holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Fix merge conflicts

Browse Source
This commit is contained in:
Tom Eastep 2009-04-20 16:16:13 -07:00
commit 905ffb0f98
23 changed files with 303 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Samples/one-interface/shorewall.conf
View File

@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No AUTOMAKE=No
WIDE_TC_MARKS=Yes
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

2
Samples/three-interfaces/shorewall.conf
View File

@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No AUTOMAKE=No
WIDE_TC_MARKS=Yes
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

2
Samples/two-interfaces/shorewall.conf
View File

@ -188,6 +188,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No AUTOMAKE=No
WIDE_TC_MARKS=Yes
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

2
Samples6/one-interface/shorewall6.conf
View File

@ -137,6 +137,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No AUTOMAKE=No
WIDE_TC_MARKS=Yes
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

2
Samples6/three-interfaces/shorewall6.conf
View File

@ -137,6 +137,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No AUTOMAKE=No
WIDE_TC_MARKS=Yes
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

2
Samples6/two-interfaces/shorewall6.conf
View File

@ -137,6 +137,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No AUTOMAKE=No
WIDE_TC_MARKS=Yes
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

21
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -1482,19 +1482,34 @@ sub mac_match( $ ) {
# #
sub verify_mark( $ ) { sub verify_mark( $ ) {
my $mark = $_[0]; my $mark = $_[0];
my $limit = $config{HIGH_ROUTE_MARKS} ? 0xFFFF : 0xFF; my $limit;
my $mask;
my $value = numeric_value( $mark ); my $value = numeric_value( $mark );
if ( $config{HIGH_ROUTE_MARKS} ) {
if ( $config{WIDE_TC_MARKS} ) {
$limit = 0xFFFFFF;
$mask = 0xFFFF;
} else {
$limit = 0xFFFF;
$mask = 0xFF;
}
} elsif ( $config{WIDE_TC_MARKS} ) {
$limit = $mask = 0x3FFF;
} else {
$limit = $mask = 0xFF;
}
fatal_error "Invalid Mark or Mask value ($mark)" fatal_error "Invalid Mark or Mask value ($mark)"
unless defined( $value ) && $value <= $limit; unless defined( $value ) && $value <= $limit;
fatal_error "Invalid High Mark or Mask value ($mark)" fatal_error "Invalid High Mark or Mask value ($mark)"
if ( $value > 0xFF && $value & 0xFF ); if ( $value > $mask && $value & $mask );
} }
sub verify_small_mark( $ ) { sub verify_small_mark( $ ) {
verify_mark ( (my $mark) = $_[0] ); verify_mark ( (my $mark) = $_[0] );
fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > 0xFF; fatal_error "Mark value ($mark) too large" if numeric_value( $mark ) > ( $config{WIDE_TC_MARKS} ? 0x03FF : 0xFF );
} }
sub validate_mark( $ ) { sub validate_mark( $ ) {

7
Shorewall/Perl/Shorewall/Config.pm
View File

@ -434,6 +434,7 @@ sub initialize( $ ) {
RESTORE_DEFAULT_ROUTE => undef , RESTORE_DEFAULT_ROUTE => undef ,
FAST_STOP => undef , FAST_STOP => undef ,
AUTOMAKE => undef , AUTOMAKE => undef ,
WIDE_TC_MARKS => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -536,6 +537,7 @@ sub initialize( $ ) {
AUTO_COMMENT => undef, AUTO_COMMENT => undef,
MANGLE_ENABLED => undef , MANGLE_ENABLED => undef ,
AUTOMAKE => undef , AUTOMAKE => undef ,
WIDE_TC_MARKS => undef,
# #
# Packet Disposition # Packet Disposition
# #
@ -733,15 +735,19 @@ sub assert( $ ) {
# Convert value to decimal number # Convert value to decimal number
# #
sub numeric_value ( $ ) { sub numeric_value ( $ ) {
no warnings;
my $mark = lc $_[0]; my $mark = lc $_[0];
return undef unless $mark =~ /^-?(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/; return undef unless $mark =~ /^-?(0x[a-f0-9]+|0[0-7]*|[1-9]\d*)$/;
$mark =~ /^0/ ? oct $mark : $mark; $mark =~ /^0/ ? oct $mark : $mark;
use warnings;
} }
sub numeric_value1 ( $ ) { sub numeric_value1 ( $ ) {
no warnings;
my $val = numeric_value $_[0]; my $val = numeric_value $_[0];
fatal_error "Invalid Number ($_[0])" unless defined $val; fatal_error "Invalid Number ($_[0])" unless defined $val;
$val; $val;
use warnings;
} }
# #
@ -2286,6 +2292,7 @@ sub get_configuration( $ ) {
default_yes_no 'USE_DEFAULT_RT' , ''; default_yes_no 'USE_DEFAULT_RT' , '';
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes'; default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
default_yes_no 'AUTOMAKE' , ''; default_yes_no 'AUTOMAKE' , '';
default_yes_no 'WIDE_TC_MARKS' , '';
$capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK}; $capabilities{XCONNMARK} = '' unless $capabilities{XCONNMARK_MATCH} and $capabilities{XMARK};

