forked from extern/shorewall_code
Clean up of u32 filter code
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8306 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
affa4684b8
commit
f7e5b3124b
@ -553,47 +553,50 @@ sub process_tc_filter( $$$$$$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
unless ( $port eq '-' ) {
|
unless ( $port eq '-' && $sport eq '-' ) {
|
||||||
fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
|
#
|
||||||
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
|
# In order to be able to access the protocol header, we must create another hash table and link to it.
|
||||||
|
#
|
||||||
|
# Create the Table:
|
||||||
|
#
|
||||||
my $tnum = in_hex3 $devref->{tablenumber}++;
|
my $tnum = in_hex3 $devref->{tablenumber}++;
|
||||||
|
|
||||||
emit( "run_tc filter add dev $device parent $devref->{number}:0 protocol ip pref 10 handle $tnum: u32 divisor 1" );
|
emit( "run_tc filter add dev $device parent $devref->{number}:0 protocol ip pref 10 handle $tnum: u32 divisor 1" );
|
||||||
|
#
|
||||||
|
# And link to it using the current contents of $rule
|
||||||
|
#
|
||||||
emit( "run_tc $rule link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
|
emit( "run_tc $rule link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
|
||||||
|
#
|
||||||
|
# The rule to match the port(s) will be inserted into the new table
|
||||||
|
#
|
||||||
$rule = "filter add dev $device protocol ip parent $devref->{number}:0 pref 10 u32 ht $tnum:0";
|
$rule = "filter add dev $device protocol ip parent $devref->{number}:0 pref 10 u32 ht $tnum:0";
|
||||||
|
|
||||||
if ( $protonumber == ICMP ) {
|
unless ( $port eq '-' ) {
|
||||||
my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $port );
|
fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
|
||||||
|
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
|
||||||
|
|
||||||
$icmptype = in_hex2 numeric_value $icmptype;
|
if ( $protonumber == ICMP ) {
|
||||||
$icmpcode = in_hex2 numeric_value $icmpcode if defined $icmpcode;
|
my ( $icmptype , $icmpcode ) = split '//', validate_icmp( $port );
|
||||||
|
|
||||||
$rule .= "\\\n match u8 $icmptype 0xFF at nexthdr+0";
|
$icmptype = in_hex2 numeric_value $icmptype;
|
||||||
$rule .= "\\\n match u8 $icmpcode 0xFF at nexthdr+1" if defined $icmpcode;
|
$icmpcode = in_hex2 numeric_value $icmpcode if defined $icmpcode;
|
||||||
} else {
|
|
||||||
my $portnumber = in_hex8 validate_port( $protonumber , $port );
|
|
||||||
$rule .= "\\\n match u32 $portnumber 0x0000FFFF at nexthdr+0";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
unless ( $sport eq '-' ) {
|
$rule .= "\\\n match u8 $icmptype 0xFF at nexthdr+0";
|
||||||
fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
|
$rule .= "\\\n match u8 $icmpcode 0xFF at nexthdr+1" if defined $icmpcode;
|
||||||
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP;
|
} else {
|
||||||
my $portnumber = in_hex8 validate_port( $protonumber , $sport );
|
my $portnumber = in_hex8 validate_port( $protonumber , $port );
|
||||||
|
$rule .= "\\\n match u32 $portnumber 0x0000FFFF at nexthdr+0";
|
||||||
if ( $port eq '-' ) {
|
}
|
||||||
my $tnum = in_hex3 $devref->{tablenumber}++;
|
|
||||||
|
|
||||||
emit( "run_tc filter add dev $device parent $devref->{number}:0 protocol ip pref 10 handle $tnum: u32 divisor 1" );
|
|
||||||
emit( "run_tc $rule link $tnum:0 offset at 0 mask 0x0F00 shift 6 plus 0 eat" );
|
|
||||||
|
|
||||||
$rule = "filter add dev $device protocol ip parent $devref->{number}:0 pref 10 u32 ht $tnum:0";
|
|
||||||
}
|
}
|
||||||
|
|
||||||
$portnumber =~ s/0x0000/0x/;
|
unless ( $sport eq '-' ) {
|
||||||
$rule .= "\\\n match u32 ${portnumber}0000 0xFFFF0000 at nexthdr+0";
|
fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
|
||||||
|
unless $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP;
|
||||||
|
my $portnumber = in_hex8 validate_port( $protonumber , $sport );
|
||||||
|
|
||||||
|
$portnumber =~ s/0x0000/0x/;
|
||||||
|
$rule .= "\\\n match u32 ${portnumber}0000 0xFFFF0000 at nexthdr+0";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
emit( "run_tc $rule\\" ,
|
emit( "run_tc $rule\\" ,
|
||||||
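Review bot: The new outer `unless ( $port eq '-' && $sport eq '-' )` block consumes a table number (`$devref->{tablenumber}++`) and emits the two `run_tc` table/link commands before the DEST PORT and SOURCE PORT protocol checks run, whereas the removed code issued `fatal_error` before producing any output. fatal_error presumably aborts the compile, so the stray output is probably harmless in practice, but validating before emitting keeps the diagnostic at the first bad line and avoids burning a table handle; I would hoist both `fatal_error ... unless ...` statements to the top of the outer block, each guarded by the corresponding `eq '-'` test, and drop them from the inner blocks. The link line's `offset at 0 mask 0x0F00 shift 6` also deserves a comment in the new comment block: the mask selects the IHL nibble from the first 16-bit word of the IP header and the shift right by 6 multiplies it by 4, yielding the header length in bytes so that the `nexthdr+N` offsets in the match lines address the transport header. process_tc_filter starts and ends outside this hunk.
```perl
unless ( $port eq '-' && $sport eq '-' ) {
    fatal_error "Only TCP, UDP, SCTP and ICMP may specify DEST PORT"
        unless $port eq '-' || $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP || $protonumber == ICMP;
    fatal_error "Only TCP, UDP and SCTP may specify SOURCE PORT"
        unless $sport eq '-' || $protonumber == TCP || $protonumber == UDP || $protonumber == SCTP;
    #
    # In order to be able to access the protocol header, we must create another hash table and link to it.
    # The link's "offset at 0 mask 0x0F00 shift 6" extracts IHL*4 (the IP header length) so nexthdr+N hits the transport header.
    #
    # … unchanged: table creation, link, and the ICMP/port match blocks with their fatal_error statements removed …
```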
|