Correct handling of SAME

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-09-11 08:56:22 -07:00 · 2010-09-11 08:56:22 -07:00 · dbc9f6ac8f
commit dbc9f6ac8f
parent 05b6947aac
2 changed files with 7 additions and 3 deletions
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@ -1004,12 +1004,12 @@ sub handle_stickiness( $ ) {
 			$rule1 =~ s/-j sticky/-m mark --mark $mark\/$mask -m recent --name $list --set/;
 		    }

-		    $rule1 =~ s/-A tcpre //;
+		    $rule1 =~ s/-A //;

 		    add_rule $chainref, $rule1;

 		    if ( $rule2 ) {
-			$rule2 =~ s/-A tcpre //;
+			$rule2 =~ s/-A //;
 			add_rule $chainref, $rule2;
 		    }
 		}
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -294,6 +294,8 @@ sub process_tc_rule( ) {
 			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 			}

+			ensure_mangle_chain($target);
+
 			$sticky++;
 		    } elsif ( $target eq 'IPMARK ' ) {
 			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
@ -398,6 +400,8 @@ sub process_tc_rule( ) {
 	}
    }

+    $target =~ s/ +$// if $mark eq '';
+
    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} ,
 				     do_proto( $proto, $ports, $sports) .
@ -410,7 +414,7 @@ sub process_tc_rule( ) {
 				     $source ,
 				     $dest ,
 				     '' ,
-				     "$target $mark" ,
+				     $mark ? "$target $mark" : $target,
 				     '' ,
 				     $target ,
 				     '' ) )