From afcb4aa5044dacf8fdb4590a1d6cb4aefa923c3c Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 8 Feb 2006 22:33:13 +0000 Subject: [PATCH] Fix TC match for bridge ports git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3453 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 7 +++++++ Shorewall/compiler | 29 ++++++++++++++++++++++++----- Shorewall/firewall | 29 ++++++++++++++++++++++++----- Shorewall/functions | 18 ++++++++++++++++++ Shorewall/releasenotes.txt | 3 +++ 5 files changed, 76 insertions(+), 10 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 50aef5944..9d21883a5 100755 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -38,6 +38,8 @@ Changes in 3.1.x. 18) Fix QUEUE when used in the ESTABLISHED section. 19) Apply Ed Suominen's patch to tcrules. +------------------------------------------------------------------------------- +3.1.5 20) Speed up compilation by rewriting 'fix_bang()'. @@ -47,8 +49,13 @@ Changes in 3.1.x. 23) Add compiled-program/library versioning scheme. +------------------------------------------------------------------------------- +3.1.6 + 24) Apply Steven Springl's help patch. 25) Fix 'allow/drop/reject' while Shorewall not running. 26) Implement bi-directional macros. + +27) Fix TC bridge port handling. diff --git a/Shorewall/compiler b/Shorewall/compiler index fcb1d8e7c..caa5d9bc5 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -2835,6 +2835,8 @@ setup_traffic_shaping() case $1 in default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service) ;; + tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f]) + ;; *) echo $1 return 1 
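Review bot: The new `tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f]` arm in check_tcclasses_options accepts only lower-case hex and exactly two digits per field, and nothing at this site records that the lower-case restriction is safe only because the caller runs the options through `tr '[A-Z]' '[a-z]'` before calling it. Since this case statement is the only thing standing between the tcclasses file and the `tc filter ... match ip tos` command built later, that reliance deserves a comment such as `# tos=0xNN[/0xNN]: exactly two hex digits per field; caller has already lowercased the options`. It would also help users to state in the tcclasses documentation that short forms like `tos=0x8` are rejected. The enclosing function starts before this hunk.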
@@ -2891,8 +2893,14 @@ setup_traffic_shaping() ratew=$(get_outband_for_dev $device) options=$(separate_list $options | tr '[A-Z]' '[a-z]') for opt in $options; do - list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses" - allopts="$allopts $device-$opt" + case opt in + tos=*) + ;; + *) + list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses" + allopts="$allopts $device-$opt" + ;; + esac done wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file" if [ -z "$ratew" ] ; then @@ -2917,7 +2925,7 @@ setup_traffic_shaping() } add_tc_class() { - local full classid + local full classid tospair tosmask full=$(get_outband_for_dev $device) full=$(rate_to_kbit $full) @@ -2948,7 +2956,7 @@ setup_traffic_shaping() run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10 # add filters if [ -n "$CLASSIFY_TARGET" ]; then - run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark -j CLASSIFY --set-class $classid + run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark -j CLASSIFY --set-class $classid else run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid fi 
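Review bot: `case opt in` on the new line inside the `for opt in $options` loop tests the literal word opt rather than the option value, so the `tos=*)` arm is never taken and every `tos=` option still goes through the list_search duplicate check and the `allopts="$allopts $device-$opt"` bookkeeping exactly as before the patch. The line should read `case $opt in`. As written the exemption the hunk introduces is dead code, and two classes on one device that both name the same `tos=` value still hit the "option already defined" fatal_error; a quick compile of a tcclasses file with two classes sharing `tos=0x10` would show it. The enclosing setup_traffic_shaping body continues outside the hunk.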
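Review bot: The swap of `-o $device` for `$(match_dest_dev $device)` in the CLASSIFY rule carries no comment, and match_dest_dev is not defined anywhere in this patch, so a reader of add_tc_class cannot tell from this line that it is the bridge-port fix the commit message describes. Presumably the helper emits a physdev-style match for bridge ports and a plain `-o` otherwise; if so, a one-line comment such as `# match_dest_dev picks the output-interface match that works for bridge ports as well as plain interfaces` would record it. The substitution must stay unquoted so its output is split into separate iptables arguments, which is worth saying in the same comment. add_tc_class continues outside the hunk.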
@@ -2959,7 +2967,18 @@ setup_traffic_shaping() list_search "tos-maximize-throughput" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x08 0x08 flowid $classid list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x04 0x04 flowid $classid list_search "tos-normal-service" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x00 0x1e flowid $classid - # tcp + + for tospair in $(list_walk "tos=" $options) ; do + case $tospair in + */*) + tosmask=${tospair##*/} + ;; + *) + tosmask=0xff + ;; + esac + run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid + done } strip_file tcdevices $devfile diff --git a/Shorewall/firewall b/Shorewall/firewall index a180c6d1c..a0b704cb2 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -1648,6 +1648,8 @@ setup_traffic_shaping() case $1 in default|tcp-ack|tos-minimize-delay|tos-maximize-throughput|tos-maximize-reliability|tos-minimize-cost|tos-normal-service) ;; + tos=0x[0-9a-f][0-9a-f]|tos=0x[0-9a-f][0-9a-f]/0x[0-9a-f][0-9a-f]) + ;; *) echo $1 return 1 @@ -1704,8 +1706,14 @@ setup_traffic_shaping() ratew=$(get_outband_for_dev $device) options=$(separate_list $options | tr '[A-Z]' '[a-z]') for opt in $options; do - list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses" - allopts="$allopts $device-$opt" + case opt in + tos=*) + ;; + *) + list_search "$device-$opt" $allopts && fatal_error "option $opt already defined in a chain for interface $device in tcclasses" + allopts="$allopts $device-$opt" + ;; + esac done wrongopt=$(check_tcclasses_options $options) || fatal_error "unknown option $wrongopt for class iface $device mark $mark in tcclasses file" if [ -z "$ratew" ] ; then 
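Review bot: The new `for tospair in $(list_walk "tos=" $options)` loop installs one u32 filter per `tos=` option but has no comment on the syntax it implements, and it replaced the old `# tcp` comment with a blank line. A comment at the top of the loop, e.g. `# tos=VALUE[/MASK], both as 0xNN (validated by check_tcclasses_options); MASK defaults to 0xff`, would make the `${tospair%%/*}` / `${tospair##*/}` splitting self-explanatory. Separately, the context line just above, `list_search "tos-minimize-reliability" ...`, can never match because check_tcclasses_options only accepts `tos-maximize-reliability`, so that option is accepted but installs no filter; this predates the patch but sits in the same block and is worth fixing while here. add_tc_class starts outside the hunk.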
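Review bot: The `tos=0x[0-9a-f][0-9a-f]|...` arm added to check_tcclasses_options in Shorewall/firewall accepts only lower-case hex and exactly two digits, and nothing here records that this works only because the caller lowercases the options with `tr '[A-Z]' '[a-z]'` first. This is the only validation the tos value gets before it is handed to `run_tc`, so a comment such as `# tos=0xNN[/0xNN]: exactly two hex digits per field; caller has already lowercased the options` is warranted. The enclosing function starts before this hunk.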
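Review bot: In the Shorewall/firewall hunk at -1704, `case opt in` tests the literal string opt, not `$opt`, so the new `tos=*)` arm is never reached and all options, tos= included, still go through `list_search "$device-$opt" $allopts` and the `allopts` append as before. Change it to `case $opt in`. This is the same defect as in the compiler copy of the function, and both must be fixed together or the two implementations will diverge. The enclosing setup_traffic_shaping body continues outside the hunk.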
@@ -1730,7 +1738,7 @@ setup_traffic_shaping() } add_tc_class() { - local full classid + local full classid tospair tosmask full=$(get_outband_for_dev $device) full=$(rate_to_kbit $full) @@ -1761,7 +1769,7 @@ setup_traffic_shaping() run_tc qdisc add dev $device parent $classid handle 1$mark: sfq perturb 10 # add filters if [ -n "$CLASSIFY_TARGET" ]; then - run_iptables -t mangle -A tcpost -o $device -m mark --mark $mark -j CLASSIFY --set-class $classid + run_iptables -t mangle -A tcpost $(match_dest_dev $device) -m mark --mark $mark -j CLASSIFY --set-class $classid else run_tc filter add dev $device protocol ip parent $devnum:0 prio 1 handle $mark fw classid $classid fi @@ -1772,7 +1780,18 @@ setup_traffic_shaping() list_search "tos-maximize-throughput" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x08 0x08 flowid $classid list_search "tos-minimize-reliability" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x04 0x04 flowid $classid list_search "tos-normal-service" $options && run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos 0x00 0x1e flowid $classid - # tcp + + for tospair in $(list_walk "tos=" $options) ; do + case $tospair in + */*) + tosmask=${tospair##*/} + ;; + *) + tosmask=0xff + ;; + esac + run_tc filter add dev $device parent $devnum:0 protocol ip prio 10 u32 match ip tos ${tospair%%/*} $tosmask flowid $classid + done } strip_file tcdevices $devfile diff --git a/Shorewall/functions b/Shorewall/functions index e741940b8..75e7eafdc 100755 --- a/Shorewall/functions +++ b/Shorewall/functions 
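Review bot: The `$(match_dest_dev $device)` replacing `-o $device` in the firewall copy of the CLASSIFY rule has no comment, and match_dest_dev is not part of this patch, so the bridge-port purpose of the line is invisible at the point of use. Presumably the helper emits a physdev-style match for bridge ports and a plain `-o` otherwise; a comment like `# match_dest_dev: output-interface match that also works for bridge ports; left unquoted so its words become separate arguments` would capture both why it is there and why it is not quoted. add_tc_class continues outside the hunk.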
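Review bot: The `for tospair in $(list_walk "tos=" $options)` loop added to the firewall copy of add_tc_class has no comment describing the `tos=VALUE[/MASK]` form it parses or the 0xff default mask, and it drops the old `# tcp` comment in favour of a blank line. Suggest `# tos=VALUE[/MASK], both as 0xNN (validated by check_tcclasses_options); MASK defaults to 0xff` above the loop. The neighbouring context line `list_search "tos-minimize-reliability" ...` is also unreachable because the validator only admits `tos-maximize-reliability`, so that option silently installs nothing; it predates this patch. add_tc_class starts outside the hunk.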
@@ -49,6 +49,24 @@ list_search() # $1 = element to search for , $2-$n = list return 1 } +# +# Return a space separated list of values matching +# +list_walk() # $1 = element to search for, $2-$n = list +{ + local e=$1 result= + + while [ $# -gt 1 ]; do + shift + case $1 in + $e*) + result="$result ${1##$e}" + ;; + esac + done + echo $result +} + # # Functions to count list elements # - - - - - - - - - - - - - - - - diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index aa9984ecb..f77f15048 100755 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -35,6 +35,9 @@ Problems Corrected in 3.1.6 2) The 'allow', 'drop' and 'reject' commands no longer produce iptables errors when executed while Shorewall is not started. +3) Shorewall now correctly handles devices in /etc/shorewall/tcdevices that + are actually bridge ports. + Other changes in 3.1.6 1) In macro files, you can now use the reserved words SOURCE and DEST
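Review bot: The header comment `# Return a space separated list of values matching` on list_walk is truncated and never says what is matched or returned: the elements of $2-$n that begin with the prefix $1, with that prefix stripped. Suggest `# Return a space-separated list of the elements of $2-$n that start with the prefix $1, with the prefix removed. $1 is used as a shell pattern (in the case arm and in ${1##$e}), so it must not contain glob characters.` The unquoted `echo $result` is also what discards the leading separator built up by `result="$result ${1##$e}"`, which deserves a short `# unquoted on purpose: collapses the leading space` so the quoting is not "fixed" later.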