Phase II of breaking marks into two smaller marks

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3773 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -6,6 +6,8 @@ Changes in 3.2.0 Beta 4
 
 3)  Fix mktempdir problem.
 
+4)  Implement HIGH_ROUTE_MARKS
+
 Changes in 3.2.0 Beta 3
 
 1)  Correct handling of verbosity in the 'try' command.

Shorewall/compiler

@@ -9297,8 +9297,9 @@ do_initialize() {
     IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
     HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
     [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
+    [ -n "$XMARK" ] || XCONNMARK=
 
-    [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target and extended CONNMARK match support"
+    [ -n "$HIGH_ROUTE_MARKS" -a -z "$XCONNMARK" ] && fatal_error "HIGH_ROUTE_MARKS=Yes requires extended CONNMARK target, extended CONNMARK match support and extended MARK support"
 
     case ${IPSECFILE:=ipsec} in
 	ipsec|zones)

Shorewall/functions

@@ -1137,6 +1137,8 @@ determine_capabilities() {
     ENHANCED_REJECT=
     USEPKTTYPE=
     KLUDGEFREE=
+    MARK=
+    XMARK=
 
     qt $IPTABLES -N fooX1234
     qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
@@ -1170,6 +1172,11 @@ determine_capabilities() {
 
     qt $IPTABLES -t mangle -N fooX1234
 
+    if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
+	MARK=Yes
+	qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
+    fi
+
     if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
 	CONNMARK=Yes
 	qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
@@ -1225,14 +1232,16 @@ report_capabilities() {
 	report_capability "Owner Match" $OWNER_MATCH
 	report_capability "Ipset Match" $IPSET_MATCH
 	report_capability "CONNMARK Target" $CONNMARK
-	report_capability "Extended CONNMARK Target" $XCONNMARK
+	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 	report_capability "Connmark Match" $CONNMARK_MATCH
-	report_capability "Extended Connmark Match" $XCONNMARK_MATCH
+	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 	report_capability "Raw Table" $RAW_TABLE
 	report_capability "IPP2P Match" $IPP2P_MATCH
 	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
 	report_capability "Extended REJECT" $ENHANCED_REJECT
 	report_capability "Repeat match" $KLUDGEFREE
+	report_capability "MARK Target" $MARK
+	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
     fi
 
     [ -n "$PKTTYPE" ] || USEPKTTYPE=

Shorewall/releasenotes.txt

@@ -95,6 +95,32 @@ Other changes in 3.2.0 Beta 4
 	    #PROVIDER	PRIORITY	SOURCE			DEST
 	    ISP1	1000		eth1
 
+2)  Prior to now, it has not been possible to use connection marking in
+    /etc/shorewall/tcrules if you have a multi-ISP configuration that uses the
+    'track' option.
+
+    Beginning with this release, you may now set HIGH_ROUTE_MARKS=Yes in
+    shorewall.conf to effectively divide the packet mark and connection mark
+    into two 8-byte mark fields.
+
+    When you do this:
+
+	a) The MARK field in the providers file must have a value that is
+	   less than 65536 and that is a multiple of 256 (using hex
+	   representation, the values are 0x0100-0xFF00 with the low-order
+	   8 bits being zero).
+
+	b) You may only set those mark values in the FORWARD chain.
+
+	c) Marks used for traffic shaping must still be in the range of 1-255
+	   but these may now be set in any chain. If they are set in the
+	   FORWARD chain, they must be set before any routing marks (those
+	   with values greater than 255).
+
+	d) When you SAVE or RESTORE in tcrules, only the TC mark value is
+	   saved or restored. Shorewall handles saving and restoring the
+	   routing (provider) marks.
+
 Migration Considerations:
 
 1)  If you are upgrading from Shorewall 2.x, it is essential that you read

Shorewall/shorecap

@@ -234,6 +234,8 @@ determine_capabilities() {
     ENHANCED_REJECT=
     USEPKTTYPE=
     KLUDGEFREE=
+    MARK=
+    XMARK=
 
     qt $IPTABLES -N fooX1234
     qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
@@ -267,6 +269,11 @@ determine_capabilities() {
 
     qt $IPTABLES -t mangle -N fooX1234
 
+    if qt $IPTABLES -t mangle -A fooX1234 -j MARK --set-mark 1; then
+	MARK=Yes
+	qt $IPTABLES -t mangle -A fooX1234 -j MARK --and-mark 0xFF && XMARK=Yes
+    fi
+
     if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
 	CONNMARK=Yes
 	qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
@@ -308,7 +315,7 @@ report_capabilities() {
     report_capability NAT_ENABLED
     report_capability MANGLE_ENABLED
     report_capability MULTIPORT
-    [ -n "$MULTIPORT" ] && report_capability XMULTIPORT
+    report_capability XMULTIPORT
     report_capability CONNTRACK_MATCH
     report_capability USEPKTTYPE
     report_capability POLICY_MATCH
@@ -327,6 +334,8 @@ report_capabilities() {
     report_capability CLASSIFY_TARGET
     report_capability ENHANCED_REJECT
     report_capability KLUDGEFREE
+    report_capability MARK
+    report_capability XMARK
 }
 
 load_kernel_modules