I have shorewall 4.6.1.2 (Debian package version 4.6.1.2-1).
I am trying to set marks with "|" and "&" in the tcrules file, and
it doesn't work.
The relevant lines in tcrules look like this:
# "OR" 0x40 into flags for packets to or from address 10.1.2.3,
# provided the connection mark is zero.
|0x40:P 10.1.2.3 0.0.0.0/0 - { test=0:C }
|0x40:T 0.0.0.0/0 10.1.2.3 - { test=0:C }
The relevant lines in the output from /sbin/shorewall trace safe-restart
look like this:
Compiling /etc/shorewall/tcrules...
IN===> |0x40:P 10.1.2.3 0.0.0.0/0 - { test=0:C }
NF-(A)-> mangle:tcpre:1 -A tcpre -s 10.1.2.3 -m
connmark --mark 0/0xff -j MARK --set-mark 0x40
IN===> |0x40:T 0.0.0.0/0 10.1.2.3 - { test=0:C }
NF-(A)-> mangle:tcpost:1 -A tcpost -d 10.1.2.3 -m
connmark --mark 0/0xff -j MARK --set-mark 0x40
WARNING: Non-empty tcrules file (/etc/shorewall/tcrules); consider running
'shorewall update -t' at /usr/share/shorewall/Shorewall/Tc.pm line 3191.
Shorewall::Tc::setup_tc(0) called at
/usr/share/shorewall/Shorewall/Compiler.pm line 796
Shorewall::Compiler::compiler('script',
'/var/lib/shorewall/.restart', 'directory', '',
'verbosity', 1, 'timestamp', 0, 'debug', ...) called at
/usr/share/shorewall/compiler.pl line 152
Note that it is using "--set-mark" instead of "--or-mark". Also, the
message suggests that the tcrules file is deprecated, but the
shorewall-tcrules man page does not appear to say it's deprecated.
I think this is a bug, and line 560 of Shorewall/Tc.pm looks
suspicious:
handle_mark_param('--set-mark' , , HIGHMARK );
handle_mark_param seems to expect the first argument to be false
in the case that AND and OR handling is desired.
--apb (Alan Barrett)
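To make the reported mismatch concrete, the following is an added example (editor's code, not part of the original post or of Shorewall itself): it translates a tcrules MARK column value such as "|0x40:P" into the iptables MARK target arguments the compiler should generate, and simulates what --set-mark versus --or-mark does to a packet that already carries a mark. The ":P" and ":T" chain mapping is taken from the trace output above; treating a missing suffix as tcpre is an assumption.

```python
import re

# Chain designator suffix of the tcrules MARK column -> mangle chain,
# as shown in the trace output (":P" -> tcpre, ":T" -> tcpost).
CHAIN_SUFFIX = {"P": "tcpre", "T": "tcpost"}

# Prefix operator of the MARK column -> iptables MARK target option.
# No prefix means "set", "|" means "or", "&" means "and".
MARK_OPTION = {"": "--set-mark", "|": "--or-mark", "&": "--and-mark"}

_SPEC = re.compile(r"([|&]?)(0x[0-9a-fA-F]+|\d+)(?::([PT]))?")


def mark_target(mark_spec):
    """Return (chain, target_args) for a tcrules MARK column value.

    '|0x40:P' -> ('tcpre', '-j MARK --or-mark 0x40')
    """
    m = _SPEC.fullmatch(mark_spec)
    if not m:
        raise ValueError(f"unsupported mark spec: {mark_spec!r}")
    op, value, suffix = m.groups()
    option = MARK_OPTION[op]
    # Assumption: a MARK value without a chain suffix lands in tcpre.
    chain = CHAIN_SUFFIX.get(suffix, "tcpre")
    return chain, f"-j MARK {option} {int(value, 0):#x}"


def apply_mark(existing, option, value):
    """Simulate the effect of one MARK target invocation on a packet mark.

    --set-mark replaces the whole mark, --or-mark ORs bits in,
    --and-mark keeps only the bits present in value.
    """
    if option == "--set-mark":
        return value
    if option == "--or-mark":
        return existing | value
    if option == "--and-mark":
        return existing & value
    raise ValueError(f"unknown MARK option: {option!r}")


if __name__ == "__main__":
    # A packet already classified with mark 0x03 (constructed value).
    chain, args = mark_target("|0x40:P")
    print(chain, args)
    print(hex(apply_mark(0x03, "--or-mark", 0x40)))   # 0x43: bits preserved
    print(hex(apply_mark(0x03, "--set-mark", 0x40)))  # 0x40: bits clobbered
```

The last two lines show why the wrong option matters: emitting --set-mark in place of --or-mark discards whatever classification bits the packet already carried.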