Detect ipset V4 and use its syntax

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-06-22 16:43:42 -07:00
parent 000268f50c
commit 04d551d8ca
6 changed files with 47 additions and 7 deletions


@ -4517,7 +4517,11 @@ sub ensure_ipset( $ ) {
my $set = shift;
if ( $family == F_IPV4 ) {
emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ iphash" );
if ( have_capability 'IPSET_V4' ) {
emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet" );
} else {
emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ iphash" );
}
} else {
emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet6" );
}
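Review bot: Both added `emit` lines in the `F_IPV4` branch test for the set with `-L $set` but create it with `-N $_`, so the generated script only creates the right set if `$_` happens to hold the same name as the argument at every call site. The `inet6` line has the same mismatch, and the commit carries the pattern forward from the old `iphash` line; using the lexical throughout, e.g. `emit ( " qt \$IPSET -L $set -n || \$IPSET -N $set hash:ip family inet" );`, removes the dependency on the caller. The set name is also interpolated unquoted into the generated shell line, so it is worth confirming that set names are validated before they reach `ensure_ipset`. The function's closing brace lies outside the hunk.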


@ -433,7 +433,7 @@ sub initialize( $ ) {
STATEMATCH => '-m state --state',
UNTRACKED => 0,
VERSION => "4.4.21-Beta3",
CAPVERSION => 40417 ,
CAPVERSION => 40421 ,
);
#
# From shorewall.conf file
@ -609,6 +609,7 @@ sub initialize( $ ) {
OWNER_MATCH => undef,
IPSET_MATCH => undef,
OLD_IPSET_MATCH => undef,
IPSET_V4 => undef,
CONNMARK => undef,
XCONNMARK => undef,
CONNMARK_MATCH => undef,
@ -2508,13 +2509,14 @@ sub Old_IPSet_Match() {
sub IPSet_Match() {
my $ipset = $config{IPSET} || 'ipset';
my $result = 0;
my $fam = $family == F_IPV4 ? 'inet' : 'inet6';
$ipset = which $ipset unless $ipset =~ '/';
if ( $ipset && -x $ipset ) {
qt( "$ipset -X $sillyname" );
if ( qt( "$ipset -N $sillyname iphash" ) ) {
if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
@ -2529,6 +2531,24 @@ sub IPSet_Match() {
$result;
}
sub IPSET_V4() {
my $ipset = $config{IPSET} || 'ipset';
my $result = 0;
$ipset = which $ipset unless $ipset =~ '/';
if ( $ipset && -x $ipset ) {
qt( "$ipset -X $sillyname" );
if ( qt( "$ipset -N $sillyname hash:ip family inet" ) ) {
$result = 1;
qt( "$ipset -X $sillyname" );
}
}
$result;
}
sub Usepkttype() {
qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
}
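Review bot: Nothing in the hunks shown for this file connects the new `IPSET_V4` sub to the code that resolves a capability name to its probe, while `ensure_ipset` now calls `have_capability 'IPSET_V4'`. The only other references added here are the `IPSET_V4 => undef` slot and the `CAPVERSION` bump, so unless the registration lives in lines outside this diff, the lookup for `IPSET_V4` presumably has no probe to run. The sub also repeats the `$config{IPSET}` / `which` / `-x` resolution from `IPSet_Match`, which could be shared. A short comment above it, such as `# True if ipset accepts the 'hash:ip family inet' type syntax`, would state what the probe establishes.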


@ -29,7 +29,7 @@
#
SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40417
SHOREWALL_CAPVERSION=40421
[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]


@ -1672,6 +1672,7 @@ determine_capabilities() {
OWNER_MATCH=
IPSET_MATCH=
OLD_IPSET_MATCH=
IPSET_V4=
CONNMARK=
XCONNMARK=
CONNMARK_MATCH=
@ -1817,7 +1818,16 @@ determine_capabilities() {
if qt mywhich ipset; then
qt ipset -X $chain # Just in case something went wrong the last time
if qt ipset -N $chain iphash ; then
local have_ipset
if qt ipset -N $chain hash:ip family inet; then
IPSET_V4=Yes
have_ipset=Yes
elif qt ipset -N $chain iphash ; then
have_ipset=Yes
fi
if [ -n "$have_ipset" ]; then
if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
IPSET_MATCH=Yes
@ -1932,6 +1942,7 @@ report_capabilities() {
report_capability "Header Match" $HEADER_MATCH
report_capability "ACCOUNT Target" $ACCOUNT_TARGET
report_capability "AUDIT Target" $AUDIT_TARGET
report_capability "ipset V4" $IPSET_V4
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
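Review bot: This file gains `report_capability "ipset V4" $IPSET_V4` in `report_capabilities`, but no hunk adds the matching `report_capability1 IPSET_V4` to `report_capabilities1`, which the shorewall6 copy of this library does receive in the same commit. If that omission is real, the NAME=value output produced from this library would lack an `IPSET_V4` entry even though the commit raises `SHOREWALL_CAPVERSION` to 40421. The label also differs from the shorewall6 one (`"ipset V4"` here, `"IPSET V4"` there); one spelling for both would keep the two reports comparable. `determine_capabilities` and `report_capabilities` both extend beyond the hunks.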


@ -33,7 +33,7 @@
#
SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40417
SHOREWALL_CAPVERSION=40421
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]


@ -1499,6 +1499,7 @@ determine_capabilities() {
OWNER_MATCH=
IPSET_MATCH=
OLD_IPSET_MATCH=
IPSET_V4=
CONNMARK=
XCONNMARK=
CONNMARK_MATCH=
@ -1534,6 +1535,7 @@ determine_capabilities() {
HEADER_MATCH=
ACCOUNT_TARGET=
AUDIT_TARGET=
IPSET_V4=
chain=fooX$$
@ -1651,7 +1653,8 @@ determine_capabilities() {
if qt mywhich ipset; then
qt ipset -X $chain # Just in case something went wrong the last time
if qt ipset -N $chain iphash ; then
if qt ipset -N $chain hash:ip family inet6; then
IPSET_V4=Yes
if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
IPSET_MATCH=Yes
@ -1764,6 +1767,7 @@ report_capabilities() {
report_capability "Header Match" $HEADER_MATCH
report_capability "ACCOUNT Target" $ACCOUNT_TARGET
report_capability "AUDIT Target" $AUDIT_TARGET
report_capability "IPSET V4" $IPSET_V4
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1829,6 +1833,7 @@ report_capabilities1() {
report_capability1 HEADER_MATCH
report_capability1 ACCOUNT_TARGET
report_capability1 AUDIT_TARGET
report_capability1 IPSET_V4
echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION
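Review bot: `IPSET_V4=` is now cleared twice in `determine_capabilities`, once after `OLD_IPSET_MATCH=` and again after `AUDIT_TARGET=`; the second assignment is redundant and can be dropped. In the probe hunk the `iphash` test is replaced outright by `hash:ip family inet6`, so a host whose ipset rejects that syntax ends with `IPSET_MATCH` empty, unlike the IPv4 library, which keeps an `iphash` fallback. If that is intended, a comment on the probe such as `# no iphash fallback: IPv6 sets require the 'hash:ip family inet6' syntax` would record the decision. The function continues outside these hunks.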