76
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -93,7 +93,7 @@ INIT {
# Set up marking for 'tracked' interfaces. # Set up marking for 'tracked' interfaces.
# #
sub setup_route_marking() { sub setup_route_marking() {
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF'; my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' ); require_capability( 'CONNMARK_MATCH' , 'the provider \'track\' option' , 's' );
require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' ); require_capability( 'CONNMARK' , 'the provider \'track\' option' , 's' );
@ -264,26 +264,25 @@ sub add_a_provider( $$$$$$$$ ) {
fatal_error "Unknown Interface ($interface)" unless known_interface $interface; fatal_error "Unknown Interface ($interface)" unless known_interface $interface;
my $provider = chain_base $table; my $provider = chain_base $table;
my $base = uc chain_base $interface; my $base = uc chain_base $interface;
my $gatewaycase = '';
if ( $gateway eq 'detect' ) { if ( $gateway eq 'detect' ) {
fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared; fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
$gateway = get_interface_gateway $interface; $gateway = get_interface_gateway $interface;
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) ); $gatewaycase = 'detect';
} elsif ( $gateway && $gateway ne '-' ) {
validate_address $gateway, 0;
$gatewaycase = 'specified';
} else { } else {
start_provider( $table, $number, "if interface_is_usable $interface; then" ); $gatewaycase = 'none';
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
if ( $gateway && $gateway ne '-' ) { $gateway = '';
validate_address $gateway, 0;
} else {
fatal_error "Configuring multiple providers through one interface requires a gateway" if $shared;
$gateway = '';
emit "run_ip route add default dev $interface table $number";
}
} }
my $val = 0; my $val = 0;
my $pref;
if ( $mark ne '-' ) { if ( $mark ne '-' ) {
@ -293,23 +292,21 @@ sub add_a_provider( $$$$$$$$ ) {
verify_mark $mark; verify_mark $mark;
if ( $val < 256) { if ( $val < 65535 ) {
fatal_error "Invalid Mark Value ($mark) with WIDE_TC_MARKS=No" unless $config{WIDE_TC_MARKS};
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" unless $config{HIGH_ROUTE_MARKS};
} elsif ( $val < 256) {
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS}; fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=Yes" if $config{HIGH_ROUTE_MARKS};
} else { } else {
fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" if ! $config{HIGH_ROUTE_MARKS}; fatal_error "Invalid Mark Value ($mark) with HIGH_ROUTE_MARKS=No" unless $config{HIGH_ROUTE_MARKS};
} }
for my $providerref ( values %providers ) { for my $providerref ( values %providers ) {
fatal_error "Duplicate mark value ($mark)" if $providerref->{mark} == $val; fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
} }
my $pref = 10000 + $number - 1; $pref = 10000 + $number - 1;
emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
emit ( "run_ip rule add fwmark $mark pref $pref table $number",
"echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
);
} }
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' ); my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu ) = (0,0,0,0,$config{USE_DEFAULT_RT} ? 1 : 0,interface_is_optional( $interface ), '' );
@ -360,7 +357,7 @@ sub add_a_provider( $$$$$$$$ ) {
$providers{$table} = { provider => $table, $providers{$table} = { provider => $table,
number => $number , number => $number ,
mark => $val , mark => $val ? in_hex($val) : $val ,
interface => $interface , interface => $interface ,
optional => $optional , optional => $optional ,
gateway => $gateway , gateway => $gateway ,
@ -384,8 +381,22 @@ sub add_a_provider( $$$$$$$$ ) {
my $realm = ''; my $realm = '';
if ( $shared ) { if ( $shared ) {
$providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table ); my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
$realm = "realm $number"; $realm = "realm $number";
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$variable" ]; then) );
} elsif ( $gatewaycase eq 'detect' ) {
start_provider( $table, $number, qq(if interface_is_usable $interface && [ -n "$gateway" ]; then) );
} else {
start_provider( $table, $number, "if interface_is_usable $interface; then" );
emit "run_ip route add default dev $interface table $number" if $gatewaycase eq 'none';
}
if ( $mark ne '-' ) {
emit ( "qt \$IP -$family rule del fwmark $mark" ) if $config{DELETE_THEN_ADD};
emit ( "run_ip rule add fwmark $mark pref $pref table $number",
"echo \"qt \$IP -$family rule del fwmark $mark\" >> \${VARDIR}/undo_routing"
);
} }
if ( $duplicate ne '-' ) { if ( $duplicate ne '-' ) {
@ -461,10 +472,19 @@ sub add_a_provider( $$$$$$$$ ) {
emit 'else'; emit 'else';
if ( $optional ) { if ( $optional ) {
emit ( " error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"", if ( $shared ) {
" ${base}_IS_UP=" ); emit ( " error_message \"WARNING: Interface $interface is not usable -- Provider $table ($number) not Added\"" );
} else {
emit ( " error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Added\"" );
}
emit( " ${base}_IS_UP=" );
} else { } else {
emit( " fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" ); if ( $shared ) {
emit( " fatal_error \"Gateway $gateway is not reachable -- Provider $table ($number) Cannot be Added\"" );
} else {
emit( " fatal_error \"Interface $interface is not usable -- Provider $table ($number) Cannot be Added\"" );
}
} }
emit "fi\n"; emit "fi\n";
@ -765,7 +785,7 @@ sub lookup_provider( $ ) {
# #
sub handle_stickiness( $ ) { sub handle_stickiness( $ ) {
my $havesticky = shift; my $havesticky = shift;
my $mask = $config{HIGH_ROUTE_MARKS} ? '0xFF00' : '0xFF'; my $mask = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '0xFF0000' : '0xFF00' : '0xFF';
my $setstickyref = $mangle_table->{setsticky}; my $setstickyref = $mangle_table->{setsticky};
my $setstickoref = $mangle_table->{setsticko}; my $setstickoref = $mangle_table->{setsticko};
my $tcpreref = $mangle_table->{tcpre}; my $tcpreref = $mangle_table->{tcpre};

