Add MarkOffsetBits to support the qos-scripts to work together

* The qos-scripts using 8 bits marks (0x01 - 0xff) for their
  classification purpose which it has overlapped with the wifidog
  marks.

  Therefore, MarkOffsetBits should be specified in the config file
  for the proper offset, in this case of the qos-scripts is 8 bits
  and the wifidog mark then left shifted as below,

    0x1  => 0x100
    0x2  => 0x200
    0xfe => 0xfe00

  The default value of MarkOffsetBits is 0 that is no offset.

Author: neutronth

src/conf.c

@@ -101,6 +101,7 @@ typedef enum {
     oSSLPeerVerification,
     oSSLCertPath,
     oSSLAllowedCipherList,
+    oMarkOffsetBits,
 } OpCodes;
 
 /** @internal
@@ -145,6 +146,7 @@ static const struct {
     "sslpeerverification", oSSLPeerVerification}, {
     "sslcertpath", oSSLCertPath}, {
     "sslallowedcipherlist", oSSLAllowedCipherList}, {
+    "markoffsetbits", oMarkOffsetBits}, {
 NULL, oBadOption},};
 
 static void config_notnull(const void *parm, const char *parmname);
@@ -194,6 +196,7 @@ config_init(void)
     config.ssl_verify = DEFAULT_AUTHSERVSSLPEERVER;
     config.ssl_cipher_list = NULL;
     config.arp_table_path = safe_strdup(DEFAULT_ARPTABLE);
+    config.markoffsetbits = DEFAULT_MARKOFFSETBITS;
 
     debugconf.log_stderr = 1;
     debugconf.debuglevel = DEFAULT_DEBUGLEVEL;
@@ -775,6 +778,10 @@ config_read(const char *filename)
                     debug(LOG_WARNING, "SSLAllowedCipherList is set but no SSL compiled in. Ignoring!");
 #endif
                     break;
+                case oMarkOffsetBits:
+                    sscanf(p1, "%u", &config.markoffsetbits);
+                    config.markoffsetbits = config.markoffsetbits > 31 ? 0 : config.markoffsetbits;
+                    break;
                 case oBadOption:
                     /* FALL THROUGH */
                 default:

src/conf.h

@@ -67,6 +67,7 @@
 #define DEFAULT_AUTHSERVSSLPEERVER 1    /* 0 means: Enable peer verification */
 #define DEFAULT_ARPTABLE "/proc/net/arp"
 /*@}*/
+#define DEFAULT_MARKOFFSETBITS 0
 
 /*@{*/
 /** Defines for firewall rule sets. */
@@ -183,6 +184,8 @@ typedef struct {
     t_trusted_mac *trustedmaclist; /**< @brief list of trusted macs */
     char *arp_table_path; /**< @brief Path to custom ARP table, formatted
         like /proc/net/arp */
+    unsigned int markoffsetbits; /**< @brief bits, left shifted mark values
+        for n bits */
 } s_config;
 
 /** @brief Get the current gateway configuration */

src/fw_iptables.c

@@ -287,8 +287,8 @@ iptables_fw_init(void)
     iptables_do_command("-t mangle -I POSTROUTING 1 -o %s -j " CHAIN_INCOMING, config->gw_interface);
 
     for (p = config->trustedmaclist; p != NULL; p = p->next)
-        iptables_do_command("-t mangle -A " CHAIN_TRUSTED " -m mac --mac-source %s -j MARK --set-mark %d", p->mac,
-                            FW_MARK_KNOWN);
+        iptables_do_command("-t mangle -A " CHAIN_TRUSTED " -m mac --mac-source %s -j MARK --set-mark 0x%x", p->mac,
+                            FW_MARK_KNOWN << config->markoffsetbits);
 
     /*
      *
@@ -317,22 +317,32 @@ iptables_fw_init(void)
     if ((proxy_port = config_get_config()->proxy_port) != 0) {
         debug(LOG_DEBUG, "Proxy port set, setting proxy rule");
         iptables_do_command("-t nat -A " CHAIN_TO_INTERNET
-                            " -p tcp --dport 80 -m mark --mark 0x%u -j REDIRECT --to-port %u", FW_MARK_KNOWN,
+                            " -p tcp --dport 80 -m mark --mark 0x%x/0x%x -j REDIRECT --to-port %u",
+                            FW_MARK_KNOWN << config->markoffsetbits,
+                            FW_MARK_KNOWN << config->markoffsetbits,
                             proxy_port);
         iptables_do_command("-t nat -A " CHAIN_TO_INTERNET
-                            " -p tcp --dport 80 -m mark --mark 0x%u -j REDIRECT --to-port %u", FW_MARK_PROBATION,
+                            " -p tcp --dport 80 -m mark --mark 0x%x/0x%x -j REDIRECT --to-port %u",
+                            FW_MARK_PROBATION << config->markoffsetbits,
+                            FW_MARK_PROBATION << config->markoffsetbits,
                             proxy_port);
     }
 
