Enhance packet marking capability

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1701 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -110,3 +110,5 @@ Changes since 2.0.3
 52) Detect duplicate zone names.
 
 53) Add mss=<number> option to the ipsec file.
+
+54) Added CONNMARK/ipp2p support.

Shorewall2/firewall

@@ -2292,7 +2292,7 @@ setup_ecn() # $1 = file name
 #
 process_tc_rule()
 {
-    chain=$MARKING_CHAIN target="MARK --set-mark"
+    chain=$MARKING_CHAIN target="MARK --set-mark" marktest=
 
     verify_designator() {
 	[ "$chain" = tcout ] && \
@@ -2342,11 +2342,34 @@ process_tc_rule()
 	    esac
 	fi
 
+	case $testval in
+	    -)
+		;;
+	    !*:C)
+		marktest="connmark ! "
+		testval=${testval%:*}
+		testval=${testval#!}
+		;;
+	    *:C)
+		marktest="connmark "
+		testval=${testval%:*}
+		;;
+	    !*)
+		marktest="mark ! "
+		testval=${testval#!}
+		;;
+	    *)
+		[ -n "$testval" ] && marktest="mark "
+		;;
+	esac
+
+	[ -n "$marktest" ] && r="${r}-m ${marktest}--mark $testval "
+
 	[ "x$dest"   = "x-"  ] || r="${r}$(dest_ip_range $dest) "
 
 	if [ "x$proto" = xipp2p ]; then
 	    [ "x$port" = "x-" ] && port="ipp2p"
-	    r="${r} -p tcp -m ipp2p --${port}"
+	    r="${r}-p tcp -m ipp2p --${port} "
 	else
 	    [ "x$proto"  = "x-"  ] && proto=all
 	    [ "x$proto"  = "x"   ] && proto=all
@@ -2410,6 +2433,10 @@ process_tc_rule()
 	    target="CONNMARK --restore-mark --mask"
 	    mark=${mark#*/}
 	    ;;
+	CONTINUE)
+	    target=RETURN
+	    mark=
+	    ;;
     esac
 
     for source in $(separate_list ${sources:=-}); do
@@ -2442,9 +2469,9 @@ setup_tc1() {
     #
     strip_file tcrules
 
-    while read mark sources dests proto ports sports user; do
+    while read mark sources dests proto ports sports user testval; do
-	expandv mark sources dests proto ports sports user
+	expandv mark sources dests proto ports sports user testval
-	rule=$(echo "$mark $sources $dests $proto $ports $sports $user")
+	rule=$(echo "$mark $sources $dests $proto $ports $sports $user $testval")
 	process_tc_rule
     done < $TMP_DIR/tcrules
     #

Shorewall2/tcrules

@@ -69,6 +69,10 @@
 #			   Your kernel and iptables must  include CONNMARK support.
 #			   As in a) above, may be followed by ":P" or ":F
 #
+#			d) CONTINUE -- don't process any more marking rules in
+#			   the table. As in a) above, may be followed by ":P" or
+#			   ":F".
+#
 #	SOURCE 		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses
 #			and/or subnets. If your kernel and iptables include
@@ -126,7 +130,19 @@
 #			The colon is optionnal when specifying only a user.
 #			Examples : john: / john / :users / john:users
 #
+#	TEST		Defines a test on the existing packet or connection mark. 
+#			The rule will match only if the test returns true. Tests
+#			have the format [!]<value>[/<mask>][:C]
+#
+#			Where:
+#
+#				!	Inverts the test (not equal)
+#				<value> Value of the packet or connection mark.
+#				<mask>  A mask to be applied to the mark before
+#					testing 
+#				:C	Designates a connection mark. If omitted,
+#					the packet mark's value is tested.
 ##############################################################################
-#MARK		SOURCE 		DEST		PROTO	PORT(S)	CLIENT	USER
+#MARK		SOURCE 		DEST		PROTO	PORT(S)	CLIENT	USER	TEST
 #								PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE