From 486594fdd0cbbd28cca5049f977896eab41818be Mon Sep 17 00:00:00 2001
From: "bbruns@gmail.com"
Date: Thu, 23 Sep 2010 02:17:08 +0000
Subject: [PATCH] Marking support

---
 ChangeLog | 4 ++++
 bin/firewall-sosdg | 34 +++++++++++++++++++++++++++++++++-
 ipv4-marks | 6 ++++++
 options.default | 2 ++
 4 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 ipv4-marks

diff --git a/ChangeLog b/ChangeLog
index 31c30f4..8070ce2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+0.9.7 - Brielle Bruns - Support for marking packets, uses new config file and
+ IPv4_MARK file option
+
 0.9.6 - Brielle Bruns
 - Minor changes to procedures in planning of 1.0
diff --git a/bin/firewall-sosdg b/bin/firewall-sosdg
index 9e8499c..ab77d07 100755
--- a/bin/firewall-sosdg
+++ b/bin/firewall-sosdg
@@ -18,7 +18,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see .
-FW_VERSION="0.9.6"
+FW_VERSION="0.9.7"
 # These option is here to help pre-1.0 users easily upgrade, defines critical defaults
 # that would otherwise require remaking their options file. I leave this on by default,
@@ -354,6 +354,38 @@ if [ $LANDHCPSERVER ]; then
 fi
+if [ -s "$BASEDIR/include/ipv4_custom_mark" ]; then
+ display_c YELLOW "Loading custom mark rules..."
+ . "$BASEDIR/include/ipv4_custom_mark"
+fi
+
+if [ -r "$IPv4_MARK" ]; then
+ display_c YELLOW "Adding mark: "
+ for i in `grep -v "\#" $IPv4_MARK`; do
+ MARK=( ${i//:/ } )
+ INIF=${MARK[0]}
+ INIP=${MARK[1]}
+ DSTIP=${MARK[2]}
+ IPMARK=${MARK[3]}
+
+ case $INIP in
+ !*) INNEG="!"
+ INIP=${INIP#\!};;
+ esac
+ case $DSTIP in
+ !*) DSTNEG="!"
+ DSTIP=${DSTIP#\!};;
+ esac
+
+ $IPTABLES -t mangle -A PREROUTING -i ${INIF} ${INNEG} -s ${INIP} \
+ ${DSTNEG} -d ${DSTIP} -j MARK --set-mark=${IPMARK}
+ display_c DEFAULT "\t${GREEN}${INNEG}${INIF}:${PURPLE}${INIP}${AQUA}->${BLUE}${DSTNEG}${DSTIP}:${RED}${IPMARK}"
+ unset INNEG DSTNET
+ done
+echo -ne "\n"
+fi
+
+
 if [ -s "$BASEDIR/include/ipv4_custom_nat" ]; then
 display_c YELLOW "Loading custom nat rules..."
diff --git a/ipv4-marks b/ipv4-marks
new file mode 100644
index 0000000..f22b322
--- /dev/null
+++ b/ipv4-marks
@@ -0,0 +1,6 @@
+# IPv4 Packet Marking
+# Used to mark packets for specific routing (or other) purposes
+# incoming-interface:src-range:dst-range:mark-num
+# Use ! before IP/range to negate
+# eth0:192.168.0.0/24:192.168.1.0/24:5
+# ORDER MATTERS!
\ No newline at end of file
diff --git a/options.default b/options.default
index 4fc3347..5470a10 100755
--- a/options.default
+++ b/options.default
@@ -57,6 +57,8 @@ DONTTRACK="127.0.0.1"
 # IP range(s) to forward
 ROUTING=$BASEDIR/ipv4-routing
+# Mark ipv4 packets for advanced purposes
+IPv4_MARK=$BASEDIR/ipv4-marks
 # Hacks to either block specific kinds of attacks or fix problems
 #
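Review bot: `unset INNEG DSTNET` at the end of the loop body misspells DSTNEG, so once any line in the marks file negates its destination, `${DSTNEG}` stays `!` for every later line and those rules are installed as `! -d ${DSTIP}` — marking everything except the configured destination, the opposite of what the config line says — and the `display_c DEFAULT` echo shows the stray `!` too; the fix is `unset INNEG DSTNEG`. The loop also never checks that a line actually produced four fields: `MARK=( ${i//:/ } )` collapses an empty field, so a malformed entry such as one with an empty src-range shifts the remaining fields into the wrong iptables options and installs a rule nobody wrote, while `grep -v "\#"` drops any line containing `#` anywhere rather than only comment lines. A guard before the `case` blocks, `[ ${#MARK[@]} -eq 4 ] || { display_c YELLOW "skipping malformed mark line: $i"; continue; }`, would fail closed on bad input instead of passing it to `$IPTABLES`. Reading the file with a `while IFS= read -r line; do ... done < "$IPv4_MARK"` loop, with a leading-`#` test for comments, would also remove the word splitting of the unquoted backtick expansion.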