holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

change 'marks' file to 'mangle'

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-12-28 10:03:23 -08:00
parent 45f64aefd7
commit a1222d10cb
4 changed files with 1216 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -165,7 +165,7 @@ sub initialize( $ ) {
$divertref = 0; $divertref = 0;
} }
sub process_mark_rule1( $$$$$$$$$$$$$$$$ ) { sub process_mangle_rule1( $$$$$$$$$$$$$$$$ ) {
our ( $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_; our ( $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;
use constant { use constant {
@ -1449,16 +1449,16 @@ sub process_tc_rule( ) {
} }
} }
sub process_mark_rule( ) { sub process_mangle_rule( ) {
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) =
split_line2( 'marks file', split_line2( 'mangle file',
{ mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 },
{}, {},
16, 16,
1 ); 1 );
for my $proto (split_list( $protos, 'Protocol' ) ) { for my $proto (split_list( $protos, 'Protocol' ) ) {
process_mark_rule1( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ); process_mangle_rule1( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
} }
} }
@ -3207,14 +3207,14 @@ sub setup_tc() {
} }
if ( -f find_file 'marks' ) { if ( -f find_file 'mangle' ) {
if ( $have_tcrules ) { if ( $have_tcrules ) {
warning_message "The 'tcrules' file is non-empty -- 'marks' file ignored"; warning_message "The 'tcrules' file is non-empty -- 'mangle' file ignored";
} elsif ( my $fn = open_file( 'marks', 2, 1 ) ) { } elsif ( my $fn = open_file( 'mangle', 2, 1 ) ) {
first_entry "$doing $fn..."; first_entry "$doing $fn...";
process_mark_rule while read_a_line( NORMAL_READ ); process_mangle_rule while read_a_line( NORMAL_READ );
} }
} }

18
Shorewall/manpages/shorewall-marks.xml → Shorewall/manpages/shorewall-mangle.xml
View File

@ -3,7 +3,7 @@
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry> <refentry>
<refmeta> <refmeta>
<refentrytitle>shorewall-marks</refentrytitle> <refentrytitle>shorewall-mangle</refentrytitle>
<manvolnum>5</manvolnum> <manvolnum>5</manvolnum>
</refmeta> </refmeta>
@ -11,12 +11,12 @@
<refnamediv> <refnamediv>
<refname>marks</refname> <refname>marks</refname>
<refpurpose>Shorewall Packet Marking rules file</refpurpose> <refpurpose>Shorewall Packet marking/mangling rules file</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis> <cmdsynopsis>
<command>/etc/shorewall/marks</command> <command>/etc/shorewall/mangle</command>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -24,8 +24,8 @@
<title>Description</title> <title>Description</title>
<para>This file was introduced in Shorewall 4.6.0 and is intended to <para>This file was introduced in Shorewall 4.6.0 and is intended to
replace shorewall-tcrules(5). This file is only processed by the compiler replace <ulink url="shorewall-tcrules.html">shorewall-tcrules(5)</ulink>.
if:</para> This file is only processed by the compiler if:</para>
<orderedlist numeration="loweralpha"> <orderedlist numeration="loweralpha">
<listitem> <listitem>
@ -110,7 +110,7 @@
<para>A chain-designator may not be specified if the SOURCE or DEST <para>A chain-designator may not be specified if the SOURCE or DEST
columns begin with '$FW'. When the SOURCE is $FW, the generated rule columns begin with '$FW'. When the SOURCE is $FW, the generated rule
is always placed in the OUTPUT chain. If DEST is '$FW', then the is always placed in the OUTPUT chain. If DEST is '$FW', then the
rule is placed in the OUTPUT chain.</para> rule is placed in the INPUT chain.</para>
<para>Where a command takes parameters, those parameters are <para>Where a command takes parameters, those parameters are
enclosed in parentheses ("(....)") and separated by commas.</para> enclosed in parentheses ("(....)") and separated by commas.</para>
@ -1069,8 +1069,8 @@ Normal-Service =&gt; 0x00</programlisting>
role="bold">INVALID</emphasis>} [,...]</term> role="bold">INVALID</emphasis>} [,...]</term>
<listitem> <listitem>
<para>Added in Shorewall 4.5.9. The rule will only match if the <para>The rule will only match if the packet's connection is in one
packet's connection is in one of the listed states.</para> of the listed states.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -1138,7 +1138,7 @@ Normal-Service =&gt; 0x00</programlisting>
<refsect1> <refsect1>
<title>FILES</title> <title>FILES</title>
<para>/etc/shorewall/tcrules</para> <para>/etc/shorewall/mangle</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

