Allow tcrules in the POSTROUTING chain
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5066 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
6d0deec4c8
commit
75554a06be
@ -23,6 +23,8 @@ Changes in 3.3.6
|
|||||||
|
|
||||||
11) Allow in-memory circular buffer for system log.
|
11) Allow in-memory circular buffer for system log.
|
||||||
|
|
||||||
|
12) Add ":T" qualifier in tcrules.
|
||||||
|
|
||||||
Changes in 3.3.5
|
Changes in 3.3.5
|
||||||
|
|
||||||
1) Restore default route when there are no 'balance' providers.
|
1) Restore default route when there are no 'balance' providers.
|
||||||
|
@ -45,20 +45,18 @@
|
|||||||
#
|
#
|
||||||
process_tc_rule()
|
process_tc_rule()
|
||||||
{
|
{
|
||||||
local did_connmark= multiport=
|
local did_connmark= multiport= classid=
|
||||||
|
|
||||||
chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
|
chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
|
||||||
|
|
||||||
verify_designator() {
|
handle_designator() {
|
||||||
[ "$chain" = tcout ] && \
|
|
||||||
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
|
|
||||||
chain=$1
|
chain=$1
|
||||||
mark="${mark%:*}"
|
mark="${mark%:*}"
|
||||||
}
|
}
|
||||||
|
|
||||||
do_ipp2p()
|
do_ipp2p()
|
||||||
{
|
{
|
||||||
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\""
|
[ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. TC Rule: \"$rule\""
|
||||||
[ "x$port" = "x-" ] && port="ipp2p"
|
[ "x$port" = "x-" ] && port="ipp2p"
|
||||||
|
|
||||||
case $proto in
|
case $proto in
|
||||||
@ -66,7 +64,7 @@ process_tc_rule()
|
|||||||
proto=${proto#*:}
|
proto=${proto#*:}
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
proto=all
|
proto=tcp
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
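Review bot: The default protocol for ipp2p matches changes from `proto=all` to `proto=tcp` in the `*)` arm of do_ipp2p, which is unrelated to the POSTROUTING designator this commit adds and is not mentioned in the changelog or release-notes hunks. Existing tcrules entries that relied on the previous `all` default may silently stop matching non-TCP traffic, so if the change is intentional it deserves a changelog line and a comment at that arm, e.g. `# no explicit protocol after 'ipp2p:' -- default to tcp`. The enclosing `case $proto in` starts outside this hunk.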
@ -154,7 +152,6 @@ process_tc_rule()
|
|||||||
esac
|
esac
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
|
||||||
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
|
[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
|
||||||
|
|
||||||
if [ "x$dest" != "x-" ]; then
|
if [ "x$dest" != "x-" ]; then
|
||||||
@ -220,23 +217,53 @@ process_tc_rule()
|
|||||||
case $sources in
|
case $sources in
|
||||||
$FW|$FW:*)
|
$FW|$FW:*)
|
||||||
chain=tcout
|
chain=tcout
|
||||||
|
|
||||||
|
if [ "x$mark" != "x${mark%:*}" ]; then
|
||||||
|
case "${mark#*:}" in
|
||||||
|
t|T)
|
||||||
|
handle_designator tcpost
|
||||||
|
;;
|
||||||
|
ct|CT)
|
||||||
|
handle_designator tcpost
|
||||||
|
do_connmark
|
||||||
|
;;
|
||||||
|
c|C)
|
||||||
|
mark=${mark%:*}
|
||||||
|
do_connmark
|
||||||
|
;;
|
||||||
|
p|P|cp|CP|f|F|cf|CF)
|
||||||
|
fatal_error "Invalid chain designator for source \$FW; rule \"$rule\""
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
chain=tcpost
|
||||||
|
target="CLASSIFY --set-class"
|
||||||
|
classid=Yes
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
fi
|
||||||
if [ "$mark" != "${mark%:*}" ]; then
|
;;
|
||||||
|
*)
|
||||||
|
if [ "x$mark" != "x${mark%:*}" ]; then
|
||||||
case "${mark#*:}" in
|
case "${mark#*:}" in
|
||||||
p|P)
|
p|P)
|
||||||
verify_designator tcpre
|
handle_designator tcpre
|
||||||
;;
|
;;
|
||||||
cp|CP)
|
cp|CP)
|
||||||
verify_designator tcpre
|
handle_designator tcpre
|
||||||
do_connmark
|
do_connmark
|
||||||
;;
|
;;
|
||||||
f|F)
|
f|F)
|
||||||
verify_designator tcfor
|
handle_designator tcfor
|
||||||
;;
|
;;
|
||||||
cf|CF)
|
cf|CF)
|
||||||
verify_designator tcfor
|
handle_designator tcfor
|
||||||
|
do_connmark
|
||||||
|
;;
|
||||||
|
t|T)
|
||||||
|
handle_designator tcpost
|
||||||
|
;;
|
||||||
|
ct|CT)
|
||||||
|
handle_designator tcpost
|
||||||
do_connmark
|
do_connmark
|
||||||
;;
|
;;
|
||||||
c|C)
|
c|C)
|
||||||
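Review bot: The designator table is now duplicated — the `t|T`, `ct|CT`, `c|C` and default CLASSIFY arms appear once under `$FW|$FW:*)` and again under `*)`, differing only in the `p|P|cp|CP|f|F|cf|CF)` arm that rejects those designators for the firewall source, so every future designator has to be added in two places. The same effect is available with a single case block if the rejection stays in handle_designator, e.g. `[ "$chain" = tcout ] && [ "$1" != tcpost ] && fatal_error "Invalid chain designator for source \$FW; rule \"$rule\""` before `chain=$1`, since only the PREROUTING and FORWARD designators are invalid for `$FW`. The default arm under `$FW|$FW:*)` still overrides `chain=tcout` with `chain=tcpost` for CLASSIFY, as the old code did; if the OUTPUT-chain placement described in the traffic_shaping documentation hunk is applied later in the function, a one-line comment at that arm saying so would save the next reader the search. In the last hunk, `tcpost` can now reach the `case $chain in` under `[ -z "$classid" ]` with a MARK target, which was unreachable before this commit, so confirm that case has an arm or acceptable default for tcpost; the `*)` branch of `case $sources` here continues outside the hunk.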
@ -245,11 +272,13 @@ process_tc_rule()
|
|||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
chain=tcpost
|
chain=tcpost
|
||||||
|
classid=Yes
|
||||||
target="CLASSIFY --set-class"
|
target="CLASSIFY --set-class"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
||||||
fi
|
fi
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
mask=0xffff
|
mask=0xffff
|
||||||
|
|
||||||
@ -282,7 +311,7 @@ process_tc_rule()
|
|||||||
mark=
|
mark=
|
||||||
;;
|
;;
|
||||||
\|*)
|
\|*)
|
||||||
[ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"
|
[ -n "$classid" ] && fatal_error "Invalid class ID: $mark"
|
||||||
[ -n "$did_connmark" ] && fatal_error "Logical OR not valid with :C[FP]"
|
[ -n "$did_connmark" ] && fatal_error "Logical OR not valid with :C[FP]"
|
||||||
target="MARK --or-mark"
|
target="MARK --or-mark"
|
||||||
mark=${mark#|}
|
mark=${mark#|}
|
||||||
@ -292,7 +321,7 @@ process_tc_rule()
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
\&*)
|
\&*)
|
||||||
[ $chain = tcpost ] && fatal_error "Invalid class ID: $mark"
|
[ -n "$classid" ] && fatal_error "Invalid class ID: $mark"
|
||||||
[ -n "$did_connmark" ] && fatal_error "Logical AND not valid with :C[FP]"
|
[ -n "$did_connmark" ] && fatal_error "Logical AND not valid with :C[FP]"
|
||||||
target="MARK --and-mark"
|
target="MARK --and-mark"
|
||||||
mark=${mark#&}
|
mark=${mark#&}
|
||||||
@ -302,7 +331,7 @@ process_tc_rule()
|
|||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if [ "$chain" != tcpost ]; then
|
if [ -z "$classid" ]; then
|
||||||
validate_mark $mark
|
validate_mark $mark
|
||||||
if [ $((${mark%/*})) -gt 255 ]; then
|
if [ $((${mark%/*})) -gt 255 ]; then
|
||||||
case $chain in
|
case $chain in
|
||||||
|
@ -133,6 +133,10 @@ Other Changes in 3.3.6
|
|||||||
buffer), /sbin/shorewall will now use the 'logread' command to read
|
buffer), /sbin/shorewall will now use the 'logread' command to read
|
||||||
the log from that buffer. This is for combatibility with OpenWRT.
|
the log from that buffer. This is for combatibility with OpenWRT.
|
||||||
|
|
||||||
|
10) There is now a ":T" qualifier in /etc/shorewall/tcrules which
|
||||||
|
causes the resulting rule to be inserted into the POSTROUTING
|
||||||
|
chain.
|
||||||
|
|
||||||
Migration Considerations:
|
Migration Considerations:
|
||||||
|
|
||||||
1) Shorewall supports the notion of "default actions". A default
|
1) Shorewall supports the notion of "default actions". A default
|
||||||
|
@ -515,11 +515,82 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
<para>MARK or CLASSIFY - MARK specifies the mark value is to be
|
<para>MARK or CLASSIFY - MARK specifies the mark value is to be
|
||||||
assigned in case of a match. This is an integer in the range 1-255.
|
assigned in case of a match. This is an integer in the range 1-255.
|
||||||
This value may be optionally followed by <quote>:</quote> and either
|
This value may be optionally followed by <quote>:</quote> and either
|
||||||
<quote>F</quote> or <quote>P</quote> to designate that the marking
|
<quote>F</quote>, <quote>P</quote> or "T" to designate that the
|
||||||
will occur in the FORWARD or PREROUTING chains respectively. If this
|
marking will occur in the FORWARD, PREROUTING or POSTROUTING chains
|
||||||
additional specification is omitted, the chain used to mark packets
|
respectively. If this additional specification is omitted, the chain
|
||||||
will be determined by the setting of the MARK_IN_FORWARD_CHAIN
|
used to mark packets will be determined as follows:</para>
|
||||||
option in shorewall.conf.</para>
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>If the SOURCE is
|
||||||
|
$FW[:<<emphasis>address</emphasis>>], then the rule is
|
||||||
|
inserted in the OUTPUT chain.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Otherwise, the chain is determined by the setting of the
|
||||||
|
MARK_IN_FORWARD_CHAIN option in shorewall.conf.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<note>
|
||||||
|
<para>The "T" qualifier was added in Shorewall version 3.3.6 and
|
||||||
|
is not available in earlier versions.</para>
|
||||||
|
</note>
|
||||||
|
|
||||||
|
<para>Normally, the mark is applied to the packet. If you follow the
|
||||||
|
mark value with ":" and "C", then the mark is applied to the
|
||||||
|
connection. "C" can be combined with "F", "P" or "T" to designate
|
||||||
|
that the connection should be marked in a particular chain (e.g.,
|
||||||
|
"CF", "CP", "CT").</para>
|
||||||
|
|
||||||
|
<para>There are additional special values available:</para>
|
||||||
|
|
||||||
|
<orderedlist numeration="loweralpha">
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis
|
||||||
|
role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
|
||||||
|
restore the packet's mark from the connection's mark using the
|
||||||
|
supplied mask if any. Your kernel and iptables must include
|
||||||
|
CONNMARK support.</para>
|
||||||
|
|
||||||
|
<para>As above, may be followed by <emphasis
|
||||||
|
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
|
||||||
|
or <emphasis role="bold">:T</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis
|
||||||
|
role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
|
||||||
|
the packet's mark to the connection's mark using the supplied
|
||||||
|
mask if any. Your kernel and iptables must include CONNMARK
|
||||||
|
support.</para>
|
||||||
|
|
||||||
|
<para>As above, may be followed by <emphasis
|
||||||
|
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
|
||||||
|
or <emphasis role="bold">:T</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">CONTINUE</emphasis> Don't process
|
||||||
|
any more marking rules in the table.</para>
|
||||||
|
|
||||||
|
<para>As above, may be followed by <emphasis
|
||||||
|
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
|
||||||
|
or <emphasis role="bold">:T</emphasis>.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para><emphasis role="bold">COMMENT</emphasis> -- the rest of
|
||||||
|
the line will be attached as a comment to the Netfilter rule(s)
|
||||||
|
generated by the following entries. The comment will appear
|
||||||
|
delimited by "/* ... */" in the output of <command>shorewall
|
||||||
|
show mangle</command></para>
|
||||||
|
|
||||||
|
<para>To stop the comment from being attached to further rules,
|
||||||
|
simply include COMMENT on a line by itself.</para>
|
||||||
|
</listitem>
|
||||||
|
</orderedlist>
|
||||||
|
|
||||||
<para>To use CLASSIFY, your kernel and iptables must include
|
<para>To use CLASSIFY, your kernel and iptables must include
|
||||||
CLASSIFY target support. In that case, this column contains a
|
CLASSIFY target support. In that case, this column contains a
|
||||||
@ -541,9 +612,9 @@ ppp0 6000kbit 500kbit</programlisting>
|
|||||||
<member>prio</member>
|
<member>prio</member>
|
||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>With Shorewall versions prior to 3.2.3, classify always occurs
|
<para>With Shorewall versions prior to 3.2.3, classify rules are
|
||||||
in the POSTROUTING chain. Beginning with Shorewall 3.2.3, classify
|
always placed in the POSTROUTING chain. Beginning with Shorewall
|
||||||
occurs in the POSTROUTING chain <emphasis
|
3.2.3, classification occurs in the POSTROUTING chain <emphasis
|
||||||
role="bold">except</emphasis> when the SOURCE contains
|
role="bold">except</emphasis> when the SOURCE contains
|
||||||
$FW[:<<emphasis>address</emphasis>>] in which case, the
|
$FW[:<<emphasis>address</emphasis>>] in which case, the
|
||||||
classify action takes place in the OUTPUT chain. When used with the
|
classify action takes place in the OUTPUT chain. When used with the
|
||||||
|
@ -77,15 +77,28 @@
|
|||||||
<emphasis role="bold">$FW</emphasis>).</para>
|
<emphasis role="bold">$FW</emphasis>).</para>
|
||||||
|
|
||||||
<para>May optionally be followed by <emphasis
|
<para>May optionally be followed by <emphasis
|
||||||
role="bold">:P</emphasis> or <emphasis role="bold">:F</emphasis>
|
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
|
||||||
where<emphasis role="bold"> :P</emphasis> indicates that marking
|
or <emphasis role="bold">:T</emphasis> where<emphasis
|
||||||
should occur in the PREROUTING chain and <emphasis
|
role="bold"> :P</emphasis> indicates that marking should occur
|
||||||
role="bold">:F</emphasis> indicates that marking should occur in
|
in the PREROUTING chain, <emphasis role="bold">:F</emphasis>
|
||||||
the FORWARD chain. If neither <emphasis
|
indicates that marking should occur in the FORWARD chain and
|
||||||
role="bold">:P</emphasis> nor <emphasis
|
<emphasis role="bold">:T</emphasis> indicates that marking
|
||||||
role="bold">:F</emphasis> follow the mark value then the chain
|
should occur in the POSTROUTING chain. If neither <emphasis
|
||||||
is determined by the setting of MARK_IN_FORWARD_CHAIN in
|
role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
|
||||||
shorewall.conf(5).</para>
|
nor <emphasis role="bold">:T</emphasis> follow the mark value
|
||||||
|
then the chain is determined as follows:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>If the SOURCE is $FW, then the rule is inserted into
|
||||||
|
the OUTPUT chain.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Otherwise, the chain is determined by the setting of
|
||||||
|
MARK_IN_FORWARD_CHAIN in shorewall.conf(5).</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
<para>If your kernel and iptables include CONNMARK support then
|
<para>If your kernel and iptables include CONNMARK support then
|
||||||
you can also mark the connection rather than the packet.</para>
|
you can also mark the connection rather than the packet.</para>
|
||||||
@ -93,7 +106,7 @@
|
|||||||
<para>The mark value may be optionally followed by "/" and a
|
<para>The mark value may be optionally followed by "/" and a
|
||||||
mask value (used to determine those bits of the connection mark
|
mask value (used to determine those bits of the connection mark
|
||||||
to actually be set). The mark and optional mask are then
|
to actually be set). The mark and optional mask are then
|
||||||
followed by one of:</para>
|
followed by one of:+</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
@ -120,6 +133,14 @@
|
|||||||
<para>Mark the connection in the PREROUTING chain.</para>
|
<para>Mark the connection in the PREROUTING chain.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term>CT</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Mark the connecdtion in the POSTROUTING chain</para>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -149,7 +170,7 @@
|
|||||||
<emphasis>minor</emphasis> class is the class's MARK value in
|
<emphasis>minor</emphasis> class is the class's MARK value in
|
||||||
shorewall-tcclasses(5) preceded by the number 1 (MARK 1
|
shorewall-tcclasses(5) preceded by the number 1 (MARK 1
|
||||||
corresponds to minor class 11, MARK 5 corresponds to minor class
|
corresponds to minor class 11, MARK 5 corresponds to minor class
|
||||||
15, MARK 22 corresponds to minor class 122, etc.). </para>
|
15, MARK 22 corresponds to minor class 122, etc.).</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
|