On Mon, Apr 27, 2009 at 11:41:19AM -0700, Tom Eastep wrote:
> I think that the logical approach is to clone the current
> /etc/shorewall/tos file handling (or modify it to set the entire DSCP
> field rather than just the TOS).

As part of this, would this addition be useful for shorewall 4.3.x:

Adds support for matching in tcrules on dscp marks using -m dscp target
of iptables. Against latest git (also fixed a typo from when I sent the
tos patch for shorewall-perl quite a while ago in the comment of do_tos).

After all, tcclasses already supports arbitrary tos byte values, while
tcrules only supports the 5 fixed tos values. Adding a new column to
the end of tcrules for dscp target matching should be fully backwards
compatible with existing configs (even though having it next to TOS
would have been nice, but not worth it).

dscp can either be the numerical value (0-32 I believe), or a diffserv
name (CS0-CS7, BE, AF[1-4][1-3], EF).

Does this look acceptable? Adding a mangle target for dscp is going to
be a bit more work of course.

I did NOT test this patch. I have a variant against 4.0.15 which I
tested and it nicely creates rules in iptables. It is almost the same
though, just varying due to the differences between 4.0 and the git tree.

diff --git a/Shorewall/Perl/Shorewall/Chains.pm
b/Shorewall/Perl/Shorewall/Chains.pm
index 95e4725..8857e71 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -133,6 +133,7 @@ our %EXPORT_TAGS = (
do_tos
do_connbytes
do_helper
+ do_dscp
match_source_dev
match_dest_dev
iprange_match
@@ -1740,7 +1741,16 @@ sub do_helper( $ ) {
}
#
-# Create a "-m length" match for the passed TOS
+# Create a "-m dscp" match for the passed DSCP
+#
+sub do_dscp( $ ) {
+ my $dscp = $_[0];
+
+ $dscp ne '-' ? ( $dscp =~ /^[ABCE]/ ? "-m dscp --dscp-class $dscp " : "-m
dscp --dscp $dscp ") : '';
+}
+
+#
+# Create a "-m length" match for the passed LENGTH
#
sub do_length( $ ) {
my $length = $_[0];
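Review bot: do_dscp interpolates $dscp into the rule text without validating it. The /^[ABCE]/ test is case-sensitive and looks only at the first character, so a lowercase class name such as ef falls through to --dscp, and any token that starts with A, B, C or E is handed to --dscp-class unchecked. Suggest anchoring the pattern to the accepted class names (CS0-CS7, BE, AF[1-4][1-3], EF), matching case-insensitively, range-checking the numeric form, and reporting a configuration error at compile time instead of leaving the mistake for iptables to reject when the rules are loaded.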
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 4923bb2..77c06b5 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -220,7 +220,7 @@ INIT {
}
sub process_tc_rule( ) {
- my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user,
$testval, $length, $tos , $connbytes, $helper ) = split_line1 2, 12, 'tcrules
file';
+ my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user,
$testval, $length, $tos, $connbytes, $helper, $dscp ) = split_line1 2, 13,
'tcrules file';
if ( $originalmark eq 'COMMENT' ) {
process_comment;
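Review bot: The thirteenth column added to the split_line1 call has no documentation in this patch; the tcrules column description should list DSCP and the values it accepts. It is also worth confirming that split_line1 fills an omitted trailing column with '-', because do_dscp treats only '-' as "no match" and existing twelve-column files depend on that.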
@@ -386,7 +386,8 @@ sub process_tc_rule( ) {
do_length( $length ) .
do_tos( $tos ) .
do_connbytes( $connbytes ) .
- do_helper( $helper ),
+ do_helper( $helper ) .
+ do_dscp( $dscp ),
$source ,
$dest ,
'' ,
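Review bot: With do_tos( $tos ) and do_dscp( $dscp ) concatenated into one match string, a rule that fills both columns tests the same header byte twice (DSCP is the upper six bits of the TOS byte), and inconsistent values produce a rule that can never match. Suggest rejecting rules that set both columns, or documenting the interaction in the tcrules description.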
--
Len Sorensen
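
An added example, not part of the original post and not Shorewall code: one way a DSCP column token could be validated before it is placed in an iptables match. It assumes the standard DiffServ codepoints (CSn = 8n, AFxy = 8x + 2y, EF = 46, BE = 0) and the 6-bit width of the DSCP field; the helper names dscp_codepoint and dscp_match are hypothetical, and the tokens in the loop are constructed samples.

```perl
#!/usr/bin/perl
# Added example; dscp_codepoint/dscp_match are hypothetical names.
use strict;
use warnings;

# Resolve a DSCP token (class name or number) to its 6-bit codepoint.
# Returns undef for anything that is not a valid DSCP value.
sub dscp_codepoint {
    my ($token) = @_;
    my $t = uc $token;                        # class names are case-insensitive here
    return 0               if $t eq 'BE';     # best effort
    return 46              if $t eq 'EF';     # expedited forwarding
    return 8 * $1          if $t =~ /^CS([0-7])$/;
    return 8 * $1 + 2 * $2 if $t =~ /^AF([1-4])([1-3])$/;
    if ( $t =~ /^(?:0X[0-9A-F]+|\d+)$/ ) {
        my $n = $t =~ /^0X/ ? hex( substr $t, 2 ) : $t + 0;
        return $n if $n <= 63;                # the field is six bits wide
    }
    return;                                   # unknown name or out of range
}

# Build the "-m dscp" match text, or die with a configuration error.
# '-' means the column was left empty, so no match is added.
sub dscp_match {
    my ($token) = @_;
    return '' if $token eq '-';
    my $cp = dscp_codepoint($token);
    die "Invalid DSCP value ($token)\n" unless defined $cp;
    # Emit the validated number, never the raw column text.
    return "-m dscp --dscp $cp ";
}

# Constructed sample tokens: valid names, valid numbers, and bad input.
for my $token ( '-', 'EF', 'af21', 'CS6', '32', '0x2e', '64', 'AF15' ) {
    my $match = eval { dscp_match($token) };
    my $shown = !defined $match ? 'rejected'
              : $match eq ''    ? '(column empty, no match added)'
              :                   $match;
    printf "%-5s => %s\n", $token, $shown;
}
```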
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel