From 75554a06bee49056132ec0a5c86b0eaf9b7c66de Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 8 Dec 2006 22:43:46 +0000 Subject: [PATCH] Allow tcrules in the POSTROUTING chain git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5066 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 2 + Shorewall/lib.tcrules | 105 +++++++++++++++++++++------------ Shorewall/releasenotes.txt | 4 ++ docs/traffic_shaping.xml | 87 ++++++++++++++++++++++++--- manpages/shorewall-tcrules.xml | 43 ++++++++++---- 5 files changed, 184 insertions(+), 57 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 10c9fb981..d480093dd 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -23,6 +23,8 @@ Changes in 3.3.6 11) Allow in-memory circular buffer for system log. +12) Add ":T" qualifier in tcrules. + Changes in 3.3.5 1) Restore default route when there are no 'balance' providers. diff --git a/Shorewall/lib.tcrules b/Shorewall/lib.tcrules index 6165ebefc..0d808b7c4 100644 --- a/Shorewall/lib.tcrules +++ b/Shorewall/lib.tcrules @@ -45,20 +45,18 @@ # process_tc_rule() { - local did_connmark= multiport= + local did_connmark= multiport= classid= chain=$MARKING_CHAIN target="MARK --set-mark" marktest= - verify_designator() { - [ "$chain" = tcout ] && \ - fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\"" + handle_designator() { chain=$1 mark="${mark%:*}" } do_ipp2p() { - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. TC Rule: \"$rule\"" [ "x$port" = "x-" ] && port="ipp2p" case $proto in @@ -66,7 +64,7 @@ process_tc_rule() proto=${proto#*:} ;; *) - proto=all + proto=tcp ;; esac @@ -154,7 +152,6 @@ process_tc_rule() esac fi - [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval " if [ "x$dest" != "x-" ]; then @@ -220,37 +217,69 @@ process_tc_rule() case $sources in $FW|$FW:*) chain=tcout + + if [ "x$mark" != "x${mark%:*}" ]; then + case "${mark#*:}" in + t|T) + handle_designator tcpost + ;; + ct|CT) + handle_designator tcpost + do_connmark + ;; + c|C) + mark=${mark%:*} + do_connmark + ;; + p|P|cp|CP|f|F|cf|CF) + fatal_error "Invalid chain designator for source \$FW; rule \"$rule\"" + ;; + *) + chain=tcpost + target="CLASSIFY --set-class" + classid=Yes + ;; + esac + fi + ;; + *) + if [ "x$mark" != "x${mark%:*}" ]; then + case "${mark#*:}" in + p|P) + handle_designator tcpre + ;; + cp|CP) + handle_designator tcpre + do_connmark + ;; + f|F) + handle_designator tcfor + ;; + cf|CF) + handle_designator tcfor + do_connmark + ;; + t|T) + handle_designator tcpost + ;; + ct|CT) + handle_designator tcpost + do_connmark + ;; + c|C) + mark=${mark%:*} + do_connmark + ;; + *) + chain=tcpost + classid=Yes + target="CLASSIFY --set-class" + ;; + esac + fi ;; esac - if [ "$mark" != "${mark%:*}" ]; then - case "${mark#*:}" in - p|P) - verify_designator tcpre - ;; - cp|CP) - verify_designator tcpre - do_connmark - ;; - f|F) - verify_designator tcfor - ;; - cf|CF) - verify_designator tcfor - do_connmark - ;; - c|C) - mark=${mark%:*} - do_connmark - ;; - *) - chain=tcpost - target="CLASSIFY --set-class" - ;; - esac - - fi - mask=0xffff case $mark in @@ -282,7 +311,7 @@ process_tc_rule() mark= ;; \|*) - [ $chain = tcpost ] && fatal_error "Invalid class ID: $mark" + [ -n "$classid" ] && fatal_error "Invalid class ID: $mark" [ -n "$did_connmark" ] && fatal_error "Logical OR not valid with :C[FP]" target="MARK --or-mark" mark=${mark#|} @@ -292,7 +321,7 @@ process_tc_rule() fi ;; \&*) - [ $chain = tcpost ] && fatal_error "Invalid class ID: $mark" + [ -n "$classid" ] && fatal_error "Invalid class ID: $mark" [ -n "$did_connmark" ] && fatal_error "Logical AND not valid with :C[FP]" target="MARK --and-mark" mark=${mark#&} @@ -302,7 +331,7 @@ process_tc_rule() fi ;; *) - if [ "$chain" != tcpost ]; then + if [ -z "$classid" ]; then validate_mark $mark if [ $((${mark%/*})) -gt 255 ]; then case $chain in diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index b931a8599..ccefd3ac8 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -133,6 +133,10 @@ Other Changes in 3.3.6 buffer), /sbin/shorewall will now use the 'logread' command to read the log from that buffer. This is for combatibility with OpenWRT. +10) There is now a ":T" qualifier in /etc/shorewall/tcrules which + causes the resulting rule to be inserted into the POSTROUTING + chain. + Migration Considerations: 1) Shorewall supports the notion of "default actions". A default diff --git a/docs/traffic_shaping.xml b/docs/traffic_shaping.xml index 1564dc724..c497b18ac 100644 --- a/docs/traffic_shaping.xml +++ b/docs/traffic_shaping.xml @@ -515,11 +515,82 @@ ppp0 6000kbit 500kbit MARK or CLASSIFY - MARK specifies the mark value is to be