forked from extern/shorewall_code
Add an SPORT column to the tcpri file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
381a0ad8aa
commit
ac221348c0
@ -1646,8 +1646,8 @@ sub process_tcfilters() {
|
||||
#
|
||||
# Process a tcpri record
|
||||
#
|
||||
sub process_tc_priority1( $$$$$$ ) {
|
||||
my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;
|
||||
sub process_tc_priority1( $$$$$$$ ) {
|
||||
my ( $band, $proto, $dports , $sports, $address, $interface, $helper ) = @_;
|
||||
|
||||
my $val = numeric_value $band;
|
||||
|
||||
@ -1658,7 +1658,7 @@ sub process_tc_priority1( $$$$$$ ) {
|
||||
$rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
|
||||
|
||||
if ( $interface ne '-' ) {
|
||||
fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
|
||||
fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $dports eq '-' && $sports eq '-';
|
||||
|
||||
my $forwardref = $mangle_table->{tcfor};
|
||||
|
||||
@ -1669,41 +1669,57 @@ sub process_tc_priority1( $$$$$$ ) {
|
||||
my $postref = $mangle_table->{tcpost};
|
||||
|
||||
if ( $address ne '-' ) {
|
||||
fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
|
||||
fatal_error "Invalid combination of columns" unless $proto eq '-' && $dports eq '-' && $sports eq '-';
|
||||
add_rule( $postref ,
|
||||
join( '', match_source_net( $address) , $rule ) ,
|
||||
1 );
|
||||
} else {
|
||||
add_rule( $postref ,
|
||||
join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
|
||||
join( '', do_proto( $proto, $dports, $sports , 0 ) , $rule ) ,
|
||||
1 );
|
||||
|
||||
if ( $ports ne '-' ) {
|
||||
if ( $dports ne '-' ) {
|
||||
my $protocol = resolve_proto $proto;
|
||||
|
||||
if ( $proto =~ /^ipp2p/ ) {
|
||||
fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
|
||||
$ipp2p = 1;
|
||||
} elsif ( $file_format == 1 ) {
|
||||
add_rule( $postref ,
|
||||
join( '' , do_proto( $proto, '-', $dports, 0 ) , $rule ) ,
|
||||
1 )
|
||||
unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
|
||||
}
|
||||
|
||||
add_rule( $postref ,
|
||||
join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
|
||||
1 )
|
||||
unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
sub process_tc_priority() {
|
||||
my ( $band, $protos, $ports , $address, $interface, $helper ) =
|
||||
split_line1( 'tcpri',
|
||||
{ band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } );
|
||||
my ( $band, $protos, $dports , $sports, $address, $interface, $helper );
|
||||
|
||||
if ( $file_format == 1 ) {
|
||||
( $band, $protos, $dports , $address, $interface, $helper ) =
|
||||
split_line2( 'tcpri',
|
||||
{ band => 0, proto => 1, port => 2, dport => 2, address => 3, interface => 4, helper => 5 },
|
||||
{},
|
||||
6,
|
||||
1 );
|
||||
$sports = '-';
|
||||
} else {
|
||||
( $band, $protos, $dports , $sports, $address, $interface, $helper ) =
|
||||
split_line2( 'tcpri',
|
||||
{ band => 0, proto => 1, port => 2, dport => 2, sport => 3, address => 4, interface => 5, helper => 6 },
|
||||
{},
|
||||
7,
|
||||
1 );
|
||||
};
|
||||
|
||||
fatal_error 'BAND must be specified' if $band eq '-';
|
||||
|
||||
fatal_error "Invalid tcpri entry" if ( $protos eq '-' &&
|
||||
$ports eq '-' &&
|
||||
$dports eq '-' &&
|
||||
$sports eq '-' &&
|
||||
$address eq '-' &&
|
||||
$interface eq '-' &&
|
||||
$helper eq '-' );
|
||||
@ -1713,7 +1729,7 @@ sub process_tc_priority() {
|
||||
fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
|
||||
|
||||
for my $proto ( split_list $protos, 'Protocol' ) {
|
||||
process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
|
||||
process_tc_priority1( $band, $proto, $dports , $sports, $address, $interface, $helper );
|
||||
}
|
||||
}
|
||||
|
||||
@ -1735,7 +1751,7 @@ sub process_tcinterfaces() {
|
||||
#
|
||||
sub process_tcpri() {
|
||||
my $fn = find_file 'tcinterfaces';
|
||||
my $fn1 = open_file 'tcpri', 1,1;
|
||||
my $fn1 = open_file 'tcpri', 2,1,0,1;
