holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Use multiport match in tcrules

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5018 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-11-29 00:38:10 +00:00
parent dbdc85bec6
commit adfa31c8e4
3 changed files with 32 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -8,6 +8,8 @@ Changes in 3.3.6
4) Use fwmark tc filter with unknown interfaces. 4) Use fwmark tc filter with unknown interfaces.
5) Use multiport match in tcrules.
Changes in 3.3.5 Changes in 3.3.5
1) Restore default route when there are no 'balance' providers. 1) Restore default route when there are no 'balance' providers.

27
Shorewall/lib.tcrules
View File

@ -45,7 +45,7 @@
# #
process_tc_rule() process_tc_rule()
{ {
local did_connmark= local did_connmark= multiport=
chain=$MARKING_CHAIN target="MARK --set-mark" marktest= chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
@ -185,8 +185,6 @@ process_tc_rule()
r="${r}-m tos --tos ${tos} " r="${r}-m tos --tos ${tos} "
fi fi
multiport=
case $proto in case $proto in
ipp2p|IPP2P|ipp2p:*|IPP2P:*) ipp2p|IPP2P|ipp2p:*|IPP2P:*)
do_ipp2p do_ipp2p
@ -199,7 +197,7 @@ process_tc_rule()
[ "x$proto" = "x-" ] && proto=all [ "x$proto" = "x-" ] && proto=all
[ "x$proto" = "x" ] && proto=all [ "x$proto" = "x" ] && proto=all
[ "$proto" = "all" ] || r="${r}-p $proto " [ "$proto" = "all" ] || r="${r}-p $proto "
[ "x$port" = "x-" ] || r="${r}--dport $port " [ "x$port" = "x-" ] || r="${r}$multiport $port "
;; ;;
esac esac
@ -391,7 +389,25 @@ process_tc_rule()
dests=${dests%!*} dests=${dests%!*}
;; ;;
esac esac
#
# This isn't as fancy as the code in the rules file processor. It only uses multiport match
# if the extended variety is available and then only on the destination port(s).
#
if [ -n "$XMULTIPORT" ]; then
#
# Extended Multiport match can handle port ranges
#
multiport="-m multiport --dports"
for source in $(separate_list $sources); do
for dest in $(separate_list $dests); do
port=${ports:=-}
for sport in $(separate_list ${sports:=-}); do
add_a_tc_rule
done
done
done
else
multiport=--dport
for source in $(separate_list $sources); do for source in $(separate_list $sources); do
for dest in $(separate_list $dests); do for dest in $(separate_list $dests); do
for port in $(separate_list ${ports:=-}); do for port in $(separate_list ${ports:=-}); do
@ -401,6 +417,7 @@ process_tc_rule()
done done
done done
done done
fi
progress_message " TC Rule \"$rule\" $DONE" progress_message " TC Rule \"$rule\" $DONE"
save_progress_message_short " TC Rule \\\"$rule\\\" Added" save_progress_message_short " TC Rule \\\"$rule\\\" Added"

4
Shorewall/releasenotes.txt
View File

@ -59,6 +59,10 @@ Other Changes in 3.3.6
/etc/shorewall/interfaces. This is in preparation for the upcoming /etc/shorewall/interfaces. This is in preparation for the upcoming
change to the way that --physdev-out works in iptables/Netfilter. change to the way that --physdev-out works in iptables/Netfilter.
4) If your kernel and iptables have extended multiport support, then
Shorewall will use that support for the destination port when
generating rules from entries in the /etc/shorewall/tcrules file.
Migration Considerations: Migration Considerations:
1) Shorewall supports the notion of "default actions". A default 1) Shorewall supports the notion of "default actions". A default