Add some decimal->hex convertions in routing rules.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Deprecate the current TPROXY implementation.
2012-05-10 11:11:15 -07:00 · 2012-05-10 11:02:08 -07:00 · 2012-05-10 07:29:59 -07:00
5 changed files with 7 additions and 106 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1030,7 +1030,9 @@ sub normalize_hex( $ ) {
 # Return the argument expressed in Hex
 #
 sub in_hex( $ ) {
-    sprintf '0x%x', $_[0];
+    my $value = $_[0];
+
+    $value =~ /^0x/ ? $value : sprintf '0x%x', $_[0];
 }

 sub in_hex2( $ ) {
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -632,12 +632,13 @@ CEOF
    setup_interface_proc( $interface );

    if ( $mark ne '-' ) {
+	my $hexmark = in_hex( $mark );
 	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';

-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};

-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
+	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark ${hexmark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
 	     );
    }

--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -407,39 +407,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              classes will have a value &gt; 256.</para>
            </listitem>

-            <listitem>
-              <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
-
-              <para>Transparently redirects a packet without altering the IP
-              header. Requires a local provider to be defined in <ulink
-              url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-
-              <para>There are three parameters to TPROXY - only the first
-              (mark) is required:</para>
-
-              <itemizedlist>
-                <listitem>
-                  <para><replaceable>mark</replaceable> - the MARK value
-                  corresponding to the local provider in <ulink
-                  url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>port</replaceable> - the port on which
-                  the proxy server is listening. If omitted, the original
-                  destination port.</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>address</replaceable> - a local (to the
-                  firewall) IP address on which the proxy server is listening.
-                  If omitted, the IP address of the interface on which the
-                  request arrives.</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-
            <listitem>
              <para><emphasis role="bold">TTL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -304,39 +304,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              simply include COMMENT on a line by itself.</para>
            </listitem>

-            <listitem>
-              <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
-
-              <para>Transparently redirects a packet without altering the IP
-              header. Requires a local provider to be defined in <ulink
-              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
-
-              <para>There are three parameters to TPROXY - only the first
-              (mark) is required:</para>
-
-              <itemizedlist>
-                <listitem>
-                  <para><replaceable>mark</replaceable> - the MARK value
-                  corresponding to the local provider in <ulink
-                  url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>port</replaceable> - the port on which
-                  the proxy server is listening. If omitted, the original
-                  destination port.</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>address</replaceable> - a local (to the
-                  firewall) IP address on which the proxy server is listening.
-                  If omitted, the IP address of the interface on which the
-                  request arrives.</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-
            <listitem>
              <para><emphasis role="bold">HL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
--- a/docs/Shorewall_Squid_Usage.xml
+++ b/docs/Shorewall_Squid_Usage.xml
@@ -308,40 +308,4 @@ ACCEPT    loc      $FW    tcp      8080
 ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    </example>
  </section>
-
-  <section id="TPROXY">
-    <title>Transparent with TPROXY</title>
-
-    <para>Shorewall 4.4.7 contains support for TPROXY. TPROXY differs from
-    REDIRECT in that it does not modify the IP header. Because the IP header
-    stays intact, TPROXY requires policy routing to direct the packets to the
-    proxy server running on the firewall. This approach requires TPROXY
-    support in your kernel and iptables and Squid 3. See <ulink
-    url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
-
-    <para>The following configuration works with Squid running on the firewall
-    itself (assume that Squid is listening on port 3128).</para>
-
-    <para><filename>/etc/shorewall/interfaces:</filename></para>
-
-    <programlisting>#ZONE        INTERFACE        BROADCAST         OPTIONS
-            lo               -                 -</programlisting>
-
-    <para><filename>/etc/shorewall/providers</filename>:</para>
-
-    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
-Tproxy    1        1        -           lo        -            local</programlisting>
-
-    <para><filename>/etc/shorewall/tcrules</filename> (assume loc interface is
-    eth1):</para>
-
-    <programlisting>MARK            SOURCE      DEST        PROTO      PORT(S)
-TPROXY(1,3128)  eth1        0.0.0.0/0   tcp        80</programlisting>
-
-    <para>/etc/shorewall/rules:</para>
-
-    <programlisting>#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)
-ACCEPT    loc      $FW    tcp     80
-ACCEPT    $FW      net    tcp     80</programlisting>
-  </section>
 </article>
Author	SHA1	Message	Date
Tom Eastep	746a363d41	Add some decimal->hex convertions in routing rules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 11:11:15 -07:00
Tom Eastep	6e5b07c804	Deprecate the current TPROXY implementation. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 11:02:08 -07:00
Tom Eastep	865078f925	Allow Shorewall::Config::in_hex() to accept an argument already expressed in hex. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 07:29:59 -07:00