Bring forward tcrules enhancements from 3.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4369 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/compiler

@@ -2804,7 +2804,7 @@ delete_nat() {
 
 if [ -f \${VARDIR}/nat ]; then
    while read external interface; do
-       ip_addr_del \$external \$interface
+       del_ip_addr \$external \$interface
     done < \${VARDIR}/nat
 
     rm -f \${VARDIR}/nat
@@ -2955,7 +2955,7 @@ setup_tc1() {
     # Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send
     # packets that are not part of a marked connection to the 'tcpre/tcout' chains.
     #
-    if [ -n "$ROUTEMARK_INTERFACES" ]; then
+    if [ -n "$ROUTEMARK_INTERFACES" -a -z "$TC_EXPERT" ]; then
 	mark_part="-m mark --mark 0/0xFF00"
 	#
 	# But let marks in tcpre override those assigned by 'track'
@@ -6459,7 +6459,7 @@ __EOF__
 		    if [ -n "$address" ]; then
 			for addr in $(ip_range_explicit ${address%:*}) ; do
 			    if ! list_search $addr $ALIASES_TO_ADD; then
-				[ -n "$RETAIN_ALIASES" ] || save_command ip_addr_del $addr $interface
+				[ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $addr $interface
 				ALIASES_TO_ADD="$ALIASES_TO_ADD $addr $fullinterface"
 				case $fullinterface in
 				    *:*)
@@ -7781,7 +7781,7 @@ stop_firewall() {
 
 	if [ -f \${VARDIR}/nat ]; then
 	    while read external interface; do
-		ip_addr_del \$external dev \$interface
+		del_ip_addr \$external \$interface
 	    done < \${VARDIR}/nat
 
 	    rm -f \${VARDIR}/nat
@@ -8662,6 +8662,7 @@ do_initialize() {
     MAPOLDACTIONS=
     IMPLICIT_CONTINUE=
     HIGH_ROUTE_MARKS=
+    TC_EXPERT=
 
     OUTPUT=
     TMP_DIR=
@@ -8866,6 +8867,7 @@ do_initialize() {
     FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
     IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
     HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
+    TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
     [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
     [ -n "$XMARK" ] || XCONNMARK=
 

Shorewall/firewall

@@ -1751,6 +1751,8 @@ do_initialize() {
     RESTOREFILE=
     MAPOLDACTIONS=
     IMPLICIT_CONTINUE=
+    HIGH_ROUTE_MARKS=
+    TC_EXPERT=
 
     RESTOREBASE=
     TMP_DIR=
@@ -1953,6 +1955,7 @@ do_initialize() {
     FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
     IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
     HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
+    TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
     [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
     [ -n "$XMARK" ] || XCONNMARK=
 

Shorewall/functions

@@ -1958,7 +1958,7 @@ process_tc_rule()
 	if [ "x$source" != "x-"	 ]; then
 	    case $source in
 		$FW:*)
-		    [ $chain = tcpost ] || chain=tcout
+		    chain=tcout
 		    r="$(source_ip_range ${source#*:}) "
 		    ;;
 		*:*)
@@ -1973,7 +1973,7 @@ process_tc_rule()
 		    r="$(mac_match $source) "
 		    ;;
 		$FW)
-		    [ $chain = tcpost ] || chain=tcout
+		    chain=tcout
 		    ;;
 		*)
 		    verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""

Shorewall/shorewall.conf

@@ -463,7 +463,19 @@ RETAIN_ALIASES=No
 TC_ENABLED=Internal
 
 #
-# Clear Traffic Shapping/Control
+# TRAFFIC SHAPING EXPERT
+#
+# Normally, Shorewall tries to protect users from themselves by preventing
+# PREROUTING and OUTPUT tcrules from being applied to packets that have
+# been marked by the 'track' option in /etc/shorewall/providers.
+#
+# If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall
+# will not include these cautionary checks.
+
+TC_EXPERT=No
+
+#
+# Clear Traffic Shaping/Control
 #
 # If this option is set to 'No' then Shorewall won't clear the current
 # traffic control rules during [re]start. This setting is intended