INPUT chain' if $designator && $designator ne INPUT;
@ -776,6 +779,9 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
progress_message " $file Rule \"$currentline\" $done"; progress_message " $file Rule \"$currentline\" $done";
} }
#
# Intermediate processing of a tcrules entry
#
sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_; my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
@ -815,12 +821,6 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
} , } ,
IPMARK => { match => sub ( $ ) { $_[0] =~ /^IPMARK/ }, IPMARK => { match => sub ( $ ) { $_[0] =~ /^IPMARK/ },
} , } ,
'|' => { match => sub ( $ ) { $_[0] =~ '\|.*'} ,
command => 'MARK',
} ,
'&' => { match => sub ( $ ) { $_[0] =~ '&.*' },
command => 'MARK',
} ,
TPROXY => { match => sub ( $ ) { $_[0] =~ /^TPROXY/ }, TPROXY => { match => sub ( $ ) { $_[0] =~ /^TPROXY/ },
}, },
DIVERT => { match => sub( $ ) { $_[0] =~ /^DIVERT/ }, DIVERT => { match => sub( $ ) { $_[0] =~ /^DIVERT/ },
@ -899,7 +899,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
unless ( $command ) { unless ( $command ) {
{ {
if ( $cmd =~ /^([A-Z|&]+)/ ) { if ( $cmd =~ /^([A-Z]+)/ ) {
if ( my $tccmd = $tccmd{$1} ) { if ( my $tccmd = $tccmd{$1} ) {
fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd);
$command = $tccmd->{command} if $tccmd->{command}; $command = $tccmd->{command} if $tccmd->{command};
@ -911,7 +911,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
} }
process_mangle_rule1( 'Tcrules', process_mangle_rule1( 'TC',
( $command ? "$command($mark)" : $mark ) . $designator , ( $command ? "$command($mark)" : $mark ) . $designator ,
$source, $source,
$dest, $dest,
@ -935,7 +935,22 @@ sub process_tc_rule( ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
split_line2( 'tcrules file', split_line2( 'tcrules file',
{ mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, { mark => 0,
action => 0,
source => 1,
dest => 2,
proto => 3,
dport => 4,
sport => 5,
user => 6,
test => 7,
length => 8,
tos => 9,
connbytes => 10,
helper => 11,
probability => 12 ,
scp => 13,
state => 14 },
{}, {},
15, 15,
1 ); 1 );
@ -943,7 +958,23 @@ sub process_tc_rule( ) {
} else { } else {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
split_line2( 'tcrules file', split_line2( 'tcrules file',
{ mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, { mark => 0,
action => 0,
source => 1,
dest => 2,
proto => 3,
dport => 4,
sport => 5,
user => 6,
test => 7,
length => 8,
tos => 9,
connbytes => 10,
helper => 11,
headers => 12,
probability => 13,
dscp => 14,
state => 15 },
{}, {},
16, 16,
1 ); 1 );
@ -955,18 +986,60 @@ sub process_tc_rule( ) {
} }
sub process_mangle_rule( ) { sub process_mangle_rule( ) {
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
split_line2( 'mangle file', if ( $family == F_IPV4 ) {
{ mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
{}, split_line2( 'tcrules file',
16, { mark => 0,
1 ); action => 0,
source => 1,
dest => 2,
proto => 3,
dport => 4,
sport => 5,
user => 6,
test => 7,
length => 8,
tos => 9,
connbytes => 10,
helper => 11,
probability => 12 ,
scp => 13,
state => 14 },
{},
15,
1 );
$headers = '-';
} else {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
split_line2( 'tcrules file',
{ mark => 0,
action => 0,
source => 1,
dest => 2,
proto => 3,
dport => 4,
sport => 5,
user => 6,
test => 7,
length => 8,
tos => 9,
connbytes => 10,
helper => 11,
headers => 12,
probability => 13,
dscp => 14,
state => 15 },
{},
16,
1 );
}
for my $proto (split_list( $protos, 'Protocol' ) ) { for my $proto (split_list( $protos, 'Protocol' ) ) {
process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); process_mangle_rule1( 'Mangle', $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
} }
} }
sub rate_to_kbit( $ ) { sub rate_to_kbit( $ ) {
my $rate = $_[0]; my $rate = $_[0];
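Review bot: Both IPv4 column maps introduced here spell the DSCP key as `scp => 13,` (the line after `probability => 12 ,` in process_tc_rule, and again in the new IPv4 branch of process_mangle_rule), while the IPv6 maps and the old single-line map use `dscp`; whatever split_line2 does with these names — presumably resolving column names for keyword-style entries — the IPv4 path now has no `dscp` key, so both lines should read `dscp => 13,`. Separately, process_mangle_rule now passes `'tcrules file'` to split_line2 in both branches where the removed code passed `'mangle file'`, so diagnostics raised while parsing the mangle file will name the wrong file; restore `split_line2( 'mangle file',` in both calls. The two new branches in process_mangle_rule are a line-for-line copy of process_tc_rule's (the lines between process_tc_rule's two hunks are not visible, so the only seen difference is `$headers = '-'` on the IPv4 side); factoring the column maps into shared constants or a helper that takes the file label would keep the two from drifting, and this typo is exactly such a drift. process_tc_rule begins before its first hunk; process_mangle_rule is shown in full.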


@ -1,5 +1,5 @@
# #
# Shorewall version 4 - Tcrules File # Shorewall version 4 - Mangle File
# #
# For information about entries in this file, type "man shorewall-tcrules" # For information about entries in this file, type "man shorewall-tcrules"
# #
@ -10,8 +10,6 @@
# See http://shorewall.net/PacketMarking.html for a detailed description of # See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism. # the Netfilter/Shorewall packet marking mechanism.
########################################################################################################################################## ##########################################################################################################################################
?FORMAT 2
##########################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP #ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
# PORT(S) PORT(S) # PORT(S) PORT(S)
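Review bot: The header now calls this the Mangle file, but the line below it still directs readers to `man shorewall-tcrules`, and the same holds for the Shorewall6 file further down in this commit; if that page remains the documentation for this file that is fine, otherwise the reference should follow the rename. Dropping `?FORMAT 2` changes how the file is read, presumably because the mangle layout no longer needs the directive, so a one-line header comment stating that this file always uses the ACTION-first column layout shown below would save users who copy entries over from a tcrules file from guessing.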


@ -695,14 +695,14 @@ if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
fi fi
# #
# Install the TC Rules file # Install the Mangle file
# #
run_install $OWNERSHIP -m 0644 tcrules ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/ run_install $OWNERSHIP -m 0644 mangle ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
run_install $OWNERSHIP -m 0644 tcrules.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/ run_install $OWNERSHIP -m 0644 mangle.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/tcrules ]; then if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/mangle ]; then
run_install $OWNERSHIP -m 0600 tcrules${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/tcrules run_install $OWNERSHIP -m 0600 mangle${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/mangle
echo "TC Rules file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/tcrules" echo "Mangle file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/mangle"
fi fi
# #
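Review bot: With this hunk the tcrules and tcrules.annotated templates are no longer copied to `${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/`, yet the Perl change in this commit still parses a tcrules file (process_tc_rule); if tcrules remains a supported input, its template install should stay alongside the new mangle one, otherwise a comment such as `# tcrules is superseded by mangle and is no longer shipped` would record the intent. The path in the new test is still unquoted, `[ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/mangle ]`; this was inherited from the old line, but `[ -z "$SPARSE" ] && [ ! -f "${DESTDIR}${CONFDIR}/$PRODUCT/mangle" ]` is the portable form and survives a DESTDIR containing spaces.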


@ -1,5 +1,5 @@
# #
# Shorewall6 version 4 - Tcrules File # Shorewall6 version 4 - Mangle File
# #
# For information about entries in this file, type "man shorewall6-tcrules" # For information about entries in this file, type "man shorewall6-tcrules"
# #
@ -10,7 +10,5 @@
# See http://shorewall.net/PacketMarking.html for a detailed description of # See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism. # the Netfilter/Shorewall packet marking mechanism.
################################################################################################################################################### ###################################################################################################################################################
?FORMAT 2
###################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP #ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
# PORT(S) PORT(S) # PORT(S) PORT(S)