--- rules.bak	2007-02-10 23:01:53.000000000 +0100
+++ rules	2007-02-25 14:59:27.000000000 +0100
@@ -385,6 +385,12 @@
 #					#removed from Netfilter in kernel
 #					#version 2.6.14).
 #
+#       MARK (Optional) If you wish to restrict this entry to packets
+#                       marked with a particular mark value.
+#                       mark/mask values are acceptable.
+#                       You can prepend "!" to the mark value to invert
+#                       the sense of this rule.
+#
 #	Example: Accept SMTP requests from the DMZ to the internet
 #
 #	#ACTION SOURCE	DEST PROTO	DEST	SOURCE	ORIGINAL
@@ -437,7 +443,7 @@
 #	DNAT	 net	loc:192.168.3.4:22	tcp	2222
 #
 #############################################################################################################
-#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK
 #						PORT(S)	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ESTABLISHED
 #SECTION RELATED
--- compiler.bak	2007-02-25 14:52:38.000000000 +0100
+++ compiler	2007-02-25 15:39:14.000000000 +0100
@@ -4441,6 +4441,7 @@
                # $7 = address
                # $8 = ratelimit
                # $9 = userspec
+               # $10= mark
 {
     local target="$1"
     local clients="$2"
@@ -4451,6 +4452,7 @@
     local address="$7"
     local ratelimit="$8"
     local userspec="$9"
+    local mark="${10}"
     local userandgroup=
     local logtag=
     local nonat=
@@ -4473,6 +4475,7 @@
     #	 ratelimit	= Optional rate limiting clause
     #	 userandgroup	= -m owner clause
     #	 userspec	= User name
+    #	 mark    	= packet mark
     #	 logtag		= Log tag
     #	 policy		= Applicable Policy
     #
@@ -4615,6 +4618,7 @@
 	servport=$serverport
 	multiport=
 	user="$userandgroup"
+	mrk="$mark"
 
 	# Restore $chain to the canonical chain.
 
@@ -4657,7 +4661,7 @@
 
 	case "$logtarget" in
 	    ACCEPT|DROP|REJECT|CONTINUE)
-		if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" ] ; then
+		if [ -z "$proto" -a -z "$cli" -a -z "$serv" -a -z "$servport" -a -z "$user" -a -z "$excludesource" -a -z "$excludedest" -a -z "$mark" ] ; then
 		    error_message "WARNING -- Rule \"$rule\" is a POLICY"
 		    error_message "	   -- and should be moved to the policy file"
 		fi
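Review bot: The POLICY check added on the `if` line tests `$mark`, while every other operand in that condition and all of the rule emitters below use the per-rule copies (`$user`, `$mrk`); writing `-a -z "$mrk"` would keep the condition consistent with the variables the rule is actually built from. Both names appear to hold the same text once `mrk="$mark"` has run, so this is a point of style only. The enclosing function starts and ends outside this hunk.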
@@ -4714,7 +4718,7 @@
 			    if [ -n "$addr" -a -n "$CONNTRACK_MATCH" ]; then
 				if [ "$addr" = detect ]; then
 				    indent >&3 << __EOF__
-    run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user -j $target
+    run_iptables -A $chain $state $proto $ratelimit $multiport $cli $sports $(dest_ip_range $srv) $dports -m conntrack --ctorigdst \$adr $user $mrk -j $target
 done
 
 __EOF__
@@ -4722,44 +4726,44 @@
 				    for adr in $(separate_list $addr); do
 					if [ -n "$loglevel" -a -z "$natrule" ]; then
 					    log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A -m conntrack --ctorigdst $adr \
-						$user $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
+						$user $mrk $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports) $state
 					fi
 
 					run_iptables2 -A $chain $state $proto $ratelimit $multiport $cli $sports \
-					    $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user -j $target
+					    $(dest_ip_range $srv) $dports -m conntrack --ctorigdst $adr $user $mrk -j $target
 				    done
 				fi
 			    else
 				if [ -n "$loglevel" -a -z "$natrule" ]; then
-				    log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
+				    log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
 					    $state $(fix_bang $proto $sports $multiport $cli $(dest_ip_range $srv) $dports)
 				fi
 
 				if [ -n "$nonat" ]; then
 				    addnatrule $(dnat_chain $source) $proto $multiport \
-					$cli $sports $(dest_ip_range $srv) $dports $ratelimit $user -j RETURN
+					$cli $sports $(dest_ip_range $srv) $dports $ratelimit $user $mrk -j RETURN
 				fi
 
 				if [ "$logtarget" != NONAT ]; then
 				    run_iptables2 -A $chain $state $proto $multiport $cli $sports \
-					$(dest_ip_range $srv) $dports $ratelimit $user -j $target
+					$(dest_ip_range $srv) $dports $ratelimit $user $mrk -j $target
 				fi
 			    fi
 			done
 		    done
 		else
 		    if [ -n "$loglevel" -a -z "$natrule" ]; then
-			log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
+			log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
 				$state $(fix_bang $proto $sports $multiport $cli $dports)
 		    fi
 
 		    [ -n "$nonat" ] && \
 			addnatrule $(dnat_chain $source) $proto $multiport \
-			$cli $sports $dports $ratelimit $user -j RETURN
+			$cli $sports $dports $ratelimit $user $mrk -j RETURN
 
 			[ "$logtarget" != NONAT ] && \
 			    run_iptables2 -A $chain $state $proto $multiport $cli $sports \
-			    $dports $ratelimit $user -j $target
+			    $dports $ratelimit $user $mrk -j $target
 		fi
 	    fi
 	else
@@ -4773,37 +4777,37 @@
 	    if [ -n "$addr" ]; then
 		for adr in $(separate_list $addr); do
 		    if [ -n "$loglevel" ]; then
-			log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
+			log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
 				$state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports -m conntrack --ctorigdst $adr)
 		    fi
 
 		    if [ "$logtarget" != LOG ]; then
 			if [ -n "$nonat" ]; then
 			    addnatrule $(dnat_chain $source) $proto $multiport \
-				$cli $sports $dports $ratelimit $user  -m conntrack --ctorigdst $adr -j RETURN
+				$cli $sports $dports $ratelimit $user $mrk  -m conntrack --ctorigdst $adr -j RETURN
 			fi
 
 			if [ "$logtarget" != NONAT ]; then
 			    run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
-				$sports $dports $ratelimit $user  -m conntrack --ctorigdst $adr -j $target
+				$sports $dports $ratelimit $user $mrk  -m conntrack --ctorigdst $adr -j $target
 			fi
 		    fi
 		done
 	    else
 		if [ -n "$loglevel" ]; then
-		    log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user \
+		    log_rule_limit $loglevel $chain $logchain $logtarget "$ratelimit" "$logtag" -A $user $mrk \
 			    $state $(fix_bang $proto $multiport $cli $dest_interface $sports $dports)
 		fi
 
 		if [ "$logtarget" != LOG ]; then
 		    if [ -n "$nonat" ]; then
 			addnatrule $(dnat_chain $source) $proto $multiport \
-			    $cli $sports $dports $ratelimit $user -j RETURN
+			    $cli $sports $dports $ratelimit $user $mrk -j RETURN
 		    fi
 
 		    if [ "$logtarget" != NONAT ]; then
 			run_iptables2 -A $chain $state $proto $multiport $cli $dest_interface \
-			    $sports $dports $ratelimit $user -j $target
+			    $sports $dports $ratelimit $user $mrk -j $target
 		    fi
 		fi
 	    fi
@@ -4812,6 +4816,15 @@
 
     # # # # # F u n c t i o n   B o d y # # # # #
 
+    [ "x$mark" = "x-" ] && mark=
+    if [ -n "$mark" ]; then
+        if [ "$mark" = "${mark%!*}" ]; then
+            mark="-m mark --mark $mark"
+        else
+            mark="-m mark ! --mark ${mark#*!}"
+        fi
+    fi
+
     [ "x$ratelimit" = "x-" ] && ratelimit=
 
     if [ -n "$ratelimit" ]; then
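Review bot: The new MARK value is spliced unquoted into the iptables command lines and into the heredoc written to the generated script with no validation; the only normalisation here is the `!` split, so a malformed entry such as a trailing `!` produces `-m mark ! --mark ` with an empty value, and because `read` assigns the remainder of a line to its last variable, any stray trailing column on a rules line now lands in this field as well. Rejecting anything outside the documented syntax at compile time, before the `-m mark` string is built, reports the offending rule instead of failing when the generated script runs: `case "${mark#!}" in *[!0-9a-fA-Fx/]*|"") fatal_error "Invalid MARK value \"$mark\" in rule \"$rule\"" ;; esac`. `$rule` is assumed to be the same variable the POLICY warning earlier in this function reads; process_rule's body continues outside the hunk.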
@@ -5211,6 +5224,7 @@
                # $7 = address
                # $8 = ratelimit
                # $9 = userspec
+               # $10= mark
 {
     local itarget="$1"
     local param="$2"
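Review bot: The added header comment `# $10= mark` does not match the body, which reads the mark from `${11}`; process_macro takes the macro parameter as `$2`, so every later positional is shifted by one (iaddress is `$8`, iratelimit `$9`, iuserspec `${10}`). The pre-existing `$7`/`$8`/`$9` lines in this header carry the same off-by-one, so the whole list should be renumbered, and at minimum the new line should read `# $11 = mark`. process_macro's header begins before this hunk.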
@@ -5222,6 +5236,7 @@
     local iaddress="$8"
     local iratelimit="$9"
     local iuserspec="${10}"
+    local imark="${11}"
 
     progress_message "..Expanding Macro $(find_file macro.${itarget%%:*})..."
 
@@ -5292,7 +5307,7 @@
 	[ -n "$iuserspec" ]  && [ "x${iuserspec}" != x- ]  && muserspec=$iuserspec
 
 	rule="$mtarget ${mclients=-} ${mservers:=-} ${mprotocol:=-} ${mports:=-} ${mcports:=-} ${xaddress:=-} ${mratelimit:=-} ${muserspec:=-}"
-	process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec
+	process_rule $mtarget $mclients $mservers $mprotocol $mports $mcports ${iaddress:=-} $mratelimit $muserspec $imark
 
     done < $TMP_DIR/macro.${itarget%%:*}
 
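Review bot: The `rule=` string just above the process_rule call omits the mark, while the other `rule=` assignments in this change append `$xmark`, so diagnostics for a rule produced by a macro expansion will not show the MARK column. `$imark` is also the only argument passed without a `:=-` default; when it is empty it drops out of the argument list entirely, which works only because process_rule treats an empty `${10}` and `-` alike. Appending `${imark:=-}` to the `rule=` string and then passing `$imark` keeps both consistent with the neighbouring columns.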
@@ -5320,10 +5335,10 @@
 		    eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
 		    if [ "$ypolicy" != NONE ] ; then
 			if [ "$1" = Yes ]; then
-			    process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
+			    process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
 			else
-			    rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec"
-			    process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
+			    rule="$xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
+			    process_rule $xtarget $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
 			fi
 		    fi
 		fi
@@ -5335,7 +5350,7 @@
     {
 	local intrazone=
 	
-	expandv xprotocol xports xcports xaddress xratelimit xuserspec 
+	expandv xprotocol xports xcports xaddress xratelimit xuserspec xmark
 
 	if [ -z "$SECTIONS" ]; then
 	    finish_section ESTABLISHED,RELATED
@@ -5389,14 +5404,14 @@
 	esac
 
 	if [ "$1" = Yes ]; then
-	    process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
+	    process_macro $xtarget "$xparam" $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
 	else
-	    rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec"
-	    process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
+	    rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
+	    process_rule $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark
 	fi
     }
 
-    while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec; do
+    while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserspec xmark; do
 	expandv xtarget xclients xservers
 
 	if [ "x$xclients" = xnone -o "x$servers" = xnone ]; then
@@ -5467,7 +5482,7 @@
 			    strip_file $f $fn
 			    do_it Yes
 			else
-			    rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec"
+			    rule="$xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec $xmark"
 			    fatal_error "Invalid Action in rule \"$rule\""
 			fi
 		    fi
