Detect ipset V4 and use its syntax
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
000268f50c
commit
04d551d8ca
@ -4517,7 +4517,11 @@ sub ensure_ipset( $ ) {
|
||||
my $set = shift;
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
if ( have_capability 'IPSET_V4' ) {
|
||||
emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet" );
|
||||
} else {
|
||||
emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ iphash" );
|
||||
}
|
||||
} else {
|
||||
emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet6" );
|
||||
}
|
||||
|
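Review bot: All three emitted commands test for the set with `-L $set` but create it with `-N $_`, so the argument passed to ensure_ipset is used for the existence check while the creation depends on whatever `$_` holds in the caller. That works only if every caller invokes the sub with `$_` set to the same name; otherwise the generated script may create a differently named set, or fail to create one, and rules that reference `$set` would then have no set to match. Use `$set` in both places, e.g. `emit ( " qt \$IPSET -L $set -n || \$IPSET -N $set hash:ip family inet" );`, and the same on the `iphash` and `inet6` lines. The sub's signature and closing brace lie outside the hunk.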
@ -433,7 +433,7 @@ sub initialize( $ ) {
|
||||
STATEMATCH => '-m state --state',
|
||||
UNTRACKED => 0,
|
||||
VERSION => "4.4.21-Beta3",
|
||||
CAPVERSION => 40417 ,
|
||||
CAPVERSION => 40421 ,
|
||||
);
|
||||
#
|
||||
# From shorewall.conf file
|
||||
@ -609,6 +609,7 @@ sub initialize( $ ) {
|
||||
OWNER_MATCH => undef,
|
||||
IPSET_MATCH => undef,
|
||||
OLD_IPSET_MATCH => undef,
|
||||
IPSET_V4 => undef,
|
||||
CONNMARK => undef,
|
||||
XCONNMARK => undef,
|
||||
CONNMARK_MATCH => undef,
|
||||
@ -2508,13 +2509,14 @@ sub Old_IPSet_Match() {
|
||||
sub IPSet_Match() {
|
||||
my $ipset = $config{IPSET} || 'ipset';
|
||||
my $result = 0;
|
||||
my $fam = $family == F_IPV4 ? 'inet' : 'inet6';
|
||||
|
||||
$ipset = which $ipset unless $ipset =~ '/';
|
||||
|
||||
if ( $ipset && -x $ipset ) {
|
||||
qt( "$ipset -X $sillyname" );
|
||||
|
||||
if ( qt( "$ipset -N $sillyname iphash" ) ) {
|
||||
if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
|
||||
if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
|
||||
qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
|
||||
$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
|
||||
@ -2529,6 +2531,24 @@ sub IPSet_Match() {
|
||||
$result;
|
||||
}
|
||||
|
||||
sub IPSET_V4() {
|
||||
my $ipset = $config{IPSET} || 'ipset';
|
||||
my $result = 0;
|
||||
|
||||
$ipset = which $ipset unless $ipset =~ '/';
|
||||
|
||||
if ( $ipset && -x $ipset ) {
|
||||
qt( "$ipset -X $sillyname" );
|
||||
|
||||
if ( qt( "$ipset -N $sillyname hash:ip family inet" ) ) {
|
||||
$result = 1;
|
||||
qt( "$ipset -X $sillyname" );
|
||||
}
|
||||
}
|
||||
|
||||
$result;
|
||||
}
|
||||
|
||||
sub Usepkttype() {
|
||||
qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
||||
}
|
||||
|
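Review bot: The new probe sub `IPSET_V4` has no comment, and its name is easy to misread as "ipset for IPv4", particularly since ensure_ipset tests it right next to `$family == F_IPV4`. A header comment such as `# Returns 1 when ipset accepts the V4 create syntax ('hash:ip family ...'), 0 otherwise; unrelated to the IPv4/IPv6 family` would settle that. The all-caps name also differs from the neighbouring probes (`IPSet_Match`, `Old_IPSet_Match`, `Usepkttype`). None of the visible hunks registers the sub anywhere; if this file resolves capability names to probe subs through a table, it needs an entry there for `have_capability 'IPSET_V4'` to reach it.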
@ -29,7 +29,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40407
|
||||
SHOREWALL_CAPVERSION=40417
|
||||
SHOREWALL_CAPVERSION=40421
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||
|
@ -1672,6 +1672,7 @@ determine_capabilities() {
|
||||
OWNER_MATCH=
|
||||
IPSET_MATCH=
|
||||
OLD_IPSET_MATCH=
|
||||
IPSET_V4=
|
||||
CONNMARK=
|
||||
XCONNMARK=
|
||||
CONNMARK_MATCH=
|
||||
@ -1817,7 +1818,16 @@ determine_capabilities() {
|
||||
if qt mywhich ipset; then
|
||||
qt ipset -X $chain # Just in case something went wrong the last time
|
||||
|
||||
if qt ipset -N $chain iphash ; then
|
||||
local have_ipset
|
||||
|
||||
if qt ipset -N $chain hash:ip family inet; then
|
||||
IPSET_V4=Yes
|
||||
have_ipset=Yes
|
||||
elif qt ipset -N $chain iphash ; then
|
||||
have_ipset=Yes
|
||||
fi
|
||||
|
||||
if [ -n "$have_ipset" ]; then
|
||||
if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
|
||||
qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
|
||||
IPSET_MATCH=Yes
|
||||
@ -1932,6 +1942,7 @@ report_capabilities() {
|
||||
report_capability "Header Match" $HEADER_MATCH
|
||||
report_capability "ACCOUNT Target" $ACCOUNT_TARGET
|
||||
report_capability "AUDIT Target" $AUDIT_TARGET
|
||||
report_capability "ipset V4" $IPSET_V4
|
||||
fi
|
||||
|
||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||
|
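Review bot: IPSET_V4 is reset, probed and added to report_capabilities in this file, but no visible hunk adds `report_capability1 IPSET_V4` to report_capabilities1, which the shorewall6 library does receive in this commit. If report_capabilities1 is what writes the capabilities file, a compiler reading that file would presumably see IPSET_V4 as unset and emit the `iphash` form even on a system whose ipset only accepts `hash:ip`; confirm against that function. In the hunk at 1817, `local have_ipset` has no initial value, and some shells (dash) let a `local` inherit the value from the surrounding scope, so `local have_ipset=` is the safer spelling.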
@ -33,7 +33,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40407
|
||||
SHOREWALL_CAPVERSION=40417
|
||||
SHOREWALL_CAPVERSION=40421
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||
|
@ -1499,6 +1499,7 @@ determine_capabilities() {
|
||||
OWNER_MATCH=
|
||||
IPSET_MATCH=
|
||||
OLD_IPSET_MATCH=
|
||||
IPSET_V4=
|
||||
CONNMARK=
|
||||
XCONNMARK=
|
||||
CONNMARK_MATCH=
|
||||
@ -1534,6 +1535,7 @@ determine_capabilities() {
|
||||
HEADER_MATCH=
|
||||
ACCOUNT_TARGET=
|
||||
AUDIT_TARGET=
|
||||
IPSET_V4=
|
||||
|
||||
chain=fooX$$
|
||||
|
||||
@ -1651,7 +1653,8 @@ determine_capabilities() {
|
||||
if qt mywhich ipset; then
|
||||
qt ipset -X $chain # Just in case something went wrong the last time
|
||||
|
||||
if qt ipset -N $chain iphash ; then
|
||||
if qt ipset -N $chain hash:ip family inet6; then
|
||||
IPSET_V4=Yes
|
||||
if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
|
||||
qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
|
||||
IPSET_MATCH=Yes
|
||||
@ -1764,6 +1767,7 @@ report_capabilities() {
|
||||
report_capability "Header Match" $HEADER_MATCH
|
||||
report_capability "ACCOUNT Target" $ACCOUNT_TARGET
|
||||
report_capability "AUDIT Target" $AUDIT_TARGET
|
||||
report_capability "IPSET V4" $IPSET_V4
|
||||
fi
|
||||
|
||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||
@ -1829,6 +1833,7 @@ report_capabilities1() {
|
||||
report_capability1 HEADER_MATCH
|
||||
report_capability1 ACCOUNT_TARGET
|
||||
report_capability1 AUDIT_TARGET
|
||||
report_capability1 IPSET_V4
|
||||
|
||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||
echo KERNELVERSION=$KERNELVERSION
|
||||
|
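Review bot: determine_capabilities now clears `IPSET_V4=` twice, once after OLD_IPSET_MATCH (hunk at 1499) and again after AUDIT_TARGET (hunk at 1534); one reset is enough, and keeping the one beside the other ipset variables matches the IPv4 library. The report label here is `"IPSET V4"` while the IPv4 library prints `"ipset V4"`, so the two products report the same capability under different names. Because this is the IPv6 library, the variable name invites misreading; a comment next to the probe such as `# IPSET_V4: ipset accepts the V4 'hash:ip family ...' syntax; not related to IPv4` would help.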
Loading…
Reference in New Issue
Block a user