holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add RESTORE_ROUTEMARKS option

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-10-11 07:34:57 -07:00
parent 2a175c627e
commit cc90a06958
14 changed files with 75 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Config.pm
View File

@ -731,6 +731,7 @@ sub initialize( $;$$) {
USE_PHYSICAL_NAMES => undef,
HELPERS => undef,
AUTOHELPERS => undef,
RESTORE_ROUTEMARKS => undef,
#
# Packet Disposition
#
@ -4552,6 +4553,7 @@ sub get_configuration( $$$ ) {
default_yes_no 'USE_PHYSICAL_NAMES' , '';
default_yes_no 'IPSET_WARNINGS' , 'Yes';
default_yes_no 'AUTOHELPERS' , 'Yes';
default_yes_no 'RESTORE_ROUTEMARKS' , 'Yes';
if ( supplied $config{HELPERS} ) {
my %helpers_temp = %helpers_enabled;

6
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -121,7 +121,11 @@ sub setup_route_marking() {
require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;
add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
if ( $config{RESTORE_ROUTEMARKS} ) {
add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
} else {
add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
}
my $chainref = new_chain 'mangle', 'routemark';

2
Shorewall/Samples/Universal/shorewall.conf
View File

@ -186,6 +186,8 @@ REQUIRE_INTERFACE=Yes
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No

2
Shorewall/Samples/one-interface/shorewall.conf
View File

@ -197,6 +197,8 @@ REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No

2
Shorewall/Samples/three-interfaces/shorewall.conf
View File

@ -195,6 +195,8 @@ REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No

2
Shorewall/Samples/two-interfaces/shorewall.conf
View File

@ -198,6 +198,8 @@ REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No

2
Shorewall/configfiles/shorewall.conf
View File

@ -186,6 +186,8 @@ REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RESTORE_ROUTEMARKS=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=No

34
Shorewall/manpages/shorewall.conf.xml
View File

@ -96,7 +96,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -106,7 +106,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -116,7 +116,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -126,7 +126,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -525,7 +525,7 @@
</itemizedlist>
<blockquote>
<para></para>
<para/>
<para>If CONFIG_PATH is not given or if it is set to the empty
value then the contents of /usr/share/shorewall/configpath are
@ -932,7 +932,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</varlistentry>
</variablelist>
<para></para>
<para/>
<blockquote>
<para>If this variable is not set or is given an empty value
@ -1142,7 +1142,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</itemizedlist>
<para></para>
<para/>
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
@ -1159,7 +1159,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para>
</important>
<para></para>
<para/>
<caution>
<para>Do not use this option if the resulting log messages will
@ -1823,7 +1823,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -1934,6 +1934,22 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">RESTORE_ROUTEMARKS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.9. When set to <emphasis
role="bold">Yes</emphasis> (the default), provider marks are
restored unconditionally at the top of the mangle OUTPUT and
PREROUTING chains, even if the saved mark is zero. When this option
is set to <emphasis role="bold">No</emphasis>, the mark is restored
even when it is zero. If you have problems with IPSEC ESP packets
not being routed correctly on output, try setting this option to
<emphasis role="bold">No</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RESTOREFILE=</emphasis><emphasis>filename</emphasis></term>

2
Shorewall6/Samples6/Universal/shorewall6.conf
View File

@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=Yes
RESTORE_ROUTEMARKS=Yes
TC_ENABLED=No
TC_EXPERT=No

2
Shorewall6/Samples6/one-interface/shorewall6.conf
View File

@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes
TC_ENABLED=No
TC_EXPERT=No

2
Shorewall6/Samples6/three-interfaces/shorewall6.conf
View File

@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes
TC_ENABLED=No
TC_EXPERT=No

2
Shorewall6/Samples6/two-interfaces/shorewall6.conf
View File

@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes
TC_ENABLED=No
TC_EXPERT=No

2
Shorewall6/configfiles/shorewall6.conf
View File

@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_ROUTEMARKS=Yes
TC_ENABLED=No
TC_EXPERT=No

30
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -82,7 +82,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -92,7 +92,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -102,7 +102,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -112,7 +112,7 @@
role="bold">none</emphasis>}</term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -1005,7 +1005,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</itemizedlist>
<para></para>
<para/>
<blockquote>
<para>For example, using the default LOGFORMAT, the log prefix for
@ -1022,7 +1022,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
control your firewall after you enable this option.</para>
</important>
<para></para>
<para/>
<caution>
<para>Do not use this option if the resulting log messages will
@ -1621,7 +1621,7 @@ net all DROP info</programlisting>then the chain name is 'net2all'
role="bold">"</emphasis></term>
<listitem>
<para></para>
<para/>
</listitem>
</varlistentry>
@ -1712,6 +1712,22 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">RESTORE_ROUTEMARKS=</emphasis>[<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
<listitem>
<para>Added in Shorewall 4.5.9. When set to <emphasis
role="bold">Yes</emphasis> (the default), provider marks are
restored unconditionally at the top of the mangle OUTPUT and
PREROUTING chains, even if the saved mark is zero. When this option
is set to <emphasis role="bold">No</emphasis>, the mark is restored
even when it is zero. If you have problems with IPSEC ESP packets
not being routed correctly on output, try setting this option to
<emphasis role="bold">No</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">RESTOREFILE=</emphasis><emphasis>filename</emphasis></term>