From d6805282834a923b2d050f4ec26e63dcb65bb319 Mon Sep 17 00:00:00 2001
From: teastep
Date: Fri, 7 Oct 2005 22:16:03 +0000
Subject: [PATCH] Replace TC_ENABLED with TC_SCRIPT

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2829 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt    |  4 ++
 Shorewall/firewall         | 23 +++++-----
 Shorewall/releasenotes.txt | 92 +++++++++++++++++++++++++++-----------
 Shorewall/shorewall.conf   | 15 ++++---
 4 files changed, 90 insertions(+), 44 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 9fd9bebf4..5c2376f8a 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,3 +1,7 @@
+Changes in 2.5.9
+
+1) Add TC_SCRIPT
+
 Changes in 2.5.8
 
 1) Fix 'shorewall refresh' with long tcrules entries.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 188d5fcd7..ea970ec27 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -3703,16 +3703,12 @@ setup_tc1() {
     run_iptables -t mangle -A FORWARD -j tcfor
     run_iptables -t mangle -A POSTROUTING -j tcpost
 
-    f=$(find_file tcstart)
+    if [ -n "$TC_SCRIPT" ]; then
 
-    if [ -f $f ]; then
-
-        run_user_exit tcstart
-
-        f=$(find_file tcstart) # In case the script used this variable
+        run_user_exit $TC_SCRIPT
 
         save_progress_message "Restoring Traffic Control..."
-        save_command . $f
+        save_command . $TC_SCRIPT
     else
         setup_traffic_shaping
     fi
@@ -4133,8 +4129,8 @@ refresh_tc() {
         setup_tc1
     fi
 
-    if [ -n "$TC_ENABLED" ]; then
-        run_user_exit tcstart
+    if [ -n "$TC_SCRIPT" ]; then
+        run_user_exit $TC_SCRIPT
     else
         setup_traffic_shaping
     fi
@@ -9171,7 +9167,7 @@ do_initialize() {
     LOGLIMIT=
     ADD_IP_ALIASES=
     ADD_SNAT_ALIASES=
-    TC_ENABLED=
+    TC_SCRIPT=
     BLACKLIST_DISPOSITION=
     BLACKLIST_LOGLEVEL=
     CLAMPMSS=
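Review bot: In the setup_tc1 hunk, `save_command . $TC_SCRIPT` reads the global TC_SCRIPT only after `run_user_exit $TC_SCRIPT` has executed the user's script, while the removed code re-derived `f` after the exit precisely because the script could clobber that variable (the deleted comment says so). If run_user_exit sources the script into the current shell, a tcstart that assigns or unsets TC_SCRIPT now changes which file the saved restore script will source, and the safeguard that existed for `f` has no equivalent; either copy the path into a variable before the exit and use that copy for `save_command`, or state in shorewall.conf that the script must not modify TC_SCRIPT. Both expansions are also unquoted, so a TC_SCRIPT containing whitespace splits into several arguments; `run_user_exit "$TC_SCRIPT"` and `save_command . "$TC_SCRIPT"` avoid that, and the same unquoted `run_user_exit $TC_SCRIPT` appears in the refresh_tc hunk. setup_tc1 begins before this hunk.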
@@ -9295,7 +9291,6 @@ do_initialize() {
     [ -n "$ALLOWRELATED" ] || \
         startup_error "ALLOWRELATED=No is not supported"
     ADD_IP_ALIASES="$(added_param_value_yes ADD_IP_ALIASES $ADD_IP_ALIASES)"
-    TC_ENABLED="$(added_param_value_yes TC_ENABLED $TC_ENABLED)"
 
     if [ -n "${LOGRATE}${LOGBURST}" ]; then
         LOGLIMIT="--match limit"
@@ -9421,6 +9416,12 @@ do_initialize() {
         ;;
     esac
 
+    if [ -n "$TC_SCRIPT" ] ; then
+        f="$TC_SCRIPT"
+        TC_SCRIPT=$(find_file $TC_SCRIPT)
+        [ -f $TC_SCRIPT ] || startup_error "Unable to find TC_SCRIPT file ($f)"
+    fi
+
     [ "x${SHOREWALL_DIR}" = "x." ] && SHOREWALL_DIR="$PWD"
 
     #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 0e90169f3..96af6443c 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
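Review bot: Dropping the TC_ENABLED normalization leaves an existing shorewall.conf with TC_ENABLED=Yes silently falling through to the internal shaper, because nothing in do_initialize now reports the obsolete setting and TC_SCRIPT is empty unless the user adds it. The same hunk already rejects an unsupported value with `startup_error "ALLOWRELATED=No is not supported"`; if the configuration file is sourced into this shell (which the surrounding assignments suggest), a parallel guard such as `[ -z "$TC_ENABLED" ] || startup_error "TC_ENABLED is no longer supported; set TC_SCRIPT instead"` would turn the silent change into a visible one during the migration the release notes describe. do_initialize starts and ends outside this hunk.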
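Review bot: The added existence check `[ -f $TC_SCRIPT ]` is unquoted, so if find_file yields an empty string the test collapses to `[ -f ]`, which a POSIX test treats as a non-empty single argument and returns true; the startup_error is then skipped and an empty TC_SCRIPT makes setup_tc1 quietly select the internal shaper instead of reporting the missing file. Quoting both uses fixes it: `TC_SCRIPT=$(find_file "$TC_SCRIPT")` and `[ -f "$TC_SCRIPT" ] || startup_error "Unable to find TC_SCRIPT file ($f)"`. Since the resolved file is later sourced by the firewall script, a note in the shorewall.conf comment that the file must be readable only by the firewall's user would also be in keeping with the new option accepting arbitrary paths rather than a fixed tcstart name. do_initialize starts and ends outside this hunk.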
@@ -1,24 +1,16 @@ -Shorewall 2.5.8. +Shorewall 2.5.9. -Problems Corrected in 2.5.8: +Problems Corrected in 2.5.9: -1) "shorewall refresh" will fail if there are entries in - /etc/shorewall/tcrules with non-empty USER/GROUP or TEST columns. +New Features in 2.5.9: -New Features in 2.5.8: +1) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the + option is not set then the internal shaper (tc4shorewall by Arne + Bernin) is used. Otherwise, the script named in the variable is + used. -1) Normally MAC verification triggered by the 'maclist' interface and host - options is done out of the INPUT and FORWARD chains of the filter table. - Users have reported that under some circumstances, MAC verification is - failing for forwarded packets when the packets are being forwarded out - of a bridge. - - To work around this problem, a MACLIST_TABLE option has been added to - shorewall.conf. The default value is MACLIST_TABLE=filter which results - in the current behavior. If MACLIST_TABLE=mangle then filtering will - take place out of the PREROUTING chain of the mangle table. Because - the REJECT target may not be used in the PREROUTING chain, the settings - MACLIST_DISPOSITION=REJECT and MACLIST_TABLE=mangle are incompatible. + Users who currently use an /etc/shorewall/tcstart file should set + TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf. Migration Considerations: @@ -61,6 +53,14 @@ Migration Considerations: and a comma-separated list of the parent zones. The parent zones must have been defined in earlier records in this file. +1) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the + option is not set then the internal shaper (tc4shorewall by Arne + Bernin) is used. Otherwise, the script named in the variable is + used. + + Users who currently use an /etc/shorewall/tcstart file should set + TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf. + Example: 
@@ -89,7 +89,15 @@ Migration Considerations: exactly one 'firewall' zone. No options are permitted with a 'firewall' zone. - OPTIONS, A comma-separated list of options as + OPTIONS, A comma-separated list of options as1) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the + option is not set then the internal shaper (tc4shorewall by Arne + Bernin) is used. Otherwise, the script named in the variable is + used. + + Users who currently use an /etc/shorewall/tcstart file should set + TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf. + + IN OPTIONS, follows: OUT OPTIONS reqid= where is @@ -115,7 +123,15 @@ Migration Considerations: available with mode=tunnel) - strict Means that packets must match + strict Means that packets must ma1) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the + option is not set then the internal shaper (tc4shorewall by Arne + Bernin) is used. Otherwise, the script named in the variable is + used. + + Users who currently use an /etc/shorewall/tcstart file should set + TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf. + +tch all rules. @@ -160,7 +176,15 @@ Migration Considerations: it is not set (such as if you are using your old shorewall.conf file) then Shorewall will perform the substitution. Once you have converted to use the new macros, you can set MAPOLDACTIONS=No and - invocations of those actions will go much quicker during 'shorewall + invocations of those actions will go much quicker during 'shore1) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the + option is not set then the internal shaper (tc4shorewall by Arne + Bernin) is used. Otherwise, the script named in the variable is + used. + + Users who currently use an /etc/shorewall/tcstart file should set + TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf. + +wall [re]start'. 6) The STATEDIR variable in /etc/shorewall/shorewall.conf has been 
@@ -211,13 +235,14 @@ Migration Considerations: Note that the rule is added at the front of the NEW section of the rules file. -11) The meaning of TC_ENABLED has been changed to coincide with the - integration of tc4shorewall. Beginning with this release, - the /etc/shorewall/tcrules file will be processed unconditionally - (assuming that your kernel and iptables have Packet Mangling support). - TC_ENABLED=Yes will cause Shorewall to look for an external tcstart - script as it does today. TC_ENABLED=No will cause Shorewall to use - its internal traffic shaper (tc4shorewall). +11) A new TC_SCRIPT option replaces TC_ENABLED in shorewall.conf. If the + option is not set then the internal shaper (tc4shorewall by Arne + Bernin) is used. Otherwise, the script named in the variable is + used. + + Users who currently use an /etc/shorewall/tcstart file and wish to + continue to do so should set + TC_SCRIPT=/etc/shorewall/tcstart in shorewall.conf. New Features in Shorewall 2.5.* @@ -564,4 +589,17 @@ New Features in Shorewall 2.5.* ipp2p:all Matches both UDP and TCP traffic. You may not specify a SOURCE PORT with this PROTOCOL. +28) Normally MAC verification triggered by the 'maclist' interface and host + options is done out of the INPUT and FORWARD chains of the filter table. + Users have reported that under some circumstances, MAC verification is + failing for forwarded packets when the packets are being forwarded out + of a bridge. + + To work around this problem, a MACLIST_TABLE option has been added to + shorewall.conf. The default value is MACLIST_TABLE=filter which results + in the current behavior. If MACLIST_TABLE=mangle then filtering will + take place out of the PREROUTING chain of the mangle table. Because + the REJECT target may not be used in the PREROUTING chain, the settings + MACLIST_DISPOSITION=REJECT and MACLIST_TABLE=mangle are incompatible. + diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf index 4066ac08f..4d3c3167c 100755 
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -394,15 +394,18 @@ ADD_SNAT_ALIASES=No
 RETAIN_ALIASES=No
 
 #
-# ENABLE TRAFFIC SHAPING
+# ENABLE EXTERNAL TRAFFIC SHAPER
 #
-# If you say "Yes" or "yes" here, Shorewall will look for an executable script
-# in the CONFIG_PATH to execute to configure traffic shaping.
-# If you say "No" or "no" then Shorewall will use it's internal traffic shaper
-# "tc4shorewall" by Arne Bernin.
+# If you wish for Shorewall to run an external traffic shaping script such as
+# WonderShaper then set TC_SCRIPT to the file name of that script.
+#
+# Example: TC_SCRIPT=/etc/shorewall/tcstart
+#
+# If you leave the option empty then Shorewall will use its internal traffic
+# shaper "tc4shorewall" by Arne Bernin.
 #
-TC_ENABLED=No
+TC_SCRIPT=
 #
 # Clear Traffic Shapping/Control