From 72f75c201cea20f307e308237c2734327c312d7a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 17 Nov 2011 16:07:45 -0800
Subject: [PATCH] Implement zone automark
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Config.pm | 2 ++
 Shorewall/Perl/Shorewall/Misc.pm | 4 +++-
 Shorewall/Perl/Shorewall/Zones.pm | 23 +++++++++++++++++++++++
 3 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index c83217ae3..ce3a76af9 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3735,6 +3735,8 @@ sub get_configuration( $$$ ) {
 numeric_option 'PROVIDER_OFFSET' , $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? 16 : 8 : 0, 0;
 numeric_option 'ZONE_BITS' , 0, 0;
+ require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's';
+
 if ( $config{PROVIDER_OFFSET} ) {
 $config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
 $globals{ZONE_OFFSET} = $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS};
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 48ebe6b97..97e1cd2db 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1563,7 +1563,9 @@ sub generate_matrix() {
 #
 my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
- insert_ijump $frwd_ref , j => $filter_table->{blacklst}, -1, @state if $zoneref->{options}{in}{blacklist};
+ insert_ijump( $frwd_ref , j => $filter_table->{blacklst}, -1, @state ) if $zoneref->{options}{in}{blacklist};
+
+ add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};
 if ( have_ipsec ) {
 #
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index a14cee4c2..01837daeb 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
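Review bot: The added `require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's';` in the Config.pm hunk runs unconditionally, directly after `numeric_option 'ZONE_BITS' , 0, 0;`, so a configuration that leaves ZONE_BITS at its default of 0 and lacks the MARK_ANYWHERE capability would now fail even though no zone marks are generated — the message text itself says the requirement is meant for a non-zero setting. Guarding it, `require_capability 'MARK_ANYWHERE', 'A non-zero ZONE_BITS setting', 's' if $config{ZONE_BITS};`, matches that intent, unless require_capability already tolerates a missing capability in a way not visible here. The hunk also shows `$globals{ZONE_OFFSET}` being assigned only on the `if ( $config{PROVIDER_OFFSET} )` branch; the else branch, and any upper bound on ZONE_BITS, lie outside the hunk, and get_configuration continues past it.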
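Review bot: The new `add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};` in the Misc.pm hunk reads `$globals{ZONE_MASK}`, which nothing in this patch assigns — the Config.pm hunk only computes `$globals{ZONE_OFFSET}`. If ZONE_MASK is not already derived from ZONE_OFFSET and ZONE_BITS elsewhere, the generated target carries an empty or zero mask and the problem surfaces when the ruleset is loaded rather than at compile time; please confirm where it is set. Either way a short why-comment above the rule would help a reader, e.g. `# Record the source zone in the ZONE_MASK bits of the packet mark; the firewall zone keeps mark 0 and gets no rule here`, since the skip for mark 0 is only implied by the `if $zoneref->{mark}` guard. generate_matrix extends beyond the hunk on both sides.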
@@ -182,6 +182,9 @@ my $upgrade;
 my $have_ipsec;
 my $baseseq;
 my $minroot;
+my $zonemark;
+my $zonemarkincr;
+my $zonemarklimit;
 use constant { FIREWALL => 1,
 IP => 2,
@@ -480,6 +483,22 @@ sub process_zone( \$ ) {
 hosts => {}
 };
+ if ( $config{ZONE_BITS} ) {
+ my $mark;
+
+ if ( $type == FIREWALL ) {
+ $mark = 0;
+ } else {
+ fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
+ $mark = $zonemark;
+ $zonemark += $zonemarkincr;
+ $zoneref->{options}{complex} = 1;
+ }
+
+ progress_message_nocompress " Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
+ }
+
+
 if ( $zoneref->{options}{in_out}{blacklist} ) {
 for ( qw/in out/ ) {
 unless ( $zoneref->{options}{$_}{blacklist} ) {
@@ -501,6 +520,10 @@ sub determine_zones()
 my @z;
 my $ip = 0;
+ $zonemark = 1 << $globals{ZONE_OFFSET};
+ $zonemarkincr = $zonemark;
+ $zonemarklimit = $zonemark << $config{ZONE_BITS};
+
 if ( my $fn = open_file 'zones' ) {
 first_entry "$doing $fn...";
 push @z, process_zone( $ip ) while read_a_line;
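Review bot: In the process_zone hunk, `progress_message_nocompress " Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );` hides the only store of the zone's mark inside a log-message argument, so anyone who later conditions or removes the progress message silently drops the assignment; split it into `$zoneref->{mark} = $mark;` followed by `progress_message_nocompress " Zone $zone:\tmark value " . in_hex( $mark );`. The `$zoneref->{options}{complex} = 1;` line deserves a why-comment, because the reason a marked zone must be complex is not visible in this hunk — presumably it forces a per-zone forward chain so the MARK rule added in Misc.pm has a chain to live in; if that is right, `# a marked zone needs its own forward chain to hold the MARK rule`. The new code also depends on `$zonemark`, `$zonemarkincr` and `$zonemarklimit` having been initialised by determine_zones(), so a comment at their declarations in the first hunk, `# zone automark state: set in determine_zones(), consumed by process_zone()`, would record that coupling. process_zone starts and ends outside the hunk.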
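Review bot: In the determine_zones hunk, `$zonemarklimit = $zonemark << $config{ZONE_BITS};` is computed in Perl's native integer width, so on a 64-bit perl a ZONE_BITS large enough that ZONE_OFFSET + ZONE_BITS exceeds 32 lets the overflow check in process_zone (`$zonemark >= $zonemarklimit`) hand out marks above bit 31, which a 32-bit netfilter mark cannot hold, and the error only appears when the ruleset is loaded. A compile-time guard here, `fatal_error "ZONE_OFFSET + ZONE_BITS exceeds the 32 available mark bits" if $globals{ZONE_OFFSET} + $config{ZONE_BITS} > 32;`, would report the setting to fix, unless numeric_option already bounds ZONE_BITS in a part of Config.pm not shown in this patch. A comment on the three assignments, e.g. `# first non-firewall zone mark, per-zone increment, and exclusive upper bound`, would also help, since the names alone do not convey that the limit is exclusive. determine_zones continues past the hunk.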