--- compiler.bak	2007-02-10 23:01:53.000000000 +0100
+++ compiler	2007-02-25 12:44:26.000000000 +0100
@@ -6045,6 +6045,8 @@
 	[ "x$proto" = x- ] && proto=
 	[ "x$ports" = x- ] && ports=
 
+	[ "x$mark" = x- ] && mark=
+
 	if [ -n "$proto" ]; then
 
 	    displayproto="($proto)"
@@ -6094,6 +6096,15 @@
 	    [ -n "$ports" ] && fatal_error "Ports only allowed with UDP or TCP ($ports)"
 	fi
 
+	if [ -n "$mark" ]; then
+	    displaymark="($mark)"
+	    if [ "$mark" = "${mark%!*}" ]; then
+	        mark="-m mark --mark $mark"
+	    else
+	        mark="-m mark ! --mark ${mark#*!}"
+	    fi
+	fi
+
 	destination=${destnets:=0.0.0.0/0}
 
 	[ -z "$pre_nat" ] && chain=$(masq_chain $interface) || chain=$(snat_chain $interface)
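Review bot: The MARK column is spliced into iptables arguments without validation: `mark="-m mark --mark $mark"` on the `if [ -n "$mark" ]` branch accepts any text, and that `$mark` is then expanded unquoted in every `addnatrule` call and in the generated `run_iptables` here-doc lines of the later hunks (-6108, -6119, -6143, -6157, -6166, -6270, -6290, -6308), so a value containing whitespace or a leading `-` becomes extra iptables arguments instead of a rejected entry. The ports check just above this hunk already uses `fatal_error` for a malformed column; a matching guard before `displaymark`, `case "${mark#!}" in *[!0-9a-fA-Fx/]*|'') fatal_error "Invalid MARK value ($mark)" ;; esac`, keeps the failure at compile time and in the same style, and also rejects a `!` that is not leading, which the `${mark#*!}` arm would otherwise accept silently. `displaymark` is assigned here but not read within the hunk; if nothing outside uses it, drop the assignment. The enclosing function (presumably setup_one, given the call in the last compiler hunk) starts and ends outside this hunk.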
@@ -6108,7 +6119,7 @@
 
 		if [ -n "$networks" ]; then
 		    for s in $networks; do
-			addnatrule $chain $(source_ip_range $s) $proto $ports $policy -j $newchain
+			addnatrule $chain $(source_ip_range $s) $proto $ports $mark $policy -j $newchain
 		    done
 		    networks=
 		elif [ -n "$detectinterface" ]; then
@@ -6119,7 +6130,7 @@
 [ -z "\$networks" ] && fatal_error "Unable to determine the routes through interface \"$detectinterface\""
 
 for network in \$networks; do
-    run_iptables -t nat -A $chain -s \$network $proto $ports $policy -j $newchain
+    run_iptables -t nat -A $chain -s \$network $proto $ports $mark $policy -j $newchain
 done
 
 __EOF__
@@ -6143,7 +6154,7 @@
 		    if [ -n "$networks" ]; then
 			for s in $networks; do
 			    for destnet in $(separate_list $destnets); do
-				addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $policy -j $newchain
+				addnatrule $chain $(both_ip_ranges $s $destnet) $proto $ports $mark $policy -j $newchain
 			    done
 			done
 		    elif [ -n "$detectinterface" ]; then
@@ -6157,7 +6168,7 @@
 __EOF__
 			for destnet in $(separate_list $destnets); do
 			    indent >&3 << __EOF__
-    run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $newchain
+    run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain
 __EOF__
 			done
 			indent >&3 << __EOF__
@@ -6166,7 +6177,7 @@
 __EOF__
 		    else
 			for destnet in $(separate_list $destnets); do
-			    addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $newchain
+			    addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $newchain
 			done
 		    fi
 
@@ -6270,7 +6281,7 @@
 	if [ -n "$networks" ]; then
 	    for network in $networks; do
 		for destnet in $(separate_list $destnets); do
-		    addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $policy -j $target $addrlist
+		    addnatrule $chain $(both_ip_ranges $network $destnet) $proto $ports $mark $policy -j $target $addrlist
 		done
 
 		if [ -n "$addresses" ]; then
@@ -6290,7 +6301,7 @@
 __EOF__
 	    for destnet in $(separate_list $destnets); do
 		indent >&3 << __EOF__
-    run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
+    run_iptables -t nat -A $chain -s \$network $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist
 __EOF__
 	    done
 
@@ -6308,7 +6319,7 @@
 
 	else
 	    for destnet in $(separate_list $destnets); do
-		addnatrule $chain $(dest_ip_range $destnet) $proto $ports $policy -j $target $addrlist
+		addnatrule $chain $(dest_ip_range $destnet) $proto $ports $mark $policy -j $target $addrlist
 	    done
 
 	    if [ -n "$addresses" ]; then
@@ -6327,8 +6338,8 @@
 	save_progress_message "Setting up Masquerading/SNAT..."
     fi
 
-    while read fullinterface networks addresses proto ports ipsec; do
-	expandv fullinterface networks addresses proto ports ipsec
+    while read fullinterface networks addresses proto ports ipsec mark; do
+	expandv fullinterface networks addresses proto ports ipsec mark
 	if [ -n "$NAT_ENABLED" ]; then
 	    setup_one
 	else
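Review bot: With `mark` appended as the last variable of `read fullinterface networks addresses proto ports ipsec mark`, any extra whitespace-separated fields on a masq line are folded into `$mark` rather than reported, and that string is later expanded unquoted into iptables arguments by setup_one. Adding a trailing sink variable and rejecting it, `while read fullinterface networks addresses proto ports ipsec mark extra; do` followed by `[ -z "$extra" ] || fatal_error "Invalid masq entry (extra column: $extra)"`, makes a malformed line fail at compile time; if the file already has a shared helper for this check, use that instead, and if extra columns are meant to be tolerated, at least strip them before `expandv`. The `read` is also still without `-r`, matching the original line, so a backslash in any column is interpreted rather than kept literal. The while loop's body continues past the hunk.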
--- masq.bak	2007-02-10 23:01:53.000000000 +0100
+++ masq	2007-02-25 12:37:46.000000000 +0100
@@ -178,6 +178,12 @@
 #					next	Separates rules; can only be
 #						used with strict..
 #
+#	MARK -- (Optional)	If you wish to restrict this entry to packets
+#				marked with a particular mark value.
+#				mark/mask values are acceptable.
+#				You can prepend "!" to the mark value to invert
+#				the sense of this rule.
+#
 #	Example 1:
 #
 #		  You have a simple masquerading setup where eth0 connects to
@@ -233,5 +239,5 @@
 # For additional information, see http://shorewall.net/Documentation.htm#Masq
 #
 ###############################################################################
-#INTERFACE		SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
+#INTERFACE		SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

