Add FORWARD_CLEAR_MARK option

2010-07-03 17:03:42 -07:00 · 2010-07-03 17:03:42 -07:00 · d3e30b5fe4
commit d3e30b5fe4
parent 5d1e19364a
6 changed files with 45 additions and 1 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -461,6 +461,7 @@ sub initialize( $ ) {
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
 	      REQUIRE_INTERFACE => undef,
+	      FORWARD_CLEAR_MARK => undef,
 	      #
 	      # Packet Disposition
 	      #
@ -582,6 +583,7 @@ sub initialize( $ ) {
 	      DYNAMIC_BLACKLIST => undef,
 	      LOAD_HELPERS_ONLY => undef,
 	      REQUIRE_INTERFACE => undef,
+	      FORWARD_CLEAR_MARK => undef,
 	      #
 	      # Packet Disposition
 	      #
@ -2952,6 +2954,9 @@ sub get_configuration( $ ) {
    default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
    default_yes_no 'DYNAMIC_BLACKLIST'          , 'Yes';
    default_yes_no 'REQUIRE_INTERFACE'          , '';
+    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability 'MARK' ? 'Yes' : '';
+
+    require_capability 'MARK' , 'FOREWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

    numeric_option 'TC_BITS',          $config{WIDE_TC_MARKS} ? 14 : 8 , 0;
    numeric_option 'MASK_BITS',        $config{WIDE_TC_MARKS} ? 16 : 8,  $config{TC_BITS};
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -1383,7 +1383,7 @@ sub setup_tc() {
 	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;

 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' ) if have_capability 'MARK';
+	    add_rule( $mangle_table->{FORWARD},     '-j MARK --set-mark 0' ) if $config{FORWARD_CLEAR_MARK};
 	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
 	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
 	}
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -18,6 +18,8 @@ Changes in Shorewall 4.4.11
 8)  Make find_hosts_by_option() work correctly where ALL_IP appears in
    hosts file.

+9)  Add CLEAR_FORWARD_MARK option.
+
 Changes in Shorewall 4.4.10

 1)  Fix regression with scripts.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -278,6 +278,15 @@ None.

    See http://www.shorewall.net/Vserver.html for details.

+2)  A new CLEAR_FORWARD_MARK option has been added to shorewall.conf
+    and shorewall6.conf. 
+
+    Traditionally, Shorewall has cleared the packet mark in the first
+    rule in the mangle FORWARD chain. This behavior is maintained with
+    the default setting (CLEAR_FORWARD_MARK=Yes). If the new option is
+    set to No, packet marks set in the PREROUTING chain are retained in
+    the FORWARD chains.
+
 ----------------------------------------------------------------------------
 V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
      I N   P R I O R  R E L E A S E S
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@ -562,6 +562,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+          cleared the packet mark in the first rule in the mangle FORWARD
+          chain. This behavior is maintained with the default setting of this
+          option (CLEAR_FORWARD_MARK=Yes). If FORWARD_CLEAR_MARK is set to
+          'No', packet marks set in the mangle PREROUTING chain are retained
+          in the FORWARD chains.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@ -477,6 +477,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">FORWARD_CLEAR_MARK=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.4.11 Beta 3. Traditionally, Shorewall has
+          cleared the packet mark in the first rule in the mangle FORWARD
+          chain. This behavior is maintained with the default setting of this
+          option (CLEAR_FORWARD_MARK=Yes). If FORWARD_CLEAR_MARK is set to
+          'No', packet marks set in the mangle PREROUTING chain are retained
+          in the FORWARD chains.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>