assigned in case of a match. This is an integer in the range 1-255. This value may be optionally followed by : and either - F or P to designate that the marking - will occur in the FORWARD or PREROUTING chains respectively. If this - additional specification is omitted, the chain used to mark packets - will be determined by the setting of the MARK_IN_FORWARD_CHAIN - option in shorewall.conf. + F, P or "T" to designate that the + marking will occur in the FORWARD, PREROUTING or POSTROUTING chains + respectively. If this additional specification is omitted, the chain + used to mark packets will be determined as follows: + + + + If the SOURCE is + $FW[:<address>], then the rule is + inserted in the OUTPUT chain. + + + + Otherwise, the chain is determined by the setting of the + MARK_IN_FORWARD_CHAIN option in shorewall.conf. + + + + + The "T" qualifier was added in Shorewall version 3.3.6 and + is not available in earlier versions. + + + Normally, the mark is applied to the packet. If you follow the + mark value with ":" and "C", then the mark is applied to the + connection. "C" can be combined with "F", "P" or "T" to designate + that the connection should be marked in a particular chain (e.g., + "CF", "CP", "CT"). + + There are additional special values available: + + + + RESTORE[/mask] -- + restore the packet's mark from the connection's mark using the + supplied mask if any. Your kernel and iptables must include + CONNMARK support. + + As above, may be followed by :P, :F + or :T. + + + + SAVE[/mask] -- save + the packet's mark to the connection's mark using the supplied + mask if any. Your kernel and iptables must include CONNMARK + support. + + As above, may be followed by :P, :F + or :T. + + + + CONTINUE Don't process + any more marking rules in the table. + + As above, may be followed by :P, :F + or :T. + + + + COMMENT -- the rest of + the line will be attached as a comment to the Netfilter rule(s) + generated by the following entries. The comment will appear + delimited by "/* ... */" in the output of shorewall + show mangle + + To stop the comment from being attached to further rules, + simply include COMMENT on a line by itself. + + To use CLASSIFY, your kernel and iptables must include CLASSIFY target support. In that case, this column contains a @@ -541,9 +612,9 @@ ppp0 6000kbit 500kbit prio - With Shorewall versions prior to 3.2.3, classify always occurs - in the POSTROUTING chain. Beginning with Shorewall 3.2.3, classify - occurs in the POSTROUTING chain With Shorewall versions prior to 3.2.3, classify rules are + always placed in the POSTROUTING chain. Beginning with Shorewall + 3.2.3, classification occurs in the POSTROUTING chain except when the SOURCE contains $FW[:<address>] in which case, the classify action takes place in the OUTPUT chain. When used with the diff --git a/manpages/shorewall-tcrules.xml b/manpages/shorewall-tcrules.xml index a4bdf26eb..d02cdb5e3 100644 --- a/manpages/shorewall-tcrules.xml +++ b/manpages/shorewall-tcrules.xml @@ -77,15 +77,28 @@ $FW). May optionally be followed by :P or :F - where :P indicates that marking - should occur in the PREROUTING chain and :F indicates that marking should occur in - the FORWARD chain. If neither :P nor :F follow the mark value then the chain - is determined by the setting of MARK_IN_FORWARD_CHAIN in - shorewall.conf(5). + role="bold">:P, :F + or :T where :P indicates that marking should occur + in the PREROUTING chain, :F + indicates that marking should occur in the FORWARD chain and + :T indicates that marking + should occur in the POSTROUTING chain. If neither :P, :F + nor :T follow the mark value + then the chain is determined as follows: + + + + If the SOURCE is $FW, then the rule is inserted into + the OUTPUT chain. + + + + Otherwise, the chain is determined by the setting of + MARK_IN_FORWARD_CHAIN in shorewall.conf(5). + + If your kernel and iptables include CONNMARK support then you can also mark the connection rather than the packet. @@ -93,7 +106,7 @@ The mark value may be optionally followed by "/" and a mask value (used to determine those bits of the connection mark to actually be set). The mark and optional mask are then - followed by one of: + followed by one of:+ @@ -120,6 +133,14 @@ Mark the connection in the PREROUTING chain. + + + CT + + + Mark the connecdtion in the POSTROUTING chain + + @@ -149,7 +170,7 @@ minor class is the class's MARK value in shorewall-tcclasses(5) preceded by the number 1 (MARK 1 corresponds to minor class 11, MARK 5 corresponds to minor class - 15, MARK 22 corresponds to minor class 122, etc.). + 15, MARK 22 corresponds to minor class 122, etc.).