1148
Shorewall6/manpages/shorewall6-mangle.xml Normal file
View File

File diff suppressed because it is too large Load Diff

77
docs/configuration_file_basics.xml
View File

@ -134,7 +134,9 @@
<para><filename>/etc/shorewall/tcrules </filename>- The file has a <para><filename>/etc/shorewall/tcrules </filename>- The file has a
rather unfortunate name because it is used to define marking of rather unfortunate name because it is used to define marking of
packets for later use by both traffic control/shaping and policy packets for later use by both traffic control/shaping and policy
routing.</para> routing. This file is superceded by
<filename>/etc/shorewall/mangle</filename> in Shorewall
4.6.0.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -275,6 +277,12 @@
<para><filename>/usr/share/arprules</filename> — Added in Shorewall <para><filename>/usr/share/arprules</filename> — Added in Shorewall
4.5.12. Allows specification of arptables rules.</para> 4.5.12. Allows specification of arptables rules.</para>
</listitem> </listitem>
<listitem>
<para><filename>/etc/shorewall/mangle</filename> -- Added in
Shorewall 4.6.0. Supercedes<filename>
/etc/shorewall/tcrules</filename>.</para>
</listitem>
</itemizedlist></para> </itemizedlist></para>
<para><emphasis role="bold">If you need to change a file in <para><emphasis role="bold">If you need to change a file in
@ -356,10 +364,14 @@ ACCEPT net $FW tcp www #This is an end-of-line comment</progra
<para>Example: Traffic from zone A to zone B would go through chain A2B <para>Example: Traffic from zone A to zone B would go through chain A2B
(think "A to B") or "A-B".</para> (think "A to B") or "A-B".</para>
<para>The default separator is "2" but you can override that by setting <para>In Shorewall 4.6, the default separator is "-" but you can override
ZONE_SEPARATOR="-" in <ulink that by setting ZONE_SEPARATOR="2" in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para> url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
<note>
<para>Prior to Shorewall 4.6, the default separator was "2".</para>
</note>
<para>Zones themselves have names that begin with a letter and are <para>Zones themselves have names that begin with a letter and are
composed of letters, numerals, and "_". The maximum length of a name is composed of letters, numerals, and "_". The maximum length of a name is
dependent on the setting of LOGFORMAT in <ulink dependent on the setting of LOGFORMAT in <ulink
@ -421,36 +433,36 @@ ACCEPT net $FW tcp www #This is an end-of-line comment</progra
</itemizedlist> </itemizedlist>
<para>To attach a comment to one or more rules, insert a record above the <para>To attach a comment to one or more rules, insert a record above the
rules that begins with the word COMMENT (must be in all caps). The rules that begins with the word ?COMMENT (must be in all caps). The
remainder of the line is treated as a comment -- that comment will appear remainder of the line is treated as a comment -- that comment will appear
delimited by "/* ... */" in the output of the <command>shorewall[-lite] delimited by "/* ... */" in the output of the <command>shorewall[-lite]
show</command> and <command>shorewall[-lite] dump</command> commands. The show</command> and <command>shorewall[-lite] dump</command> commands. The
comment will be attached to each generated rule until another COMMENT line comment will be attached to each generated rule until another ?COMMENT
appears. To stop attaching comments to rules, simply insert a line that line appears. To stop attaching comments to rules, simply insert a line
contains the single word COMMENT.</para> that contains the single word ?COMMENT.</para>
<para>Example (<filename>/etc/shorewall/rules</filename>):</para> <para>Example (<filename>/etc/shorewall/rules</filename>):</para>
<programlisting>COMMENT Stop NETBIOS noise <programlisting>?COMMENT Stop NETBIOS noise
REJECT loc net tcp 137,445 REJECT loc net tcp 137,445
REJECT loc net udp 137:139 REJECT loc net udp 137:139
COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address ?COMMENT Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
DROP loc:!192.168.0.0/22 net DROP loc:!192.168.0.0/22 net
COMMENT</programlisting> ?COMMENT</programlisting>
<para>Here's the corresponding output from <para>Here's the corresponding output from
<filename>/sbin/shorewall-lite</filename>:</para> <filename>/sbin/shorewall-lite</filename>:</para>
<programlisting>gateway:~ # <command>shorewall-lite show loc2net</command> <programlisting>gateway:~ # <command>shorewall-lite show loc-net</command>
Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008 Shorewall Lite 4.3.3 Chains loc2net at gateway - Mon Oct 16 15:04:52 PDT 2008
