From 11fa1bc259615ffa2847e82993494e1a3cd008c9 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 8 Oct 2008 21:30:05 +0000
Subject: [PATCH] Allow Shorewall to work with iptables 1.4.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8762 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Chains.pm | 2 +-
 Shorewall-perl/Shorewall/Config.pm | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm
index 7f593ce65..463804c5f 100644
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@@ -1508,7 +1508,7 @@ sub match_orig_dest ( $ ) {
 
     if ( $net =~ s/^!// ) {
         validate_net $net, 1;
-        "-m conntrack --ctorigdst ! $net ";
+        $capabilities{NEW_CONNTRACK_MATCH} ? "-m conntrack ! --ctorigdst $net " : "-m conntrack --ctorigdst ! $net ";
     } else {
         validate_net $net, 1;
         $net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net ";
diff --git a/Shorewall-perl/Shorewall/Config.pm b/Shorewall-perl/Shorewall/Config.pm
index 0877c68e3..5d5a0144f 100644
--- a/Shorewall-perl/Shorewall/Config.pm
+++ b/Shorewall-perl/Shorewall/Config.pm
@@ -177,6 +177,8 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
                  MULTIPORT => 'Multi-port Match' ,
                  XMULTIPORT => 'Extended Multi-port Match',
                  CONNTRACK_MATCH => 'Connection Tracking Match',
+                 NEW_CONNTRACK_MATCH =>
+                 'New Connection Tracking Match syntax',
                  USEPKTTYPE => 'Packet Type Match',
                  POLICY_MATCH => 'Policy Match',
                  PHYSDEV_MATCH => 'Physdev Match',
@@ -385,6 +387,7 @@ sub initialize() {
                      MULTIPORT => undef,
                      XMULTIPORT => undef,
                      CONNTRACK_MATCH => undef,
+                     NEW_CONNTRACK_MATCH => undef,
                      USEPKTTYPE => undef,
                      POLICY_MATCH => undef,
                      PHYSDEV_MATCH => undef,
@@ -1551,6 +1554,10 @@ sub determine_capabilities( $ ) {
     qt1( "$iptables -N $sillyname" );
 
     $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
+
+    if ( $capabilities{CONNTRACL_MATCH} ) {
+        $capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT" );
+    }
 
     if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
         $capabilities{MULTIPORT} = 1;
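Review bot: The guard on the added `if` reads `$capabilities{CONNTRACL_MATCH}` (L for K), a key that `initialize()` never sets; a bareword inside hash braces is a legal key, so nothing flags it, the lookup yields undef, the inner probe never runs, and `NEW_CONNTRACK_MATCH` stays undef — `match_orig_dest` in Chains.pm will therefore keep emitting the old `--ctorigdst ! $net` form on iptables 1.4.1, which is exactly the case this commit sets out to handle. The line should read `if ( $capabilities{CONNTRACK_MATCH} ) {`. Since `initialize()` already enumerates every capability key (see the `NEW_CONNTRACK_MATCH => undef` hunk), calling `Hash::Util::lock_keys( %capabilities )` after that initialisation would turn a typo like this into a fatal error at the first probe instead of a silent detection miss. The probe appends a rule to `$sillyname`, which I assume is flushed and deleted later in the function; that cleanup and the rest of `determine_capabilities` lie outside this hunk.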