Make the migration to the xtables-addons version of IPP2P transparent for Shorewall-perl users
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9261 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
407eb2124a
commit
13748eb0e7
@ -35,7 +35,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40000
|
SHOREWALL_LIBVERSION=40000
|
||||||
SHOREWALL_CAPVERSION=40203
|
SHOREWALL_CAPVERSION=40205
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||||
@ -1063,6 +1063,7 @@ determine_capabilities() {
|
|||||||
XCONNMARK_MATCH=
|
XCONNMARK_MATCH=
|
||||||
RAW_TABLE=
|
RAW_TABLE=
|
||||||
IPP2P_MATCH=
|
IPP2P_MATCH=
|
||||||
|
OLD_IPP2P_MATCH=
|
||||||
LENGTH_MATCH=
|
LENGTH_MATCH=
|
||||||
CLASSIFY_TARGET=
|
CLASSIFY_TARGET=
|
||||||
ENHANCED_REJECT=
|
ENHANCED_REJECT=
|
||||||
@ -1151,6 +1152,10 @@ determine_capabilities() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
|
qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT && IPP2P_MATCH=Yes
|
||||||
|
if [ -n "$IPP2P_MATCH" ]; then
|
||||||
|
qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
|
||||||
|
fi
|
||||||
|
|
||||||
qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
|
qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
|
||||||
qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
|
qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
|
||||||
|
|
||||||
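Review bot: The added `if [ -n "$IPP2P_MATCH" ]` block probes `--ipp2p` without a comment saying why a second probe is needed once `--edk` has already succeeded; the reason (the xtables-addons IPP2P match does not accept `--ipp2p`, as the documentation hunk in this commit states) is otherwise recorded only in the commit title. A one-line comment above the block would spare the next reader a trip through the history: `# xtables-addons IPP2P dropped the bare --ipp2p option; record separately whether the legacy module is installed`. The same comment is missing from the equivalent `OLD_IPP2P_MATCH` probe in the Perl `determine_capabilities` hunk (`@ -1769`). Both probes sit inside `determine_capabilities`, whose body begins and ends outside the hunk.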
@ -1245,6 +1250,7 @@ report_capabilities() {
|
|||||||
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
|
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
|
||||||
report_capability "Raw Table" $RAW_TABLE
|
report_capability "Raw Table" $RAW_TABLE
|
||||||
report_capability "IPP2P Match" $IPP2P_MATCH
|
report_capability "IPP2P Match" $IPP2P_MATCH
|
||||||
|
[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match" $OLD_IPP2P_MATCH
|
||||||
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||||
report_capability "Extended REJECT" $ENHANCED_REJECT
|
report_capability "Extended REJECT" $ENHANCED_REJECT
|
||||||
report_capability "Repeat match" $KLUDGEFREE
|
report_capability "Repeat match" $KLUDGEFREE
|
||||||
@ -1298,6 +1304,7 @@ report_capabilities1() {
|
|||||||
report_capability1 XCONNMARK_MATCH
|
report_capability1 XCONNMARK_MATCH
|
||||||
report_capability1 RAW_TABLE
|
report_capability1 RAW_TABLE
|
||||||
report_capability1 IPP2P_MATCH
|
report_capability1 IPP2P_MATCH
|
||||||
|
report_capability1 OLD_IPP2P_MATCH
|
||||||
report_capability1 CLASSIFY_TARGET
|
report_capability1 CLASSIFY_TARGET
|
||||||
report_capability1 ENHANCED_REJECT
|
report_capability1 ENHANCED_REJECT
|
||||||
report_capability1 KLUDGEFREE
|
report_capability1 KLUDGEFREE
|
||||||
|
@ -1289,8 +1289,16 @@ sub do_proto( $$$ )
|
|||||||
my $p = $2 ? lc $3 : 'tcp';
|
my $p = $2 ? lc $3 : 'tcp';
|
||||||
require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
|
require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
|
||||||
$proto = '-p ' . proto_name($p) . ' ';
|
$proto = '-p ' . proto_name($p) . ' ';
|
||||||
$ports = 'ipp2p' unless $ports;
|
|
||||||
$output .= "${proto}-m ipp2p --$ports ";
|
my $options = '';
|
||||||
|
|
||||||
|
if ( $ports ) {
|
||||||
|
$options .= " --$_" for split /,/, $ports;
|
||||||
|
} else {
|
||||||
|
$options = $capabilities{OLD_IPP2P_MATCH} ? '--ipp2p' : '--edk --kazza --gnu --dc';
|
||||||
|
}
|
||||||
|
|
||||||
|
$output .= "${proto}-m ipp2p${options} ";
|
||||||
} else {
|
} else {
|
||||||
fatal_error "Invalid/Unknown protocol ($proto)"
|
fatal_error "Invalid/Unknown protocol ($proto)"
|
||||||
}
|
}
|
||||||
|
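Review bot: The `else` branch `$options = $capabilities{OLD_IPP2P_MATCH} ? '--ipp2p' : '--edk --kazza --gnu --dc';` assigns the options without a leading space, while the `if` branch builds them as `" --$_"`, so the emitted fragment becomes `-m ipp2p--ipp2p ` (or `-m ipp2p--edk ...`) and iptables will reject the rule; the literals should read `' --ipp2p'` and `' --edk --kazza --gnu --dc'`. The comma-split list is also interpolated unchecked, so a user who ignores the documented "no leading --" rule produces `----edk` and sees only the iptables error; a token check in the loop such as `fatal_error "Invalid ipp2p option ($_)" unless /\A[a-z0-9-]+\z/;` would report the mistake at compile time instead. `do_proto` starts before this hunk and the enclosing `if`/`else` chain continues past it.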
@ -300,7 +300,7 @@ sub initialize( $ ) {
|
|||||||
TC_SCRIPT => '',
|
TC_SCRIPT => '',
|
||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
VERSION => "4.2.4",
|
VERSION => "4.2.4",
|
||||||
CAPVERSION => 40203 ,
|
CAPVERSION => 40205 ,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# From shorewall.conf file
|
# From shorewall.conf file
|
||||||
@ -547,6 +547,7 @@ sub initialize( $ ) {
|
|||||||
XCONNMARK_MATCH => undef,
|
XCONNMARK_MATCH => undef,
|
||||||
RAW_TABLE => undef,
|
RAW_TABLE => undef,
|
||||||
IPP2P_MATCH => undef,
|
IPP2P_MATCH => undef,
|
||||||
|
OLD_IPP2P_MATCH => undef,
|
||||||
CLASSIFY_TARGET => undef,
|
CLASSIFY_TARGET => undef,
|
||||||
ENHANCED_REJECT => undef,
|
ENHANCED_REJECT => undef,
|
||||||
KLUDGEFREE => undef,
|
KLUDGEFREE => undef,
|
||||||
@ -1769,6 +1770,7 @@ sub determine_capabilities( $ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
|
$capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
|
||||||
|
$capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
|
||||||
$capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
|
$capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
|
||||||
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
|
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
|
||||||
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
|
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
|
||||||
|
@ -77,14 +77,32 @@
|
|||||||
</simplelist>
|
</simplelist>
|
||||||
|
|
||||||
<para>When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
|
<para>When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
|
||||||
PORT(S) or PORT(S) column may contain a recognized ipp2p option; for a
|
PORT(S) or PORT(S) column may contain a recognized ipp2p option
|
||||||
list of the options and their meaning, at a root prompt type:</para>
|
(Shorewall-perl 4.2.5 and later accepts a list of options); for a list of
|
||||||
|
the options and their meaning, at a root prompt type:</para>
|
||||||
|
|
||||||
<programlisting><command>iptables -m ipp2p --help</command></programlisting>
|
<programlisting><command>iptables -m ipp2p --help</command></programlisting>
|
||||||
|
|
||||||
<para>You must not include the leading "--" on the option; Shorewall will
|
<para>You must not include the leading "--" on the option; Shorewall will
|
||||||
supply those characters for you. If you do not include an option then
|
supply those characters for you. If you do not include an option
|
||||||
"ipp2p" is assumed (Shorewall will generate "-m ipp2p --ipp2p").</para>
|
then:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>Shorewall-shell and Shorewall-perl up through 4.2.4 will assume
|
||||||
|
"ipp2p". Note that the xtables version of IPP2P does not support this
|
||||||
|
option.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Shorewall-perl 4.2.5 and later will assume "ipp2p" if that
|
||||||
|
option is supported by the installed iptables/Netfilter. Otherwise, it
|
||||||
|
will assume "edk,kazza,gnu,dc"</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
|
||||||
|
<para>If 'ipp2p' is specified, Shorewall-perl 4.2.5 and later will
|
||||||
|
substitute "edk,kazza,gnu,dc".</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section id="Example">
|
<section id="Example">
|
||||||
|
@ -231,12 +231,16 @@
|
|||||||
role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
|
role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Added in Shorewall-perl 4.2.5. Indicates that a balanced
|
<para>Added in Shorewall-perl 4.2.5. Indicates that a default
|
||||||
default route through the provider should be added to the
|
route through the provider should be added to the default
|
||||||
default routing table (table 253). The route is added with a
|
routing table (table 253). If a
|
||||||
weight equal to the specified
|
<replaceable>weight</replaceable> is given, a balanced route
|
||||||
<replaceable>weight</replaceable> (default 1). The option is
|
is added with the weight of this provider equal to the
|
||||||
ignored with a warning message if USE_DEFAULT_RT=Yes in
|
specified <replaceable>weight</replaceable>. If the option is
|
||||||
|
given without a <replaceable>weight</replaceable>, an separate
|
||||||
|
default route is added through the provider's gateway; the
|
||||||
|
route has a metric equal to the provider's NUMBER. The option
|
||||||
|
is ignored with a warning message if USE_DEFAULT_RT=Yes in
|
||||||
<filename>shorewall.conf</filename>.</para>
|
<filename>shorewall.conf</filename>.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|