From 9302a9c1480aed50641a44b5ac30b7b5748ff32f Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 28 Mar 2007 18:48:43 +0000
Subject: [PATCH] Add ECN processing
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5732 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
New/Shorewall/Rules.pm | 57 ++++++++++++++++++++++++++++++++++++++++++
New/compiler.pl | 4 +++
2 files changed, 61 insertions(+)
diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm
index 7ef45c5b4..886129070 100644
--- a/New/Shorewall/Rules.pm
+++ b/New/Shorewall/Rules.pm
@@ -38,6 +38,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( process_tos
+ setup_ecn
 add_common_rules
 setup_mac_lists
 process_criticalhosts
@@ -114,6 +115,62 @@ sub process_tos() {
 }
 }
+#
+# Setup ECN disabling rules
+#
+sub setup_ecn()
+{
+ my %interfaces;
+ my @hosts;
+
+ if ( -s "$ENV{TMP_DIR}/ecn" ) {
+
+ progress_message2 join( '' , '$doing ', find_file( 'ecn' ), '...' );
+
+ open ECN, "$ENV{TMP_DIR}/ecn" or fatal_error "Unable to open stripped ecn file: $!";
+
+ while ( $line = ) {
+
+ my ($interface, $hosts ) = split_line 2, 'ecn file';
+
+ fatal_error "Unknown interface ( $interface ) in ECN entry \"$line\"" unless known_interface $interface;
+
+ $interfaces{$interface} = 1;
+
+ $hosts = ALLIPv4 if $hosts eq '-';
+
+ for my $host( split /,/, $hosts ) {
+ push @hosts, [ $interface, $host ];
+ }
+ }
+
+ close ECN;
+
+ if ( @hosts ) {
+ my @interfaces = ( keys %interfaces );
+
+ progress_message "$doing ECN control on @interfaces...";
+
+ for my $interface ( @interfaces ) {
+ my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
+
+ if ( $capabilities{MANGLE_FORWARD} ) {
+ add_rule $mangle_table->{POSTROUTING}, "-p tcp -o $interface -j $chainref->{name}";
+ } else {
+ add_rule $mangle_table->{PREROUTING}, "-p tcp -o $interface -j $chainref->{name}";
+ add_rule $mangle_table->{OUTPUT}, "-p tcp -o $interface -j $chainref->{name}";
+ }
+ }
+
+ for my $host ( @hosts ) {
+ my ( $interface, $net ) = ( @$host );
+
+ add_rule $mangle_table->{ecn_chain $interface}, join ('', '-p tcp ', match_dest_net( $net ) , ' -j ECN --ecn-tcp-remove' );
+ }
+ }
+ }
+}
+
 sub add_rule_pair( $$$$ ) {
 my ($chainref , $predicate , $target , $level ) = @_;
diff --git a/New/compiler.pl b/New/compiler.pl
index ea1230cf4..7c43c6a7a 100755
--- a/New/compiler.pl
+++ b/New/compiler.pl
@@ -754,6 +754,10 @@ sub compiler( $ ) {
 #
 process_tos;
 #
+ # ECN
+ #
+ setup_ecn;
+ #
 # Setup Masquerading/SNAT
 #
 progress_message2 "$doing Masq file...";
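Review bot: The fallback branch of the `$capabilities{MANGLE_FORWARD}` test in setup_ecn adds `-p tcp -o $interface -j ...` to the mangle PREROUTING chain, but iptables rejects `-o` in PREROUTING (no output interface exists at that hook), so on systems without mangle FORWARD support the generated script will fail at load time; presumably that rule wants `-i $interface` or should be dropped, to be confirmed against the shell implementation this replaces. The first progress message uses single quotes, `'$doing '`, so `$doing` is not interpolated and the literal text is printed; write `progress_message2 "$doing " . find_file( 'ecn' ) . '...';` as the later `progress_message` call already does. The stripped file is opened with a two-argument `open` on a bareword handle, which lets the mode be taken from the path; prefer `open my $ecn, '<', "$ENV{TMP_DIR}/ecn" or fatal_error "Unable to open stripped ecn file: $!";` with `<$ecn>` in the `while` condition (the read expression appears truncated in this rendering) and `close $ecn`. `$line` is not declared in the hunk, so it is presumably a package variable imported elsewhere in the file.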