holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Bring forward tcrules enhancements from 3.2

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4369 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-08-17 16:10:09 +00:00
parent 36603955ba
commit f9685d5ddd
4 changed files with 24 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Shorewall/compiler
View File

@ -2804,7 +2804,7 @@ delete_nat() {
if [ -f \${VARDIR}/nat ]; then if [ -f \${VARDIR}/nat ]; then
while read external interface; do while read external interface; do
ip_addr_del \$external \$interface del_ip_addr \$external \$interface
done < \${VARDIR}/nat done < \${VARDIR}/nat
rm -f \${VARDIR}/nat rm -f \${VARDIR}/nat
@ -2955,7 +2955,7 @@ setup_tc1() {
# Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send # Route marks are restored in PREROUTING/OUTPUT prior to these rules. We only send
# packets that are not part of a marked connection to the 'tcpre/tcout' chains. # packets that are not part of a marked connection to the 'tcpre/tcout' chains.
# #
if [ -n "$ROUTEMARK_INTERFACES" ]; then if [ -n "$ROUTEMARK_INTERFACES" -a -z "$TC_EXPERT" ]; then
mark_part="-m mark --mark 0/0xFF00" mark_part="-m mark --mark 0/0xFF00"
# #
# But let marks in tcpre override those assigned by 'track' # But let marks in tcpre override those assigned by 'track'
@ -6459,7 +6459,7 @@ __EOF__
if [ -n "$address" ]; then if [ -n "$address" ]; then
for addr in $(ip_range_explicit ${address%:*}) ; do for addr in $(ip_range_explicit ${address%:*}) ; do
if ! list_search $addr $ALIASES_TO_ADD; then if ! list_search $addr $ALIASES_TO_ADD; then
[ -n "$RETAIN_ALIASES" ] || save_command ip_addr_del $addr $interface [ -n "$RETAIN_ALIASES" ] || save_command del_ip_addr $addr $interface
ALIASES_TO_ADD="$ALIASES_TO_ADD $addr $fullinterface" ALIASES_TO_ADD="$ALIASES_TO_ADD $addr $fullinterface"
case $fullinterface in case $fullinterface in
*:*) *:*)
@ -7781,7 +7781,7 @@ stop_firewall() {
if [ -f \${VARDIR}/nat ]; then if [ -f \${VARDIR}/nat ]; then
while read external interface; do while read external interface; do
ip_addr_del \$external dev \$interface del_ip_addr \$external \$interface
done < \${VARDIR}/nat done < \${VARDIR}/nat
rm -f \${VARDIR}/nat rm -f \${VARDIR}/nat
@ -8662,6 +8662,7 @@ do_initialize() {
MAPOLDACTIONS= MAPOLDACTIONS=
IMPLICIT_CONTINUE= IMPLICIT_CONTINUE=
HIGH_ROUTE_MARKS= HIGH_ROUTE_MARKS=
TC_EXPERT=
OUTPUT= OUTPUT=
TMP_DIR= TMP_DIR=
@ -8866,6 +8867,7 @@ do_initialize() {
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK= [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
[ -n "$XMARK" ] || XCONNMARK= [ -n "$XMARK" ] || XCONNMARK=

3
Shorewall/firewall
View File

@ -1751,6 +1751,8 @@ do_initialize() {
RESTOREFILE= RESTOREFILE=
MAPOLDACTIONS= MAPOLDACTIONS=
IMPLICIT_CONTINUE= IMPLICIT_CONTINUE=
HIGH_ROUTE_MARKS=
TC_EXPERT=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
@ -1953,6 +1955,7 @@ do_initialize() {
FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT) FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE) IMPLICIT_CONTINUE=$(added_param_value_no IMPLICIT_CONTINUE $IMPLICIT_CONTINUE)
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK= [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=
[ -n "$XMARK" ] || XCONNMARK= [ -n "$XMARK" ] || XCONNMARK=

4
Shorewall/functions
View File

@ -1958,7 +1958,7 @@ process_tc_rule()
if [ "x$source" != "x-" ]; then if [ "x$source" != "x-" ]; then
case $source in case $source in
$FW:*) $FW:*)
[ $chain = tcpost ] || chain=tcout chain=tcout
r="$(source_ip_range ${source#*:}) " r="$(source_ip_range ${source#*:}) "
;; ;;
*:*) *:*)
@ -1973,7 +1973,7 @@ process_tc_rule()
r="$(mac_match $source) " r="$(mac_match $source) "
;; ;;
$FW) $FW)
[ $chain = tcpost ] || chain=tcout chain=tcout
;; ;;
*) *)
verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\"" verify_interface $source || fatal_error "Unknown interface $source in rule \"$rule\""

14
Shorewall/shorewall.conf
View File

@ -463,7 +463,19 @@ RETAIN_ALIASES=No
TC_ENABLED=Internal TC_ENABLED=Internal
# #
# Clear Traffic Shapping/Control # TRAFFIC SHAPING EXPERT
#
# Normally, Shorewall tries to protect users from themselves by preventing
# PREROUTING and OUTPUT tcrules from being applied to packets that have
# been marked by the 'track' option in /etc/shorewall/providers.
#
# If you know what you are doing, you can set TC_EXPERT=Yes and Shorewall
# will not include these cautionary checks.
TC_EXPERT=No
#
# Clear Traffic Shaping/Control
# #
# If this option is set to 'No' then Shorewall won't clear the current # If this option is set to 'No' then Shorewall won't clear the current
# traffic control rules during [re]start. This setting is intended # traffic control rules during [re]start. This setting is intended