Use multiport match in tcrules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5018 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2006-11-29 00:38:10 +00:00 · 2006-11-29 00:38:10 +00:00 · adfa31c8e4
commit adfa31c8e4
parent dbdc85bec6
3 changed files with 32 additions and 9 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -8,6 +8,8 @@ Changes in 3.3.6

 4)  Use fwmark tc filter with unknown interfaces.

+5)  Use multiport match in tcrules.
+
 Changes in 3.3.5

 1)  Restore default route when there are no 'balance' providers.
--- a/Shorewall/lib.tcrules
+++ b/Shorewall/lib.tcrules
@ -45,7 +45,7 @@
 #
 process_tc_rule()
 {
-    local did_connmark=
+    local did_connmark= multiport=

    chain=$MARKING_CHAIN  target="MARK --set-mark" marktest=

@ -185,8 +185,6 @@ process_tc_rule()
 	    r="${r}-m tos --tos ${tos} "
 	fi

-	multiport=
-
 	case $proto in
 	    ipp2p|IPP2P|ipp2p:*|IPP2P:*)
 		do_ipp2p
@ -199,7 +197,7 @@ process_tc_rule()
 		[ "x$proto" = "x-"  ] && proto=all
 		[ "x$proto" = "x"   ] && proto=all
 		[ "$proto"  = "all" ] || r="${r}-p $proto "
-		[ "x$port"  = "x-"  ] || r="${r}--dport $port "
+		[ "x$port"  = "x-"  ] || r="${r}$multiport $port "
 		;;
 	esac

@ -391,16 +389,35 @@ process_tc_rule()
 	    dests=${dests%!*}
 	    ;;
    esac
-
-    for source in $(separate_list $sources); do
-	for dest in $(separate_list $dests); do
-	    for port in $(separate_list ${ports:=-}); do
+    #
+    # This isn't as fancy as the code in the rules file processor. It only uses multiport match
+    # if the extended variety is available and then only on the destination port(s). 
+    #
+    if [ -n "$XMULTIPORT" ]; then
+	#
+	# Extended Multiport match can handle port ranges 
+	#
+	multiport="-m multiport --dports"
+	for source in $(separate_list $sources); do
+	    for dest in $(separate_list $dests); do
+		port=${ports:=-}
 		for sport in $(separate_list ${sports:=-}); do
 		    add_a_tc_rule
 		done
 	    done
 	done
-    done
+    else
+	multiport=--dport
+	for source in $(separate_list $sources); do
+	    for dest in $(separate_list $dests); do
+		for port in $(separate_list ${ports:=-}); do
+		    for sport in $(separate_list ${sports:=-}); do
+			add_a_tc_rule
+		    done
+		done
+	    done
+	done
+    fi

    progress_message "   TC Rule \"$rule\" $DONE"
    save_progress_message_short "   TC Rule \\\"$rule\\\" Added"
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -59,6 +59,10 @@ Other Changes in 3.3.6
    /etc/shorewall/interfaces. This is in preparation for the upcoming
    change to the way that --physdev-out works in iptables/Netfilter.

+4)  If your kernel and iptables have extended multiport support, then
+    Shorewall will use that support for the destination port when
+    generating rules from entries in the /etc/shorewall/tcrules file.
+
 Migration Considerations:

 1)  Shorewall supports the notion of "default actions". A default