17
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -316,19 +316,19 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
if ( defined $m1 && $m1 ne '' ) { if ( defined $m1 && $m1 ne '' ) {
$val = numeric_value ($m1); $val = numeric_value ($m1);
fatal_error "Invalid Mask ($m1)" unless defined $val; fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
$mask1 = $m1; $mask1 = $m1;
} }
if ( defined $m2 && $m2 ne '' ) { if ( defined $m2 && $m2 ne '' ) {
$val = numeric_value ($m2); $val = numeric_value ($m2);
fatal_error "Invalid Mask ($m2)" unless defined $val; fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
$mask2 = $m2; $mask2 = $m2;
} }
if ( defined $s ) { if ( defined $s ) {
$val = numeric_value ($s); $val = numeric_value ($s);
fatal_error "Invalid Shift Bits ($s)" unless defined $val; fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val < 128;
$shift = $s; $shift = $s;
} }
} else { } else {
@ -361,8 +361,9 @@ sub process_tc_rule( $$$$$$$$$$$$ ) {
if ( $config{HIGH_ROUTE_MARKS} ) { if ( $config{HIGH_ROUTE_MARKS} ) {
my $val = numeric_value( $cmd ); my $val = numeric_value( $cmd );
fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val; fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
fatal_error 'Marks < 256 may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes' my $limit = $config{WIDE_TC_MARKS} ? 65535 : 255;
if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= 0xFF; fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
} }
} }
} }
@ -598,7 +599,7 @@ sub validate_tc_class( $$$$$$ ) {
$markval = numeric_value( $mark ); $markval = numeric_value( $mark );
fatal_error "Invalid MARK ($markval)" unless defined $markval; fatal_error "Invalid MARK ($markval)" unless defined $markval;
$classnumber = ( $devref->{number} << 10 ) | $mark; $classnumber = $config{WIDE_TC_MARKS} ? ( $devref->{number} << 10 ) | $mark : $devref->{number} . $mark;
fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber}; fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
} }
} else { } else {
@ -1007,7 +1008,7 @@ sub setup_tc() {
my $mark_part = ''; my $mark_part = '';
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) { if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
$mark_part = $config{HIGH_ROUTE_MARKS} ? '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF'; $mark_part = $config{HIGH_ROUTE_MARKS} ? $config{WIDE_TC_MARKS} ? '-m mark --mark 0/0xFF0000' : '-m mark --mark 0/0xFF00' : '-m mark --mark 0/0xFF';
for my $interface ( @routemarked_interfaces ) { for my $interface ( @routemarked_interfaces ) {
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre"; add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
@ -1024,7 +1025,7 @@ sub setup_tc() {
if ( $config{HIGH_ROUTE_MARKS} ) { if ( $config{HIGH_ROUTE_MARKS} ) {
for my $chain qw(INPUT FORWARD POSTROUTING) { for my $chain qw(INPUT FORWARD POSTROUTING) {
insert_rule1 $mangle_table->{$chain}, 0, '-j MARK --and-mark 0xFF'; insert_rule1 $mangle_table->{$chain}, 0, $config{WIDE_TC_MARKS} ? '-j MARK --and-mark 0x03FF' : '-j MARK --and-mark 0xFF';
} }
} }
} }

