Make the migration to the xtables-addons version of IPP2P transparent for Shorewall-perl users

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9261 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-01-09 18:24:22 +00:00
parent 407eb2124a
commit 13748eb0e7
5 changed files with 53 additions and 14 deletions


@ -35,7 +35,7 @@
# #
SHOREWALL_LIBVERSION=40000 SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40203 SHOREWALL_CAPVERSION=40205
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -1063,6 +1063,7 @@ determine_capabilities() {
XCONNMARK_MATCH= XCONNMARK_MATCH=
RAW_TABLE= RAW_TABLE=
IPP2P_MATCH= IPP2P_MATCH=
OLD_IPP2P_MATCH=
LENGTH_MATCH= LENGTH_MATCH=
CLASSIFY_TARGET= CLASSIFY_TARGET=
ENHANCED_REJECT= ENHANCED_REJECT=
@ -1151,6 +1152,10 @@ determine_capabilities() {
fi fi
qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
if [ -n "$IPP2P_MATCH" ]; then
qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
fi
qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
@ -1245,6 +1250,7 @@ report_capabilities() {
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
report_capability "Raw Table" $RAW_TABLE report_capability "Raw Table" $RAW_TABLE
report_capability "IPP2P Match" $IPP2P_MATCH report_capability "IPP2P Match" $IPP2P_MATCH
[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match" $OLD_IPP2P_MATCH
report_capability "CLASSIFY Target" $CLASSIFY_TARGET report_capability "CLASSIFY Target" $CLASSIFY_TARGET
report_capability "Extended REJECT" $ENHANCED_REJECT report_capability "Extended REJECT" $ENHANCED_REJECT
report_capability "Repeat match" $KLUDGEFREE report_capability "Repeat match" $KLUDGEFREE
@ -1298,6 +1304,7 @@ report_capabilities1() {
report_capability1 XCONNMARK_MATCH report_capability1 XCONNMARK_MATCH
report_capability1 RAW_TABLE report_capability1 RAW_TABLE
report_capability1 IPP2P_MATCH report_capability1 IPP2P_MATCH
report_capability1 OLD_IPP2P_MATCH
report_capability1 CLASSIFY_TARGET report_capability1 CLASSIFY_TARGET
report_capability1 ENHANCED_REJECT report_capability1 ENHANCED_REJECT
report_capability1 KLUDGEFREE report_capability1 KLUDGEFREE
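Review bot: Nothing in the visible lines says what `OLD_IPP2P_MATCH` stands for, and the report label "Old IPP2P Match" is no clearer to someone reading `shorewall show capabilities` output. A short comment above the new probe in determine_capabilities() would help, for example `# OLD_IPP2P_MATCH: the installed ipp2p match still accepts --ipp2p (the xtables-addons version does not)`. The same comment belongs on the matching `qt1` probe added to the Perl determine_capabilities in this commit. Both functions start and end outside the hunks shown.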


@ -1289,8 +1289,16 @@ sub do_proto( $$$ )
my $p = $2 ? lc $3 : 'tcp'; my $p = $2 ? lc $3 : 'tcp';
require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' ); require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
$proto = '-p ' . proto_name($p) . ' '; $proto = '-p ' . proto_name($p) . ' ';
$ports = 'ipp2p' unless $ports;
$output .= "${proto}-m ipp2p --$ports "; my $options = '';
if ( $ports ) {
$options .= " --$_" for split /,/, $ports;
} else {
$options = $capabilities{OLD_IPP2P_MATCH} ? '--ipp2p' : '--edk --kazza --gnu --dc';
}
$output .= "${proto}-m ipp2p${options} ";
} else { } else {
fatal_error "Invalid/Unknown protocol ($proto)" fatal_error "Invalid/Unknown protocol ($proto)"
} }
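Review bot: In the `else` branch the default option string has no leading space, so `"${proto}-m ipp2p${options} "` produces `-m ipp2p--ipp2p` (or `-m ipp2p--edk ...`), which iptables should reject; the `if` branch is fine because every token is prefixed with ` --`. The assignment should read `$options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc';`, and note that the KaZaA option is, as far as I know, spelled `--kazaa` rather than `--kazza`, so confirm it against `iptables -m ipp2p --help`. Each comma-separated token from the PORT(S) column is also emitted as `--$_` unchecked in the visible lines, so a mistyped entry only surfaces as a failed iptables command; unless validation happens outside this hunk, checking tokens against the known ipp2p option names and calling `fatal_error` would catch it at compile time. That check is also where an explicit `ipp2p` could be replaced by the option list as the documentation in this commit promises, which the visible code does not do. do_proto starts and ends outside the hunk.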


@ -300,7 +300,7 @@ sub initialize( $ ) {
TC_SCRIPT => '', TC_SCRIPT => '',
EXPORT => 0, EXPORT => 0,
VERSION => "4.2.4", VERSION => "4.2.4",
CAPVERSION => 40203 , CAPVERSION => 40205 ,
); );
# #
# From shorewall.conf file # From shorewall.conf file
@ -547,6 +547,7 @@ sub initialize( $ ) {
XCONNMARK_MATCH => undef, XCONNMARK_MATCH => undef,
RAW_TABLE => undef, RAW_TABLE => undef,
IPP2P_MATCH => undef, IPP2P_MATCH => undef,
OLD_IPP2P_MATCH => undef,
CLASSIFY_TARGET => undef, CLASSIFY_TARGET => undef,
ENHANCED_REJECT => undef, ENHANCED_REJECT => undef,
KLUDGEFREE => undef, KLUDGEFREE => undef,
@ -1769,6 +1770,7 @@ sub determine_capabilities( $ ) {
} }
$capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" ); $capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
$capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
$capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" ); $capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" ); $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) ); $capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );


@ -77,14 +77,32 @@
</simplelist> </simplelist>
<para>When the PROTO or PROTOCOL column contains "ipp2p" then the DEST <para>When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
PORT(S) or PORT(S) column may contain a recognized ipp2p option; for a PORT(S) or PORT(S) column may contain a recognized ipp2p option
list of the options and their meaning, at a root prompt type:</para> (Shorewall-perl 4.2.5 and later accepts a list of options); for a list of
the options and their meaning, at a root prompt type:</para>
<programlisting><command>iptables -m ipp2p --help</command></programlisting> <programlisting><command>iptables -m ipp2p --help</command></programlisting>
<para>You must not include the leading "--" on the option; Shorewall will <para>You must not include the leading "--" on the option; Shorewall will
supply those characters for you. If you do not include an option then supply those characters for you. If you do not include an option
"ipp2p" is assumed (Shorewall will generate "-m ipp2p --ipp2p").</para> then:</para>
<itemizedlist>
<listitem>
<para>Shorewall-shell and Shorewall-perl up through 4.2.4 will assume
"ipp2p". Note that the xtables version of IPP2P does not support this
option.</para>
</listitem>
<listitem>
<para>Shorewall-perl 4.2.5 and later will assume "ipp2p" if that
option is supported by the installed iptables/Netfilter. Otherwise, it
will assume "edk,kazza,gnu,dc"</para>
</listitem>
</itemizedlist>
<para>If 'ipp2p' is specified, Shorewall-perl 4.2.5 and later will
substitute "edk,kazza,gnu,dc".</para>
</section> </section>
<section id="Example"> <section id="Example">


@ -231,12 +231,16 @@
role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term> role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
<listitem> <listitem>
<para>Added in Shorewall-perl 4.2.5. Indicates that a balanced <para>Added in Shorewall-perl 4.2.5. Indicates that a default
default route through the provider should be added to the route through the provider should be added to the default
default routing table (table 253). The route is added with a routing table (table 253). If a
weight equal to the specified <replaceable>weight</replaceable> is given, a balanced route
<replaceable>weight</replaceable> (default 1). The option is is added with the weight of this provider equal to the
ignored with a warning message if USE_DEFAULT_RT=Yes in specified <replaceable>weight</replaceable>. If the option is
given without a <replaceable>weight</replaceable>, an separate
default route is added through the provider's gateway; the
route has a metric equal to the provider's NUMBER. The option
is ignored with a warning message if USE_DEFAULT_RT=Yes in
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>