Counters reset Mon Oct 16 14:52:17 PDT 2006 Counters reset Mon Oct 16 14:52:17 PDT 2006
Chain loc2net (1 references) Chain loc-net (1 references)
pkts bytes target prot opt in out source destination pkts bytes target prot opt in out source destination
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:' 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 LOG flags 0 level 6 prefix `FW:loc2net:REJECT:'
0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 0 0 reject tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
@ -467,8 +479,8 @@ gateway:~ #
</programlisting> </programlisting>
<para>COMMENT lines in macro files work somewhat differently from other <para>?COMMENT lines in macro files work somewhat differently from other
files. COMMENT lines in macros are ignored if COMMENT support is not files. ?COMMENT lines in macros are ignored if COMMENT support is not
available or if there was a COMMENT in use when the top-level macro was available or if there was a COMMENT in use when the top-level macro was
invoked. This allows the following:</para> invoked. This allows the following:</para>
@ -476,12 +488,12 @@ gateway:~ #
<para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/ <para><programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP # PORT(S) PORT(S) LIMIT GROUP
COMMENT SSH ?COMMENT SSH
PARAM - - tcp 22 </programlisting> PARAM - - tcp 22 </programlisting>
<filename>/etc/shorewall/rules</filename>:<programlisting>COMMENT Allow SSH from home <filename>/etc/shorewall/rules</filename>:<programlisting>?COMMENT Allow SSH from home
SSH(ACCEPT) net:$MYIP $FW SSH(ACCEPT) net:$MYIP $FW
COMMENT</programlisting>The comment line in macro.SSH will not override the ?COMMENT</programlisting>The comment line in macro.SSH will not override the
COMMENT line in the rules file and the generated rule will show <emphasis ?COMMENT line in the rules file and the generated rule will show <emphasis
role="bold">/* Allow SSH from home */</emphasis> when displayed through role="bold">/* Allow SSH from home */</emphasis> when displayed through
the Shorewall show and dump commands.</para> the Shorewall show and dump commands.</para>
</section> </section>
@ -571,8 +583,8 @@ ACCEPT net:\
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>At any point, you can enter a semicolon (';') followed by one or <para>At any point, you can enter a left curly bracket ('{') followed
more specifications of the following forms:</para> by one or more specifications of the following forms:</para>
<simplelist> <simplelist>
<member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member> <member><replaceable>column-name</replaceable>=<replaceable>value</replaceable></member>
@ -582,6 +594,9 @@ ACCEPT net:\
<member><replaceable>column-name</replaceable>:<replaceable>value</replaceable></member> <member><replaceable>column-name</replaceable>:<replaceable>value</replaceable></member>
</simplelist> </simplelist>
<para>The pairs must be followed by a right curly bracket
("}").</para>
<para>The value may optionally be enclosed in double quotes.</para> <para>The value may optionally be enclosed in double quotes.</para>
<para>The pairs must be separated by white space, but you can add a <para>The pairs must be separated by white space, but you can add a
@ -589,19 +604,23 @@ ACCEPT net:\
readability as in:</para> readability as in:</para>
<simplelist> <simplelist>
<member><emphasis role="bold">; proto=&gt;udp, <member><emphasis role="bold">{ proto=&gt;udp, port=1024
port=1024</emphasis></member> }</emphasis></member>
</simplelist> </simplelist>
</listitem> </listitem>
<listitem> <listitem>
<para>You can enclose the pairs in curly brackets ("{...}") rather <para>You can also separate the pairs from columns by using a
than separating them from columns by a semicolon:</para> semicolon:</para>
<simplelist> <simplelist>
<member><emphasis role="bold">{ proto:udp, port:1024 <member><emphasis role="bold">; proto:udp,
}</emphasis></member> port:1024</emphasis></member>
</simplelist> </simplelist>
<para>That usage is deprecated beginning with Shorewall 4.6.0. See the
INLINE_MATCHES option in <ulink
url="manpages/shorewall.conf.html">shorewall.conf(5)</ulink>.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -673,6 +692,12 @@ ACCEPT net:\
<entry>disposition,interface,mac,addresses</entry> <entry>disposition,interface,mac,addresses</entry>
</row> </row>
<row>
<entry>mangle</entry>
<entry>action,source,dest,proto,dport,sport,user,test,length,tos,connbytes,helper,headers</entry>
</row>
<row> <row>
<entry>masq</entry> <entry>masq</entry>