Reply To: Date of a new release



atheling

@fulvio wrote:

Could you post here the new patch so also ppalias can test it?

Bye
Fulvio

I’ve emailed it to him already, but here is the patch for anyone else who wants to try it.

On a Linux/Unix/Macintosh box you should be able to copy the following into a file, get the source files from the Zeroshell Beta 12 release, then run the `patch` utility from the directory that contains `kerbynet.cgi` to update the sources (the paths in the patch are relative to the source root, so `patch -p0 < file` is the form to use).

(Edit: Rebuilt the patch file with `diff -w`, telling diff to ignore white-space changes; if a hunk fails to apply because your copy of the sources is indented differently, `patch -l` makes patch ignore white space when matching context lines.)


Index: kerbynet.cgi/scripts/fw_initrules
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_initrules,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 fw_initrules
--- kerbynet.cgi/scripts/fw_initrules 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/fw_initrules 1 Dec 2009 03:51:40 -0000
@@ -2,13 +2,13 @@
. /etc/kerbynet.conf
CHAIN="$1"
[ -z "$CHAIN" ] && exit 1
CONFIG="$REGISTER/system/net/FW/"
if [ "$CHAIN" == QoS ] ; then
TABLE="-t mangle"
- CH=FORWARD
+ CH=QoS
else
if [ "$CHAIN" == NetBalancer ] ; then
TABLE="-t mangle"
CH=NetBalancer
else
TABLE=""
@@ -23,12 +23,16 @@
iptables -A INPUT -j SYS_INPUT
iptables -A INPUT -p tcp --dport 80 -j SYS_HTTPS
iptables -A INPUT -p tcp --dport 443 -j SYS_HTTPS
iptables -A INPUT -p tcp --dport 22 -j SYS_SSH
fi
[ "$CHAIN" == OUTPUT ] && iptables -A OUTPUT -j SYS_OUTPUT
+ # If we are doing the QoS chain, thenlear any marks left over from
+ # Netbalancing/failover routing. The QoS chain is applied after
+ # routing so there is no conflict.
+ [ "$CHAIN" == "QoS" ] && iptables $TABLE -A $CH -j MARK --set-mark 0x0
if [ -d $CONFIG/Chains/$CHAIN/Rules ] ; then
cd $CONFIG/Chains/$CHAIN/Rules
RULES=`ls`
for RULE in $RULES ; do
ENABLED="`cat $RULE/Enabled 2>/dev/null`"
if [ "$ENABLED" == yes ] ; then
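Review bot: The comment above the new MARK rule is garbled (`thenlear`) and understates what the rule depends on: zeroing the mark is only safe because nb_fw places NB_CT_POST (which saves the routing mark to the connection with CONNMARK) and NB_STAT ahead of the QoS jump in mangle POSTROUTING, and if that ordering changes the per-gateway statistics and saved connection marks silently become zero. I would write it as `# QoS runs from mangle POSTROUTING (see nb_fw), after NB_CT_POST has saved the routing mark to the connection and NB_STAT has counted it, so the leftover mark can be cleared here before the QoS rules set their own.` Note also that, because the chain is now entered from POSTROUTING rather than FORWARD, this zeroing and the QoS rules after it appear to apply to the router's own locally generated traffic as well, which is worth confirming is intended. The `if` on the last line of the hunk continues outside it.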
Index: kerbynet.cgi/scripts/fw_makerule
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_makerule,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 fw_makerule
--- kerbynet.cgi/scripts/fw_makerule 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/fw_makerule 1 Dec 2009 03:32:42 -0000
@@ -4,13 +4,13 @@
RULE="$2"
OPT="$3"
[ -z "$CHAIN" -a -z "$RULE" ] && exit 1
CONFIG="$REGISTER/system/net/FW"
if [ "$CHAIN" = QoS ] ; then
TABLE="-t mangle"
- CH=FORWARD
+ CH=QoS
else
if [ "$CHAIN" = NetBalancer ] ; then
TABLE="-t mangle"
CH=NetBalancer
else
TABLE=""
@@ -411,13 +411,13 @@
iptables $TABLE $IPT $TGT
if [ "$CHAIN" == QoS ] ; then
TGTDSCP=`cat $REGISTER/system/net/QoS/Class/$TARGET/DSCP 2>/dev/null`
if [ -n "$TGTDSCP" ] ; then
iptables $TABLE $IPT -j DSCP --set-dscp $TGTDSCP
fi
- iptables -t mangle -A FORWARD -m mark ! --mark 0 -j ACCEPT
+ iptables -t mangle -A QoS -m mark ! --mark 0 -j ACCEPT
fi
if [ "$CHAIN" == NetBalancer ] ; then
[ "$TARGET" != Auto ] && iptables -t mangle -A NetBalancer -m mark ! --mark 0 -j ACCEPT
fi
fi
fi
Index: kerbynet.cgi/scripts/fw_start
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_start,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 fw_start
--- kerbynet.cgi/scripts/fw_start 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/fw_start 30 Nov 2009 22:10:47 -0000
@@ -10,12 +10,18 @@
iptables -t mangle -F NetBalancer 2>/dev/null
iptables -t mangle -X NetBalancer 2>/dev/null
iptables -t mangle -N NetBalancer 2>/dev/null
iptables -t mangle -F OpenVPN 2>/dev/null
iptables -t mangle -X OpenVPN 2>/dev/null
iptables -t mangle -N OpenVPN 2>/dev/null
+iptables -t mangle -F QoS 2>/dev/null
+iptables -t mangle -X QoS 2>/dev/null
+iptables -t mangle -N QoS 2>/dev/null
+iptables -t mangle -F NB_CT_PRE 2>/dev/null
+iptables -t mangle -X NB_CT_PRE 2>/dev/null
+iptables -t mangle -N NB_CT_PRE 2>/dev/null
[ "$CPGW" == yes ] && iptables -N CapPort
$SCRIPTS/fw_https_chain
$SCRIPTS/fw_ssh_chain
$SCRIPTS/fw_sys_chain
CHAINS=`ls`
for C in $CHAINS ; do
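Review bot: Nothing in this hunk attaches the new QoS and NB_CT_PRE chains to a builtin chain; elsewhere in the patch that happens only in nb_fw (`-I POSTROUTING 1 -j QoS` and `-I PREROUTING 2 ... -j NB_CT_PRE`), so if fw_start can run without nb_fw following it the chains get populated but are never traversed — the caller is not visible from here, so please confirm. Also, once the POSTROUTING jump exists, `iptables -t mangle -X QoS` fails with "chain is referenced" and the failure is hidden by `2>/dev/null`; that is harmless only because the preceding `-F` already emptied the chain, which deserves a comment such as `# -X fails (silently) while POSTROUTING still jumps here; the -F above makes that harmless`. The `for C in $CHAINS` loop on the last line continues outside the hunk.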
Index: kerbynet.cgi/scripts/fw_viewchain
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/fw_viewchain,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 fw_viewchain
--- kerbynet.cgi/scripts/fw_viewchain 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/fw_viewchain 30 Nov 2009 19:30:43 -0000
@@ -1,7 +1,7 @@
#!/bin/sh
. /etc/kerbynet.conf
CHAIN="$1"
[ -z "$CHAIN" ] && exit 1
-[ "$CHAIN" == QoS ] && CHAIN="FORWARD -t mangle"
+[ "$CHAIN" == QoS ] && CHAIN="QoS -t mangle"
[ "$CHAIN" == NetBalancer ] && CHAIN="NetBalancer -t mangle"
iptables -n -v -L $CHAIN
Index: kerbynet.cgi/scripts/nb_fw
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/nb_fw,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 nb_fw
--- kerbynet.cgi/scripts/nb_fw 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/nb_fw 10 Apr 2010 13:44:21 -0000
@@ -1,23 +1,35 @@
#!/bin/sh
. /etc/kerbynet.conf
iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark 2>/dev/null
+iptables -t mangle -D PREROUTING -m state --state NEW -j NB_CT_PRE 2>/dev/null
iptables -t mangle -D PREROUTING -j NetBalancer 2>/dev/null
+iptables -t mangle -D INPUT -m state --state NEW -j NB_CT_POST 2>/dev/null
iptables -t mangle -D INPUT -j NetBalancer 2>/dev/null
+iptables -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null
iptables -t mangle -D OUTPUT -j NetBalancer 2>/dev/null
iptables -t mangle -D OUTPUT -j OpenVPN 2>/dev/null
iptables -t mangle -D POSTROUTING -m state --state NEW -j NB_CT_POST 2>/dev/null
iptables -t mangle -D POSTROUTING -j NB_STAT 2>/dev/null
+# Need QoS to be done in mangle POSTROUTING. Note that if NetBalance
+# is enabled then we will insert those rules/chains first. So any
+# routing marks will be handled before we blow them away with QoS
+# marks.
+iptables -t mangle -D POSTROUTING -j QoS 2>/dev/null
+iptables -t mangle -I POSTROUTING 1 -j QoS 2>/dev/null
if [ "`cat $REGISTER/system/net/nb/Enabled 2>/dev/null`" = yes ] ; then
iptables -t mangle -I PREROUTING 1 -j CONNMARK --restore-mark
- iptables -t mangle -I PREROUTING 2 -j NetBalancer
+ iptables -t mangle -I PREROUTING 2 -m state --state NEW -j NB_CT_PRE 2>/dev/null
+ iptables -t mangle -I PREROUTING 3 -j NetBalancer
+ iptables -t mangle -I INPUT 1 -m state --state NEW -j NB_CT_POST 2>/dev/null
+ iptables -t mangle -I INPUT 2 -j NetBalancer
+ iptables -t mangle -I OUTPUT 1 -j CONNMARK --restore-mark
+ iptables -t mangle -I OUTPUT 2 -j NetBalancer
+ iptables -t mangle -I OUTPUT 3 -j OpenVPN
iptables -t mangle -I POSTROUTING 1 -m state --state NEW -j NB_CT_POST 2>/dev/null
iptables -t mangle -I POSTROUTING 2 -j NB_STAT 2>/dev/null
- iptables -t mangle -I INPUT 1 -j NetBalancer
- iptables -t mangle -I OUTPUT 1 -j NetBalancer
- iptables -t mangle -I OUTPUT 2 -j OpenVPN
fi
$SCRIPTS/nb_vpn 2> /dev/null
$SCRIPTS/nb_setautomarking 2>/dev/null
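Review bot: The new `-I PREROUTING 2 ... -j NB_CT_PRE` and `-I INPUT 1 ... -j NB_CT_POST` lines silence iptables with `2>/dev/null` while the neighbouring inserts do not, so if NB_CT_PRE does not exist yet (fw_start has to create it, and on a box where only nb_fw re-ran after applying this patch it will not) the rule that marks inbound connections arriving on a secondary gateway is silently missing and replies to those connections follow the default route instead of going back out the interface they came in on. I would drop the redirect on those two lines, or at least send the error to the log, so a missing chain is visible. The comment above the QoS jump is also slightly misleading: QoS is inserted first and the NetBalancer rules are then inserted ahead of it at positions 1 and 2, which is what guarantees NB_CT_POST and NB_STAT see the mark before QoS clears it — e.g. `# QoS jump goes in first; when NetBalancer is enabled its NB_CT_POST/NB_STAT rules are inserted ahead of it, so routing marks are saved and counted before QoS overwrites them.`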



Index: kerbynet.cgi/scripts/nb_setautomarking
===================================================================
RCS file: /home/atheling/cvsroot/Zeroshell/Zeroshell/kerbynet.cgi/scripts/nb_setautomarking,v
retrieving revision 1.1.1.1
diff -w -u -6 -r1.1.1.1 nb_setautomarking
--- kerbynet.cgi/scripts/nb_setautomarking 26 Nov 2009 22:13:35 -0000 1.1.1.1
+++ kerbynet.cgi/scripts/nb_setautomarking 4 Dec 2009 03:41:47 -0000
@@ -3,27 +3,56 @@
CONFIG=$REGISTER/system/net/nb/Gateways
cd $CONFIG
function set_gwmark {
xGW="$1"
INTERFACE=`cat $xGW/Interface 2>/dev/null`
IP=`cat $xGW/IP 2>/dev/null`
+ # Set up the pre-routing chain for new connections from this Gateway. We want
+ # to mark all traffic originating from this gateway to be routed back out to the
+ #same gateway.
+
+ # If this Gateway has no interface device defined for it, see if we can get
+ # one based on the next hop IP address
+ if [ "$INTERFACE" == "" ] ; then
+ if [ "$IP" != "" ] ; then
+ INTERFACE=`ip route get $IP | grep -o "dev w*" | awk 'BEGIN {FS=" "}{print $2}'`
+ fi
+ fi
+ # If we have found the interface, then mark all traffic coming in on it to use
+ # it for outbound responses
+ if [ "$INTERFACE" != "" ] ; then
+ if ! iptables -t mangle -L NB_CT_PRE -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
+ [ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_CT_PRE 1 -i $INTERFACE -j MARK --set-mark 1$xGW
+ else
+ [ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_CT_PRE -i $INTERFACE -j MARK --set-mark 1$xGW
+ fi
+ fi
+
+ # In the post routing phase, we want to get the the routing realm used for new
+ # connections and save it in the connection. First setp here is to get the mark
+ # and put it on the packet. Our caller will emit the code to save the marks to
+ # the connection.
if ! iptables -t mangle -L NB_CT_POST -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
[ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_CT_POST 1 -m realm --realm 1$xGW -j MARK --set-mark 1$xGW
else
[ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_CT_POST -m realm --realm 1$xGW -j MARK --set-mark 1$xGW
fi
+
+ # Make the entry in the statistics chain so we can track how much traffic went
+ # over each gateway
if ! iptables -t mangle -L NB_STAT -n | grep -q -w `echo 1$xGW |awk '{printf ("0x%x",$0)}'` ; then
[ "`cat $xGW/Enabled 2>/dev/null`" = yes ] && iptables -t mangle -I NB_STAT 1 -m mark --mark 1$xGW
else
[ "`cat $xGW/Enabled 2>/dev/null`" != yes ] && iptables -t mangle -D NB_STAT -m mark --mark 1$xGW
fi
}
GW="$1"
if [ -z "$GW" ] ; then
GW=`ls -d ?? 2>/dev/null`
iptables -t mangle -F NB_CT_POST
+ iptables -t mangle -F NB_CT_PRE
iptables -t mangle -F NB_STAT
for G in $GW ; do
set_gwmark $G
done
iptables -t mangle -D NB_CT_POST -j CONNMARK --save-mark 2> /dev/null
iptables -t mangle -A NB_CT_POST -j CONNMARK --save-mark
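Review bot: As printed, the interface lookup `grep -o "dev w*"` in set_gwmark matches `dev ` followed by zero or more literal `w` characters, so for a typical `dev eth0` it yields only `dev ` and awk prints an empty second field: INTERFACE stays empty, the `if [ "$INTERFACE" != "" ]` branch is skipped and the NB_CT_PRE mark rule is never installed for a gateway that has no explicit Interface setting. The forum may have eaten a backslash from `\w*`, but a field scan is more robust either way and needs no regex: `INTERFACE=$(ip route get "$IP" | awk '{for (i = 1; i < NF; i++) if ($i == "dev") print $(i+1)}')`. Since INTERFACE and xGW are interpolated unquoted into the iptables command lines, it is also worth quoting them (`-i "$INTERFACE"`) so a stray space cannot turn into extra arguments. The new comments also contain typos (`First setp`, `get the the routing realm`). The `if [ -z "$GW" ]` block at the end of the hunk is not closed within it.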