On 23/04/2012 05:26, Ed W wrote:
Hmm, I just found something I need this for:
- Squid, DNSMasq and some apps I have written read the incoming
*connection* mark, and copy that to the outgoing packet mark.
The intention is that marks applied to local IPs (users) get copied
through such proxy servers and applied to the outgoing connection. So
these "proxy" type servers look like the original user rather than an
app on your router. This is helpful for certain applications, such as
counting per user traffic, captive portals, etc.
So I need to copy my route markings (probably the whole fwmark actually)
to the connection mark... Would you mind recommending a workaround I
might use for that long term, given that this might not represent your
average user action? What about
- an accidentally undocumented option TOTAL_BITS (or better name) which
defaults to the current formula, but is used to set the size of the
SAVE/RESTORE mask (ideally we don't want extra options though)
- re-use TC_EXPERT to let you shoot yourself even harder?
Hi, please see attached for a possible patch to allow saving routing
fwmarks up into the conntrack mark. It's almost certainly wrong, so
let's assume it's a talking point...
Also attached a patch for what appears to be a typo in the configure
file? I did mention it a couple of emails back, but I think it might
have been in the middle of a bunch of hot air from me and you missed it?
Many thanks
Ed W
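The scheme in the quoted message has two halves: netfilter saving the packet mark into the connection mark (and restoring it on later packets), and the proxy itself reading the mark of an accepted connection and setting it on its outgoing socket. The block below is an added example, not code from this mail, Shorewall, Squid or dnsmasq. `connmark_save`/`connmark_restore` model the `--mask` semantics of `CONNMARK --save-mark` and `--restore-mark` as documented in iptables-extensions(8); `propagate_mark` is the userspace SO_MARK copy. The names `USER_MASK_EXAMPLE` and `ROUTING_MASK_EXAMPLE` and the mark values are constructed for illustration and are not Shorewall's TC_MASK or PROVIDER_MASK values.

```python
"""Added example (not Shorewall, Squid or dnsmasq code): how the two halves of
the mark-propagation scheme in the quoted message fit together.

connmark_save/connmark_restore model what `CONNMARK --save-mark --mask M` and
`CONNMARK --restore-mark --mask M` do to the packet mark (nfmark) and the
connection mark (ctmark), per iptables-extensions(8).  propagate_mark is the
userspace half: a proxy reads the mark the kernel gave the accepted connection
and sets it on its outgoing socket.  Mask and mark values are constructed for
illustration; they are not Shorewall's TC_MASK or PROVIDER_MASK values.
"""
import socket
from typing import Tuple

# Linux socket option number; Python only exports socket.SO_MARK on Linux.
SO_MARK = getattr(socket, "SO_MARK", 36)

# Constructed layout: low byte = per-user mark, next byte = routing (provider) mark.
USER_MASK_EXAMPLE = 0x00FF
ROUTING_MASK_EXAMPLE = 0xFF00


def connmark_save(nfmark: int, ctmark: int, mask: int) -> int:
    """CONNMARK --save-mark --mask: ctmark = (ctmark & ~mask) ^ (nfmark & mask)."""
    return (ctmark & ~mask) ^ (nfmark & mask)


def connmark_restore(nfmark: int, ctmark: int, mask: int) -> int:
    """CONNMARK --restore-mark --mask: nfmark = (nfmark & ~mask) ^ (ctmark & mask)."""
    return (nfmark & ~mask) ^ (ctmark & mask)


def round_trip(nfmark: int, mask: int) -> int:
    """Mark seen on a later packet of the same connection that arrives with
    nfmark 0, after SAVE ran on the first packet and RESTORE runs on this one.
    Every bit of nfmark outside `mask` is lost on the way."""
    ctmark = connmark_save(nfmark, 0, mask)
    return connmark_restore(0, ctmark, mask)


def propagate_mark(accepted: socket.socket, outgoing: socket.socket) -> Tuple[int, bool]:
    """Copy the accepted connection's SO_MARK onto the outgoing socket.

    The accepted socket carries the SYN's nfmark only if a RESTORE rule ran
    before the packet reached the listener, and on Linux >= 3.16 only with
    net.ipv4.tcp_fwmark_accept=1 and the listening socket's own mark left at 0.
    Setting SO_MARK needs CAP_NET_ADMIN (newer kernels also accept CAP_NET_RAW);
    without it the kernel answers EPERM and the outgoing connection keeps mark 0.
    Returns (mark read, whether it was applied)."""
    mark = accepted.getsockopt(socket.SOL_SOCKET, SO_MARK)
    try:
        outgoing.setsockopt(socket.SOL_SOCKET, SO_MARK, mark)
        return mark, True
    except PermissionError:
        return mark, False


if __name__ == "__main__":
    nfmark = 0x0203  # routing byte 0x02, user byte 0x03 (constructed)
    # Mask covering only the user byte: the routing byte is dropped -> 0x3
    print(hex(round_trip(nfmark, USER_MASK_EXAMPLE)))
    # Mask covering both bytes: the whole mark survives -> 0x203
    print(hex(round_trip(nfmark, USER_MASK_EXAMPLE | ROUTING_MASK_EXAMPLE)))
    a, b = socket.socketpair()
    try:
        print(propagate_mark(a, b))
    finally:
        a.close()
        b.close()
```

The `round_trip` calls are the point of the thread: whatever `SAVE`/`RESTORE` accept as a mark value, bits that the `--mask` argument does not cover never reach the connmark, so a proxy calling `propagate_mark` can only forward what the mask let through.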
--- shorewall-core-4.5.2.2/configure 2012-04-15 19:46:09.000000000 +0100
+++ shorewall-core-4.5.2.2/configure.orig 2012-04-15 19:45:57.000000000
+0100
@@ -132,7 +132,7 @@
vendor=${params[HOST]}
elif [ $vendor = linux ]; then
- rcfile=$shorewallrc.default;
+ rcfile=shorewallrc.default;
else
rcfile=shorewallrc.$vendor
if [ ! -f $rcfile ]; then
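Review bot: the file headers of this patch are reversed relative to the two Perl patches below: `--- shorewall-core-4.5.2.2/configure` names the edited copy (the newer timestamp) and `+++ shorewall-core-4.5.2.2/configure.orig` the pristine one, so read in the normal direction the hunk replaces `rcfile=$shorewallrc.default;` with `rcfile=shorewallrc.default;` and `patch` will look for `configure.orig` as its target. Please confirm that is the intended direction and regenerate it with `diff -u configure.orig configure` so all three patches apply the same way. The trailing `;` on the assignment is harmless in sh but inconsistent with `rcfile=shorewallrc.$vendor` two lines further down.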
--- Perl/Shorewall/Tc.pm.orig 2012-04-23 12:56:20.000000000 +0100
+++ Perl/Shorewall/Tc.pm 2012-04-23 12:58:06.000000000 +0100
@@ -1959,13 +1959,13 @@
if ( $config{TC_ENABLED} ) {
our @tccmd = ( { match => sub ( $ ) { $_[0] eq 'SAVE' } ,
target => 'CONNMARK --save-mark --mask' ,
- mark => SMALLMARK ,
+ mark => $config{TC_EXPERT} ? HIGHMARK :
SMALLMARK ,
mask => in_hex( $globals{TC_MASK} ) ,
connmark => 1
} ,
{ match => sub ( $ ) { $_[0] eq 'RESTORE' },
target => 'CONNMARK --restore-mark --mask' ,
- mark => SMALLMARK ,
+ mark => $config{TC_EXPERT} ? HIGHMARK :
SMALLMARK ,
mask => in_hex( $globals{TC_MASK} ) ,
connmark => 1
} ,
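Review bot: the `mask` entry of both the SAVE and the RESTORE rule is still `in_hex( $globals{TC_MASK} )`, so under TC_EXPERT the rules accept a HIGHMARK mark value but the generated `CONNMARK --save-mark --mask` / `--restore-mark --mask` still copy only the TC_MASK bits; the routing bits this patch is meant to carry into the connmark are masked off and never saved. If TC_EXPERT is to widen these rules, widen the mask together with the mark, e.g. `mask => in_hex( $config{TC_EXPERT} ? $globals{TC_MASK} | $globals{PROVIDER_MASK} : $globals{TC_MASK} )`, and hoist the duplicated `$config{TC_EXPERT} ? HIGHMARK : SMALLMARK` into a single variable so the SAVE and RESTORE entries cannot drift apart.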
--- Perl/Shorewall/Chains.pm.orig 2012-04-23 13:42:02.000000000 +0100
+++ Perl/Shorewall/Chains.pm 2012-04-23 13:42:14.000000000 +0100
@@ -3892,7 +3892,8 @@
fatal_error "Invalid Mark or Mask value ($mark)"
unless( ( $value & $globals{PROVIDER_MASK} ) == $value ||
( $value & $globals{USER_MASK} ) == $value ||
- ( $value & $globals{ZONE_MASK} ) == $value );
+ ( $value & $globals{ZONE_MASK} ) == $value ||
+ $config{TC_EXPERT} );
}
}
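Review bot: the appended `|| $config{TC_EXPERT}` short-circuits the whole validation rather than relaxing it: with TC_EXPERT set, every $value passes, including bits outside PROVIDER_MASK, USER_MASK and ZONE_MASK, and the "Invalid Mark or Mask value" error can never fire. If the aim is to allow a mark that spans the routing and user fields, accept a value that fits within the union of the masks instead, e.g. `( $value & ( $globals{PROVIDER_MASK} | $globals{USER_MASK} | $globals{ZONE_MASK} ) ) == $value` when TC_EXPERT is set, so stray high bits are still rejected. The change also alters what TC_EXPERT permits and needs a corresponding line in the TC_EXPERT documentation.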
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users