On Wed, 2011-12-28 at 22:46 +0000, Steven Jan Springl wrote: > I have done some further testing of ':P' and ':F' and have found that: > > ':F' produces an iptables error if DEST is fw. > > ':P' produces an iptables error if DEST is fw. > > ':P' produces an iptables error if SOURCE is not fw.
Steven, This patch eliminates ':P' and complains if :F is used when the SOURCE or DEST is $FW. Thanks, -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index f36e703..6bf0cc2 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -104,8 +104,7 @@ my %flow_keys = ( 'src' => 1,
'sk-gid' => 1,
'vlan-tag' => 1 );
-my %designator = ( P => 'tcpre' ,
- F => 'tcfor' ,
+my %designator = ( F => 'tcfor' ,
T => 'tcpost' );
my %tosoptions = ( 'tos-minimize-delay' => '0x10/0x10' ,
@@ -211,7 +210,8 @@ sub process_tc_rule( ) {
fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
- my $chain = $globals{MARKING_CHAIN};
+ my $chain = $globals{MARKING_CHAIN};
+ my $classid = 0;
if ( $remainder ) {
if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
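Review bot: The new `my $classid = 0;` is undocumented, yet it now steers both the SOURCE-is-firewall branch and the `unless ( $classid )` check in later hunks, so a reader has to chase the parsing code to learn what it means. From the following hunk it appears to be set to 1 only when the MARK column parses as two hex fields followed by a recognised F/T designator, i.e. a class id rather than a plain mark. Suggest `my $classid = 0; # 1 when MARK is <major>:<minor>:<F|T> (class id plus chain designator)`. The body of process_tc_rule starts outside this hunk.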
@@ -221,21 +221,26 @@ sub process_tc_rule( ) {
unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
$designator =~ /^([0-9a-fA-F]+)$/ &&
( $chain = $designator{$remainder} ) );
- $mark = join( ':', $mark, $designator );
+ $mark = join( ':', $mark, $designator );
+ $classid = 1;
}
}
my $target = 'MARK --set-mark';
my $tcsref;
my $connmark = 0;
- my $classid = 0;
my $device = '';
my $fw = firewall_zone;
my $list;
if ( $source ) {
if ( $source eq $fw ) {
- $chain = 'tcout';
+ if ( $classid ) {
+ fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
+ } else {
+ $chain = 'tcout';
+ }
+
$source = '';
} else {
$chain = 'tcout' if $source =~ s/^($fw)://;
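Review bot: The new guard in the `if ( $source eq $fw )` branch is bypassed by the `$FW:address` form on the last line of the hunk, where `$chain = 'tcout' if $source =~ s/^($fw)://;` still silently replaces the chain chosen by the `:F` designator instead of raising the same fatal_error. The DEST side in the next hunk has the same shape: `$chain = 'tcin';` runs unconditionally after the new `if $classify` check, so a `:F` rule with DEST `$FW` is only rejected if `$classify` is already true at that point, and nothing in these hunks shows where it is set. Applying the same `$classid`/chain test to both assignments keeps the two forms consistent; `\Q$fw\E` also stops a zone name with regex metacharacters from changing the pattern (the capture group is kept in case `$1` is read further down). process_tc_rule continues outside the hunk.
```perl
} else {
    if ( $source =~ s/^(\Q$fw\E):// ) {
        fatal_error ":F is not allowed when the SOURCE is the firewall" if $classid && $chain eq 'tcfor';
        $chain = 'tcout' unless $classid;
    }
    # … unchanged: rest of the else branch, outside this hunk …
```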
@@ -244,6 +249,7 @@ sub process_tc_rule( ) {
if ( $dest ) {
if ( $dest eq $fw ) {
+ fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classify;
$chain = 'tcin';
$dest = '';
} else {
@@ -268,8 +274,9 @@ sub process_tc_rule( ) {
require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
} else {
- unless ( $remainder ) {
+ unless ( $classid ) {
fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+ fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
$chain = 'tcpost';
$mark = $originalmark;
}
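Review bot: The new `fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';` inside `unless ( $classid )` only covers DEST `$FW`; the mirror case where SOURCE is `$FW` (chain set to `'tcout'` earlier) is not rejected and is silently turned into `'tcpost'` by the next line, while the earlier hunk rejects `:F` with SOURCE `$FW`. If the firewall's own output is meant to be classified in tcpost, a comment next to the new check such as `# SOURCE $FW is fine here: locally generated traffic still traverses tcpost` would save the next reader the question; if it is not meant to be allowed, the symmetric `fatal_error ... if $chain eq 'tcout';` belongs beside it. The enclosing else branch and the sub continue outside the hunk.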