4
Shorewall/changelog.txt
View File

@ -1,6 +1,8 @@
Changes in Shorewall 4.3.10 Changes in Shorewall 4.3.10
None. 1) Fix handling of shared optional providers.
2) Add WIDE_TC_MARKS option.
Changes in Shorewall 4.3.9 Changes in Shorewall 4.3.9

2
Shorewall/configfiles/shorewall.conf
View File

@ -197,6 +197,8 @@ FAST_STOP=No
AUTOMAKE=No AUTOMAKE=No
WIDE_TC_MARKS=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

33
Shorewall/releasenotes.txt
View File

@ -59,7 +59,12 @@ released late in 2009.
P R O B L E M S C O R R E C T E D I N 4 . 3 . 10 P R O B L E M S C O R R E C T E D I N 4 . 3 . 10
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
None. 1. When Shorewall could not determine the MAC address of of a gateway
router where multiple providers are configured through the same
interface, invalid iptables-restore input was generated. This
resulted in an error message similar to the following:
iptables-restore v1.3.5: Bad mac address `-j'
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
K N O W N P R O B L E M S R E M A I N I N G K N O W N P R O B L E M S R E M A I N I N G
@ -71,7 +76,29 @@ None.
N E W F E A T U R E S I N 4 . 3 . 10 N E W F E A T U R E S I N 4 . 3 . 10
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
None. 1. The change that implemented IPMARK support in 4.3.9 resulted in a
lack of upward compatibility which could break some
configurations. The incompatibility stems from the way in which
Shorewall generates a TC class Id from a mark value.
- Prior to 4.3.9, the class number was constructed by concatinating
the device number with the mark value.
- Beginning with 4.3.9, the class number is constructed by shifting
the device number left by 10 bits and logically ORing the result
with the mark value.
The WIDE_TC_MARKS option in shorewall.conf selects which
construction to use. WIDE_TC_MARKS=No (the default) produces
pre-4.3.9 behavior. WIDE_TC_MARKS=Yes produces the new behavior.
In addition to determining the method of constructing class Ids,
WIDE_TC_MARKS=Yes provides for larger mark values for traffic
shaping. Traffic shaping marks may have values up to 1023 with
WIDE_TC_MARKS=Yes. This means that when both WIDE_TC_MARKS=Yes and
HIGH_ROUTE_MARKS=Yes, routing marks (/etc/shorewall/providers MARK
column) must be >= 65536 (0x10000) and must be a multiple of 65536
(0x1000, 0x20000, 0x30000, ...).
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 3 N E W F E A T U R E S IN 4 . 3
@ -436,7 +463,7 @@ None.
IPMARK(dst, 0XFF00, 0x8000,8) IPMARK(dst, 0XFF00, 0x8000,8)
Destination IP address is 192.168.4.3 = 0xc0a80103 Destination IP address is 192.168.4.3 = 0xc0a80403
0xc0a80403 LAND 0xFF00 = 0x0400 0xc0a80403 LAND 0xFF00 = 0x0400
0x0400 LOR 0x80 = 0x8400 0x0400 LOR 0x80 = 0x8400

