holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow tcrules in the POSTROUTING chain

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5066 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-12-08 22:43:46 +00:00
parent 6d0deec4c8
commit 75554a06be
5 changed files with 184 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -23,6 +23,8 @@ Changes in 3.3.6
11) Allow in-memory circular buffer for system log.
12) Add ":T" qualifier in tcrules.
Changes in 3.3.5
1) Restore default route when there are no 'balance' providers.

105
Shorewall/lib.tcrules
View File

@ -45,20 +45,18 @@
#
process_tc_rule()
{
local did_connmark= multiport=
local did_connmark= multiport= classid=
chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
verify_designator() {
[ "$chain" = tcout ] && \
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
handle_designator() {
chain=$1
mark="${mark%:*}"
}
do_ipp2p()
{
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. TC Rule: \"$rule\""
[ "x$port" = "x-" ] && port="ipp2p"
case $proto in
@ -66,7 +64,7 @@ process_tc_rule()
proto=${proto#*:}
;;
*)
proto=all
proto=tcp
;;
esac
@ -154,7 +152,6 @@ process_tc_rule()
esac
fi
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
if [ "x$dest" != "x-" ]; then
@ -220,37 +217,69 @@ process_tc_rule()
case $sources in
$FW|$FW:*)
chain=tcout
if [ "x$mark" != "x${mark%:*}" ]; then
case "${mark#*:}" in
t|T)
handle_designator tcpost
;;
ct|CT)
handle_designator tcpost
do_connmark
;;
c|C)
mark=${mark%:*}
do_connmark
;;
p|P|cp|CP|f|F|cf|CF)
fatal_error "Invalid chain designator for source \$FW; rule \"$rule\""
;;
*)
chain=tcpost
target="CLASSIFY --set-class"
classid=Yes
;;
esac
fi
;;
*)
if [ "x$mark" != "x${mark%:*}" ]; then
case "${mark#*:}" in
p|P)
handle_designator tcpre
;;
cp|CP)
handle_designator tcpre
do_connmark
;;
f|F)
handle_designator tcfor
;;
cf|CF)
handle_designator tcfor
do_connmark
;;
t|T)
handle_designator tcpost
;;
ct|CT)
handle_designator tcpost
do_connmark
;;
c|C)
mark=${mark%:*}
do_connmark
;;
*)
chain=tcpost
classid=Yes
target="CLASSIFY --set-class"
;;
esac
fi
;;
esac
if [ "$mark" != "${mark%:*}" ]; then
case "${mark#*:}" in
p|P)
verify_designator tcpre
;;
cp|CP)
verify_designator tcpre
do_connmark
;;
f|F)
verify_designator tcfor
;;
cf|CF)
verify_designator tcfor
do_connmark
;;
c|C)
mark=${mark%:*}
do_connmark
;;
*)
chain=tcpost
target="CLASSIFY --set-class"
;;
esac
fi
mask=0xffff
case $mark in
@ -282,7 +311,7 @@ process_tc_rule()
mark=
;;
\|*)
[ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"
[ -n "$classid" ] && fatal_error "Invalid class ID: $mark"
[ -n "$did_connmark" ] && fatal_error "Logical OR not valid with :C[FP]"
target="MARK --or-mark"
mark=${mark#|}
@ -292,7 +321,7 @@ process_tc_rule()
fi
;;
\&*)
[ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"
[ -n "$classid" ] && fatal_error "Invalid class ID: $mark"
[ -n "$did_connmark" ] && fatal_error "Logical AND not valid with :C[FP]"
target="MARK --and-mark"
mark=${mark#&}
@ -302,7 +331,7 @@ process_tc_rule()
fi
;;
*)
if [ "$chain" != tcpost ]; then
if [ -z "$classid" ]; then
validate_mark $mark
if [ $((${mark%/*})) -gt 255 ]; then
case $chain in

4
Shorewall/releasenotes.txt
View File

@ -133,6 +133,10 @@ Other Changes in 3.3.6
buffer), /sbin/shorewall will now use the 'logread' command to read
the log from that buffer. This is for combatibility with OpenWRT.
10) There is now a ":T" qualifier in /etc/shorewall/tcrules which
causes the resulting rule to be inserted into the POSTROUTING
chain.
Migration Considerations:
1) Shorewall supports the notion of "default actions". A default

