Add TC connmark support

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2020-07-07 15:39:23 -07:00 · 2020-07-07 15:39:23 -07:00 · 89201bd294
commit 89201bd294
parent b617c8d224
3 changed files with 19 additions and 4 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=50200
+SHOREWALL_CAPVERSION=50207

 if [ -z "$g_basedir" ]; then
    #
@ -2878,6 +2878,7 @@ determine_capabilities() {
    NETMAP_TARGET=
    NFLOG_SIZE=
    RESTORE_WAIT_OPTION=
+    CONNMARK_ACTION=

    AMANDA_HELPER=
    FTP_HELPER=
@ -3245,6 +3246,10 @@ determine_capabilities() {
 	    BASIC_FILTER=Yes
 	    $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
 	fi
+
+	if $TC action add connmark help 2>&1 | grep -q ^Usage; then
+	    CONNMARK_ACTION=Yes
+	fi
    fi

    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
@ -3388,6 +3393,7 @@ report_capabilities_unsorted() {
    report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
    report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
    report_capability "INPUT chain in nat table (NAT_INPUT_CHAIN)" $NAT_INPUT_CHAIN
+    report_capability "TC connmark support (CONNMARK_ACTION)" $CONNMARK_ACTION

    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
@ -3494,6 +3500,7 @@ report_capabilities_unsorted1() {
    report_capability1 NFLOG_SIZE
    report_capability1 RESTORE_WAIT_OPTION
    report_capability1 NAT_INPUT_CHAIN
+    report_capability1 CONNMARK_ACTION

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -502,6 +502,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RESTORE_WAIT_OPTION
 				 => 'iptables-restore --wait option',
                 NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
+		 CONNMARK_ACTION => 'TC connmark support',
 		 #
 		 # Helpers
 		 #
@ -883,8 +884,8 @@ sub initialize($;$$$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => '5.2.4.1',
-		    CAPVERSION              => 50200 ,
+		    VERSION                 => '5.2.7-Beta1',
+		    CAPVERSION              => 50207 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
 		    MACLIST_LOG_TAG         => '',
@ -1178,6 +1179,7 @@ sub initialize($;$$$$) {
 	       NFLOG_SIZE => undef,
 	       RESTORE_WAIT_OPTION => undef,
 	       NAT_INPUT_CHAIN => undef,
+	       CONNMARK_ACTION => undef ,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@ -5052,6 +5054,10 @@ sub Basic_Filter() {
    $tc && system( "$tc filter add basic help 2>&1 | grep -q ^Usage" ) == 0;
 }

+sub Connmark_Action() {
+    $tc && system( "$tc action add connmark help 2>&1 | grep -q ^Usage" ) == 0;
+}
+
 sub Basic_Ematch() {
    $tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
 }
@ -5181,6 +5187,7 @@ our %detect_capability =
      COMMENTS => \&Comments,
      CONNLIMIT_MATCH => \&Connlimit_Match,
      CONNMARK => \&Connmark,
+      CONNMARK_ACTION => \&Connmark_Action,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
      CPU_FANOUT => \&Cpu_Fanout,
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -459,6 +459,7 @@ sub validate_tc_device( ) {
 		fatal_error "Invalid tsize ($1)" unless defined $tsize;
 		fatal_error q('tsize' requires 'linklayer') unless $linklayer; 
 	    } elsif ( $option eq 'connmark' ) {
+		require_capability( 'CONNMARK_ACTION', q(The 'connmark' option), 's' );
 		$connmark = 1;
 	    } else {
 		fatal_error "Unknown device option ($option)";
@ -1870,7 +1871,7 @@ sub process_traffic_shaping() {
 	    for my $rdev ( @{$devref->{redirected}} ) {
 		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
-		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 ".($devref->{'connmark'} ? ' action connmark' : '')." action mirred egress redirect dev $device > /dev/null" );
+		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0".($devref->{'connmark'} ? ' action connmark' : '')." action mirred egress redirect dev $device > /dev/null" );
 	    }

 	    for my $class ( @tcclasses ) {