8
Shorewall6/lib.base
View File

@ -33,12 +33,12 @@
# #
SHOREWALL_LIBVERSION=40300 SHOREWALL_LIBVERSION=40300
SHOREWALL_CAPVERSION=40205 SHOREWALL_CAPVERSION=40309
[ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
[ -n "${CONFDIR:=/etc/shorewall6}" ] [ -n "${CONFDIR:=/etc/shorewall6}" ]
PERLSHAREDIR=/usr/share/shorewall [ -n "${PERLSHAREDIR:=/usr/share/shorewall}" ]
# #
# Message to stderr # Message to stderr
@ -735,6 +735,7 @@ determine_capabilities() {
CONNLIMIT_MATCH= CONNLIMIT_MATCH=
TIME_MATCH= TIME_MATCH=
GOTO_TARGET= GOTO_TARGET=
IPMARK_TARGET=
chain=fooX$$ chain=fooX$$
@ -828,6 +829,7 @@ determine_capabilities() {
fi fi
qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
qt $IP6TABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
qt $IP6TABLES -t mangle -F $chain qt $IP6TABLES -t mangle -F $chain
qt $IP6TABLES -t mangle -X $chain qt $IP6TABLES -t mangle -X $chain
qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
@ -919,6 +921,7 @@ report_capabilities() {
report_capability "Connlimit Match" $CONNLIMIT_MATCH report_capability "Connlimit Match" $CONNLIMIT_MATCH
report_capability "Time Match" $TIME_MATCH report_capability "Time Match" $TIME_MATCH
report_capability "Goto Support" $GOTO_TARGET report_capability "Goto Support" $GOTO_TARGET
report_capability "IPMARK Target" $IPMARK_TARGET
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -972,6 +975,7 @@ report_capabilities1() {
report_capability1 CONNLIMIT_MATCH report_capability1 CONNLIMIT_MATCH
report_capability1 TIME_MATCH report_capability1 TIME_MATCH
report_capability1 GOTO_TARGET report_capability1 GOTO_TARGET
report_capability1 IPMARK_TARGET
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
} }

2
Shorewall6/shorewall6.conf
View File

@ -143,6 +143,8 @@ MANGLE_ENABLED=Yes
AUTOMAKE=No AUTOMAKE=No
WIDE_TC_MARKS=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################

6
docs/GettingStarted.xml
View File

@ -173,6 +173,12 @@
</blockquote></para> </blockquote></para>
</listitem> </listitem>
<listitem>
<para><ulink url="starting_and_stopping_shorewall.htm">Operating
Shorewall and Shorewall Lite</ulink> contains a lot of useful
operational hints.</para>
</listitem>
<listitem> <listitem>
<para>PPPPPPPS ( or, Paul's Principles for Practical Provision of Packet <para>PPPPPPPS ( or, Paul's Principles for Practical Provision of Packet
Processing with Shorewall ) <ulink Processing with Shorewall ) <ulink

4
docs/standalone.xml
View File

@ -644,6 +644,8 @@ SSH(ACCEPT) net $FW </programlisting>
<para>I highly recommend that you review the <ulink <para>I highly recommend that you review the <ulink
url="configuration_file_basics.htm">Common Configuration File Features url="configuration_file_basics.htm">Common Configuration File Features
page</ulink> -- it contains helpful tips about Shorewall features than page</ulink> -- it contains helpful tips about Shorewall features than
make administering your firewall easier.</para> make administering your firewall easier. Also, <ulink
url="starting_and_stopping_shorewall.htm">Operating Shorewall and
Shorewall Lite</ulink> contains a lot of useful operational hints.</para>
</section> </section>
</article> </article>