|
||||
|
||||
if ( $fn1 ) {
|
||||
first_entry
|
||||
|
@ -6,5 +6,6 @@
|
||||
# See https://shorewall.org/simple_traffic_shaping.htm for additional
|
||||
# information.
|
||||
#
|
||||
?FORMAT 2
|
||||
###############################################################################
|
||||
#BAND PROTO PORT ADDRESS INTERFACE HELPER
|
||||
#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
|
||||
|
@ -27,8 +27,11 @@
|
||||
|
||||
<para>This file is used to specify the priority of traffic for simple
|
||||
traffic shaping (TC_ENABLED=Simple in <ulink
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)). The
|
||||
priority band of each packet is determined by the <emphasis
|
||||
url="shorewall.conf.html">shorewall.conf</ulink>(5)). Beginning with
|
||||
Shorewall 5.2.7, the file allows ?FORMAT 2 which inserts a SPORT column
|
||||
immediately to the right of the DPORT column.</para>
|
||||
|
||||
<para>The priority band of each packet is determined by the <emphasis
|
||||
role="bold">last</emphasis> entry that the packet matches. If a packet
|
||||
doesn't match any entry in this file, then its priority will be determined
|
||||
by its TOS field. The default mapping is as follows but can be changed by
|
||||
@ -87,15 +90,36 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>PORT(S) - <replaceable>port</replaceable> [,...]</term>
|
||||
<term>DPORT - <replaceable>port</replaceable> [,...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>This column was named PORT prior to Shorewall 5.2.7. Both
|
||||
'port' and 'dport' may be used in the <ulink
|
||||
url="../configuration_file_basics.htm#Pairs">alternate input
|
||||
format</ulink>.</para>
|
||||
|
||||
<para>Optional. May only be given if the the PROTO is TCP (6), UDP
|
||||
(17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
|
||||
port numbers or service names from /etc/services. Port ranges of the
|
||||
form
|
||||
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
|
||||
may also be included.</para>
|
||||
may also be included. In format 1, packets whose source or
|
||||
destination port matches the specified
|
||||
<replaceable>port</replaceable>(s) are assigned to the band given in
|
||||
the BAND column.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term>SPORT - <replaceable>port</replaceable> [,...]</term>
|
||||
|
||||
<listitem>
|
||||
<para>Only present in file format 2. Optional. May only be given if
|
||||
the the PROTO is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
|
||||
(136). A list of one or more port numbers or service names from
|
||||
/etc/services. Port ranges of the form
|
||||
<replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
|
||||
may also be included. </para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -7,4 +7,4 @@
|
||||
# information.
|
||||
#
|
||||
###############################################################################
|
||||
#BAND PROTO PORT ADDRESS INTERFACE HELPER
|
||||
#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
|
||||
|
@ -187,8 +187,9 @@ eth0 External</programlisting>
|
||||
<para>Assign traffic entering the firewall on a particular interface
|
||||
to a specific priority band:</para>
|
||||
|
||||
<programlisting>#BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
|
||||
2 - - - eth1</programlisting>
|
||||
<programlisting>?FORMAT 2
|
||||
#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
|
||||
2 - - - - eth1</programlisting>
|
||||
|
||||
<para>In this example, traffic from eth1 will be assigned to priority
|
||||
band 2.</para>
|
||||
@ -203,15 +204,17 @@ eth0 External</programlisting>
|
||||
<para>Assign traffic from a particular IP address to a specific
|
||||
priority band:</para>
|
||||
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
1 - - 192.168.1.44</programlisting>
|
||||
<programlisting>?FORMAT 2
|
||||
#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
|
||||
|
||||
1 - - - 192.168.1.44</programlisting>
|
||||
|
||||
<para>In this example, traffic from 192.168.1.44 will be assigned to
|
||||
priority band 1.</para>
|
||||
|
||||
<note>
|
||||
<para>When an ADDRESS is specified, the PROTO, DPORT and INTERFACE
|
||||
columns must be empty.</para>
|
||||
<para>When an ADDRESS is specified, the PROTO, DPORT, SPORT and
|
||||
INTERFACE columns must be empty.</para>
|
||||
</note>
|
||||
</listitem>
|
||||
|
||||
@ -219,11 +222,19 @@ eth0 External</programlisting>
|
||||
<para>Assign traffic to/from a particular application to a specific
|
||||
priority band:</para>
|
||||
|
||||
<programlisting>#BAND PROTO DPORT ADDRESS INTERFACE HELPER
|
||||
<programlisting>#BAND PROTO PORT ADDRESS INTERFACE HELPER
|
||||
1 udp 1194</programlisting>
|
||||
|
||||
<para>In that example, OpenVPN traffic is assigned to priority band
|
||||
1.</para>
|
||||
<para>In that example, SSH traffic is assigned to priority band 1. In
|
||||
file format 2, the above would be as follows:</para>
|
||||
|
||||
<programlisting>#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
|
||||
1 tcp 22
|
||||
1 tcp - 22</programlisting>
|
||||
|
||||
<para>In other words, in file format 1, the compiler generates rules
|
||||
for traffic from client to server and from server to client. In format
|
||||
2, separate tcpri rules are required.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
Loading…
Reference in New Issue
Block a user