diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 5cdfe174b..b4e5060ab 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1873,7 +1873,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ );
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
sub process_snat1( $$$$$$$$$$$$ );
sub perl_action_helper( $$;$$ );
@@ -1980,10 +1980,10 @@ sub process_action(\$\$$) {
}
}
} elsif ( $type & MANGLE_TABLE ) {
- my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+ my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
if ( $family == F_IPV4 ) {
- ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+ ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
split_line2( 'mangle file',
{ mark => 0,
action => 0,
@@ -2002,13 +2002,14 @@ sub process_action(\$\$$) {
scp => 13,
state => 14,
time => 15,
+ switch => 16,
},
{},
- 16,
+ 17,
1 );
$headers = '-';
} else {
- ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+ ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
split_line2( 'action file',
{ mark => 0,
action => 0,
@@ -2028,9 +2029,10 @@ sub process_action(\$\$$) {
dscp => 14,
state => 15,
time => 16,
+ switch => 17,
},
{},
- 17,
+ 18,
1 );
}
@@ -2059,7 +2061,8 @@ sub process_action(\$\$$) {
$probability ,
$dscp ,
$state,
- $time );
+ $time,
+ $conditional );
set_inline_matches( $matches );
}
} else {
@@ -3991,8 +3994,8 @@ sub process_rules() {
$section = $next_section = DEFAULTACTION_SECTION;
}
-sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
- my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_;
+sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
+ my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional ) = @_;
my $oldparms = push_action_params( $inline,
$chainref,
@@ -4011,9 +4014,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
my $save_comment = push_comment;
while ( read_a_line( NORMAL_READ ) ) {
- my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime );
+ my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime, $mconditional );
if ( $family == F_IPV4 ) {
- ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime ) =
+ ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
split_line2( 'mangle file',
{ mark => 0,
action => 0,
@@ -4032,13 +4035,14 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
scp => 13,
state => 14,
time => 15,
+ switch => 16,
},
{},
- 16,
+ 17,
1 );
$headers = $mheaders = '-';
} else {
- ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime ) =
+ ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
split_line2( 'mangle file',
{ mark => 0,
action => 0,
@@ -4058,9 +4062,10 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
dscp => 14,
state => 15,
time => 16,
+ switch => 17,
},
{},
- 17,
+ 18,
1 );
}
@@ -4093,7 +4098,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
merge_macro_column( $mprobability , $probability ),
merge_macro_column( $mdscp , $dscp ),
merge_macro_column( $mstate, $state ),
- merge_macro_column( $mtime, $time ) );
+ merge_macro_column( $mtime, $time ),
+ merge_macro_column( $mconditional, $conditional ),
+ );
}
progress_message " Rule \"$currentline\" $done";
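Review bot: The new `merge_macro_column( $mconditional, $conditional )` makes a body line's SWITCH and the invoking rule's SWITCH mutually exclusive rather than cumulative, assuming merge_macro_column favours the body column when it is set, as it is used for every other column in this call (its definition is not in view). An administrator who gates an action invocation with a switch would then find that body rules carrying their own switch silently ignore the outer one, which is a surprising way for an enable/disable control to fail. A comment on that line would make the precedence explicit, e.g. `# a body-line SWITCH replaces (does not AND with) the invoking rule's SWITCH`, and a warning when both are set would be better still. The enclosing loop of process_mangle_inline starts before this hunk.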
@@ -4120,8 +4127,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
# appended to that chain. The chain with be the action's chain unless the action
# is inlined, in which case it will be the chain which invoked the action.
#
-sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
- my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time) = @_;
+sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
+ my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $condition) = @_;
my %designators = (
P => PREROUTING,
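Review bot: The last parameter of process_mangle_rule1 is unpacked as `$condition` while every other signature touched by this change (process_action, process_mangle_inline, process_mangle_rule) names the same value `$conditional`, and the column itself is called SWITCH. Using one name along the whole forwarding path keeps it greppable; `$conditional` matches the callers, so the unpack line would become `my ( $chainref, $action, ..., $state, $time, $conditional ) = @_;` with the two later uses renamed to match. The body of process_mangle_rule1 continues well past this hunk.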
@@ -4231,6 +4238,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
do_headers( $headers ) .
do_probability( $probability ) .
do_dscp( $dscp ) .
+ do_condition( $condition, $chainref->{name} ) .
state_match( $state ) .
$raw_matches ,
$source ,
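Review bot: `do_condition( $condition, $chainref->{name} )` is the only place the new SWITCH column becomes a netfilter match, and the condition match behind the manpage's /proc/net/nf_condition interface comes from xtables-addons rather than the mainline kernel; unless do_condition, whose body is outside this hunk, performs a capability check, a non-empty SWITCH compiles cleanly and only fails when the generated ruleset is loaded. A switched mangle rule is also inert after a fresh boot until the proc file is set to 1, which for a rule that sets routing marks means traffic silently takes the default path. A one-line comment here would spare the next reader the detour, e.g. `# SWITCH column: condition match (xtables-addons); rule is inert while the switch reads 0`. process_mangle_rule1 starts and ends outside this hunk.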
@@ -4826,7 +4834,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
$probability ,
$dscp ,
$state,
- $time );
+ $time,
+ $condition );
$done = 1;
}
};
@@ -5221,9 +5230,9 @@ sub process_tc_rule( ) {
sub process_mangle_rule( $ ) {
my ( $chainref ) = @_;
- my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+ my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
if ( $family == F_IPV4 ) {
- ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) =
+ ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
split_line2( 'mangle file',
{ mark => 0,
action => 0,
@@ -5242,13 +5251,14 @@ sub process_mangle_rule( $ ) {
scp => 13,
state => 14,
time => 15,
+ switch => 16,
},
{},
- 16,
+ 17,
1 );
$headers = '-';
} else {
- ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) =
+ ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
split_line2( 'mangle file',
{ mark => 0,
action => 0,
@@ -5268,14 +5278,15 @@ sub process_mangle_rule( $ ) {
dscp => 14,
state => 15,
time => 16,
+ switch => 17,
},
{},
- 17,
+ 18,
1 );
}
for my $proto (split_list( $protos, 'Protocol' ) ) {
- process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time );
+ process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
}
}
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index a0549b373..ed57feaa7 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -42,7 +42,7 @@ use strict;
our @ISA = qw(Exporter);
our @EXPORT = qw( process_tc setup_tc );
-our @EXPORT_OK = qw( process_tc_rule initialize );
+our @EXPORT_OK = qw( initialize );
our $VERSION = 'MODULEVERSION';
our %flow_keys = ( 'src' => 1,
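Review bot: Dropping `process_tc_rule` from @EXPORT_OK is a compile-time break for any module that still imports it from Shorewall::Tc. The Rules.pm hunk headed `sub process_tc_rule( ) {` suggests the sub now lives there, so the old definition should also be removed from Tc.pm rather than left as an unexported duplicate, and any remaining `use Shorewall::Tc qw( ... process_tc_rule ... )` updated; neither is visible from this hunk.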
@@ -2277,9 +2277,10 @@ sub open_mangle_for_output( $ ) {
#
transfer_permissions( $fn, $fn1 );
- print $mangle <<'EOF';
+ if ( $family == F_IPV4 ) {
+ print $mangle <<'EOF';
#
-# Shorewall version 4 - Mangle File
+# Shorewall -- /etc/shorewall/mangle
#
# For information about entries in this file, type "man shorewall-mangle"
#
@@ -2289,13 +2290,31 @@ sub open_mangle_for_output( $ ) {
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
-####################################################################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
-# PORT(S) PORT(S)
+##############################################################################################################################################################
+#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH
+EOF
+ } else {
+ print $mangle <<'EOF';
+#
+# Shorewall6 -- /etc/shorewall6/mangle
+#
+# For information about entries in this file, type "man shorewall6-mangle"
+#
+# See http://shorewall.net/traffic_shaping.htm for additional information.
+# For usage in selecting among multiple ISPs, see
+# http://shorewall.net/MultiISP.html
+#
+# See http://shorewall.net/PacketMarking.html for a detailed description of
+# the Netfilter/Shorewall packet marking mechanism.
+#
+######################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP SWITCH
EOF
- }
- return ( $mangle, $fn1 );
+ }
+
+ return ( $mangle, $fn1 );
+ }
}
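Review bot: The regenerated IPv4 header line labels the two port columns `DEST SOURCE`, because the old second line `# PORT(S) PORT(S)` was dropped without renaming them, while the IPv6 heredoc in this same hunk and both configfiles/mangle templates use `DPORT SPORT`; the IPv4 line should read `#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH`. Separately, `return ( $mangle, $fn1 );` has moved inside the block that opens before this hunk (it previously followed that block's closing brace), so if the block's other branch can complete without aborting, open_mangle_for_output now returns the value of its last statement instead of the handle/filename pair. Either move the return back after the outer closing brace or confirm that branch never falls through. open_mangle_for_output begins outside this hunk.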
#
diff --git a/Shorewall/configfiles/mangle b/Shorewall/configfiles/mangle
index d5d285e85..496e3f5f3 100644
--- a/Shorewall/configfiles/mangle
+++ b/Shorewall/configfiles/mangle
@@ -10,5 +10,5 @@
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
-####################################################################################################################################################
-#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP
+##############################################################################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH
diff --git a/Shorewall/manpages/shorewall-mangle.xml b/Shorewall/manpages/shorewall-mangle.xml
index 0d8bd3ce8..7b3a32210 100644
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@@ -1332,6 +1332,53 @@ Normal-Service => 0x00
+
+
+ SWITCH -
+ [!]switch-name[={0|1}]
+
+
+ Added in Shorewall 5.1.0 and allows enabling and disabling the
+ rule without requiring shorewall restart.
+
+ The rule is enabled if the value stored in
+ /proc/net/nf_condition/switch-name
+ is 1. The rule is disabled if that file contains 0 (the default). If
+ '!' is supplied, the test is inverted such that the rule is enabled
+ if the file contains 0.
+
+ Within the switch-name, '@0' and
+ '@{0}' are replaced by the name of the chain to which the rule is a
+ added. The switch-name (after '@...'
+ expansion) must begin with a letter and be composed of letters,
+ decimal digits, underscores or hyphens. Switch names must be 30
+ characters or less in length.
+
+ Switches are normally off. To
+ turn a switch on:
+
+
+ echo 1 >
+ /proc/net/nf_condition/switch-name
+
+
+ To turn it off again:
+
+
+ echo 0 >
+ /proc/net/nf_condition/switch-name
+
+
+ Switch settings are retained over shorewall
+ restart.
+
+ When the switch-name is followed by
+ or , then the switch is
+ initialized to off or on respectively by the
+ start command. Other commands do not affect the
+ switch setting.
+
+
diff --git a/Shorewall6/configfiles/mangle b/Shorewall6/configfiles/mangle
index 82bf8d72a..9cbff31c0 100644
--- a/Shorewall6/configfiles/mangle
+++ b/Shorewall6/configfiles/mangle
@@ -10,5 +10,5 @@
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
-############################################################################################################################################################
-#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP
+######################################################################################################################################################################
+#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP SWITCH
diff --git a/Shorewall6/manpages/shorewall6-mangle.xml b/Shorewall6/manpages/shorewall6-mangle.xml
index fcbf4a353..48e7278d3 100644
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@@ -1408,6 +1408,54 @@ Normal-Service => 0x00
+
+
+ SWITCH -
+ [!]switch-name[={0|1}]
+
+
+ Added in Shorewall 5.1.0 and allows enabling and disabling the
+ rule without requiring shorewall -6
+ restart.
+
+ The rule is enabled if the value stored in
+ /proc/net/nf_condition/switch-name
+ is 1. The rule is disabled if that file contains 0 (the default). If
+ '!' is supplied, the test is inverted such that the rule is enabled
+ if the file contains 0.
+
+ Within the switch-name, '@0' and
+ '@{0}' are replaced by the name of the chain to which the rule is a
+ added. The switch-name (after '@...'
+ expansion) must begin with a letter and be composed of letters,
+ decimal digits, underscores or hyphens. Switch names must be 30
+ characters or less in length.
+
+ Switches are normally off. To
+ turn a switch on:
+
+
+ echo 1 >
+ /proc/net/nf_condition/switch-name
+
+
+ To turn it off again:
+
+
+ echo 0 >
+ /proc/net/nf_condition/switch-name
+
+
+ Switch settings are retained over shorewall
+ restart.
+
+ When the switch-name is followed by
+ or , then the switch is
+ initialized to off or on respectively by the
+ start command. Other commands do not affect the
+ switch setting.
+
+