4
docs/three-interface.xml
View File

@ -1151,6 +1151,8 @@ ACCEPT net $FW tcp 80 </programlisting><it
<para>I highly recommend that you review the <ulink <para>I highly recommend that you review the <ulink
url="configuration_file_basics.htm">Common Configuration File url="configuration_file_basics.htm">Common Configuration File
Features</ulink> page -- it contains helpful tips about Shorewall features Features</ulink> page -- it contains helpful tips about Shorewall features
than make administering your firewall easier.</para> than make administering your firewall easier. Also, <ulink
url="starting_and_stopping_shorewall.htm">Operating Shorewall and
Shorewall Lite</ulink> contains a lot of useful operational hints.</para>
</section> </section>
</article> </article>

78
docs/traffic_shaping.xml
View File

@ -173,8 +173,10 @@
<listitem> <listitem>
<para>MARK - Netfilter has a facility for <para>MARK - Netfilter has a facility for
<firstterm>marking</firstterm> packets. Packet marks have a numeric <firstterm>marking</firstterm> packets. Packet marks have a numeric
value which is limited in Shorewall to the values 1-255. You assign value which is limited in Shorewall to the values 1-255 (1-1023 if you
packet marks to different types of traffic using entries in the set WIDE_TC_MARKS=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
assign packet marks to different types of traffic using entries in the
<filename>/etc/shorewall/tcrules</filename> file.</para> <filename>/etc/shorewall/tcrules</filename> file.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
@ -431,12 +433,14 @@ ppp0 6000kbit 500kbit</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para>MARK - The mark value which is an integer in the range 1-255. <para>MARK - The mark value which is an integer in the range 1-255
You define these marks in the tcrules file, marking the traffic you (1-1023 if you set WIDE_TC_MARKS=Yes in <ulink
want to go into the queuing classes defined in here. You can use the url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ). You
same marks for different Interfaces. You must specify "-' in this define these marks in the tcrules file, marking the traffic you want
column if the device specified in the INTERFACE column has the to go into the queuing classes defined in here. You can use the same
<emphasis role="bold">classify</emphasis> option in marks for different Interfaces. You must specify "-' in this column
if the device specified in the INTERFACE column has the <emphasis
role="bold">classify</emphasis> option in
<filename>/etc/shorewall/tcdevices</filename>.</para> <filename>/etc/shorewall/tcdevices</filename>.</para>
</listitem> </listitem>
@ -610,7 +614,9 @@ ppp0 6000kbit 500kbit</programlisting>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>MARK or CLASSIFY - MARK specifies the mark value is to be <para>MARK or CLASSIFY - MARK specifies the mark value is to be
assigned in case of a match. This is an integer in the range 1-255. assigned in case of a match. This is an integer in the range 1-255
(1-1023 if you set WIDE_TC_MARKS=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) ).
This value may be optionally followed by <quote>:</quote> and either This value may be optionally followed by <quote>:</quote> and either
<quote>F</quote>, <quote>P</quote> or "T" to designate that the <quote>F</quote>, <quote>P</quote> or "T" to designate that the
marking will occur in the FORWARD, PREROUTING or POSTROUTING chains marking will occur in the FORWARD, PREROUTING or POSTROUTING chains
@ -716,12 +722,54 @@ ppp0 6000kbit 500kbit</programlisting>
$FW[:&lt;<emphasis>address</emphasis>&gt;] in which case, the $FW[:&lt;<emphasis>address</emphasis>&gt;] in which case, the
classify action takes place in the OUTPUT chain. When used with the classify action takes place in the OUTPUT chain. When used with the
builtin traffic shaper, the &lt;major&gt; class is the interface builtin traffic shaper, the &lt;major&gt; class is the interface
number and the &lt;minor&gt; class is either a) the MARK value of number and the &lt;minor&gt; class is either:</para>
the class preceded by the number "1" (MARK value 1 is &lt;minor&gt;
class 11, MARK value 22 is &lt;minor&gt; class 122, and so on) or b) <orderedlist>
The class number (if the <emphasis role="bold">classify</emphasis> <listitem>
option was specified in for the interface <para>Constructed from the mark. The method of construction
<filename>/etc/shorewall/interfaces</filename>)</para> depends on the setting of WIDE_TC_MARKS (<ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>
(5)).</para>
<para>When WIDE_TC_MARKS=No (the default), the &lt;minor&gt;
class is:</para>
<itemizedlist>
<listitem>
<para>the MARK value of the class preceded by the number "1"
(MARK value 1 is &lt;minor&gt; class 11, MARK value 22 is
&lt;minor&gt; class 122, and so on)</para>
</listitem>
</itemizedlist>
<para>When SIDE_TC_MARKS=Yes, the &lt;minor&gt; class is:</para>
<itemizedlist>
<listitem>
<para>The number shifted 10 bits to the left (multiplied by
1024) and logically ORed with the MARK value. The
<command>shorewall encode</command> and <command>shorewall
decode</command> commands (<ulink
url="manpages/shorewall.html">shorewall</ulink> (8)) may be
used to translate a device number/mark pair to/from a
&lt;minor&gt; class.</para>
<para>Examples:</para>
<programlisting>$ <command>shorewall encode 1 100</command>
Class Number = 1124
$ <command>shorewall decode 1124</command>
Device = 1 Mark = 100</programlisting>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>The class number (if the <emphasis
role="bold">classify</emphasis> option was specified in for the
interface <filename>/etc/shorewall/interfaces</filename>)</para>
</listitem>
</orderedlist>
</listitem> </listitem>
<listitem> <listitem>

