diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 10c9fb981..d480093dd 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -23,6 +23,8 @@ Changes in 3.3.6
11) Allow in-memory circular buffer for system log.
+12) Add ":T" qualifier in tcrules.
+
Changes in 3.3.5
1) Restore default route when there are no 'balance' providers.
diff --git a/Shorewall/lib.tcrules b/Shorewall/lib.tcrules
index 6165ebefc..0d808b7c4 100644
--- a/Shorewall/lib.tcrules
+++ b/Shorewall/lib.tcrules
@@ -45,20 +45,18 @@
#
process_tc_rule()
{
- local did_connmark= multiport=
+ local did_connmark= multiport= classid=
chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
- verify_designator() {
- [ "$chain" = tcout ] && \
- fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
+ handle_designator() {
chain=$1
mark="${mark%:*}"
}
do_ipp2p()
{
- [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
+ [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. TC Rule: \"$rule\""
[ "x$port" = "x-" ] && port="ipp2p"
case $proto in
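Review bot: `handle_designator` assigns the shared `chain` and `mark` variables of process_tc_rule but carries no comment, and its name no longer says what it does now that the tcout check moved out of it. A one-line header such as `# Select the marking chain named by the ":X" qualifier and strip that qualifier from $mark (writes chain, mark)` would make the side effects visible to the next reader. The `do_ipp2p` definition and the rest of process_tc_rule continue past the end of this hunk.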
@@ -66,7 +64,7 @@ process_tc_rule()
proto=${proto#*:}
;;
*)
- proto=all
+ proto=tcp
;;
esac
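Review bot: The `*)` arm now falls back to `proto=tcp` where it used to fall back to `proto=all`, which is a user-visible change for ipp2p rules, yet neither the changelog nor the release-notes hunks in this commit mention it. If narrowing to TCP is intentional, a changelog entry plus a comment on the arm, e.g. `# ipp2p defaults to tcp; an explicit ipp2p:<proto> suffix overrides this`, would record the decision (assuming the preceding arm accepts a `:proto` suffix, as the `proto=${proto#*:}` line suggests). The enclosing `do_ipp2p` function starts and ends outside this hunk.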
@@ -154,7 +152,6 @@ process_tc_rule()
esac
fi
-
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
if [ "x$dest" != "x-" ]; then
@@ -220,37 +217,69 @@ process_tc_rule()
case $sources in
$FW|$FW:*)
chain=tcout
+
+ if [ "x$mark" != "x${mark%:*}" ]; then
+ case "${mark#*:}" in
+ t|T)
+ handle_designator tcpost
+ ;;
+ ct|CT)
+ handle_designator tcpost
+ do_connmark
+ ;;
+ c|C)
+ mark=${mark%:*}
+ do_connmark
+ ;;
+ p|P|cp|CP|f|F|cf|CF)
+ fatal_error "Invalid chain designator for source \$FW; rule \"$rule\""
+ ;;
+ *)
+ chain=tcpost
+ target="CLASSIFY --set-class"
+ classid=Yes
+ ;;
+ esac
+ fi
+ ;;
+ *)
+ if [ "x$mark" != "x${mark%:*}" ]; then
+ case "${mark#*:}" in
+ p|P)
+ handle_designator tcpre
+ ;;
+ cp|CP)
+ handle_designator tcpre
+ do_connmark
+ ;;
+ f|F)
+ handle_designator tcfor
+ ;;
+ cf|CF)
+ handle_designator tcfor
+ do_connmark
+ ;;
+ t|T)
+ handle_designator tcpost
+ ;;
+ ct|CT)
+ handle_designator tcpost
+ do_connmark
+ ;;
+ c|C)
+ mark=${mark%:*}
+ do_connmark
+ ;;
+ *)
+ chain=tcpost
+ classid=Yes
+ target="CLASSIFY --set-class"
+ ;;
+ esac
+ fi
;;
esac
- if [ "$mark" != "${mark%:*}" ]; then
- case "${mark#*:}" in
- p|P)
- verify_designator tcpre
- ;;
- cp|CP)
- verify_designator tcpre
- do_connmark
- ;;
- f|F)
- verify_designator tcfor
- ;;
- cf|CF)
- verify_designator tcfor
- do_connmark
- ;;
- c|C)
- mark=${mark%:*}
- do_connmark
- ;;
- *)
- chain=tcpost
- target="CLASSIFY --set-class"
- ;;
- esac
-
- fi
-
mask=0xffff
case $mark in
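Review bot: Both `*)` default arms (following `ct|CT`/`c|C` in the `$FW` branch and `c|C` in the other) take any unrecognized `:suffix` as a CLASSIFY class id without stripping or validating it, so a mistyped qualifier such as `:X` (constructed example) is passed on to iptables as the class rather than being rejected here; the later `[ -n "$classid" ]` checks only cover the `|` and `&` forms. A comment at each default arm, e.g. `# no designator letter: treat "major:minor" as a CLASSIFY class id (left to iptables to validate)`, would make that fallthrough explicit. The two arms also set `classid=Yes` and `target=` in opposite order; using the same order in both would read more consistently. process_tc_rule continues outside this hunk on both sides.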
@@ -282,7 +311,7 @@ process_tc_rule()
mark=
;;
\|*)
- [ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"
+ [ -n "$classid" ] && fatal_error "Invalid class ID: $mark"
[ -n "$did_connmark" ] && fatal_error "Logical OR not valid with :C[FP]"
target="MARK --or-mark"
mark=${mark#|}
@@ -292,7 +321,7 @@ process_tc_rule()
fi
;;
\&*)
- [ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"
+ [ -n "$classid" ] && fatal_error "Invalid class ID: $mark"
[ -n "$did_connmark" ] && fatal_error "Logical AND not valid with :C[FP]"
target="MARK --and-mark"
mark=${mark#&}
@@ -302,7 +331,7 @@ process_tc_rule()
fi
;;
*)
- if [ "$chain" != tcpost ]; then
+ if [ -z "$classid" ]; then
validate_mark $mark
if [ $((${mark%/*})) -gt 255 ]; then
case $chain in
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index b931a8599..ccefd3ac8 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -133,6 +133,10 @@ Other Changes in 3.3.6
buffer), /sbin/shorewall will now use the 'logread' command to read
the log from that buffer. This is for combatibility with OpenWRT.
+10) There is now a ":T" qualifier in /etc/shorewall/tcrules which
+ causes the resulting rule to be inserted into the POSTROUTING
+ chain.
+
Migration Considerations:
1) Shorewall supports the notion of "default actions". A default
diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml
index 1564dc724..c497b18ac 100644
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -515,11 +515,82 @@ ppp0 6000kbit 500kbit
MARK or CLASSIFY - MARK specifies the mark value is to be
assigned in case of a match. This is an integer in the range 1-255.
This value may be optionally followed by :
and either
- F
or P
to designate that the marking
- will occur in the FORWARD or PREROUTING chains respectively. If this
- additional specification is omitted, the chain used to mark packets
- will be determined by the setting of the MARK_IN_FORWARD_CHAIN
- option in shorewall.conf.
+ F
, P
or "T" to designate that the
+ marking will occur in the FORWARD, PREROUTING or POSTROUTING chains
+ respectively. If this additional specification is omitted, the chain
+ used to mark packets will be determined as follows:
+
+
+
+ If the SOURCE is
+ $FW[:<address>], then the rule is
+ inserted in the OUTPUT chain.
+
+
+
+ Otherwise, the chain is determined by the setting of the
+ MARK_IN_FORWARD_CHAIN option in shorewall.conf.
+
+
+
+
+ The "T" qualifier was added in Shorewall version 3.3.6 and
+ is not available in earlier versions.
+
+
+ Normally, the mark is applied to the packet. If you follow the
+ mark value with ":" and "C", then the mark is applied to the
+ connection. "C" can be combined with "F", "P" or "T" to designate
+ that the connection should be marked in a particular chain (e.g.,
+ "CF", "CP", "CT").
+
+ There are additional special values available:
+
+
+
+ RESTORE[/mask] --
+ restore the packet's mark from the connection's mark using the
+ supplied mask if any. Your kernel and iptables must include
+ CONNMARK support.
+
+ As above, may be followed by :P, :F
+ or :T.
+
+
+
+ SAVE[/mask] -- save
+ the packet's mark to the connection's mark using the supplied
+ mask if any. Your kernel and iptables must include CONNMARK
+ support.
+
+ As above, may be followed by :P, :F
+ or :T.
+
+
+
+ CONTINUE Don't process
+ any more marking rules in the table.
+
+ As above, may be followed by :P, :F
+ or :T.
+
+
+
+ COMMENT -- the rest of
+ the line will be attached as a comment to the Netfilter rule(s)
+ generated by the following entries. The comment will appear
+ delimited by "/* ... */" in the output of shorewall
+ show mangle
+
+ To stop the comment from being attached to further rules,
+ simply include COMMENT on a line by itself.
+
+
To use CLASSIFY, your kernel and iptables must include
CLASSIFY target support. In that case, this column contains a
@@ -541,9 +612,9 @@ ppp0 6000kbit 500kbit
prio
- With Shorewall versions prior to 3.2.3, classify always occurs
- in the POSTROUTING chain. Beginning with Shorewall 3.2.3, classify
- occurs in the POSTROUTING chain With Shorewall versions prior to 3.2.3, classify rules are
+ always placed in the POSTROUTING chain. Beginning with Shorewall
+ 3.2.3, classification occurs in the POSTROUTING chain except when the SOURCE contains
$FW[:<address>] in which case, the
classify action takes place in the OUTPUT chain. When used with the
diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml
index a4bdf26eb..d02cdb5e3 100644
--- a/manpages/shorewall-tcrules.xml
+++ b/manpages/shorewall-tcrules.xml
@@ -77,15 +77,28 @@
$FW).
May optionally be followed by :P or :F
- where :P indicates that marking
- should occur in the PREROUTING chain and :F indicates that marking should occur in
- the FORWARD chain. If neither :P nor :F follow the mark value then the chain
- is determined by the setting of MARK_IN_FORWARD_CHAIN in
- shorewall.conf(5).
+ role="bold">:P, :F
+ or :T where :P indicates that marking should occur
+ in the PREROUTING chain, :F
+ indicates that marking should occur in the FORWARD chain and
+ :T indicates that marking
+ should occur in the POSTROUTING chain. If neither :P, :F
+ nor :T follow the mark value
+ then the chain is determined as follows:
+
+
+
+ If the SOURCE is $FW, then the rule is inserted into
+ the OUTPUT chain.
+
+
+
+ Otherwise, the chain is determined by the setting of
+ MARK_IN_FORWARD_CHAIN in shorewall.conf(5).
+
+
If your kernel and iptables include CONNMARK support then
you can also mark the connection rather than the packet.
@@ -93,7 +106,7 @@
The mark value may be optionally followed by "/" and a
mask value (used to determine those bits of the connection mark
to actually be set). The mark and optional mask are then
- followed by one of:
+ followed by one of:+
@@ -120,6 +133,14 @@
Mark the connection in the PREROUTING chain.
+
+
+ CT
+
+
+ Mark the connecdtion in the POSTROUTING chain
+
+
@@ -149,7 +170,7 @@
minor class is the class's MARK value in
shorewall-tcclasses(5) preceded by the number 1 (MARK 1
corresponds to minor class 11, MARK 5 corresponds to minor class
- 15, MARK 22 corresponds to minor class 122, etc.).
+ 15, MARK 22 corresponds to minor class 122, etc.).