diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 09d199002..a3df84c5c 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1646,8 +1646,8 @@ sub process_tcfilters() {
#
# Process a tcpri record
#
-sub process_tc_priority1( $$$$$$ ) {
- my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;
+sub process_tc_priority1( $$$$$$$ ) {
+ my ( $band, $proto, $dports , $sports, $address, $interface, $helper ) = @_;
my $val = numeric_value $band;
@@ -1658,7 +1658,7 @@ sub process_tc_priority1( $$$$$$ ) {
$rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
if ( $interface ne '-' ) {
- fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
+ fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $dports eq '-' && $sports eq '-';
my $forwardref = $mangle_table->{tcfor};
@@ -1669,41 +1669,57 @@ sub process_tc_priority1( $$$$$$ ) {
my $postref = $mangle_table->{tcpost};
if ( $address ne '-' ) {
- fatal_error "Invalid combination of columns" unless $proto eq '-' && $ports eq '-';
+ fatal_error "Invalid combination of columns" unless $proto eq '-' && $dports eq '-' && $sports eq '-';
add_rule( $postref ,
join( '', match_source_net( $address) , $rule ) ,
1 );
} else {
add_rule( $postref ,
- join( '', do_proto( $proto, $ports, '-' , 0 ) , $rule ) ,
+ join( '', do_proto( $proto, $dports, $sports , 0 ) , $rule ) ,
1 );
- if ( $ports ne '-' ) {
+ if ( $dports ne '-' ) {
my $protocol = resolve_proto $proto;
if ( $proto =~ /^ipp2p/ ) {
fatal_error "ipp2p may not be used when there are tracked providers and PROVIDER_OFFSET=0" if @routemarked_interfaces && $config{PROVIDER_OFFSET} == 0;
$ipp2p = 1;
+ } elsif ( $file_format == 1 ) {
+ add_rule( $postref ,
+ join( '' , do_proto( $proto, '-', $dports, 0 ) , $rule ) ,
+ 1 )
+ unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
}
-
- add_rule( $postref ,
- join( '' , do_proto( $proto, '-', $ports, 0 ) , $rule ) ,
- 1 )
- unless $proto =~ /^ipp2p/ || $protocol == ICMP || $protocol == IPv6_ICMP;
}
}
}
}
sub process_tc_priority() {
- my ( $band, $protos, $ports , $address, $interface, $helper ) =
- split_line1( 'tcpri',
- { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 } );
+ my ( $band, $protos, $dports , $sports, $address, $interface, $helper );
+
+ if ( $file_format == 1 ) {
+ ( $band, $protos, $dports , $address, $interface, $helper ) =
+ split_line2( 'tcpri',
+ { band => 0, proto => 1, port => 2, dport => 2, address => 3, interface => 4, helper => 5 },
+ {},
+ 6,
+ 1 );
+ $sports = '-';
+ } else {
+ ( $band, $protos, $dports , $sports, $address, $interface, $helper ) =
+ split_line2( 'tcpri',
+ { band => 0, proto => 1, port => 2, dport => 2, sport => 3, address => 4, interface => 5, helper => 6 },
+ {},
+ 7,
+ 1 );
+ };
fatal_error 'BAND must be specified' if $band eq '-';
fatal_error "Invalid tcpri entry" if ( $protos eq '-' &&
- $ports eq '-' &&
+ $dports eq '-' &&
+ $sports eq '-' &&
$address eq '-' &&
$interface eq '-' &&
$helper eq '-' );
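Review bot: The `unless $proto =~ /^ipp2p/` guard on the add_rule in the new `elsif ( $file_format == 1 )` branch is dead, because that branch is only reached when the preceding `if ( $proto =~ /^ipp2p/ )` did not match; it can be reduced to `unless $protocol == ICMP || $protocol == IPv6_ICMP;`. The `};` that closes the format dispatch in process_tc_priority leaves a stray null statement; a bare `}` suffices. Both subs now branch on the module-level `$file_format` without saying what the formats differ in; a comment such as `# format 1 has no SPORT column: its DPORT matches either direction, so emit the reverse rule too` above the elsif would spare readers a trip to process_tcpri. In format 2 a SPORT-only entry (DPORT '-') skips the `if ( $dports ne '-' )` block and with it the ipp2p and ICMP checks, which is fine only if do_proto itself rejects ports on those protocols — worth confirming since that helper is outside this hunk.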
@@ -1713,7 +1729,7 @@ sub process_tc_priority() {
fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
for my $proto ( split_list $protos, 'Protocol' ) {
- process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
+ process_tc_priority1( $band, $proto, $dports , $sports, $address, $interface, $helper );
}
}
@@ -1735,7 +1751,7 @@ sub process_tcinterfaces() {
#
sub process_tcpri() {
my $fn = find_file 'tcinterfaces';
- my $fn1 = open_file 'tcpri', 1,1;
+ my $fn1 = open_file 'tcpri', 2,1,0,1;
if ( $fn1 ) {
first_entry
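Review bot: The new `open_file 'tcpri', 2,1,0,1` replaces two positional numerics with four whose meaning is not recoverable at the call site, and this single line is what enables the `?FORMAT 2` handling the rest of the commit depends on. A trailing comment naming each argument (the `2` appears to be the highest accepted ?FORMAT, the remaining three I cannot tell from here) would make the coupling to `$file_format` in process_tc_priority explicit, e.g. `# max ?FORMAT 2; see process_tc_priority for the per-format column layout`.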
diff --git a/Shorewall/configfiles/tcpri b/Shorewall/configfiles/tcpri
index 82926852d..38f6685cb 100644
--- a/Shorewall/configfiles/tcpri
+++ b/Shorewall/configfiles/tcpri
@@ -6,5 +6,6 @@
# See https://shorewall.org/simple_traffic_shaping.htm for additional
# information.
#
+?FORMAT 2
###############################################################################
-#BAND PROTO PORT ADDRESS INTERFACE HELPER
+#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
diff --git a/Shorewall/manpages/shorewall-tcpri.xml b/Shorewall/manpages/shorewall-tcpri.xml
index 43bf4b48a..d72e3d456 100644
--- a/Shorewall/manpages/shorewall-tcpri.xml
+++ b/Shorewall/manpages/shorewall-tcpri.xml
@@ -27,8 +27,11 @@
This file is used to specify the priority of traffic for simple
traffic shaping (TC_ENABLED=Simple in shorewall.conf(5)). The
- priority band of each packet is determined by the shorewall.conf(5)). Beginning with
+ Shorewall 5.2.7, the file allows ?FORMAT 2 which inserts a SPORT column
+ immediately to the right of the DPORT column.
+
+ The priority band of each packet is determined by the last entry that the packet matches. If a packet
doesn't match any entry in this file, then its priority will be determined
by its TOS field. The default mapping is as follows but can be changed by
@@ -87,15 +90,36 @@
- PORT(S) - port [,...]
+ DPORT - port [,...]
+ This column was named PORT prior to Shorewall 5.2.7. Both
+ 'port' and 'dport' may be used in the alternate input
+ format.
+
Optional. May only be given if the the PROTO is TCP (6), UDP
(17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
port numbers or service names from /etc/services. Port ranges of the
form
lowport:highport
- may also be included.
+ may also be included. In format 1, packets whose source or
+ destination port matches the specified
+ port(s) are assigned to the band given in
+ the BAND column.
+
+
+
+
+ SPORT - port [,...]
+
+
+ Only present in file format 2. Optional. May only be given if
+ the the PROTO is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
+ (136). A list of one or more port numbers or service names from
+ /etc/services. Port ranges of the form
+ lowport:highport
+ may also be included.
diff --git a/Shorewall6/configfiles/tcpri b/Shorewall6/configfiles/tcpri
index 30be54890..b4bc043c6 100644
--- a/Shorewall6/configfiles/tcpri
+++ b/Shorewall6/configfiles/tcpri
@@ -7,4 +7,4 @@
# information.
#
###############################################################################
-#BAND PROTO PORT ADDRESS INTERFACE HELPER
+#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
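Review bot: The Shorewall6 tcpri template's header is changed to the seven-column `#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER` layout, but unlike the Shorewall/configfiles/tcpri hunk no `?FORMAT 2` directive is added, so the compiler still reads this file as format 1 (six columns, no SPORT). A line filled in to match this header would have its ADDRESS, INTERFACE and HELPER values shifted one column to the left, which the compiler may reject as an invalid combination or may misinterpret. Add `?FORMAT 2` before the separator line, as the IPv4 template does.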
diff --git a/docs/simple_traffic_shaping.xml b/docs/simple_traffic_shaping.xml
index b8142d2dd..2ee0857a5 100644
--- a/docs/simple_traffic_shaping.xml
+++ b/docs/simple_traffic_shaping.xml
@@ -187,8 +187,9 @@ eth0 External
Assign traffic entering the firewall on a particular interface
to a specific priority band:
- #BAND PROTO PORT(S) ADDRESS INTERFACE HELPER
-2 - - - eth1
+ ?FORMAT 2
+#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
+2 - - - - eth1
In this example, traffic from eth1 will be assigned to priority
band 2.
@@ -203,15 +204,17 @@ eth0 External
Assign traffic from a particular IP address to a specific
priority band:
- #BAND PROTO DPORT ADDRESS INTERFACE HELPER
-1 - - 192.168.1.44
+ ?FORMAT 2
+#BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
+
+1 - - - 192.168.1.44
In this example, traffic from 192.168.1.44 will be assigned to
priority band 1.
- When an ADDRESS is specified, the PROTO, DPORT and INTERFACE
- columns must be empty.
+ When an ADDRESS is specified, the PROTO, DPORT, SPORT and
+ INTERFACE columns must be empty.
@@ -219,11 +222,19 @@ eth0 External
Assign traffic to/from a particular application to a specific
priority band:
- #BAND PROTO DPORT ADDRESS INTERFACE HELPER
+ #BAND PROTO PORT ADDRESS INTERFACE HELPER
1 udp 1194
- In that example, OpenVPN traffic is assigned to priority band
- 1.
+ In that example, SSH traffic is assigned to priority band 1. In
+ file format 2, the above would be as follows:
+
+ #BAND PROTO DPORT SPORT ADDRESS INTERFACE HELPER
+1 tcp 22
+1 tcp - 22
+
+ In other words, in file format 1, the compiler generates rules
+ for traffic from client to server and from server to client. In format
+ 2, separate tcpri rules are required.