Finish HAProxy support

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-01-06 09:12:33 -08:00 · 2016-01-06 09:12:33 -08:00 · ad2f20b824
commit ad2f20b824
parent 4c33c2b957
3 changed files with 61 additions and 21 deletions
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -454,27 +454,6 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},

-	HADIVERT   => {
-	    defaultchain   => REALPREROUTING,
-	    allowedchains  => PREROUTING | REALPREROUTING,
-	    minparams      => 0,
-	    maxparams      => 0,
-	    function       => sub () {
-		fatal_error 'DIVERT is only allowed in the PREROUTING chain' if $designator && $designator != PREROUTING;
-		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
-
-		unless ( $divertref ) {
-		    $divertref = new_chain( 'mangle', 'divert' );
-		    add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark"  );
-		    add_ijump( $divertref , j => 'ACCEPT' );
-		}
-
-		$target = 'divert';
-
-		$matches = '-m socket ';
-	    },
-	},
-
 	DROP       => {
 	    defaultchain   => 0,
 	    allowedchains  => PREROUTING | FORWARD | OUTPUT | POSTROUTING,
@ -499,6 +478,27 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$ ) {
 	    },
 	},

+	HADIVERT   => {
+	    defaultchain   => REALPREROUTING,
+	    allowedchains  => PREROUTING | REALPREROUTING,
+	    minparams      => 0,
+	    maxparams      => 0,
+	    function       => sub () {
+		fatal_error 'HADIVERT is only allowed in the PREROUTING chain' if $designator && $designator != PREROUTING;
+		my $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
+
+		unless ( $divertref ) {
+		    $divertref = new_chain( 'mangle', 'divert' );
+		    add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark"  );
+		    add_ijump( $divertref , j => 'ACCEPT' );
+		}
+
+		$target = 'divert';
+
+		$matches = '-m socket ';
+	    },
+	},
+
 	HL        => {
 	    defaultchain   => FORWARD,
 	    allowedchains  => PREROUTING | FORWARD,
--- a/Shorewall/manpages/shorewall-mangle.xml
+++ b/Shorewall/manpages/shorewall-mangle.xml
@ -319,6 +319,26 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">HADIVERT</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.4. To setup the HAProxy
+                configuration described at <ulink
+                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
+                place this entry in <ulink
+                url="manpages/shorewall-providers.html">shorewall-providers(5)</ulink>:</para>
+
+                <programlisting>#NAME		NUMBER   MARK    DUPLICATE  INTERFACE	GATEWAY         OPTIONS               COPY
+TProxy          3       -          lo        -               tproxy </programlisting>
+
+                <para>and use this HADIVERT entry:</para>
+
+                <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
+HADIVERT        -               -               tcp</programlisting>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</term>
--- a/Shorewall6/manpages/shorewall6-mangle.xml
+++ b/Shorewall6/manpages/shorewall6-mangle.xml
@ -320,6 +320,26 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">HADIVERT</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.0.4. To setup the HAProxy
+                configuration described at <ulink
+                url="http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x">http://www.loadbalancer.org/blog/setting-up-haproxy-with-transparent-mode-on-centos-6-x</ulink>,
+                place this entry in <ulink
+                url="manpages6/shorewall6-providers.html">shorewall6-providers(5)</ulink>:</para>
+
+                <programlisting>#NAME    NUMBER   MARK    DUPLICATE  INTERFACE	GATEWAY         OPTIONS               COPY
+TProxy   1        -       -          lo        -               tproxy </programlisting>
+
+                <para>and use this HADIVERT entry:</para>
+
+                <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   USER    TEST    LENGTH  TOS   CONNBYTES         HELPER    PROBABILITY DSCP
+HADIVERT        -               -               tcp</programlisting>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">HL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis