holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add DSCP match support

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-02-20 08:47:48 -08:00
parent e2f4af6e48
commit a1ec1dc178
8 changed files with 210 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
Shorewall-core/lib.cli
View File

@ -1957,6 +1957,8 @@ determine_capabilities() {
CT_TARGET=
STATISTIC_MATCH=
IMQ_TARGET=
DSCP_MATCH=
DSCP_TARGET=
chain=fooX$$
@ -2081,10 +2083,14 @@ determine_capabilities() {
qt $g_tool -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
qt $g_tool -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
qt $g_tool -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain
qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
fi
qt $g_tool -t raw -L -n && RAW_TABLE=Yes
@ -2267,6 +2273,8 @@ report_capabilities() {
report_capability "Condition Match" $CONDITION_MATCH
report_capability "Statistic Match" $STATISTIC_MATCH
report_capability "IMQ Target" $IMQ_TARGET
report_capability "DSCP Match" $DSCP_MATCH
report_capability "DSCP Target" $DSCP_TARGET
if [ $g_family -eq 4 ]; then
report_capability "iptables -S" $IPTABLES_S
@ -2354,6 +2362,8 @@ report_capabilities1() {
report_capability1 CT_TARGET
report_capability1 STATISTIC_MATCH
report_capability1 IMQ_TARGET
report_capability1 DSCP_MATCH
report_capability1 DSCP_TARGET
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION

46
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -198,6 +198,7 @@ our %EXPORT_TAGS = (
do_headers
do_probability
do_condition
do_dscp
have_ipset_rules
record_runtime_address
conditional_rule
@ -237,6 +238,7 @@ our %EXPORT_TAGS = (
create_chainlist_reload
create_stop_load
%targets
%dscpmap
) ],
);
@ -369,6 +371,30 @@ use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4 };
our %dscpmap = ( CS0 => 0x00,
CS1 => 0x08,
CS2 => 0x10,
CS3 => 0x18,
CS4 => 0x20,
CS5 => 0x28,
CS6 => 0x30,
CS7 => 0x38,
BE => 0x00,
AF11 => 0x0a,
AF12 => 0x0c,
AF13 => 0x0e,
AF21 => 0x12,
AF22 => 0x14,
AF23 => 0x16,
AF31 => 0x1a,
AF32 => 0x1c,
AF33 => 0x1e,
AF41 => 0x22,
AF42 => 0x24,
AF43 => 0x26,
EF => 0x2e,
);
#
# These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
#
@ -4218,6 +4244,26 @@ sub do_condition( $ ) {
"-m condition ${invert}--condition $condition "
}
#
# Generate a -m dscp match
#
sub do_dscp( $ ) {
my $dscp = shift;
return '' if $dscp eq '-';
require_capability 'DSCP_MATCH', 'A non-empty DSCP column', 's';
my $invert = $dscp =~ s/^!// ? '! ' : '';
my $value = numeric_value( $dscp );
$value = $dscpmap{$value} unless defined $value;
fatal_error( "Invalid DSCP ($dscp)" ) unless defined $value && $value < 0x2f && ! ( $value & 1 );
"-m dscp ${invert}--dscp $value ";
}
#
# Match Source Interface
#

