From cce9058120cfe59a7cc536dbbb9fa0409fccb50a Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 18 Oct 2004 18:08:15 +0000
Subject: [PATCH] Enhance packet marking capability
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1701 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 39 +++++++++++++++++++++++++++++++++------
 Shorewall2/tcrules | 20 ++++++++++++++++++--
 3 files changed, 53 insertions(+), 8 deletions(-)
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 38bd4ed6c..6ef4d9d96 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -110,3 +110,5 @@ Changes since 2.0.3
 52) Detect duplicate zone names.
 53) Add mss= option to the ipsec file.
+
+54) Added CONNMARK/ipp2p support.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index e4c062456..1518a00ce 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -2292,7 +2292,7 @@ setup_ecn()
 # $1 = file name
 #
 process_tc_rule()
 {
- chain=$MARKING_CHAIN target="MARK --set-mark"
+ chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
 verify_designator() {
 [ "$chain" = tcout ] && \
@@ -2342,11 +2342,34 @@ process_tc_rule()
 esac
 fi
+ case $testval in
+ -)
+ ;;
+ !*:C)
+ marktest="connmark ! "
+ testval=${testval%:*}
+ testval=${testval#!}
+ ;;
+ *:C)
+ marktest="connmark "
+ testval=${testval%:*}
+ ;;
+ !*)
+ marktest="mark ! "
+ testval=${testval#!}
+ ;;
+ *)
+ [ -n "$testval" ] && marktest="mark "
+ ;;
+ esac
+
+ [ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
+
 [ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) "
 if [ "x$proto" = xipp2p ]; then
 [ "x$port" = "x-" ] && port="ipp2p"
- r="${r} -p tcp -m ipp2p --${port}"
+ r="${r}-p tcp -m ipp2p --${port} "
 else
 [ "x$proto" = "x-" ] && proto=all
 [ "x$proto" = "x" ] && proto=all
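Review bot: A TEST value that consists only of a designator, such as `:C` or `!:C`, leaves `testval` empty after the `${testval%:*}` / `${testval#!}` stripping while `marktest` is set, so the line `[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "` emits `--mark` with no argument and the mistake only surfaces when iptables rejects the rule at load time. The value is otherwise copied into the rule unvalidated, so a typo in the `[!]<value>[/<mask>][:C]` form documented in tcrules (a lower-case `:c`, a stray character) is likewise only caught by iptables rather than by the parser. A guard before that line, `[ -n "$marktest" -a -z "$testval" ]` feeding the script's usual fatal-error reporting of `$rule`, would turn both into a clear configuration error at parse time. process_tc_rule starts in the preceding hunk, where `marktest=` is initialised, and continues past this one.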
@@ -2409,7 +2432,11 @@ process_tc_rule()
 RESTORE/*)
 target="CONNMARK --restore-mark --mask"
 mark=${mark#*/}
- ;;
+ ;;
+ CONTINUE)
+ target=RETURN
+ mark=
+ ;;
 esac
 for source in $(separate_list ${sources:=-}); do
@@ -2442,9 +2469,9 @@ setup_tc1()
 {
 #
 strip_file tcrules
- while read mark sources dests proto ports sports user; do
- expandv mark sources dests proto ports sports user
- rule=$(echo "$mark $sources $dests $proto $ports $sports $user")
+ while read mark sources dests proto ports sports user testval; do
+ expandv mark sources dests proto ports sports user testval
+ rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval")
 process_tc_rule
 done < $TMP_DIR/tcrules
 #
diff --git a/Shorewall2/tcrules b/Shorewall2/tcrules
index c538520a9..7d676f6f3 100755
--- a/Shorewall2/tcrules
+++ b/Shorewall2/tcrules
@@ -69,6 +69,10 @@
 # Your kernel and iptables must include CONNMARK support.
 # As in a) above, may be followed by ":P" or ":F
 #
+ # d) CONTINUE -- don't process any more marking rules in
+ # the table. As in a) above, may be followed by ":P" or
+ # ":F".
+ #
 # SOURCE Source of the packet. A comma-separated list of
 # interface names, IP addresses, MAC addresses
 # and/or subnets. If your kernel and iptables include
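Review bot: The new `CONTINUE)` arm deserves a comment, because `target=RETURN` with `mark=` is the only arm that produces no MARK/CONNMARK action and a reader has to work out that `-j RETURN` simply returns from the current marking chain: `CONTINUE) # -j RETURN: stop evaluating marking rules in this chain; a TEST column still gates the rule`. It also relies on any `:P`/`:F` designator having already been removed from `$mark`, as the `RESTORE/*)` arm above requires; if that stripping happens outside this hunk it is worth saying so in the comment. The `;;` line just above it changes only in whitespace, which makes the hunk noisier than it needs to be. The `for source` loop that consumes `$target` and `$mark` continues outside the hunk.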
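Review bot: With `testval` now the last name in `while read mark sources dests proto ports sports user testval; do`, `read` folds every surplus field of a tcrules line into it, so a line with an accidental extra column (or a space inside the TEST value) produces an iptables error about the mark at load time instead of a parse-time configuration error. Reading one more throw-away name, `while read mark sources dests proto ports sports user testval extra; do`, and rejecting the line when `extra` is non-empty would make the column count explicit; the same folding previously went into `user`, so this is a pre-existing weakness that the new column makes more likely to bite. The `expandv` and `rule=` lines are updated consistently with the new column, and the loop body's `process_tc_rule` is defined outside this hunk.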
@@ -124,9 +128,21 @@
 # []:[]
 #
 # The colon is optionnal when specifying only a user.
-# Examples : john: / john / :users / john:users
+# Examples : john: / john / :users / john:users
 #
+# TEST Defines a test on the existing packet or connection mark.
+# The rule will match only if the test returns true. Tests
+# have the format [!][/][:C]
+#
+# Where:
+#
+# ! Inverts the test (not equal)
+# Value of the packet or connection mark.
+# A mask to be applied to the mark before
+# testing
+# :C Designates a connection mark. If omitted,
+# the packet mark's value is tested.
 ##############################################################################
-#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
+#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
 # PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE