forked from extern/shorewall_code
Add CONNMARK and ipp2p support
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1698 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
32abe114e7
commit
db932e0b16
@ -47,9 +47,12 @@
|
||||
# Format the same as the SOURCE column.
|
||||
#
|
||||
# PROTOCOL A protocol name (from /etc/protocols), a protocol
|
||||
# number.
|
||||
# number, or "ipp2p"
|
||||
#
|
||||
# DEST PORT Destination Port number
|
||||
# DEST PORT Destination Port number. If the PROTOCOL is "ipp2p" then
|
||||
# this column must contain an ipp2p option ("iptables -m
|
||||
# ipp2p --help") without the leading "--". If no option
|
||||
# is given in this column, "ipp2p" is assumed.
|
||||
#
|
||||
# Service name from /etc/services or port number. May
|
||||
# only be specified if the protocol is TCP or UDP (6
|
||||
|
@ -2292,7 +2292,7 @@ setup_ecn() # $1 = file name
|
||||
#
|
||||
process_tc_rule()
|
||||
{
|
||||
chain=$MARKING_CHAIN
|
||||
chain=$MARKING_CHAIN target="MARK --set-mark"
|
||||
|
||||
verify_designator() {
|
||||
[ "$chain" = tcout ] && \
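Review bot: `chain=$MARKING_CHAIN target="MARK --set-mark"` puts two unrelated assignments on one line, and nothing says that `target` is only a default that the designator and SAVE/RESTORE handling later replace. Split it and annotate: `chain=$MARKING_CHAIN` on its own line, then `target="MARK --set-mark"   # default; C/CP/CF, SAVE and RESTORE marks replace this`. process_tc_rule continues well past this hunk.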
|
||||
@ -2343,10 +2343,18 @@ process_tc_rule()
|
||||
fi
|
||||
|
||||
[ "x$dest" = "x-" ] || r="${r}$(dest_ip_range $dest) "
|
||||
[ "x$proto" = "x-" ] && proto=all
|
||||
[ "x$proto" = "x" ] && proto=all
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
|
||||
if [ "x$proto" = xipp2p ]; then
|
||||
r="${r} -p tcp -m ipp2p"
|
||||
[ "x$port" = "x-" ] && port="ipp2p"
|
||||
r="${r} --${port}"
|
||||
else
|
||||
[ "x$proto" = "x-" ] && proto=all
|
||||
[ "x$proto" = "x" ] && proto=all
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
fi
|
||||
|
||||
[ "x$sport" = "x-" ] || r="${r}--sport $sport "
|
||||
|
||||
case $chain in
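Review bot: `r="${r} --${port}"` has no trailing space, unlike every other fragment appended to `$r`, so when a source port is also given the following `--sport` line produces `--ipp2p--sport <port>` as a single word and iptables rejects the rule. Change it to `r="${r} --${port} "`. The option name is spliced into the command verbatim, so a mistyped value is only caught by iptables at load time; a comment such as `# PORT column carries the ipp2p option name; iptables validates it` would make that explicit. process_tc_rule continues past this hunk.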
|
||||
@ -2354,7 +2362,7 @@ process_tc_rule()
|
||||
run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
|
||||
;;
|
||||
*)
|
||||
run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
|
||||
run_iptables2 -t mangle -A $chain $r -j $target $mark
|
||||
;;
|
||||
esac
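Review bot: `-j $target $mark` depends on `$target` being unquoted so that `CONNMARK --set-mark` word-splits into a target and its option, which a later cleanup could break by quoting it; add `# $target may be several words (e.g. CONNMARK --save-mark --mask): keep it unquoted` above the line. The `tcpost` arm above still hard-codes `CLASSIFY` and ignores `$target`, which is fine as long as only classifications reach tcpost, but that assumption deserves a one-line comment too.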
|
||||
|
||||
@ -2365,16 +2373,46 @@ process_tc_rule()
|
||||
p|P)
|
||||
verify_designator tcpre
|
||||
;;
|
||||
cp|CP)
|
||||
verify_designator tcpre
|
||||
target="CONNMARK --set-mark"
|
||||
;;
|
||||
f|F)
|
||||
verify_designator tcfor
|
||||
;;
|
||||
cf|CF)
|
||||
verify_designator tcfor
|
||||
target="CONNMARK --set-mark"
|
||||
;;
|
||||
c|C)
|
||||
target="CONNMARK --set-mark"
|
||||
mark=${mark%:*}
|
||||
;;
|
||||
*)
|
||||
chain=tcpost
|
||||
;;
|
||||
esac
|
||||
|
||||
fi
|
||||
|
||||
case $mark in
|
||||
SAVE)
|
||||
target="CONNMARK --save-mark"
|
||||
mark=
|
||||
;;
|
||||
SAVE/*)
|
||||
target="CONNMARK --save-mark --mask"
|
||||
mark=${mark#*/}
|
||||
;;
|
||||
RESTORE)
|
||||
target="CONNMARK --restore-mark"
|
||||
mark=
|
||||
;;
|
||||
RESTORE/*)
|
||||
target="CONNMARK --restore-mark --mask"
|
||||
mark=${mark#*/}
|
||||
;;
|
||||
esac
|
||||
|
||||
for source in $(separate_list ${sources:=-}); do
|
||||
for dest in $(separate_list ${dests:=-}); do
|
||||
for port in $(separate_list ${ports:=-}); do
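Review bot: The `c|C` arm strips the designator itself with `mark=${mark%:*}` while `cp|CP` and `cf|CF` leave `$mark` to `verify_designator` (defined above, outside this hunk); if that function already strips the suffix the inline copy is redundant, and if it does not, the CP/CF marks reach `-j $target $mark` still carrying `:P`/`:F`. A one-line comment on the `c|C` arm stating where the suffix is removed would settle it. In the `SAVE/*` and `RESTORE/*` arms an empty mask (`SAVE/`) leaves `$mark` empty and emits `--mask` with no value, so the failure surfaces only as an iptables error; a guard before the strip, `[ -n "${mark#*/}" ] || fatal_error "Empty mask in mark \"$mark\""`, reports it at the offending rule. The same `target="CONNMARK --set-mark"` assignment appears three times; hoisting it is optional.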
|
||||
@ -2556,6 +2594,10 @@ process_accounting_rule() {
|
||||
[ -n "$proto" ] && case $proto in
|
||||
-|any|all)
|
||||
;;
|
||||
ipp2p)
|
||||
rule="$rule -p tcp -m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
;;
|
||||
*)
|
||||
rule="$rule -p $proto"
|
||||
;;
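Review bot: `--${port:-ipp2p}` only substitutes the default when `$port` is empty, yet the surrounding case still sees `-` as a protocol placeholder (`-|any|all)`), so unless `port` is normalised earlier in process_accounting_rule (outside this hunk) an `ipp2p` rule with `-` in the port column emits `-m ipp2p ---`. process_tc_rule in this same commit handles the placeholder explicitly; do the same here with `[ "x$port" = x- ] && port=` before the `rule=` line. The function starts outside the hunk.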
|
||||
@ -3857,6 +3899,12 @@ add_a_rule()
|
||||
fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
|
||||
proto=
|
||||
;;
|
||||
ipp2p)
|
||||
sport="-m ipp2p --${port:-ipp2p}"
|
||||
port=
|
||||
proto=tcp
|
||||
do_ports
|
||||
;;
|
||||
*)
|
||||
[ -n "$port" ] && \
|
||||
fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""
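Review bot: The `ipp2p)` arm stores the match expression in `sport`, a variable whose name suggests it carries the source-port match elsewhere in add_a_rule (assigned outside this hunk); if a rule supplies both `ipp2p` and a source port, one value silently overwrites the other depending on which assignment runs last, and this arm gives the reader no hint. Either use a dedicated variable or document the reuse: `# ipp2p option replaces the source-port match; proto is forced to tcp`. add_a_rule begins and ends outside the hunk.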
|
||||
|
@ -570,3 +570,32 @@ New Features:
|
||||
Example:
|
||||
|
||||
CLAMPMSS=1400
|
||||
|
||||
23) Shorewall now includes support for the ipp2p match facility. This
|
||||
is a departure from my usual policy in that the ipp2p match
|
||||
facility is included in Patch-O-Matic-NG and is unlikely to ever be
|
||||
included in the kernel.org source tree. Questions about how to
|
||||
install the patch or how to build your kernel and/or iptables
|
||||
should not be posted on the Shorewall mailing lists.
|
||||
|
||||
In the following files, the "PROTO" or "PROTOCOL" column may
|
||||
contain "ipp2p":
|
||||
|
||||
/etc/shorewall/rules
|
||||
/etc/shorewall/tcrules
|
||||
/etc/shorewall/accounting
|
||||
|
||||
When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
|
||||
PORT(S) or PORT(S) column may contain a recognized ipp2p option;
|
||||
for a list of the options and their meaning, at a root prompt:
|
||||
|
||||
iptables -m ipp2p --help
|
||||
|
||||
You must not include the leading "--" on the option; Shorewall will
|
||||
supply those characters for you. If you do not include an option
|
||||
then "ipp2p" is assumed (Shorewall will generate "-m ipp2p
|
||||
--ipp2p").
|
||||
|
||||
24) Shorewall now has support for the CONNMARK target from iptables.
|
||||
See the /etc/shorewall/tcrules file for details.
|
||||
|
||||
|
@ -188,14 +188,20 @@
|
||||
# contain the port number on the firewall that the
|
||||
# request should be redirected to.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
|
||||
# "all".
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
#
|
||||
# DEST PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example "bit"
|
||||
# for bit-torrent). If no port is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# A port range is expressed as <low port>:<high port>.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
|
@ -29,6 +29,22 @@
|
||||
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# If your kernel and iptables include CONNMARK support
|
||||
# then you can also mark the connection rather than
|
||||
# the packet.
|
||||
#
|
||||
# The mark value may be optionally followed by "/"
|
||||
# and a mask value (used to determine those bits of
|
||||
# the connection mark to actually be set). The
|
||||
# mark and optional mask are then followed by one of:
|
||||
#
|
||||
# C - Mark the connection in the chain determined
|
||||
# by the setting of MARK_IN_FORWARD_CHAIN
|
||||
#
|
||||
# CF: Mark the conneciton in the FORWARD chain
|
||||
#
|
||||
# CP: Mark the connection in the PREROUTING chain.
|
||||
#
|
||||
# b) A classification of the form <major>:<minor> where
|
||||
# <major> and <minor> are integers. Corresponds to
|
||||
# the 'class' specification in these traffic shaping
|
||||
@ -41,7 +57,17 @@
|
||||
# - htb
|
||||
# - prio
|
||||
#
|
||||
# Marking always occurs in the POSTROUTING chain.
|
||||
# Classify always occurs in the POSTROUTING chain.
|
||||
#
|
||||
# c) RESTORE[/mask] -- restore the packet's mark from the
|
||||
# connection's mark using the supplied mask if any.
|
||||
# Your kernel and iptables must include CONNMARK support.
|
||||
# As in a) above, may be followed by ":P" or ":F
|
||||
#
|
||||
# c) SAVE[/mask] -- save the packet's mark to the
|
||||
# connection's mark using the supplied mask if any.
|
||||
# Your kernel and iptables must include CONNMARK support.
|
||||
# As in a) above, may be followed by ":P" or ":F
|
||||
#
|
||||
# SOURCE Source of the packet. A comma-separated list of
|
||||
# interface names, IP addresses, MAC addresses
|
||||
@ -62,14 +88,20 @@
|
||||
# iptables include iprange match support, IP address
|
||||
# ranges are also allowed.
|
||||
#
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", a number,
|
||||
# or "all".
|
||||
# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
|
||||
# a number, or "all". "ipp2p" requires ipp2p match
|
||||
# support in your kernel and iptables.
|
||||
#
|
||||
# PORT(S) Destination Ports. A comma-separated list of Port
|
||||
# names (from /etc/services), port numbers or port
|
||||
# ranges; if the protocol is "icmp", this column is
|
||||
# interpreted as the destination icmp-type(s).
|
||||
#
|
||||
# If the protocol is ipp2p, this column is interpreted
|
||||
# as an ipp2p option without the leading "--" (example "bit"
|
||||
# for bit-torrent). If no PORT is given, "ipp2p" is
|
||||
# assumed.
|
||||
#
|
||||
# This column is ignored if PROTOCOL = all but must be
|
||||
# entered if any of the following field is supplied.
|
||||
# In that case, it is suggested that this field contain
|
||||
|