4
docs/two-interface.xml
View File

@ -1070,7 +1070,9 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
<para>I highly recommend that you review the <ulink <para>I highly recommend that you review the <ulink
url="configuration_file_basics.htm">Common Configuration File Features url="configuration_file_basics.htm">Common Configuration File Features
page</ulink> -- it contains helpful tips about Shorewall features than page</ulink> -- it contains helpful tips about Shorewall features than
make administering your firewall easier.</para> make administering your firewall easier. Also, <ulink
url="starting_and_stopping_shorewall.htm">Operating Shorewall and
Shorewall Lite</ulink> contains a lot of useful operational hints.</para>
</section> </section>
<section id="Wireless"> <section id="Wireless">

52
manpages/shorewall.conf.xml
View File

@ -598,14 +598,15 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem> <listitem>
<para>Prior to version 3.2.0, it was not possible to use connection <para>Prior to version 3.2.0, it was not possible to use connection
marking in <ulink marking in <ulink
url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you had
have a multi-ISP configuration that uses the track option.</para> a multi-ISP configuration that uses the track option.</para>
<para>Beginning with release 3.2.0, you may now set <para>Beginning with release 3.2.0, you may set HIGH_ROUTE_MARKS=Yes
HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and in to effectively divide the packet mark and connection mark into
connection mark into two 8-byte mark fields.</para> two mark fields.</para>
<para>When you do this:</para> <para>The width of the fields are determined by the setting of
WIDE_TC_MARKS. If WIDE_TC_MARKS=No (the default):</para>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
@ -625,13 +626,33 @@ net all DROP info</programlisting>then the chain name is 'net2all'
of 1-255 and may still not be set in the PREROUTING of 1-255 and may still not be set in the PREROUTING
chain.</para> chain.</para>
</listitem> </listitem>
</orderedlist>
<para>When WIDE_TC_MARKS=Yes:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The MARK field in the providers file must have a value
that is a multiple of 65536 (using hex representation, the
values are 0x010000-0xFF0000 with the low-order 16 bits being
zero).</para>
</listitem>
<listitem> <listitem>
<para>When you SAVE or RESTORE in tcrules, only the TC mark <para>You may only set those mark values in the PREROUTING
value is saved or restored. Shorewall handles saving and chain.</para>
restoring the routing (provider) marks.</para> </listitem>
<listitem>
<para>Marks used for traffic shaping must be in the range of
1-1023 and may still not be set in the PREROUTING chain.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>Regardless of the setting of WIDE_TC_MARKS, when you SAVE or
RESTORE in tcrules, only the TC mark value is saved or restored.
Shorewall handles saving and restoring the routing (provider)
marks.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1700,6 +1721,19 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>If not specified, then 2 is assumed.</para> <para>If not specified, then 2 is assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">WIDE_ROUTE_MARKS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>When set to No (the default), traffic shaping marks are 8
bytes wide (possible values are 1-255). When WIDE_ROUTE_MARKS=Yes,
traffic shaping marks are 10 bytes wide (values 1-1023). The setting
of WIDE_ROUTE_MARKS also has an effect on the HIGH_ROUTE_MARKS
option (see above).</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>

