Add a SWITCH column to the mangle files

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-11-29 16:13:44 -08:00
parent 799b17210c
commit a45fe692cc
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
6 changed files with 161 additions and 36 deletions


@ -1873,7 +1873,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast,
sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ); sub process_rule ( $$$$$$$$$$$$$$$$$$$$ );
sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ); sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ );
sub process_snat1( $$$$$$$$$$$$ ); sub process_snat1( $$$$$$$$$$$$ );
sub perl_action_helper( $$;$$ ); sub perl_action_helper( $$;$$ );
@ -1980,10 +1980,10 @@ sub process_action(\$\$$) {
} }
} }
} elsif ( $type & MANGLE_TABLE ) { } elsif ( $type & MANGLE_TABLE ) {
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ); my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
split_line2( 'mangle file', split_line2( 'mangle file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@ -2002,13 +2002,14 @@ sub process_action(\$\$$) {
scp => 13, scp => 13,
state => 14, state => 14,
time => 15, time => 15,
switch => 16,
}, },
{}, {},
16, 17,
1 ); 1 );
$headers = '-'; $headers = '-';
} else { } else {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
split_line2( 'action file', split_line2( 'action file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@ -2028,9 +2029,10 @@ sub process_action(\$\$$) {
dscp => 14, dscp => 14,
state => 15, state => 15,
time => 16, time => 16,
switch => 17,
}, },
{}, {},
17, 18,
1 ); 1 );
} }
@ -2059,7 +2061,8 @@ sub process_action(\$\$$) {
$probability , $probability ,
$dscp , $dscp ,
$state, $state,
$time ); $time,
$conditional );
set_inline_matches( $matches ); set_inline_matches( $matches );
} }
} else { } else {
@ -3991,8 +3994,8 @@ sub process_rules() {
$section = $next_section = DEFAULTACTION_SECTION; $section = $next_section = DEFAULTACTION_SECTION;
} }
sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) { sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$$ ) {
my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ) = @_; my ($inline, $chainref, $params, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional ) = @_;
my $oldparms = push_action_params( $inline, my $oldparms = push_action_params( $inline,
$chainref, $chainref,
@ -4011,9 +4014,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
my $save_comment = push_comment; my $save_comment = push_comment;
while ( read_a_line( NORMAL_READ ) ) { while ( read_a_line( NORMAL_READ ) ) {
my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime ); my ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability , $mdscp , $mstate, $mtime, $mconditional );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime ) = ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
split_line2( 'mangle file', split_line2( 'mangle file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@ -4032,13 +4035,14 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
scp => 13, scp => 13,
state => 14, state => 14,
time => 15, time => 15,
switch => 16,
}, },
{}, {},
16, 17,
1 ); 1 );
$headers = $mheaders = '-'; $headers = $mheaders = '-';
} else { } else {
( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime ) = ( $moriginalmark, $msource, $mdest, $mprotos, $mports, $msports, $muser, $mtestval, $mlength, $mtos , $mconnbytes, $mhelper, $mheaders, $mprobability, $mdscp, $mstate, $mtime, $mconditional ) =
split_line2( 'mangle file', split_line2( 'mangle file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@ -4058,9 +4062,10 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
dscp => 14, dscp => 14,
state => 15, state => 15,
time => 16, time => 16,
switch => 17,
}, },
{}, {},
17, 18,
1 ); 1 );
} }
@ -4093,7 +4098,9 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
merge_macro_column( $mprobability , $probability ), merge_macro_column( $mprobability , $probability ),
merge_macro_column( $mdscp , $dscp ), merge_macro_column( $mdscp , $dscp ),
merge_macro_column( $mstate, $state ), merge_macro_column( $mstate, $state ),
merge_macro_column( $mtime, $time ) ); merge_macro_column( $mtime, $time ),
merge_macro_column( $mconditional, $conditional ),
);
} }
progress_message " Rule \"$currentline\" $done"; progress_message " Rule \"$currentline\" $done";
@ -4120,8 +4127,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
# appended to that chain. The chain with be the action's chain unless the action # appended to that chain. The chain with be the action's chain unless the action
# is inlined, in which case it will be the chain which invoked the action. # is inlined, in which case it will be the chain which invoked the action.
# #
sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) { sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$$ ) {
my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time) = @_; my ( $chainref, $action, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $condition) = @_;
my %designators = ( my %designators = (
P => PREROUTING, P => PREROUTING,
@ -4231,6 +4238,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
do_headers( $headers ) . do_headers( $headers ) .
do_probability( $probability ) . do_probability( $probability ) .
do_dscp( $dscp ) . do_dscp( $dscp ) .
do_condition( $condition, $chainref->{name} ) .
state_match( $state ) . state_match( $state ) .
$raw_matches , $raw_matches ,
$source , $source ,
@ -4826,7 +4834,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
$probability , $probability ,
$dscp , $dscp ,
$state, $state,
$time ); $time,
$condition );
$done = 1; $done = 1;
} }
}; };
@ -5221,9 +5230,9 @@ sub process_tc_rule( ) {
sub process_mangle_rule( $ ) { sub process_mangle_rule( $ ) {
my ( $chainref ) = @_; my ( $chainref ) = @_;
my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ); my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state, $time, $conditional ) =
split_line2( 'mangle file', split_line2( 'mangle file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@ -5242,13 +5251,14 @@ sub process_mangle_rule( $ ) {
scp => 13, scp => 13,
state => 14, state => 14,
time => 15, time => 15,
switch => 16,
}, },
{}, {},
16, 17,
1 ); 1 );
$headers = '-'; $headers = '-';
} else { } else {
( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time ) = ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state, $time, $conditional ) =
split_line2( 'mangle file', split_line2( 'mangle file',
{ mark => 0, { mark => 0,
action => 0, action => 0,
@ -5268,14 +5278,15 @@ sub process_mangle_rule( $ ) {
dscp => 14, dscp => 14,
state => 15, state => 15,
time => 16, time => 16,
switch => 17,
}, },
{}, {},
17, 18,
1 ); 1 );
} }
for my $proto (split_list( $protos, 'Protocol' ) ) { for my $proto (split_list( $protos, 'Protocol' ) ) {
process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time ); process_mangle_rule1( $chainref, $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state, $time, $conditional );
} }
} }
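Review bot: The new `switch => 16` / `switch => 17` map entries and the bumped column counts (16→17, 17→18) had to be repeated in six hand-maintained copies of the same split_line2 column map across process_action, process_mangle_inline and process_mangle_rule, and those copies have already drifted: the IPv6 branch of process_action still labels its call `split_line2( 'action file',` while its IPv4 twin and the other four copies say `'mangle file'`. Hoisting the IPv4 and IPv6 column maps and their counts into two file-level hashes/constants that all three subs share would turn the next column addition into a one-line change and remove that mismatch. The callee process_mangle_rule1 names the new argument `$condition` while all three call sites name it `$conditional`; one spelling would help when grepping for the column. do_condition, which now receives the mangle chain name for `@0` expansion, is defined outside this hunk, so I could not confirm from here that it enforces the switch-name syntax and 30-character limit the man page in this commit describes for config-supplied names.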


@ -42,7 +42,7 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( process_tc setup_tc ); our @EXPORT = qw( process_tc setup_tc );
our @EXPORT_OK = qw( process_tc_rule initialize ); our @EXPORT_OK = qw( initialize );
our $VERSION = 'MODULEVERSION'; our $VERSION = 'MODULEVERSION';
our %flow_keys = ( 'src' => 1, our %flow_keys = ( 'src' => 1,
@ -2277,9 +2277,10 @@ sub open_mangle_for_output( $ ) {
# #
transfer_permissions( $fn, $fn1 ); transfer_permissions( $fn, $fn1 );
print $mangle <<'EOF'; if ( $family == F_IPV4 ) {
print $mangle <<'EOF';
# #
# Shorewall version 4 - Mangle File # Shorewall -- /etc/shorewall/mangle
# #
# For information about entries in this file, type "man shorewall-mangle" # For information about entries in this file, type "man shorewall-mangle"
# #
@ -2289,13 +2290,31 @@ sub open_mangle_for_output( $ ) {
# #
# See http://shorewall.net/PacketMarking.html for a detailed description of # See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism. # the Netfilter/Shorewall packet marking mechanism.
#################################################################################################################################################### ##############################################################################################################################################################
#ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP #ACTION SOURCE DEST PROTO DEST SOURCE USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH
# PORT(S) PORT(S) EOF
} else {
print $mangle <<'EOF';
#
# Shorewall6 -- /etc/shorewall6/mangle
#
# For information about entries in this file, type "man shorewall6-mangle"
#
# See http://shorewall.net/traffic_shaping.htm for additional information.
# For usage in selecting among multiple ISPs, see
# http://shorewall.net/MultiISP.html
#
# See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism.
#
######################################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP SWITCH
EOF EOF
}
return ( $mangle, $fn1 ); }
return ( $mangle, $fn1 );
}
} }
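Review bot: The new IPv4 heredoc keeps the old port-column labels `DEST SOURCE` (its former continuation line `# PORT(S) PORT(S)` is dropped) while the IPv6 heredoc directly below and both stock configfiles in this commit label the same two columns `DPORT SPORT`; the generated /etc/shorewall/mangle header should use `DPORT SPORT` as well, so the two heredocs then differ only in the HEADERS column. The IPv4 and IPv6 bodies are otherwise near-duplicates; one heredoc with the product name, path and the optional HEADERS column derived from `$family` would keep them from drifting again. Column alignment of the header lines is not recoverable from this rendering, so I could not check that the appended `SWITCH` label lines up under the lengthened ruler line. open_mangle_for_output begins before this hunk.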
# #


@ -10,5 +10,5 @@
# See http://shorewall.net/PacketMarking.html for a detailed description of # See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism. # the Netfilter/Shorewall packet marking mechanism.
# #
#################################################################################################################################################### ##############################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER PROBABILITY DSCP SWITCH


@ -1332,6 +1332,53 @@ Normal-Service =&gt; 0x00</programlisting>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
<listitem>
<para>Added in Shorewall 5.1.0 and allows enabling and disabling the
rule without requiring <command>shorewall restart</command>.</para>
<para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.</para>
<para>Within the <replaceable>switch-name</replaceable>, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a
added. The <replaceable>switch-name</replaceable> (after '@...'
expansion) must begin with a letter and be composed of letters,
decimal digits, underscores or hyphens. Switch names must be 30
characters or less in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall
restart</command>.</para>
<para>When the <replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the
<command>start</command> command. Other commands do not affect the
switch setting.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>


@ -10,5 +10,5 @@
# See http://shorewall.net/PacketMarking.html for a detailed description of # See http://shorewall.net/PacketMarking.html for a detailed description of
# the Netfilter/Shorewall packet marking mechanism. # the Netfilter/Shorewall packet marking mechanism.
# #
############################################################################################################################################################ ######################################################################################################################################################################
#ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP #ACTION SOURCE DEST PROTO DPORT SPORT USER TEST LENGTH TOS CONNBYTES HELPER HEADERS PROBABILITY DSCP SWITCH


@ -1408,6 +1408,54 @@ Normal-Service =&gt; 0x00</programlisting>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
<listitem>
<para>Added in Shorewall 5.1.0 and allows enabling and disabling the
rule without requiring <command>shorewall -6
restart</command>.</para>
<para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0.</para>
<para>Within the <replaceable>switch-name</replaceable>, '@0' and
'@{0}' are replaced by the name of the chain to which the rule is a
added. The <replaceable>switch-name</replaceable> (after '@...'
expansion) must begin with a letter and be composed of letters,
decimal digits, underscores or hyphens. Switch names must be 30
characters or less in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall
restart</command>.</para>
<para>When the <replaceable>switch-name</replaceable> is followed by
<option>=0</option> or <option>=1</option>, then the switch is
initialized to off or on respectively by the
<command>start</command> command. Other commands do not affect the
switch setting.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>