Add CONNMARK and ipp2p support

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1698 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/accounting

@@ -47,9 +47,12 @@
 #			Format the same as the SOURCE column.
 #
 #	PROTOCOL	A protocol name (from /etc/protocols), a protocol
-#			number.
+#			number, or "ipp2p"
 #
-#	DEST PORT	Destination Port number
+#	DEST PORT	Destination Port number. If the PROTOCOL is "ipp2p" then
+#			this column must contain an ipp2p option ("iptables -m 
+#			ipp2p --help") without the leading "--". If no option
+#			is given in this column, "ipp2p" is assumed.
 #
 #			Service name from /etc/services or port number. May
 #			only be specified if the protocol is TCP or UDP (6

Shorewall2/firewall

@@ -2292,7 +2292,7 @@ setup_ecn() # $1 = file name
 #
 process_tc_rule()
 {
-    chain=$MARKING_CHAIN
+    chain=$MARKING_CHAIN target="MARK --set-mark"
 
     verify_designator() {
 	[ "$chain" = tcout ] && \
@@ -2343,10 +2343,18 @@ process_tc_rule()
 	fi
 
 	[ "x$dest"   = "x-"  ] || r="${r}$(dest_ip_range $dest) "
+
+	if [ "x$proto" = xipp2p ]; then
+	    r="${r} -p tcp -m ipp2p"
+	    [ "x$port" = "x-" ] && port="ipp2p"
+	    r="${r} --${port}"
+	else
 	    [ "x$proto"  = "x-"  ] && proto=all
 	    [ "x$proto"  = "x"   ] && proto=all
 	    [ "$proto"   = "all" ] || r="${r}-p $proto "
 	    [ "x$port"   = "x-"  ] || r="${r}--dport $port "
+	fi
+
 	[ "x$sport"  = "x-"  ] || r="${r}--sport $sport "
 
 	case $chain in
@@ -2354,7 +2362,7 @@ process_tc_rule()
 		run_iptables2 -t mangle -A tcpost $r -j CLASSIFY --set-class $mark
 		;;
 	    *)
-		run_iptables2 -t mangle -A $chain $r -j MARK --set-mark $mark
+		run_iptables2 -t mangle -A $chain $r -j $target $mark
 		;;
 	esac
 
@@ -2365,16 +2373,46 @@ process_tc_rule()
 	    p|P)
 		verify_designator tcpre
 		;;
+	    cp|CP)
+		verify_designator tcpre
+		target="CONNMARK --set-mark"
+		;;
 	    f|F)
 		verify_designator tcfor
 		;;
+	    cf|CF)
+		verify_designator tcfor
+		target="CONNMARK --set-mark"
+		;;
+	    c|C)
+		target="CONNMARK --set-mark"
+		mark=${mark%:*}
+		;;
 	    *)
 		chain=tcpost
 		;;
 	esac
-
     fi
 
+    case $mark in
+	SAVE)
+	    target="CONNMARK --save-mark"
+	    mark=
+	    ;;
+	SAVE/*)
+	    target="CONNMARK --save-mark --mask"
+	    mark=${mark#*/}
+	    ;;
+	RESTORE)
+	    target="CONNMARK --restore-mark"
+	    mark=
+	    ;;
+	RESTORE/*)
+	    target="CONNMARK --restore-mark --mask"
+	    mark=${mark#*/}
+	    ;;	    
+    esac
+
     for source in $(separate_list ${sources:=-}); do
 	for dest in $(separate_list ${dests:=-}); do
 	    for port in $(separate_list ${ports:=-}); do
@@ -2556,6 +2594,10 @@ process_accounting_rule() {
     [ -n "$proto" ] && case $proto in
 	-|any|all)
 	    ;;
+	ipp2p)
+	    rule="$rule -p tcp -m ipp2p --${port:-ipp2p}"
+	    port=
+	    ;;
 	*)
 	    rule="$rule -p $proto"
 	    ;;
@@ -3857,6 +3899,12 @@ add_a_rule()
 		fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\""
 	    proto=
 	    ;;
+	ipp2p)
+	    sport="-m ipp2p --${port:-ipp2p}"
+	    port=
+	    proto=tcp
+	    do_ports
+	    ;;
 	*)
 	    [ -n "$port" ] && \
 		fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\""

