Restore 4.5.3 compatibility

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-05-10 14:23:33 -07:00
parent 69d735ea0a
commit cb7fc31f0b
4 changed files with 190 additions and 23 deletions


@ -396,8 +396,8 @@ sub process_a_provider() {
$gateway = ''; $gateway = '';
} }
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $load ) = my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $local, $load ) =
(0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0 ); (0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0, 0 );
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
for my $option ( split_list $options, 'option' ) { for my $option ( split_list $options, 'option' ) {
@ -434,6 +434,11 @@ sub process_a_provider() {
} elsif ( $option eq 'fallback' ) { } elsif ( $option eq 'fallback' ) {
$default = -1; $default = -1;
$default_balance = 0; $default_balance = 0;
} elsif ( $option eq 'local' ) {
warning_message q(The 'local' provider option is deprecated in favor of 'tproxy');
$local = $tproxy = 1;
$track = 0 if $config{TRACK_PROVIDERS};
$default_balance = 0 if $config{USE_DEFAULT_RT};
} elsif ( $option eq 'tproxy' ) { } elsif ( $option eq 'tproxy' ) {
$tproxy = 1; $tproxy = 1;
$track = 0 if $config{TRACK_PROVIDERS}; $track = 0 if $config{TRACK_PROVIDERS};
@ -455,7 +460,11 @@ sub process_a_provider() {
$maxload += $load; $maxload += $load;
} }
if ( $tproxy ) { if ( $local ) {
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
fatal_error "'track' not valid with 'local'" if $track;
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-';
} elsif ( $tproxy ) {
fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none'; fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
fatal_error "'track' not valid with 'tproxy'" if $track; fatal_error "'track' not valid with 'tproxy'" if $track;
fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-'; fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
@ -472,7 +481,7 @@ sub process_a_provider() {
require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' ); require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
if ( $tproxy ) { if ( $tproxy && ! $local ) {
$val = $globals{TPROXY_MARK}; $val = $globals{TPROXY_MARK};
$pref = 1; $pref = 1;
} else { } else {
@ -532,6 +541,7 @@ sub process_a_provider() {
loose => $loose , loose => $loose ,
duplicate => $duplicate , duplicate => $duplicate ,
address => $address , address => $address ,
local => $local ,
tproxy => $tproxy , tproxy => $tproxy ,
load => $load , load => $load ,
rules => [] , rules => [] ,
@ -584,6 +594,7 @@ sub add_a_provider( $$ ) {
my $loose = $providerref->{loose}; my $loose = $providerref->{loose};
my $duplicate = $providerref->{duplicate}; my $duplicate = $providerref->{duplicate};
my $address = $providerref->{address}; my $address = $providerref->{address};
my $local = $providerref->{local};
my $tproxy = $providerref->{tproxy}; my $tproxy = $providerref->{tproxy};
my $load = $providerref->{load}; my $load = $providerref->{load};
@ -639,7 +650,7 @@ CEOF
if ( $mark ne '-' ) { if ( $mark ne '-' ) {
my $hexmark = in_hex( $mark ); my $hexmark = in_hex( $mark );
my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : ''; my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD}; emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
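Review bot: The deprecation warning added for the `local` option does not tell the user that `local` and `tproxy` are not interchangeable: the `local` branch keeps the provider on PROVIDER_MASK while `tproxy` switches it to TPROXY_MARK, and the accompanying manpage changes tie `local` to FORMAT 1 tcrules and `tproxy` to FORMAT 2. Suggest `warning_message q(The 'local' provider option is deprecated in favor of 'tproxy'; 'tproxy' requires a FORMAT 2 tcrules file);` so the message states the migration condition. As a point of style, the `$tproxy && ! $local` test now appears in both process_a_provider and add_a_provider, and the three `fatal_error` checks for `local` mirror the `tproxy` ones line for line; a single flag computed once (e.g. `my $tproxy_mark = $tproxy && ! $local;`) would keep the two call sites from drifting. Both process_a_provider and add_a_provider begin and end outside these hunks.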


@ -202,15 +202,17 @@ sub process_tc_rule( ) {
my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp ); my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) = ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, undef , 14; split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
$headers = '-'; $headers = '-';
} else { } else {
( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) = ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, undef, 15; split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, { COMMENT => 0, FORMAT => 2 }, 15;
} }
our @tccmd; our @tccmd;
our $format;
fatal_error 'MARK must be specified' if $originalmark eq '-'; fatal_error 'MARK must be specified' if $originalmark eq '-';
if ( $originalmark eq 'COMMENT' ) { if ( $originalmark eq 'COMMENT' ) {
@ -218,6 +220,15 @@ sub process_tc_rule( ) {
return; return;
} }
if ( $originalmark eq 'FORMAT' ) {
if ( $source =~ /^([12])$/ ) {
$format = $1;
return;
}
fatal_error "Invalid FORMAT ($source)";
}
my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 ); my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
fatal_error "Invalid MARK ($originalmark)" unless supplied $mark; fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
@ -301,6 +312,7 @@ sub process_tc_rule( ) {
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift"; $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
}, },
DIVERT => sub() { DIVERT => sub() {
fatal_error "Invalid MARK ($originalmark)" unless $format == 2;
fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest; fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
$chain = 'tproxy'; $chain = 'tproxy';
@ -327,12 +339,28 @@ sub process_tc_rule( ) {
$cmd =~ /TPROXY\((.+?)\)$/; $cmd =~ /TPROXY\((.+?)\)$/;
my $params = $1; my $params = $1;
my ( $port, $ip, $bad );
fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params; if ( $format == 1 ) {
fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
( my $port, my $ip, my $bad ) = split ',', $params; ( $mark, $port, $ip, $bad ) = split_list $params, 'Parameter';
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad; fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
warning_message "TPROXY is deprecated in a format-1 tcrules file";
} else {
if ( $params ) {
( $port, $ip, $bad ) = split_list $params, 'Parameter';
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
} else {
fatal_error "Invalid TPROXY specification ($cmd)" unless $cmd eq 'TPROXY' || $cmd eq 'TPROXY()';
}
$mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
}
if ( $port ) { if ( $port ) {
$port = validate_port( 'tcp', $port ); $port = validate_port( 'tcp', $port );
@ -352,8 +380,6 @@ sub process_tc_rule( ) {
} }
$target .= ' --tproxy-mark'; $target .= ' --tproxy-mark';
$mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
}, },
TTL => sub() { TTL => sub() {
fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6; fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
@ -1938,12 +1964,12 @@ sub setup_tc() {
if ( $config{MANGLE_ENABLED} ) { if ( $config{MANGLE_ENABLED} ) {
ensure_mangle_chain 'tcpre'; ensure_mangle_chain 'tcpre';
ensure_mangle_chain 'tcout'; ensure_mangle_chain 'tcout';
ensure_mangle_chain 'tproxy';
if ( have_capability( 'MANGLE_FORWARD' ) ) { if ( have_capability( 'MANGLE_FORWARD' ) ) {
ensure_mangle_chain 'tcfor'; ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost'; ensure_mangle_chain 'tcpost';
ensure_mangle_chain 'tcin'; ensure_mangle_chain 'tcin';
ensure_mangle_chain 'tproxy';
} }
my @mark_part; my @mark_part;
@ -1961,7 +1987,7 @@ sub setup_tc() {
} }
} }
add_ijump $mangle_table->{PREROUTING} , j => 'tproxy' if $mangle_table->{tproxy}{referenced}; add_ijump $mangle_table->{PREROUTING} , j => 'tproxy';
add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', @mark_part; add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', @mark_part;
add_ijump $mangle_table->{OUTPUT} , j => 'tcout', @mark_part; add_ijump $mangle_table->{OUTPUT} , j => 'tcout', @mark_part;
@ -2073,7 +2099,10 @@ sub setup_tc() {
process_tc_rule while read_a_line( NORMAL_READ ); process_tc_rule while read_a_line( NORMAL_READ );
clear_comment; clear_comment;
} }
delete_jumps( $mangle_table->{PREROUTING}, $mangle_table->{tproxy} ) unless @{$mangle_table->{tproxy}{rules}};
} }
if ( $config{MANGLE_ENABLED} ) { if ( $config{MANGLE_ENABLED} ) {
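Review bot: In process_tc_rule, `$format` is declared with `our $format;` but nothing in the hunks initializes it, so unless it is set to 1 elsewhere (not visible here), a tcrules file with no FORMAT line evaluates `$format == 1` as false and takes the format-2 TPROXY branch, contradicting the manpage text that calls FORMAT 1 the default; an explicit `$format //= 1;` next to the declaration, or a reset in setup_tc before the read loop, would pin the documented default and avoid the uninitialized-value warning. The new `if ( $params )` test in the format-2 branch also inherits the fragility of the unchanged `$cmd =~ /TPROXY\((.+?)\)$/; my $params = $1;` above it: when the match fails, `$1` keeps the value of an earlier successful match in scope, so `my ( $params ) = $cmd =~ /TPROXY\((.+?)\)$/;` would make the undef case reliable. process_tc_rule and setup_tc both start and end outside these hunks.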


@ -38,6 +38,34 @@
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para> url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
</important> </important>
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
different formats:</para>
<variablelist>
<varlistentry>
<term>FORMAT 1 (default - deprecated)</term>
<listitem>
<para>The older limited-function version of TPROXY is
supported.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>FORMAT 2</term>
<listitem>
<para>The newer version of TPROXY is supported.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The format is specified by a line as follows:</para>
<blockquote>
<para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
</blockquote>
<para>The columns in the file are as follows (where the column name is <para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para> the alternate specification syntax).</para>
@ -410,18 +438,54 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<listitem> <listitem>
<para><emphasis role="bold">DIVERT</emphasis></para> <para><emphasis role="bold">DIVERT</emphasis></para>
<para>Added in Shorewall 4.5.3. Two DIVERT rule should preceed <para>Added in Shorewall 4.5.4 and only available when FORMAT is
the TPROXY rule and should select DEST PORT tcp 80 and SOURCE 2. Two DIVERT rule should preceed the TPROXY rule and should
PORT tcp 80 respectively (assuming that tcp port 80 is being select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
proxied). DIVERT avoids sending packets to the TPROXY target (assuming that tcp port 80 is being proxied). DIVERT avoids
once a socket connection to Squid3 has been established by sending packets to the TPROXY target once a socket connection to
TPROXY. DIVERT marks the packet with a unique mark and exempts Squid3 has been established by TPROXY. DIVERT marks the packet
it from any rules that follow.</para> with a unique mark and exempts it from any rules that
follow.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])</para> role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 1</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
</listitem>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])
-- FORMAT 2</para>
<para>Transparently redirects a packet without altering the IP <para>Transparently redirects a packet without altering the IP
header. Requires a tproxy provider to be defined in <ulink header. Requires a tproxy provider to be defined in <ulink


@ -38,6 +38,34 @@
url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para> url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
</important> </important>
<para>Beginning with Shorewall 4.5.4, the tcrules file supports two
different formats:</para>
<variablelist>
<varlistentry>
<term>FORMAT 1 (default - deprecated)</term>
<listitem>
<para>The older limited-function version of TPROXY is
supported.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>FORMAT 2</term>
<listitem>
<para>The newer version of TPROXY is supported.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The format is specified by a line as follows:</para>
<blockquote>
<para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
</blockquote>
<para>The columns in the file are as follows (where the column name is <para>The columns in the file are as follows (where the column name is
followed by a different name in parentheses, the different name is used in followed by a different name in parentheses, the different name is used in
the alternate specification syntax).</para> the alternate specification syntax).</para>
@ -318,7 +346,42 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
<listitem> <listitem>
<para><emphasis <para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para> role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 1</para>
<para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first
(mark) is required:</para>
<itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
</listitem>
<listitem>
<para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original
destination port.</para>
</listitem>
<listitem>
<para><replaceable>address</replaceable> - a local (to the
firewall) IP address on which the proxy server is listening.
If omitted, the IP address of the interface on which the
request arrives.</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para><emphasis
role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-- FORMAT 2</para>
<para>Transparently redirects a packet without altering the IP <para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink header. Requires a local provider to be defined in <ulink