46
manpages6/shorewall6.conf.xml
View File

@ -456,9 +456,12 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<listitem> <listitem>
<para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the <para>You may set HIGH_ROUTE_MARKS=Yes in to effectively divide the
packet mark and connection mark into two 8-byte mark fields.</para> packet mark and connection mark into two mark fields.</para>
<para>When you do this:</para> <para>The width of the fields are determined by the setting of the
WIDE_TC_MARKS option.</para>
<para>When WIDE_TC_MARKS=No (the default):</para>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
@ -478,13 +481,33 @@ net all DROP info</programlisting>then the chain name is 'net2all'
of 1-255 and may still not be set in the PREROUTING of 1-255 and may still not be set in the PREROUTING
chain.</para> chain.</para>
</listitem> </listitem>
</orderedlist>
<para>When WIDE_TC_MARKS=Yes:</para>
<orderedlist numeration="loweralpha">
<listitem>
<para>The MARK field in the providers file must have a value
that is a multiple of 65536 (using hex representation, the
values are 0x010000-0xFF0000 with the low-order 16 bits being
zero).</para>
</listitem>
<listitem> <listitem>
<para>When you SAVE or RESTORE in tcrules, only the TC mark <para>You may only set those mark values in the PREROUTING
value is saved or restored. Shorewall6 handles saving and chain.</para>
restoring the routing (provider) marks.</para> </listitem>
<listitem>
<para>Marks used for traffic shaping must be in the range of
1-1023 and may still not be set in the PREROUTING chain.</para>
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>Regardless of the setting of WIDE_TC_MARKS, when you SAVE or
RESTORE in tcrules, only the TC mark value is saved or restored.
Shorewall handles saving and restoring the routing (provider)
marks.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1187,6 +1210,19 @@ net all DROP info</programlisting>then the chain name is 'net2all'
<para>If not specified, then 2 is assumed.</para> <para>If not specified, then 2 is assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">WIDE_ROUTE_MARKS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>When set to No (the default), traffic shaping marks are 8
bytes wide (possible values are 1-255). When WIDE_ROUTE_MARKS=Yes,
traffic shaping marks are 10 bytes wide (values 1-1023). The setting
of WIDE_ROUTE_MARKS also has an effect on the HIGH_ROUTE_MARKS
option (see above).</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>

8
web/shorewall_index.htm
View File

@ -47,7 +47,7 @@
</tr> </tr>
</tbody> </tbody>
</table> </table>
<hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-04-17<br> <hr style="width: 100%; height: 2px;"><span style="font-weight: bold;">2009-04-19<br>
</span> </span>
<h2><span style="font-weight: bold;"><a href="Notices.html#Perl">Attention <h2><span style="font-weight: bold;"><a href="Notices.html#Perl">Attention
re: Shorewall-perl 4.2.8<br> re: Shorewall-perl 4.2.8<br>
@ -100,14 +100,14 @@ Problems</a><br>
Release</span><br> Release</span><br>
</div> </div>
</td> </td>
<td style="vertical-align: top;"><span style="font-weight: bold;">4.3.8</span><br> <td style="vertical-align: top;"><span style="font-weight: bold;">4.3.9</span><br>
</td> </td>
<td style="vertical-align: top;"><a <td style="vertical-align: top;"><a
href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.8/releasenotes.txt">Release href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.9/releasenotes.txt">Release
Notes<br> Notes<br>
</a> </td> </a> </td>
<td style="vertical-align: top;"><a <td style="vertical-align: top;"><a
href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.8/known_problems.txt">Known href="http://www1.shorewall.net/pub/shorewall/development/4.3/shorewall-4.3.9/known_problems.txt">Known
Problems</a> </td> Problems</a> </td>
</tr> </tr>
</tbody> </tbody>