Shorewall2/releasenotes.txt

@@ -570,3 +570,32 @@ New Features:
     Example:
 
 	CLAMPMSS=1400 
+
+23) Shorewall now includes support for the ipp2p match facility. This
+    is a departure from my usual policy in that the ipp2p match
+    facility is included in Patch-O-Matic-NG and is unlikely to ever be
+    included in the kernel.org source tree. Questions about how to
+    install the patch or how to build your kernel and/or iptables
+    should not be posted on the Shorewall mailing lists.
+
+    In the following files, the "PROTO" or "PROTOCOL" column may
+    contain "ipp2p":
+
+       /etc/shorewall/rules
+       /etc/shorewall/tcrules
+       /etc/shorewall/accounting
+
+    When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
+    PORT(S) or PORT(S) column may contain a recognized ipp2p option;
+    for a list of the options and their meaning, at a root prompt:
+
+	iptables -m ipp2p --help
+
+    You must not include the leading "--" on the option; Shorewall will
+    supply those characters for you. If you do not include an option
+    then "ipp2p" is assumed (Shorewall will generate "-m ipp2p
+    --ipp2p").
+
+24) Shorewall now has support for the CONNMARK target from iptables.
+    See the /etc/shorewall/tcrules file for details.
+    

Shorewall2/rules

@@ -188,14 +188,20 @@
 #			contain the port number on the firewall that the
 #			request should be redirected to.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p", 
-#			"all".
+#			a number, or "all". "ipp2p" requires ipp2p match
+#			support in your kernel and iptables.
 #
 #	DEST PORT(S)    Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
+#			If the protocol is ipp2p, this column is interpreted
+#			as an ipp2p option without the leading "--" (example "bit"
+#			for bit-torrent). If no port is given, "ipp2p" is
+#			assumed.
+#
 #			A port range is expressed as <low port>:<high port>.
 #
 #			This column is ignored if PROTOCOL = all but must be

Shorewall2/tcrules

@@ -29,6 +29,22 @@
 #			   determined by the setting of MARK_IN_FORWARD_CHAIN in
 #			   /etc/shorewall/shorewall.conf.
 #
+#			   If your kernel and iptables include CONNMARK support
+#			   then you can also mark the connection rather than
+#			   the packet.
+#
+#			   The mark value may be optionally followed by "/" 
+#		           and a mask value (used to determine those bits of
+#                          the connection mark to actually be set). The
+#                          mark and optional mask are then followed by one of:
+#
+#				C - Mark the connection in the chain determined
+#                                   by the setting of MARK_IN_FORWARD_CHAIN
+#
+#			        CF: Mark the conneciton in the FORWARD chain
+#
+#				CP: Mark the connection in the PREROUTING chain.
+#
 #			b) A classification of the form <major>:<minor> where
 #		    	   <major> and <minor> are integers. Corresponds to 
 #			   the 'class' specification in these traffic shaping
@@ -41,7 +57,17 @@
 #				- htb
 #				- prio
 #
-#			   Marking always occurs in the POSTROUTING chain.
+#			   Classify always occurs in the POSTROUTING chain.
+#
+#			c) RESTORE[/mask] -- restore the packet's mark from the
+#			   connection's mark using the supplied mask if any.
+#			   Your kernel and iptables must  include CONNMARK support.
+#			   As in a) above, may be followed by ":P" or ":F
+#
+#			c) SAVE[/mask] -- save the packet's mark to the
+#			   connection's mark using the supplied mask if any.
+#			   Your kernel and iptables must  include CONNMARK support.
+#			   As in a) above, may be followed by ":P" or ":F
 #
 #	SOURCE 		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses
@@ -62,14 +88,20 @@
 #			iptables include iprange match support, IP address
 #			ranges are also allowed.
 #
-#	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number,
+#	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p", 
-#			or "all".
+#			a number, or "all". "ipp2p" requires ipp2p match
+#			support in your kernel and iptables.
 #
 #	PORT(S)		Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
 #
+#			If the protocol is ipp2p, this column is interpreted
+#			as an ipp2p option without the leading "--" (example "bit"
+#			for bit-torrent). If no PORT is given, "ipp2p" is
+#			assumed.
+#
 #			This column is ignored if PROTOCOL = all but must be
 #			entered if any of the following field is supplied.
 #			In that case, it is suggested that this field contain