37
Shorewall/Perl/Shorewall/Config.pm
View File

@ -292,6 +292,8 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
STATISTIC_MATCH =>
'Statistics Match',
IMQ_TARGET => 'IMQ Target',
DSCP_MATCH => 'DSCP Match',
DSCP_TARGET => 'DSCP Target',
CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version',
);
@ -389,8 +391,8 @@ my $toolNAME; # Tool name in CAPS
our $product; # Name of product that will run the generated script
our $Product; # $product with initial cap.
my $sillyname; # Name of temporary filter chains for testing capabilities
my $sillyname1;
our $sillyname; # Name of temporary filter chains for testing capabilities
our $sillyname1;
my $iptables; # Path to iptables/ip6tables
my $tc; # Path to tc
my $ip; # Path to ip
@ -692,6 +694,8 @@ sub initialize( $ ) {
CT_TARGET => undef,
STATISTIC_MATCH => undef,
IMQ_TARGET => undef,
DSCP_MATCH => undef,
DSCP_TARGET => undef,
CAPVERSION => undef,
KERNELVERSION => undef,
);
@ -2778,7 +2782,15 @@ sub Statistic_Match() {
}
sub Imq_Target() {
qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
}
sub Dscp_Match() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m dscp --dscp 0" );
}
sub Dscp_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
}
our %detect_capability =
@ -2794,6 +2806,8 @@ our %detect_capability =
CONNMARK_MATCH => \&Connmark_Match,
CONNTRACK_MATCH => \&Conntrack_Match,
CT_TARGET => \&Ct_Target,
DSCP_MATCH => \&Dscp_Match,
DSCP_TARGET => \&Dscp_Target,
ENHANCED_REJECT => \&Enhanced_Reject,
EXMARK => \&Exmark,
FLOW_FILTER => \&Flow_Filter,
@ -2941,11 +2955,6 @@ sub determine_capabilities() {
$capabilities{IPMARK_TARGET} = detect_capability( 'IPMARK_TARGET' );
$capabilities{TPROXY_TARGET} = detect_capability( 'TPROXY_TARGET' );
if ( $capabilities{MANGLE_ENABLED} ) {
qt1( "$iptables -t mangle -F $sillyname" );
qt1( "$iptables -t mangle -X $sillyname" );
}
$capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' );
$capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' );
$capabilities{RAWPOST_TABLE} = detect_capability( 'RAWPOST_TABLE' );
@ -2975,6 +2984,8 @@ sub determine_capabilities() {
$capabilities{CT_TARGET} = detect_capability( 'CT_TARGET' );
$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
$capabilities{IMQ_TARGET} = detect_capability( 'IMQ_TARGET' );
$capabilities{DSCP_MATCH} = detect_capability( 'DSCP_MATCH' );
$capabilities{DSCP_TARGET} = detect_capability( 'DSCP_TARGET' );
qt1( "$iptables -F $sillyname" );
@ -2982,6 +2993,16 @@ sub determine_capabilities() {
qt1( "$iptables -F $sillyname1" );
qt1( "$iptables -X $sillyname1" );
if ( $capabilities{MANGLE_ENABLED} ) {
qt1( "$iptables -t mangle -F $sillyname" );
qt1( "$iptables -t mangle -X $sillyname" );
}
if ( $capabilities{NAT_ENABLED} ) {
qt1( "$iptables -t nat -F $sillyname" );
qt1( "$iptables -t nat -X $sillyname" );
}
$sillyname = $sillyname1 = undef;
}
}

44
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -86,30 +86,6 @@ use constant { NOMARK => 0 ,
HIGHMARK => 2
};
my %dscpmap = ( CS0 => 0x00,
CS1 => 0x08,
CS2 => 0x10,
CS3 => 0x18,
CS4 => 0x20,
CS5 => 0x28,
CS6 => 0x30,
CS7 => 0x38,
BE => 0x00,
AF11 => 0x0a,
AF12 => 0x0c,
AF13 => 0x0e,
AF21 => 0x12,
AF22 => 0x14,
AF23 => 0x16,
AF31 => 0x1a,
AF32 => 0x1c,
AF33 => 0x1e,
AF41 => 0x22,
AF42 => 0x24,
AF43 => 0x26,
EF => 0x2e,
);
my %flow_keys = ( 'src' => 1,
'dst' => 1,
'proto' => 1,
@ -218,14 +194,14 @@ sub initialize( $ ) {
}
sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
$headers = '-';
} else {
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) =
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , $dscp };
}
our @tccmd;
@ -403,6 +379,7 @@ sub process_tc_rule( ) {
},
DSCP => sub() {
assert( $cmd =~ /^DSCP\((\w+)\)$/ );
require_capability 'DSCP_TARGET', 'The DSCP action', 's';
my $dscp = numeric_value( $1);
$dscp = $dscpmap{$1} unless defined $dscp;
fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp < 0x2f && ! ( $dscp & 1 );
@ -504,9 +481,9 @@ sub process_tc_rule( ) {
$mark =~ s/^[|&]//;
}
my $f = $processtcc{$target};
$f->() if $f;
if ( my $f = $processtcc{$target} ) {
$f->();
}
if ( $rest ) {
fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
@ -552,7 +529,8 @@ sub process_tc_rule( ) {
do_connbytes( $connbytes ) .
do_helper( $helper ) .
do_headers( $headers ) .
do_probability( $probability ) ,
do_probability( $probability ) .
do_dscp( $dscp ),
$source ,
$dest ,
'' ,

4
Shorewall/configfiles/tcrules
View File

@ -9,7 +9,7 @@
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
######################################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY
##########################################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
# PORT(S) PORT(S)

