From 0efc7a48996d33cd122315a492485b625dd64587 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 23 Oct 2016 15:36:04 -0700
Subject: [PATCH 01/10] Correct restriction and chain number handling in the mangle files
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 8 +++++---
 Shorewall/Perl/Shorewall/Rules.pm | 8 ++++++--
 Shorewall/Perl/Shorewall/Tc.pm | 10 +++++-----
 3 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 947ac301b..c3108eaff 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2747,11 +2747,13 @@ sub accounting_chainrefs() {
 grep $_->{accounting} , values %$filter_table;
 }
-sub ensure_mangle_chain($) {
- my $chain = $_[0];
+sub ensure_mangle_chain($;$$) {
+ my ( $chain, $number, $restriction ) = @_;
 my $chainref = ensure_chain 'mangle', $chain;
- $chainref->{referenced} = 1;
+ $chainref->{referenced} = 1;
+ $chainref->{chainnumber} = $number if $number;
+ $chainref->{restriction} = $restriction if $restriction;
 $chainref;
 }
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index ceb857159..551de86e8 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -4098,11 +4098,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );
+ $restriction |= $chainref->{restriction};
+
 for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
 my $match = "-m statistic --mode nth --every $marks --packet $packet ";
 expand_rule( $chainref,
- $restrictions{$chain} | $restriction,
+ $restriction,
 $prerule ,
 $match . do_user( $user ) .
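Review bot: `$chainref->{restriction} = $restriction if $restriction;` in the ensure_mangle_chain hunk stores the restriction only when it is true, so a zero bitmask is never recorded; if NO_RESTRICT is 0, the PATCH 08 call `ensure_mangle_chain( 'tcfor', FORWARD , NO_RESTRICT )` in Tc.pm still leaves `restriction` absent on tcfor, contrary to that commit's title. The Rules.pm hunks then read the member unguarded — `$restriction |= $chainref->{restriction};` in the -4098 hunk here, and in the -4847 hunk once PATCH 09 removes its `if defined` — which, for a chain whose restriction was never stored, ORs in undef and raises an uninitialized-value warning if warnings are enabled in that file. Testing definedness keeps the member present for every chain that goes through this path: `$chainref->{restriction} = $restriction if defined $restriction;`, and `chainnumber` deserves the same treatment if 0 is a valid chain number. ensure_chain, where a default could also live, is outside the hunk, and process_mangle_rule1 runs past both Rules.pm hunks.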
@@ -4845,8 +4847,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 }
+ $restriction |= $chainref->{restriction} if defined $chainref->{restriction};
+
 if ( ( my $result = expand_rule( $chainref ,
- ( $restrictions{$chain} || 0 ) | $restriction,
+ $restriction,
 $prerule,
 do_proto( $proto, $ports, $sports) . $matches . do_user( $user ) .
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index f87d7f740..28ae16955 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2276,13 +2276,13 @@ sub setup_tc( $ ) {
 $convert = $_[0];
 if ( $config{MANGLE_ENABLED} ) {
- ensure_mangle_chain 'tcpre';
- ensure_mangle_chain 'tcout';
+ ensure_mangle_chain( 'tcpre', PREROUTING, PREROUTE_RESTRICT );
+ ensure_mangle_chain( 'tcout', OUTPUT , OUTPUT_RESTRICT );
 if ( have_capability( 'MANGLE_FORWARD' ) ) {
- ensure_mangle_chain 'tcfor';
- ensure_mangle_chain 'tcpost';
- ensure_mangle_chain 'tcin';
+ ensure_mangle_chain( 'tcfor', FORWARD );
+ ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
+ ensure_mangle_chain( 'tcin', INPUT , INPUT_RESTRICT );
 }
 my @mark_part;
From 3df488e7107132c761c96a126db7abb17ff0148d Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 23 Oct 2016 16:28:36 -0700
Subject: [PATCH 02/10] Correct handling of ipsets in tcfilters
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 28ae16955..558ec739a 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1518,7 +1518,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 $rule .= ' and' if $have_rule;
 if ( $source =~ /^\+/ ) {
- $rule = join( '', "\\\n ", handle_ematch( $source, 'src' ) );
+ $rule .= join( '', "\\\n ", handle_ematch( $source, 'src' ) );
 } else {
 my @parts = decompose_net_u32( $source );
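Review bot: `$rule .= join( '', "\\\n ", handle_ematch( $source, 'src' ) );` on the new line of the PATCH 02 hunk is a two-element `join` with an empty separator, which is plain concatenation; `$rule .= "\\\n " . handle_ematch( $source, 'src' );` expresses the same append in the form the `$rule .= ' and'` line above already uses. The `.=` itself is the right fix, since the previous `$rule = join(...)` threw away the ' and' connector and everything before it. process_tc_filter2 continues outside the hunk, so whether the DEST branch builds its ematch the same way cannot be seen here.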
From f9cfde91e56ca475a5589d52d1b434a251d7914b Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 23 Oct 2016 16:43:49 -0700
Subject: [PATCH 03/10] Correctly handle ipset in tcfilter DEST
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 558ec739a..8737f82da 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1556,6 +1556,8 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 $offset += 4;
 $rule .= ' and' if @parts;
 }
+
+ $have_rule = 1;
 }
 $have_rule = 1;
From 0ed813972b6301f253b95770a295d113abc0a227 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 23 Oct 2016 16:44:07 -0700
Subject: [PATCH 04/10] Auto-create ipsets used in tcfilters
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 8737f82da..e8098ba55 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1308,6 +1308,8 @@ sub handle_ematch( $$ ) {
 $setname =~ s/\+//;
+ add_ipset($setname);
+
 return "ipset\\($setname $options\\)";
 }
From 46b8e2e9578a67178b93ddb9355019ee4e057087 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 24 Oct 2016 08:14:12 -0700
Subject: [PATCH 05/10] Avoid exception when validating 'occurs' in TC
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index e8098ba55..1cf504d50 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
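Review bot: `add_ipset($setname);` in the PATCH 04 hunk registers a name that the line above has only stripped of its first `+` with an unanchored `s/\+//`, and the same `$setname` goes into the returned ematch string and, via ensure_ipsets (the Chains.pm hunk of PATCH 06), into the emitted `$IPSET create $set ...` shell lines; unless handle_ematch validates the name earlier (its start is outside the hunk), whatever the tcfilters entry contains after the `+` reaches the generated script verbatim. Anchoring the strip, `$setname =~ s/\A\+//;`, and rejecting anything that is not a plausible set name before registering it — e.g. `fatal_error "Invalid ipset name ($setname)" unless $setname =~ /\A[\w.-]+\z/;` — turns a malformed entry into a compile-time error instead of a script that fails, or does something unintended, when it runs. Auto-registering also means a mistyped set name is quietly created as an empty set rather than reported; if that is the intended behaviour, a one-line comment above the call saying so would help the next reader.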
@@ -827,7 +827,7 @@ sub validate_tc_class( ) {
 fatal_error "Invalid 'occurs' ($val)" unless defined $occurs && $occurs > 1 && $occurs <= 256;
 fatal_error "Invalid 'occurs' ($val)" if $occurs > $globals{TC_MAX};
 fatal_error q(Duplicate 'occurs') if $tcref->{occurs} > 1;
- fatal_error q(The 'occurs' option is not valid with 'default') if $devref->{default} == $classnumber;
+ fatal_error q(The 'occurs' option is not valid with 'default') if defined($devref->{default}) && $devref->{default} == $classnumber;
 fatal_error q(The 'occurs' option is not valid with 'tos') if @{$tcref->{tos}};
 warning_message "MARK ($mark) is ignored on an occurring class" if $mark ne '-';
From b8ec460a1a1bb1fc9f7f5f318b154d9cdd2f0dea Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 24 Oct 2016 08:49:51 -0700
Subject: [PATCH 06/10] Correct grammar in the ipset creation message
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index c3108eaff..e9258186e 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8307,18 +8307,18 @@ sub ensure_ipsets( @ ) {
 if ( $family == F_IPV4 ) {
 if ( have_capability 'IPSET_V5' ) {
 emit ( qq( if ! qt \$IPSET list $set -n; then) ,
- qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+ qq( error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
 qq( \$IPSET create $set hash:net family inet timeout 0${counters}) ,
 qq( fi) );
 } else {
 emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
- qq( error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+ qq( error_message "WARNING: ipset $set does not exist; creating it as a iphash set") ,
 qq( \$IPSET -N $set iphash) ,
 qq( fi) );
 }
 } else {
 emit ( qq( if ! qt \$IPSET list $set -n; then) ,
- qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
+ qq( error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
 qq( \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
 qq( fi) );
 }
From c9b1b7684ce87c1d0b297f529cae7f55a0003903 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 24 Oct 2016 09:06:05 -0700
Subject: [PATCH 07/10] Correct handling of dest IPSET.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 1cf504d50..db01b72e4 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1558,12 +1558,10 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 $offset += 4;
 $rule .= ' and' if @parts;
 }
-
- $have_rule = 1;
 }
-
- $have_rule = 1;
 }
+
+ $have_rule = 1;
 }
 if ( $have_rule ) {
From fc0ad7cd2e4a0772c4da0b596e57909fa80834a5 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 24 Oct 2016 11:37:40 -0700
Subject: [PATCH 08/10] Be sure that the 'restriction' member exists for the FORWARD chain
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index db01b72e4..a4fae1bd3 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2282,7 +2282,7 @@ sub setup_tc( $ ) {
 ensure_mangle_chain( 'tcout', OUTPUT , OUTPUT_RESTRICT );
 if ( have_capability( 'MANGLE_FORWARD' ) ) {
- ensure_mangle_chain( 'tcfor', FORWARD );
+ ensure_mangle_chain( 'tcfor', FORWARD , NO_RESTRICT );
 ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
 ensure_mangle_chain( 'tcin', INPUT , INPUT_RESTRICT );
 }
From 3b6b89336ee42655f142efd593f2e6b3b4001edc Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 24 Oct 2016 11:57:56 -0700
Subject: [PATCH 09/10] Eliminate superfluous test
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 551de86e8..5f8879f68 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -4847,7 +4847,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 }
- $restriction |= $chainref->{restriction} if defined $chainref->{restriction};
+ $restriction |= $chainref->{restriction};
 if ( ( my $result = expand_rule( $chainref ,
 $restriction,
From 3d3ae81bceeb4c309259d459c692245d6754e455 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 24 Oct 2016 12:51:43 -0700
Subject: [PATCH 10/10] Restore old wording for Version 4 ipset creation message
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index e9258186e..c83ab7d71 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8312,7 +8312,7 @@ sub ensure_ipsets( @ ) {
 qq( fi) );
 } else {
 emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
- qq( error_message "WARNING: ipset $set does not exist; creating it as a iphash set") ,
+ qq( error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
 qq( \$IPSET -N $set iphash) ,
 qq( fi) );
 }