forked from extern/shorewall_code
Document and correct implementation of EXCLUSION_MASK
1. Require KLUDGEFREE if existing rule uses mark match 2. Pretty up the code 3. Use MASK_BITS rather than TC_BITS when calculating the offset of EXCLUSION_MASK Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
c98cf8aea6
commit
c2558af9c8
@ -3487,21 +3487,29 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
if ( $iexcl || $dexcl || $oexcl ) {
|
||||
#
|
||||
# We have non-trivial exclusion -- need to create an exclusion chain
|
||||
# We have non-trivial exclusion
|
||||
#
|
||||
if ( $disposition eq 'RETURN' || $disposition eq 'CONTINUE' ) {
|
||||
#
|
||||
# We can't use an exclusion chain -- we mark those packets to be excluded and then condition the following rules based on the mark value
|
||||
#
|
||||
require_capability 'MARK_ANYWHERE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's';
|
||||
require_capability 'MARK_ANYWHERE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' unless $chainref->{table} eq 'mangle';
|
||||
require_capability 'KLUDGEFREE' , 'Exclusion in ACCEPT+/CONTINUE/NONAT rules', 's' if $rule -~ / -m mark /;
|
||||
#
|
||||
# Clear the exclusion bit
|
||||
#
|
||||
add_rule $chainref = $chainref , '-j MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
|
||||
|
||||
#
|
||||
# Mark packet if it matches any of the exclusions
|
||||
#
|
||||
my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );
|
||||
|
||||
add_rule $chainref, ( match_source_net $_ , $restriction ) . $exclude for ( mysplit $iexcl );
|
||||
add_rule $chainref, ( match_dest_net $_ ) . $exclude for ( mysplit $dexcl );
|
||||
add_rule $chainref, ( match_orig_dest $_ ) . $exclude for ( mysplit $oexcl );
|
||||
|
||||
#
|
||||
# Augment the rule to include 'not excluded'
|
||||
#
|
||||
$rule .= '-m mark --mark 0/' . in_hex( $globals{EXCLUSION_MASK} ) . ' ';
|
||||
} else {
|
||||
#
|
||||
@ -3514,23 +3522,25 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
# Use the current rule and send all possible matches to the exclusion chain
|
||||
#
|
||||
for my $onet ( mysplit $onets ) {
|
||||
|
||||
$onet = match_orig_dest $onet;
|
||||
|
||||
for my $inet ( mysplit $inets ) {
|
||||
|
||||
my $source_match = match_source_net( $inet, $restriction ) if have_capability( 'KLUDGEFREE' );
|
||||
|
||||
for my $dnet ( mysplit $dnets ) {
|
||||
#
|
||||
# We evaluate the source net match in the inner loop to accomodate systems without $capabilities{KLUDGEFREE}
|
||||
#
|
||||
add_jump( $chainref, $echainref, 0, join( '', $rule, match_source_net( $inet, $restriction ), match_dest_net( $dnet ), $onet ), 1 );
|
||||
$source_match = match_source_net( $inet, $restriction ) unless have_capability( 'KLUDGEFREE' );
|
||||
add_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet ), $onet ), 1 );
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Generate RETURNs for each exclusion
|
||||
#
|
||||
add_rule $echainref, ( match_source_net $_ , $restriction ) . '-j RETURN' for ( mysplit $iexcl );
|
||||
add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN' for ( mysplit $dexcl );
|
||||
add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN' for ( mysplit $oexcl );
|
||||
add_rule $echainref, ( match_dest_net $_ ) . '-j RETURN' for ( mysplit $dexcl );
|
||||
add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN' for ( mysplit $oexcl );
|
||||
#
|
||||
# Log rule
|
||||
#
|
||||
@ -3554,7 +3564,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
unless ( $done ) {
|
||||
#
|
||||
# No exclusions
|
||||
# No non-trivial exclusions or we're using marks to handle them
|
||||
#
|
||||
for my $onet ( mysplit $onets ) {
|
||||
$onet = match_orig_dest $onet;
|
||||
|
@ -3094,8 +3094,8 @@ sub get_configuration( $ ) {
|
||||
$config{PROVIDER_OFFSET} = $config{MASK_BITS} if $config{PROVIDER_OFFSET} < $config{MASK_BITS};
|
||||
fatal_error 'PROVIDER_BITS + PROVIDER_OFFSET > 32' if $config{PROVIDER_BITS} + $config{PROVIDER_OFFSET} > 31;
|
||||
$globals{EXCLUSION_MASK} = 1 << ( $config{PROVIDER_OFFSET} + $config{PROVIDER_BITS} );
|
||||
} elsif ( $config{TC_BITS} >= $config{PROVIDER_BITS} ) {
|
||||
$globals{EXCLUSION_MASK} = 1 << $config{TC_BITS};
|
||||
} elsif ( $config{MASK_BITS} >= $config{PROVIDER_BITS} ) {
|
||||
$globals{EXCLUSION_MASK} = 1 << $config{MASK_BITS};
|
||||
} else {
|
||||
$globals{EXCLUSION_MASK} = 1 << $config{PROVIDER_BITS};
|
||||
}
|
||||
|
@ -35,7 +35,8 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
|
||||
address/net) in CONTINUE, NONAT and ACCEPT+ rules generated
|
||||
valid but incorrect iptables input. This has been corrected but
|
||||
requires that your iptables/kernel support marking rules in any
|
||||
Netfilter table.
|
||||
Netfilter table (CONTINUE in the tcrules file does not require this
|
||||
support).
|
||||
|
||||
This fix implements a new 'Mark in any table' capability; those
|
||||
who utilize a capabilities file should re-generate the file using
|
||||
|
@ -331,7 +331,7 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
||||
<row>
|
||||
<entry>WIDE_TC_MARKS=No, HIGH_ROUTE_MARKS=No</entry>
|
||||
|
||||
<entry>TC_BITS=8, PROVIDER_BITS=0, PROVIDER_OFFSET=0,
|
||||
<entry>TC_BITS=8, PROVIDER_BITS=8, PROVIDER_OFFSET=0,
|
||||
MASK_BITS=8</entry>
|
||||
</row>
|
||||
|
||||
@ -364,7 +364,11 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
|
||||
than 16 when WIDE_TC_MARKS=Yes.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.12, the field between MASK_BITS and
|
||||
PROVIDER_OFFSET can be used for any purpose you want. </para>
|
||||
PROVIDER_OFFSET can be used for any purpose you want.</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.13, The first unused bit on the left is
|
||||
used by Shorewall as an <firstterm>exclusion mark</firstterm>, allowing
|
||||
exclusion in CONTINUE, NONAT and ACCEPT+ rules.</para>
|
||||
</section>
|
||||
|
||||
<section id="Shorewall">
|
||||
|
Binary file not shown.
Binary file not shown.
Before Width: | Height: | Size: 13 KiB After Width: | Height: | Size: 17 KiB |
Loading…
Reference in New Issue
Block a user