75
Shorewall/manpages/shorewall-tcrules.xml
View File

@ -468,6 +468,41 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and iptables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Sets the
<firstterm>Differentiated Services Code Point</firstterm> field
in the IP header. The <replaceable>dscp</replaceable> value may
be given as an even number (hex or decimal) or as the name of a
DSCP class. Valid class names and their associated hex numeric
values are:</para>
<programlisting> CS0 =&gt; 0x00
CS1 =&gt; 0x08
CS2 =&gt; 0x10
CS3 =&gt; 0x18
CS4 =&gt; 0x20
CS5 =&gt; 0x28
CS6 =&gt; 0x30
CS7 =&gt; 0x38
BE =&gt; 0x00
AF11 =&gt; 0x0a
AF12 =&gt; 0x0c
AF13 =&gt; 0x0e
AF21 =&gt; 0x12
AF22 =&gt; 0x14
AF23 =&gt; 0x16
AF31 =&gt; 0x1a
AF32 =&gt; 0x1c
AF33 =&gt; 0x1e
AF41 =&gt; 0x22
AF42 =&gt; 0x24
AF43 =&gt; 0x26
EF =&gt; 0x2e</programlisting>
</listitem>
</orderedlist>
</listitem>
</varlistentry>
@ -840,7 +875,7 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<varlistentry>
<term><emphasis role="bold">PROBABILITY</emphasis> -
[probability]</term>
[<replaceable>probability</replaceable>]</term>
<listitem>
<para>Added in Shorewall 4.5.0. When non-empty, requires the
@ -852,6 +887,44 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
at up to 8 decimal points of precision.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">DSCP -</emphasis>
[[!]<replaceable>dscp</replaceable>]</term>
<listitem>
<para>Added in Shorewall 4.5.1. When non-empty, match packets whose
<firstterm>Differentiated Service Code Point</firstterm> field
matches the supplied value (when '!' is given, the rule matches
packets whose DSCP field does not match the supplied value). The
<replaceable>dscp</replaceable> value may be given as an even number
(hex or decimal) or as the name of a DSCP class. Valid class names
and their associated hex numeric values are:</para>
<programlisting> CS0 =&gt; 0x00
CS1 =&gt; 0x08
CS2 =&gt; 0x10
CS3 =&gt; 0x18
CS4 =&gt; 0x20
CS5 =&gt; 0x28
CS6 =&gt; 0x30
CS7 =&gt; 0x38
BE =&gt; 0x00
AF11 =&gt; 0x0a
AF12 =&gt; 0x0c
AF13 =&gt; 0x0e
AF21 =&gt; 0x12
AF22 =&gt; 0x14
AF23 =&gt; 0x16
AF31 =&gt; 0x1a
AF32 =&gt; 0x1c
AF33 =&gt; 0x1e
AF41 =&gt; 0x22
AF42 =&gt; 0x24
AF43 =&gt; 0x26
EF =&gt; 0x2e</programlisting>
</listitem>
</varlistentry>
</variablelist>
</refsect1>

4
Shorewall6/configfiles/tcrules
View File

@ -9,6 +9,6 @@
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
##############################################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY
###################################################################################################################################################
#MARK SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
# PORT(S) PORT(S)

35
Shorewall6/manpages/shorewall6-tcrules.xml
View File

@ -365,6 +365,41 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<replaceable>number</replaceable>. Requires IMQ Target support
in your kernel and ip6tables.</para>
</listitem>
<listitem>
<para><emphasis
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
<para>Added in Shorewall 4.5.1. Sets the
<firstterm>Differentiated Services Code Point</firstterm> field
in the IP header. The <replaceable>dscp</replaceable> value may
be given as an even number (hex or decimal) or as the name of a
DSCP class. Valid class names and their associated hex numeric
values are:</para>
<programlisting> CS0 =&gt; 0x00
CS1 =&gt; 0x08
CS2 =&gt; 0x10
CS3 =&gt; 0x18
CS4 =&gt; 0x20
CS5 =&gt; 0x28
CS6 =&gt; 0x30
CS7 =&gt; 0x38
BE =&gt; 0x00
AF11 =&gt; 0x0a
AF12 =&gt; 0x0c
AF13 =&gt; 0x0e
AF21 =&gt; 0x12
AF22 =&gt; 0x14
AF23 =&gt; 0x16
AF31 =&gt; 0x1a
AF32 =&gt; 0x1c
AF33 =&gt; 0x1e
AF41 =&gt; 0x22
AF42 =&gt; 0x24
AF43 =&gt; 0x26
EF =&gt; 0x2e</programlisting>
</listitem>
</orderedlist>
</listitem>
</varlistentry>