87
docs/traffic_shaping.xml
View File

@ -515,11 +515,82 @@ ppp0 6000kbit 500kbit</programlisting>
<para>MARK or CLASSIFY - MARK specifies the mark value is to be
assigned in case of a match. This is an integer in the range 1-255.
This value may be optionally followed by <quote>:</quote> and either
<quote>F</quote> or <quote>P</quote> to designate that the marking
will occur in the FORWARD or PREROUTING chains respectively. If this
additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN
option in shorewall.conf.</para>
<quote>F</quote>, <quote>P</quote> or "T" to designate that the
marking will occur in the FORWARD, PREROUTING or POSTROUTING chains
respectively. If this additional specification is omitted, the chain
used to mark packets will be determined as follows:</para>
<itemizedlist>
<listitem>
<para>If the SOURCE is
$FW[:&lt;<emphasis>address</emphasis>&gt;], then the rule is
inserted in the OUTPUT chain.</para>
</listitem>
<listitem>
<para>Otherwise, the chain is determined by the setting of the
MARK_IN_FORWARD_CHAIN option in shorewall.conf.</para>
</listitem>
</itemizedlist>
<note>
<para>The "T" qualifier was added in Shorewall version 3.3.6 and
is not available in earlier versions.</para>
</note>
<para>Normally, the mark is applied to the packet. If you follow the
mark value with ":" and "C", then the mark is applied to the
connection. "C" can be combined with "F", "P" or "T" to designate
that the connection should be marked in a particular chain (e.g.,
"CF", "CP", "CT").</para>
<para>There are additional special values available:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para><emphasis
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
restore the packet's mark from the connection's mark using the
supplied mask if any. Your kernel and iptables must include
CONNMARK support.</para>
<para>As above, may be followed by <emphasis
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
or <emphasis role="bold">:T</emphasis>.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
the packet's mark to the connection's mark using the supplied
mask if any. Your kernel and iptables must include CONNMARK
support.</para>
<para>As above, may be followed by <emphasis
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
or <emphasis role="bold">:T</emphasis>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">CONTINUE</emphasis> Don't process
any more marking rules in the table.</para>
<para>As above, may be followed by <emphasis
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
or <emphasis role="bold">:T</emphasis>.</para>
</listitem>
<listitem>
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of
the line will be attached as a comment to the Netfilter rule(s)
generated by the following entries. The comment will appear
delimited by "/* ... */" in the output of <command>shorewall
show mangle</command></para>
<para>To stop the comment from being attached to further rules,
simply include COMMENT on a line by itself.</para>
</listitem>
</orderedlist>
<para>To use CLASSIFY, your kernel and iptables must include
CLASSIFY target support. In that case, this column contains a
@ -541,9 +612,9 @@ ppp0 6000kbit 500kbit</programlisting>
<member>prio</member>
</simplelist>
<para>With Shorewall versions prior to 3.2.3, classify always occurs
in the POSTROUTING chain. Beginning with Shorewall 3.2.3, classify
occurs in the POSTROUTING chain <emphasis
<para>With Shorewall versions prior to 3.2.3, classify rules are
always placed in the POSTROUTING chain. Beginning with Shorewall
3.2.3, classification occurs in the POSTROUTING chain <emphasis
role="bold">except</emphasis> when the SOURCE contains
$FW[:&lt;<emphasis>address</emphasis>&gt;] in which case, the
classify action takes place in the OUTPUT chain. When used with the

43
manpages/shorewall-tcrules.xml
View File

@ -77,15 +77,28 @@
<emphasis role="bold">$FW</emphasis>).</para>
<para>May optionally be followed by <emphasis
role="bold">:P</emphasis> or <emphasis role="bold">:F</emphasis>
where<emphasis role="bold"> :P</emphasis> indicates that marking
should occur in the PREROUTING chain and <emphasis
role="bold">:F</emphasis> indicates that marking should occur in
the FORWARD chain. If neither <emphasis
role="bold">:P</emphasis> nor <emphasis
role="bold">:F</emphasis> follow the mark value then the chain
is determined by the setting of MARK_IN_FORWARD_CHAIN in
shorewall.conf(5).</para>
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
or <emphasis role="bold">:T</emphasis> where<emphasis
role="bold"> :P</emphasis> indicates that marking should occur
in the PREROUTING chain, <emphasis role="bold">:F</emphasis>
indicates that marking should occur in the FORWARD chain and
<emphasis role="bold">:T</emphasis> indicates that marking
should occur in the POSTROUTING chain. If neither <emphasis
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
nor <emphasis role="bold">:T</emphasis> follow the mark value
then the chain is determined as follows:</para>
<itemizedlist>
<listitem>
<para>If the SOURCE is $FW, then the rule is inserted into
the OUTPUT chain.</para>
</listitem>
<listitem>
<para>Otherwise, the chain is determined by the setting of
MARK_IN_FORWARD_CHAIN in shorewall.conf(5).</para>
</listitem>
</itemizedlist>
<para>If your kernel and iptables include CONNMARK support then
you can also mark the connection rather than the packet.</para>
@ -93,7 +106,7 @@
<para>The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection mark
to actually be set). The mark and optional mask are then
followed by one of:</para>
followed by one of:+</para>
<variablelist>
<varlistentry>
@ -120,6 +133,14 @@
<para>Mark the connection in the PREROUTING chain.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>CT</term>
<listitem>
<para>Mark the connecdtion in the POSTROUTING chain</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
@ -149,7 +170,7 @@
<emphasis>minor</emphasis> class is the class's MARK value in
shorewall-tcclasses(5) preceded by the number 1 (MARK 1
corresponds to minor class 11, MARK 5 corresponds to minor class
15, MARK 22 corresponds to minor class 122, etc.). </para>
15, MARK 22 corresponds to minor class 122, etc.).</para>
</listitem>
<listitem>