holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add ZERO_MARKS option

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-09-26 16:04:26 -07:00
parent 3f8ddb11ab
commit 792b3b696c
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
14 changed files with 60 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Config.pm
View File

@ -897,6 +897,7 @@ sub initialize( $;$$) {
PAGER => undef ,
MINIUPNPD => undef ,
VERBOSE_MESSAGES => undef ,
ZERO_MARKS => undef ,
#
# Packet Disposition
#
@ -6292,6 +6293,7 @@ sub get_configuration( $$$$ ) {
default_yes_no 'DEFER_DNS_RESOLUTION' , 'Yes';
default_yes_no 'MINIUPNPD' , '';
default_yes_no 'VERBOSE_MESSAGES' , 'Yes';
default_yes_no 'ZERO_MARKS' , '';
$config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset';

5
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -128,7 +128,10 @@ sub setup_route_marking() {
#
# Clear the mark -- we have seen cases where the mark is non-zero even in the raw table chains!
#
add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
if ( $config{ZERO_MARKS} ) {
add_ijump( $mangle_table->{$_}, j => 'MARK', targetopts => '--set-mark 0' ) for qw/PREROUTING OUTPUT/;
}
if ( $config{RESTORE_ROUTEMARKS} ) {
add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;

2
Shorewall/Samples/Universal/shorewall.conf
View File

@ -248,6 +248,8 @@ WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################

2
Shorewall/Samples/one-interface/shorewall.conf
View File

@ -259,6 +259,8 @@ WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################

2
Shorewall/Samples/three-interfaces/shorewall.conf
View File

@ -256,6 +256,8 @@ WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################

2
Shorewall/Samples/two-interfaces/shorewall.conf
View File

@ -259,6 +259,8 @@ WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################

2
Shorewall/configfiles/shorewall.conf
View File

@ -248,6 +248,8 @@ WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################

17
Shorewall/manpages/shorewall.conf.xml
View File

@ -2947,6 +2947,23 @@ INLINE - - - ;; -j REJECT
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.0.12, this is a workaround for an issue
where packet marks are not zeroed by the kernel. It should be set to
No (the default) unless you find that incoming packets are being
mis-routed for no apparent reasons.</para>
<caution>
<para>Do not set this option to Yes if you have IPSEC software
running on the firewall system.</para>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>

2
Shorewall6/Samples6/Universal/shorewall6.conf
View File

@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################

2
Shorewall6/Samples6/one-interface/shorewall6.conf
View File

@ -220,6 +220,8 @@ WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################

2
Shorewall6/Samples6/three-interfaces/shorewall6.conf
View File

@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################

2
Shorewall6/Samples6/two-interfaces/shorewall6.conf
View File

@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################

2
Shorewall6/configfiles/shorewall6.conf
View File

@ -219,6 +219,8 @@ WARNOLDCAPVERSION=Yes
WORKAROUNDS=No
ZERO_MARKS=No
ZONE2ZONE=-
###############################################################################

17
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -2604,6 +2604,23 @@ INLINE - - - ;; -j REJECT
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ZERO_MARKS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 5.0.12, this is a workaround for an issue
where packet marks are not zeroed by the kernel. It should be set to
No (the default) unless you find that incoming packets are being
mis-routed for no apparent reasons.</para>
<caution>
<para>Do not set this option to Yes if you have IPSEC software
running on the firewall system.</para>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">ZONE_BITS</emphasis>=[<replaceable>number</replaceable>]</term>