From 0a6b091d5a2538eca96e74aaed9d89ade75e1d97 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 12 Jul 2010 09:42:01 -0700 Subject: Remove limiter firewall mark match template There is no way for firewall mark to be useful in limiter policy since limiter is only allowed on ingress. And ingress takes place before firewall rules are applied. --- .../limiter/node.tag/class/node.tag/match/node.tag/mark/node.def | 2 -- 1 file changed, 2 deletions(-) delete mode 100644 templates/traffic-policy/limiter/node.tag/class/node.tag/match/node.tag/mark/node.def diff --git a/templates/traffic-policy/limiter/node.tag/class/node.tag/match/node.tag/mark/node.def b/templates/traffic-policy/limiter/node.tag/class/node.tag/match/node.tag/mark/node.def deleted file mode 100644 index a3a805e..0000000 --- a/templates/traffic-policy/limiter/node.tag/class/node.tag/match/node.tag/mark/node.def +++ /dev/null @@ -1,2 +0,0 @@ -type: u32 -help: Match on mark applied by firewall -- cgit v1.2.3 From 738affa4b8f5adf66c7451f50698fd76651d1f88 Mon Sep 17 00:00:00 2001 From: Stephen Hemminger Date: Mon, 12 Jul 2010 09:44:13 -0700 Subject: Allow firewall mark combined with interface match Bug 5815 Allow match on firewall mark and interface id. Using meta match it is possible to match on both. --- lib/Vyatta/Qos/Match.pm | 40 +++++++++++++++++----------------------- 1 file changed, 17 insertions(+), 23 deletions(-) diff --git a/lib/Vyatta/Qos/Match.pm b/lib/Vyatta/Qos/Match.pm index 839ef43..48e92c3 100644 --- a/lib/Vyatta/Qos/Match.pm +++ b/lib/Vyatta/Qos/Match.pm @@ -24,17 +24,13 @@ sub new { my ( $that, $config ) = @_; my $self = {}; my $class = ref($that) || $that; - my %filter; + my $ptype; bless $self, $class; foreach my $proto (qw(ip ipv6 ether)) { next unless $config->exists($proto); - foreach my $t (qw(vif dev)) { - die "can not match on $proto and $t\n" if $config->exists($t); - } - my %fields; if ( $proto eq 'ether' ) { 
@@ -55,11 +51,10 @@ sub new { $self->{$proto} = \%fields; - my $other = $filter{'protocol'}; + my $other = $ptype; die "Can not match on both $proto and $other protocol in same match\n" if $other; - - $filter{'protocol'} = $proto; + $ptype = $other; } my $vif = $config->returnValue("vif"); @@ -67,17 +62,18 @@ sub new { my $iif = $config->returnValue("interface"); $self->{_indev} = getIfIndex($iif); - $filter{'interface'} = 1 if defined($vif) | defined($iif); my $fwmark = $config->returnValue("mark"); $self->{_fwmark} = $fwmark; - $filter{'mark'} = 1 if $fwmark; - # Firewall mark, packet contents, and meta data use different - # tc filters - my @filters = (keys %filter); - die "Can not combine match on both ", join(' and ',@filters), "\n" - if $#filters > 0; + if ($ptype) { + die "Can not combine protocol and firewall mark match\n" + if ($fwmark); + die "Can not combine protocol and vlan tag match\n" + if ($vif); + die "Can not combine protocol and interface match\n" + if ($iif); + } return $self; } @@ -148,14 +144,6 @@ sub filter { } my $fwmark = $self->{_fwmark}; - if ( $fwmark ) { - printf "filter add dev %s parent %x: prio %d", $dev, $parent, $prio; - printf " protocol all handle %d fw", $fwmark; - print " $police" if $police; - printf " flowid %x:%x\n", $parent, $classid; - return; - } - my $indev = $self->{_indev}; my $vif = $self->{_vif}; if ( defined($vif) || defined($indev) ) { @@ -163,7 +151,13 @@ sub filter { print " protocol all basic"; print " match meta\(rt_iif eq $indev\)" if $indev; print " match meta\(vlan mask 0xfff eq $vif\)" if $vif; + print " match meta\(fw_mark eq $fwmark\)" if $fwmark; + print " $police" if $police; + printf " flowid %x:%x\n", $parent, $classid; + } elsif ( $fwmark ) { + printf "filter add dev %s parent %x: prio %d", $dev, $parent, $prio; + printf " protocol all handle %d fw", $fwmark; print " $police" if $police; printf " flowid %x:%x\n", $parent, $classid; } -- cgit v1.2.3
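Review bot: `$ptype = $other;` at the end of the `foreach my $proto` loop stores the value that was just tested and found false, so `$ptype` never records which protocol was seen; the line it replaces stored `$proto`. As written, the "Can not match on both $proto and $other protocol" check cannot fire. The `if ($ptype) { ... }` block added in the `-67,17` hunk is also never entered, so a match combining a protocol with mark, vif or interface is accepted without an error. The assignment should read `$ptype = $proto;`. The loop and `new` itself begin outside this hunk.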
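Review bot: The `if ($ptype)` block in the `-67,17` hunk has no comment explaining why a protocol match may not be combined with the other three, and the commit deletes the only comment that did ("Firewall mark, packet contents, and meta data use different tc filters"). Mark, vlan and interface can now share one filter, so the rationale has narrowed rather than disappeared. A replacement above the block would keep it visible: `# Packet-content (protocol) matches use a different tc filter than mark/vlan/interface matches, so they cannot share one match`. `new` starts outside this hunk.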
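Review bot: The new `fw_mark` clause in the `-163,7` hunk interpolates `$fwmark` into the generated filter line as a raw string, whereas the `elsif ( $fwmark )` branch added just below formats the same value with `%d`. This output is presumably consumed by tc, so formatting the mark as a number in both places keeps a non-numeric configuration value from contributing extra tokens to the command: `printf " match meta\(fw_mark eq %d\)", $fwmark if $fwmark;`. The neighbouring `$indev` and `$vif` lines have the same shape but are unchanged context. The `if ( defined($vif) || defined($indev) )` block opens outside the hunk.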