From f9685d5ddd99fcb303e5b40791075e2810a37c51 Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 17 Aug 2006 16:10:09 +0000
Subject: [PATCH] Bring forward tcrules enhancements from 3.2
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4369 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/compiler | 10 ++++++----
 Shorewall/firewall | 3 +++
 Shorewall/functions | 4 ++--
 Shorewall/shorewall.conf | 14 +++++++++++++-
 4 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 09ba8e81b..ae80f958a 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -2804,7 +2804,7 @@ delete_nat() {
 if [ -f \${VARDIR}/nat ]; then
 while read external interface; do
- ip_addr_del \$external \$interface
+ del_ip_addr \$external \$interface
 done < \${VARDIR}/nat
 rm -f \${VARDIR}/nat
@@ -2955,7 +2955,7 @@ setup_tc1() {
 # Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send
 # packets that are not part of a marked connection to the 'tcpre/tcout' chains.
 #
- if [ -n "$ROUTEMARK_INTERFACES" ]; then
+ if [ -n "$ROUTEMARK_INTERFACES" -a -z "$TC_EXPERT" ]; then
 mark_part="-m mark --mark 0/0xFF00"
 #
 # But let marks in tcpre override those assigned by 'track'
@@ -6459,7 +6459,7 @@ __EOF__
 if [ -n "$address" ]; then
 for addr in $(ip_range_explicit ${address%:*}) ; do
 if ! list_search $addr $ALIASES_TO_ADD; then
- [ -n "$RETAIN_ALIASES" ] || save_command ip_addr_del $addr $interface
+ [ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $addr $interface
 ALIASES_TO_ADD="$ALIASES_TO_ADD $addr $fullinterface"
 case $fullinterface in
 *:*)
@@ -7781,7 +7781,7 @@ stop_firewall() {
 if [ -f \${VARDIR}/nat ]; then
 while read external interface; do
- ip_addr_del \$external dev \$interface
+ del_ip_addr \$external \$interface
 done < \${VARDIR}/nat
 rm -f \${VARDIR}/nat
@@ -8662,6 +8662,7 @@ do_initialize() {
 MAPOLDACTIONS=
 IMPLICIT_CONTINUE=
 HIGH_ROUTE_MARKS=
+ TC_EXPERT=
 OUTPUT=
 TMP_DIR=
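Review bot: The comment immediately above the changed `if` in setup_tc1 still promises that only packets outside a marked connection reach the tcpre/tcout chains, but when TC_EXPERT is set the `mark_part` guard is skipped entirely and that promise no longer holds; the comment should say so, e.g. `# ... unless TC_EXPERT=Yes, in which case no mark guard is emitted and a tcrule can overwrite a 'track' route mark.` The new test also relies on added_param_value_no reducing a 'No' setting to an empty string so that `-z "$TC_EXPERT"` is true, and that helper is not in the patch, so confirm it does. Minor: the binary `-a` inside `[ ]` is obsolescent in POSIX; `if [ -n "$ROUTEMARK_INTERFACES" ] && [ -z "$TC_EXPERT" ]; then` is the portable form. setup_tc1's body starts and ends outside the hunk.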
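Review bot: The replacement line in stop_firewall drops the `dev` token that the removed call passed, so the generated script now runs `del_ip_addr \$external \$interface` with the same argument shape as the delete_nat hunk earlier in this file; that is a behaviour change rather than a pure rename and the commit message should say whether the old `dev` argument was a bug. The definition of del_ip_addr is not part of this patch and the Shorewall/functions hunks do not add it, so confirm the generated script has it in scope at runtime; otherwise 'stop' fails part-way through removing the addresses recorded in the nat file. stop_firewall's body continues outside the hunk.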
@@ -8866,6 +8867,7 @@ do_initialize() {
 FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
 IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
 HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
+ TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
 [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
 [ -n "$XMARK" ] || XCONNMARK=
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 418082f22..fb8710efe 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1751,6 +1751,8 @@ do_initialize() {
 RESTOREFILE=
 MAPOLDACTIONS=
 IMPLICIT_CONTINUE=
+ HIGH_ROUTE_MARKS=
+ TC_EXPERT=
 RESTOREBASE=
 TMP_DIR=
@@ -1953,6 +1955,7 @@ do_initialize() {
 FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
 IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
 HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
+ TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
 [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
 [ -n "$XMARK" ] || XCONNMARK=
diff --git a/Shorewall/functions b/Shorewall/functions
index 499ff952f..3a565de81 100644
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -1958,7 +1958,7 @@ process_tc_rule()
 if [ "x$source" != "x-" ]; then
 case $source in
 $FW:*)
- [ $chain = tcpost ] || chain=tcout
+ chain=tcout
 r="$(source_ip_range ${source#*:}) "
 ;;
 *:*)
@@ -1973,7 +1973,7 @@ process_tc_rule()
 r="$(mac_match $source) "
 ;;
 $FW)
- [ $chain = tcpost ] || chain=tcout
+ chain=tcout
 ;;
 *)
 verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index bdc8f7b8c..aa969836e 100644
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
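Review bot: Adding `HIGH_ROUTE_MARKS=` to the initialisation list in the firewall script's do_initialize is a fix in its own right and deserves a line in the commit message: the @@ -1953 hunk shows that script already fed $HIGH_ROUTE_MARKS to added_param_value_no, so before this change a variable of that name inherited from the caller's environment could presumably pre-seed the option when shorewall.conf left it unset (how the configuration is read is outside the hunk, so treat that as a likely rather than proven effect). Suggested commit-message line: `Also initialise HIGH_ROUTE_MARKS in the firewall script so a stray environment variable cannot pre-set it.` do_initialize's body starts and ends outside the hunk.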
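Review bot: The new unconditional `chain=tcout` in the `$FW:*)` case of process_tc_rule silently overrides a rule that explicitly selected the POSTROUTING chain, which the removed `[ $chain = tcpost ] || chain=tcout` preserved, so a user who asked for one chain now gets another with no diagnostic; the `$FW)` case in the next hunk does the same. If a $FW source is no longer valid in tcpost, reject it the way the `*)` case rejects an unknown interface, e.g. `[ $chain = tcpost ] && fatal_error "Rule with SOURCE $FW cannot use the POSTROUTING chain in rule \"$rule\""` before the assignment; if the rewrite is intended, the tcrules documentation should state that the chain is replaced. process_tc_rule's body starts and ends outside the hunk.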
@@ -463,7 +463,19 @@ RETAIN_ALIASES=No
 TC_ENABLED=Internal
 #
-# Clear Traffic Shapping/Control
+# TRAFFIC SHAPING EXPERT
+#
+# Normally, Shorewall tries to protect users from themselves by preventing
+# PREROUTING and OUTPUT tcrules from being applied to packets that have
+# been marked by the 'track' option in /etc/shorewall/providers.
+#
+# If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall
+# will not include these cautionary checks.
+
+TC_EXPERT=No
+
+#
+# Clear Traffic Shaping/Control
 #
 # If this option is set to 'No' then Shorewall won't clear the current
 # traffic control rules during [re]start. This setting is intended
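Review bot: The new TC_EXPERT comment says Shorewall "will not include these cautionary checks" but never states what can go wrong without them, which is exactly what an administrator needs before flipping the option; suggest adding after the "will not include" line: `# With TC_EXPERT=Yes a PREROUTING or OUTPUT tcrule can overwrite the routing` / `# mark assigned by 'track', so the check is only dropped at your own risk.` This follows from the setup_tc1 hunk in Shorewall/compiler, which omits the `-m mark --mark 0/0xFF00` guard when TC_EXPERT is set; confirm the wording against that code. It would also help to say that the option only has an effect when a providers entry uses 'track', since that hunk emits the guard only when ROUTEMARK_INTERFACES is non-empty.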