holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Merge branch '5.0.13'

Browse Source
This commit is contained in:
Tom Eastep 2016-10-24 12:52:01 -07:00
commit fdfd8b919b
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
3 changed files with 24 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -2747,11 +2747,13 @@ sub accounting_chainrefs() {
grep $_->{accounting} , values %$filter_table; grep $_->{accounting} , values %$filter_table;
} }
sub ensure_mangle_chain($) { sub ensure_mangle_chain($;$$) {
my $chain = $_[0]; my ( $chain, $number, $restriction ) = @_;
my $chainref = ensure_chain 'mangle', $chain; my $chainref = ensure_chain 'mangle', $chain;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref->{chainnumber} = $number if $number;
$chainref->{restriction} = $restriction if $restriction;
$chainref; $chainref;
} }
@ -8305,7 +8307,7 @@ sub ensure_ipsets( @ ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
if ( have_capability 'IPSET_V5' ) { if ( have_capability 'IPSET_V5' ) {
emit ( qq( if ! qt \$IPSET list $set -n; then) , emit ( qq( if ! qt \$IPSET list $set -n; then) ,
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") , qq( error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
qq( \$IPSET create $set hash:net family inet timeout 0${counters}) , qq( \$IPSET create $set hash:net family inet timeout 0${counters}) ,
qq( fi) ); qq( fi) );
} else { } else {
@ -8316,7 +8318,7 @@ sub ensure_ipsets( @ ) {
} }
} else { } else {
emit ( qq( if ! qt \$IPSET list $set -n; then) , emit ( qq( if ! qt \$IPSET list $set -n; then) ,
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") , qq( error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
qq( \$IPSET create $set hash:net family inet6 timeout 0${counters}) , qq( \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
qq( fi) ); qq( fi) );
} }

8
Shorewall/Perl/Shorewall/Rules.pm
View File

@ -4183,11 +4183,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} ); my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );
$restriction |= $chainref->{restriction};
for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) { for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
my $match = "-m statistic --mode nth --every $marks --packet $packet "; my $match = "-m statistic --mode nth --every $marks --packet $packet ";
expand_rule( $chainref, expand_rule( $chainref,
$restrictions{$chain} | $restriction, $restriction,
$prerule , $prerule ,
$match . $match .
do_user( $user ) . do_user( $user ) .
@ -4930,8 +4932,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
$chainref = ensure_chain( 'mangle', $chainnames{$chain} ); $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
} }
$restriction |= $chainref->{restriction};
if ( ( my $result = expand_rule( $chainref , if ( ( my $result = expand_rule( $chainref ,
( $restrictions{$chain} || 0 ) | $restriction, $restriction,
$prerule, $prerule,
do_proto( $proto, $ports, $sports) . $matches . do_proto( $proto, $ports, $sports) . $matches .
do_user( $user ) . do_user( $user ) .

18
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -827,7 +827,7 @@ sub validate_tc_class( ) {
fatal_error "Invalid 'occurs' ($val)" unless defined $occurs && $occurs > 1 && $occurs <= 256; fatal_error "Invalid 'occurs' ($val)" unless defined $occurs && $occurs > 1 && $occurs <= 256;
fatal_error "Invalid 'occurs' ($val)" if $occurs > $globals{TC_MAX}; fatal_error "Invalid 'occurs' ($val)" if $occurs > $globals{TC_MAX};
fatal_error q(Duplicate 'occurs') if $tcref->{occurs} > 1; fatal_error q(Duplicate 'occurs') if $tcref->{occurs} > 1;
fatal_error q(The 'occurs' option is not valid with 'default') if $devref->{default} == $classnumber; fatal_error q(The 'occurs' option is not valid with 'default') if defined($devref->{default}) && $devref->{default} == $classnumber;
fatal_error q(The 'occurs' option is not valid with 'tos') if @{$tcref->{tos}}; fatal_error q(The 'occurs' option is not valid with 'tos') if @{$tcref->{tos}};
warning_message "MARK ($mark) is ignored on an occurring class" if $mark ne '-'; warning_message "MARK ($mark) is ignored on an occurring class" if $mark ne '-';
@ -1308,6 +1308,8 @@ sub handle_ematch( $$ ) {
$setname =~ s/\+//; $setname =~ s/\+//;
add_ipset($setname);
return "ipset\\($setname $options\\)"; return "ipset\\($setname $options\\)";
} }
@ -1518,7 +1520,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
$rule .= ' and' if $have_rule; $rule .= ' and' if $have_rule;
if ( $source =~ /^\+/ ) { if ( $source =~ /^\+/ ) {
$rule = join( '', "\\\n ", handle_ematch( $source, 'src' ) ); $rule .= join( '', "\\\n ", handle_ematch( $source, 'src' ) );
} else { } else {
my @parts = decompose_net_u32( $source ); my @parts = decompose_net_u32( $source );
@ -1557,10 +1559,10 @@ sub process_tc_filter2( $$$$$$$$$ ) {
$rule .= ' and' if @parts; $rule .= ' and' if @parts;
} }
} }
}
$have_rule = 1; $have_rule = 1;
} }
}
if ( $have_rule ) { if ( $have_rule ) {
push @$filtersref, ( "\nrun_tc $rule\\" , push @$filtersref, ( "\nrun_tc $rule\\" ,
@ -2276,13 +2278,13 @@ sub setup_tc( $ ) {
$convert = $_[0]; $convert = $_[0];
if ( $config{MANGLE_ENABLED} ) { if ( $config{MANGLE_ENABLED} ) {
ensure_mangle_chain 'tcpre'; ensure_mangle_chain( 'tcpre', PREROUTING, PREROUTE_RESTRICT );
ensure_mangle_chain 'tcout'; ensure_mangle_chain( 'tcout', OUTPUT , OUTPUT_RESTRICT );
if ( have_capability( 'MANGLE_FORWARD' ) ) { if ( have_capability( 'MANGLE_FORWARD' ) ) {
ensure_mangle_chain 'tcfor'; ensure_mangle_chain( 'tcfor', FORWARD , NO_RESTRICT );
ensure_mangle_chain 'tcpost'; ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
ensure_mangle_chain 'tcin'; ensure_mangle_chain( 'tcin', INPUT , INPUT_RESTRICT );
} }
my @mark_part; my @mark_part;