-    iptables_do_command("-t nat -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_KNOWN);
-    iptables_do_command("-t nat -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j ACCEPT", FW_MARK_PROBATION);
+    iptables_do_command("-t nat -A " CHAIN_TO_INTERNET " -m mark --mark 0x%x/0x%x -j ACCEPT",
+                        FW_MARK_KNOWN << config->markoffsetbits,
+                        FW_MARK_KNOWN << config->markoffsetbits);
+    iptables_do_command("-t nat -A " CHAIN_TO_INTERNET " -m mark --mark 0x%x/0x%x -j ACCEPT",
+                        FW_MARK_PROBATION << config->markoffsetbits,
+                        FW_MARK_PROBATION << config->markoffsetbits);
     iptables_do_command("-t nat -A " CHAIN_TO_INTERNET " -j " CHAIN_UNKNOWN);
 
     iptables_do_command("-t nat -A " CHAIN_UNKNOWN " -j " CHAIN_AUTHSERVERS);
     iptables_do_command("-t nat -A " CHAIN_UNKNOWN " -j " CHAIN_GLOBAL);
     if (got_authdown_ruleset) {
         iptables_do_command("-t nat -A " CHAIN_UNKNOWN " -j " CHAIN_AUTH_IS_DOWN);
-        iptables_do_command("-t nat -A " CHAIN_AUTH_IS_DOWN " -m mark --mark 0x%u -j ACCEPT", FW_MARK_AUTH_IS_DOWN);
+        iptables_do_command("-t nat -A " CHAIN_AUTH_IS_DOWN " -m mark --mark 0x%x/0x%x -j ACCEPT",
+                            FW_MARK_AUTH_IS_DOWN << config->markoffsetbits,
+                            FW_MARK_AUTH_IS_DOWN << config->markoffsetbits);
     }
     iptables_do_command("-t nat -A " CHAIN_UNKNOWN " -p tcp --dport 80 -j REDIRECT --to-ports %d", gw_port);
 
@@ -374,22 +384,29 @@ iptables_fw_init(void)
     iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -j " CHAIN_AUTHSERVERS);
     iptables_fw_set_authservers();
 
-    iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_LOCKED, FW_MARK_LOCKED);
+    iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%x/0x%x -j " CHAIN_LOCKED,
+                        FW_MARK_LOCKED << config->markoffsetbits,
+                        FW_MARK_LOCKED << config->markoffsetbits);
     iptables_load_ruleset("filter", FWRULESET_LOCKED_USERS, CHAIN_LOCKED);
 
     iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -j " CHAIN_GLOBAL);
     iptables_load_ruleset("filter", FWRULESET_GLOBAL, CHAIN_GLOBAL);
     iptables_load_ruleset("nat", FWRULESET_GLOBAL, CHAIN_GLOBAL);
 
-    iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_VALIDATE, FW_MARK_PROBATION);
+    iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%x/0x%x -j " CHAIN_VALIDATE,
+                        FW_MARK_PROBATION << config->markoffsetbits,
+                        FW_MARK_PROBATION << config->markoffsetbits);
     iptables_load_ruleset("filter", FWRULESET_VALIDATING_USERS, CHAIN_VALIDATE);
 
-    iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_KNOWN, FW_MARK_KNOWN);
+    iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%x/0x%x -j " CHAIN_KNOWN,
+                        FW_MARK_KNOWN << config->markoffsetbits,
+                        FW_MARK_KNOWN << config->markoffsetbits);
     iptables_load_ruleset("filter", FWRULESET_KNOWN_USERS, CHAIN_KNOWN);
 
     if (got_authdown_ruleset) {
-        iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%u -j " CHAIN_AUTH_IS_DOWN,
-                            FW_MARK_AUTH_IS_DOWN);
+        iptables_do_command("-t filter -A " CHAIN_TO_INTERNET " -m mark --mark 0x%x/0x%x -j " CHAIN_AUTH_IS_DOWN,
+                            FW_MARK_AUTH_IS_DOWN << config->markoffsetbits,
+                            FW_MARK_AUTH_IS_DOWN << config->markoffsetbits);
         iptables_load_ruleset("filter", FWRULESET_AUTH_IS_DOWN, CHAIN_AUTH_IS_DOWN);
     }
 
@@ -554,20 +571,21 @@ iptables_fw_destroy_mention(const char *table, const char *chain, const char *me
 int
 iptables_fw_access(fw_access_t type, const char *ip, const char *mac, int tag)
 {
+    const s_config *config = config_get_config ();
     int rc;
 
     fw_quiet = 0;
 
     switch (type) {
     case FW_ACCESS_ALLOW:
-        iptables_do_command("-t mangle -A " CHAIN_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip,
-                            mac, tag);
+        iptables_do_command("-t mangle -A " CHAIN_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark 0x%x", ip,
+                            mac, tag << config->markoffsetbits);
         rc = iptables_do_command("-t mangle -A " CHAIN_INCOMING " -d %s -j ACCEPT", ip);
         break;
     case FW_ACCESS_DENY:
         /* XXX Add looping to really clear? */
-        iptables_do_command("-t mangle -D " CHAIN_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark %d", ip,
-                            mac, tag);
+        iptables_do_command("-t mangle -D " CHAIN_OUTGOING " -s %s -m mac --mac-source %s -j MARK --set-mark 0x%x", ip,
+                            mac, tag << config->markoffsetbits);
         rc = iptables_do_command("-t mangle -D " CHAIN_INCOMING " -d %s -j ACCEPT", ip);
         break;
     default:
@@ -606,9 +624,11 @@ iptables_fw_access_host(fw_access_t type, const char *host)
 int
 iptables_fw_auth_unreachable(int tag)
 {
+    const s_config *config = config_get_config ();
     int got_authdown_ruleset = NULL == get_ruleset(FWRULESET_AUTH_IS_DOWN) ? 0 : 1;
     if (got_authdown_ruleset)
-        return iptables_do_command("-t mangle -A " CHAIN_AUTH_IS_DOWN " -j MARK --set-mark 0x%u", tag);
+        return iptables_do_command("-t mangle -A " CHAIN_AUTH_IS_DOWN " -j MARK --set-mark 0x%x",
+                                   tag << config->markoffsetbits);
     else
         return 1;
 }