In order to use the highest two bits for Suricata bypass, we need to make sure that whenever we compare any other marks, we only look at the bits that belong to that mark and ignore everything else.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org --- config/firewall/rules.pl | 11 +++++++---- src/initscripts/system/firewall | 8 +++++--- 2 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 0dd1c9024..9d280045a 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -55,6 +55,9 @@ my @PRIVATE_NETWORKS = (
 "100.64.0.0/10",
 );
+# MARK masks
+my $NAT_MASK = 0x0f000000;
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
@@ -829,10 +832,8 @@ sub add_dnat_mangle_rules {
 my $interface = shift;
 my @options = @_;
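Review bot: The new `$NAT_MASK` is added without saying which bits it reserves or that `src/initscripts/system/firewall` carries the identical literal, so the two copies can drift apart without anyone noticing. I would expand the comment on the added line to something like `# MARK masks: bits 24-27 carry the DNAT source-zone mark (0x01/0x02/0x04 << 24 for GREEN/BLUE/ORANGE); must stay identical to NAT_MASK in src/initscripts/system/firewall`. The commit message says the top two bits are being set aside for Suricata bypass; if that is the plan, recording that reservation next to this mask would keep future mark users out of both ranges.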
- my $mark = 0;
+ my $mark = 0x01000000;
 foreach my $zone ("GREEN", "BLUE", "ORANGE") {
- $mark++;
-
 # Skip rule if not all required information exists.
 next unless (exists $defaultNetworks{$zone . "_NETADDRESS"});
 next unless (exists $defaultNetworks{$zone . "_NETMASK"});
@@ -845,9 +846,11 @@ sub add_dnat_mangle_rules {
 $netaddress .= "/" . $defaultNetworks{$zone . "_NETMASK"};
 push(@mangle_options, ("-s", $netaddress, "-d", $nat_address));
- push(@mangle_options, ("-j", "MARK", "--set-mark", $mark));
+ push(@mangle_options, ("-j", "MARK", "--set-xmark", "$mark/$NAT_MASK"));
 run("$IPTABLES -t mangle -A $CHAIN_MANGLE_NAT_DESTINATION_FIX @mangle_options");
+
+ $mark <<= 1;
 }
 }
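Review bot: Moving the increment to the end of the loop body (`$mark <<= 1;`) changes the zone-to-mark mapping whenever a zone is skipped: the `next unless (exists $defaultNetworks{...})` checks in the previous hunk jump straight to the next iteration without shifting, so with GREEN configured and BLUE absent, ORANGE now gets 0x02000000 instead of 0x04000000, while the initscript matches ORANGE on a fixed `0x04000000/${NAT_MASK}` and no SNAT rule fires. The old `$mark++` ran before the checks and did not have this problem. The simplest robust fix is to make the mark a property of the zone rather than of the loop position, which also makes the values visibly match the three literals in the initscript; the lines between the two hunks (remaining checks and address computation) are not visible here, and add_dnat_mangle_rules starts before the first hunk.
```perl
my %zone_mark = (GREEN => 0x01000000, BLUE => 0x02000000, ORANGE => 0x04000000);
foreach my $zone ("GREEN", "BLUE", "ORANGE") {
    my $mark = $zone_mark{$zone};
    # … unchanged: next-unless checks, address computation, push/run …
}
```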
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index baa39abe1..9d023a349 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -12,6 +12,8 @@ if [ -f /var/ipfire/red/device ]; then
 DEVICE=`/bin/cat /var/ipfire/red/device 2> /dev/null | /usr/bin/tr -d '\012'`
 fi
+NAT_MASK="0x0f000000"
+
 function iptables() {
 /sbin/iptables --wait "$@"
 }
@@ -282,17 +284,17 @@ iptables_init() {
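Review bot: `NAT_MASK` is a script-wide constant that must agree bit-for-bit with `$NAT_MASK` in `config/firewall/rules.pl`, but nothing on the added line says so and nothing stops a later assignment from changing it. I would declare it `readonly NAT_MASK="0x0f000000"` and precede it with `# Mark bits used for the DNAT source-zone fix; must match $NAT_MASK in config/firewall/rules.pl`, so a reader of either file is pointed at the other.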
 if [ -n "${GREEN_ADDRESS}" ]; then
 iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 1 -j SNAT --to-source "${GREEN_ADDRESS}"
+ -m mark --mark "0x01000000/${NAT_MASK}" -j SNAT --to-source "${GREEN_ADDRESS}"
 fi
 if [ -n "${BLUE_ADDRESS}" ]; then
 iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 2 -j SNAT --to-source "${BLUE_ADDRESS}"
+ -m mark --mark "0x02000000/${NAT_MASK}" -j SNAT --to-source "${BLUE_ADDRESS}"
 fi
 if [ -n "${ORANGE_ADDRESS}" ]; then
 iptables -t nat -A NAT_DESTINATION_FIX \
- -m mark --mark 3 -j SNAT --to-source "${ORANGE_ADDRESS}"
+ -m mark --mark "0x04000000/${NAT_MASK}" -j SNAT --to-source "${ORANGE_ADDRESS}"
 fi
# RED chain, used for the red interface
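Review bot: The three `--mark` lines each hard-code a per-zone literal (`0x01000000`, `0x02000000`, `0x04000000`) whose correctness depends on the shift order inside add_dnat_mangle_rules in rules.pl, and only `NAT_MASK` was given a name. Defining the zone values once next to the mask, `GREEN_MARK="0x01000000"`, `BLUE_MARK="0x02000000"`, `ORANGE_MARK="0x04000000"`, and writing `--mark "${GREEN_MARK}/${NAT_MASK}"` (and likewise for BLUE and ORANGE) puts the whole mark layout in one place and makes a future renumbering a three-line change. iptables_init begins before this hunk and continues after it.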