On 7/18/2014 2:03 AM, Alan Barrett wrote:
> I have shorewall 4.6.1.2 (Debian package version 4.6.1.2-1).
> 
> I am trying to set mark with "|" and "&" in the tcrules file, and 
> it doesn't work.
> 
> The relevant lines in tcrules look like this:
> 
> # "OR" 0x40 into flags for packets to or from address 10.1.2.3,
> # provided the connection mark is zero.
> |0x40:P         10.1.2.3        0.0.0.0/0       -       { test=0:C }
> |0x40:T         0.0.0.0/0       10.1.2.3        -       { test=0:C }
> 
> The relevant lines in the output from /sbin/shorewall trace safe-restart
> look like this:
> 
> Compiling /etc/shorewall/tcrules...
> IN===> |0x40:P          10.1.2.3        0.0.0.0/0       -       { test=0:C }
>                 NF-(A)-> mangle:tcpre:1         -A tcpre -s 10.1.2.3 -m 
> connmark --mark 0/0xff  -j MARK --set-mark 0x40
> IN===> |0x40:T          0.0.0.0/0       10.1.2.3        -       { test=0:C }
>                 NF-(A)-> mangle:tcpost:1        -A tcpost -d 10.1.2.3 -m 
> connmark --mark 0/0xff  -j MARK --set-mark 0x40
>    WARNING: Non-empty tcrules file (/etc/shorewall/tcrules); consider running 
> 'shorewall update -t' at /usr/share/shorewall/Shorewall/Tc.pm line 3191.
>         Shorewall::Tc::setup_tc(0) called at 
> /usr/share/shorewall/Shorewall/Compiler.pm line 796
>         Shorewall::Compiler::compiler('script', 
> '/var/lib/shorewall/.restart', 'directory', '', 'verbosity', 1, 'timestamp', 
> 0, 'debug', ...) called at /usr/share/shorewall/compiler.pl line 152
> 
> See it using "--set-mark" instead of "--or-mark".  Also, the 
> message suggests that the tcrules file is deprecated, but the 
> shorewall-tcrules man page does not appear to say it's deprecated.
> 
> I think this is a bug, and line 560 of Shorewall/Tc.pm looks 
> suspicious:
> 
>       handle_mark_param('--set-mark' , , HIGHMARK );
> 
> handle_mark_param seems to expect the first argument to be false 
> in the case that AND and OR handling is desired.

The first and second hunks of the attached patch correct this problem.
The third hunk corrects the problem that you reported with SAVE.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 6ad585c..5c45d4c 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -231,6 +231,8 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	my ( $option, $marktype ) = @_;
 	my $and_or = $1 if $params =~ s/^([|&])//;
 
+	$and_or ||= '';
+
 	if ( $params =~ /-/ ) {
 	    #
 	    # A Mark Range
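Review bot: The added `$and_or ||= '';` works around the conditional declaration on the line above, `my $and_or = $1 if $params =~ s/^([|&])//;`, which perlsyn documents as undefined behaviour (a `my` modified by a statement-modifier conditional); the lexical may or may not be reset on each entry, so defaulting it afterwards treats the symptom rather than the cause. Declaring it unconditionally makes the default part of the declaration and the two added lines unnecessary: `my $and_or = $params =~ s/^([|&])// ? $1 : '';`. The enclosing subroutine (the `my ( $option, $marktype ) = @_;` unpacking suggests a nested helper inside process_mangle_rule1) starts and ends outside the hunk.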
@@ -556,7 +558,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    mask           => in_hex( $globals{TC_MASK} ),
 	    function       => sub () {
 		$target = 'MARK';
-		handle_mark_param('--set-mark', , HIGHMARK );
+		handle_mark_param('', , HIGHMARK );
 	    },
 	},
 
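Review bot: Nothing at the call site says why the option is now the empty string; the report quoted above explains that a false first argument makes handle_mark_param derive `--set-mark`, `--and-mark` or `--or-mark` from the `[|&]` prefix, and that intent deserves a comment so the next reader does not "fix" it back to `--set-mark`. The stray empty list element in `'', , HIGHMARK` also survives the change; Perl skips the empty element, so it is harmless but misleading. Suggested line: `handle_mark_param( '', HIGHMARK );  # empty option: callee picks --set/--and/--or-mark from the [|&] prefix`. The surrounding table entry and process_mangle_rule1 extend beyond the hunk.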
@@ -927,21 +929,22 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	$designator = '';
     }
 
-    my ( $cmd, $rest );
-
-    if ( $mark =~ /^TOS/ ) {
-	$cmd = $mark;
-	$rest = '';
-    } else {
-	($cmd, $rest) = split( '/', $mark, 2 );
-    }
-
     unless ( $command ) {
 	{
-	    if ( $cmd =~ /^([A-Z]+)/ ) {
+	    my ( $cmd, $rest ) = split( '/', $mark, 2 );
+	    
+	    if ( $cmd =~ /^([A-Z]+)(?:\((.+)\))?/ ) {
 		if ( my $tccmd = $tccmd{$1} ) {
 		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
-		    $command = $tccmd->{command} if $tccmd->{command};
+		    $command = $1;
+		    if ( supplied $rest ) {
+			fatal_error "Invalid $1 ACTION ($originalmark)" if supplied $2;
+			$mark = $rest;
+		    } elsif ( supplied $2 ) {
+			$mark = $2;
+		    } else {
+			$mark = '';
+		    }
 		}
 	    } else {
 		$command = 'MARK';
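Review bot: The removed `^TOS` branch kept TOS marks from being split on `/`, but the new `my ( $cmd, $rest ) = split( '/', $mark, 2 );` splits unconditionally; if a TOS argument may carry a `/`-separated mask, as the dropped special case suggests, the split now cuts `$cmd` before the closing parenthesis, the `(?:\((.+)\))?` group cannot match, and `$mark` is left holding the fragment after the slash (or the `match` check fails first). Restoring the guard in the new shape is one line: `my ( $cmd, $rest ) = $mark =~ /^TOS/ ? ( $mark, '' ) : split( '/', $mark, 2 );`. Separately, `$1` and `$2` are read across five statements, including after the `$tccmd->{match}($cmd)` call and inside the `fatal_error` messages; copying them right after the match with `my ( $action, $arg ) = ( $1, $2 );` and using the lexicals below removes the dependence on no intervening match. The added blank line carries trailing whitespace. The `unless ( $command )` block and process_tc_rule1 continue outside the hunk.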


