extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-21 10:18:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add IPSET_WARNINGS option

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-03-18 13:36:23 -07:00
parent 955a9f0051
commit 15ca0fd1f0
14 changed files with 101 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -4483,13 +4483,17 @@ sub get_set_flags( $$ ) {
my @options = split /,/, $options; my @options = split /,/, $options;
my %typemap = ( src => 'Source', dst => 'Destination' ); my %typemap = ( src => 'Source', dst => 'Destination' );
if ( $config{IPSET_WARNINGS} ) {
for ( @options ) { for ( @options ) {
warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option; warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
} }
} }
}
$setname =~ s/^\+//; $setname =~ s/^\+//;
if ( $config{IPSET_WARNINGS} ) {
unless ( $export || $> != 0 ) { unless ( $export || $> != 0 ) {
unless ( $ipset_exists{$setname} ) { unless ( $ipset_exists{$setname} ) {
warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname"; warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
@ -4497,6 +4501,8 @@ sub get_set_flags( $$ ) {
$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
} }
}
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/; fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options "; have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";

2
Shorewall/Perl/Shorewall/Config.pm
View File

@ -568,6 +568,7 @@ sub initialize( $ ) {
MAPOLDACTIONS => undef, MAPOLDACTIONS => undef,
FASTACCEPT => undef, FASTACCEPT => undef,
IMPLICIT_CONTINUE => undef, IMPLICIT_CONTINUE => undef,
IPSET_WARNINGS => undef,
HIGH_ROUTE_MARKS => undef, HIGH_ROUTE_MARKS => undef,
USE_ACTIONS=> undef, USE_ACTIONS=> undef,
OPTIMIZE => undef, OPTIMIZE => undef,
@ -3866,6 +3867,7 @@ sub get_configuration( $$$ ) {
default_yes_no 'EXPORTMODULES' , ''; default_yes_no 'EXPORTMODULES' , '';
default_yes_no 'LEGACY_FASTSTART' , 'Yes'; default_yes_no 'LEGACY_FASTSTART' , 'Yes';
default_yes_no 'USE_PHYSICAL_NAMES' , ''; default_yes_no 'USE_PHYSICAL_NAMES' , '';
default_yes_no 'IPSET_WARNINGS' , 'Yes';
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK}; require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

2
Shorewall/Samples/Universal/shorewall.conf
View File

@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=On IP_FORWARDING=On
KEEP_RT_TABLES=No KEEP_RT_TABLES=No

2
Shorewall/Samples/one-interface/shorewall.conf
View File

@ -149,6 +149,8 @@ FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Off IP_FORWARDING=Off
KEEP_RT_TABLES=No KEEP_RT_TABLES=No

2
Shorewall/Samples/three-interfaces/shorewall.conf
View File

@ -147,6 +147,8 @@ FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=On IP_FORWARDING=On
KEEP_RT_TABLES=No KEEP_RT_TABLES=No

2
Shorewall/Samples/two-interfaces/shorewall.conf
View File

@ -150,6 +150,8 @@ FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=On IP_FORWARDING=On
KEEP_RT_TABLES=No KEEP_RT_TABLES=No

2
Shorewall/configfiles/shorewall.conf
View File

@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=On IP_FORWARDING=On
KEEP_RT_TABLES=No KEEP_RT_TABLES=No

39
Shorewall/manpages/shorewall.conf.xml
View File

@ -848,6 +848,29 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
rules compiler to issue a warning when:</para>
<itemizedlist>
<listitem>
<para>The compiler is being run by root and an ipset specified
in the configuration does not exists. Only one warning is issued
for each missing ipset.</para>
</listitem>
<listitem>
<para>When [src] is specified in a destination column and when
[dst] is specified in a source column.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis <term><emphasis
role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term> role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
@ -2092,14 +2115,14 @@ net all DROP info</programlisting>then the chain name is 'net2all'
tcrules. This was done so that tcrules could reset the packet mark tcrules. This was done so that tcrules could reset the packet mark
to zero, thus allowing the packet to be routed using the 'main' to zero, thus allowing the packet to be routed using the 'main'
routing table. Using the main table allowed dynamic routes (such as routing table. Using the main table allowed dynamic routes (such as
those added for VPNs) to be effective. The rtrules file was those added for VPNs) to be effective. The rtrules file was created
created to provide a better alternative to clearing the packet mark. to provide a better alternative to clearing the packet mark. As a
As a consequence, passing these packets to PREROUTING complicates consequence, passing these packets to PREROUTING complicates things
things without providing any real benefit. Beginning with Shorewall without providing any real benefit. Beginning with Shorewall 4.4.6,
4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
through 'tracked' interfaces will not be passed to the PREROUTING 'tracked' interfaces will not be passed to the PREROUTING rules.
rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
change should be transparent to most, if not all, users.</para> should be transparent to most, if not all, users.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

2
Shorewall6/Samples6/Universal/shorewall6.conf
View File

@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Off IP_FORWARDING=Off
KEEP_RT_TABLES=Yes KEEP_RT_TABLES=Yes

2
Shorewall6/Samples6/one-interface/shorewall6.conf
View File

@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Off IP_FORWARDING=Off
KEEP_RT_TABLES=Yes KEEP_RT_TABLES=Yes

2
Shorewall6/Samples6/three-interfaces/shorewall6.conf
View File

@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=On IP_FORWARDING=On
KEEP_RT_TABLES=Yes KEEP_RT_TABLES=Yes

2
Shorewall6/Samples6/two-interfaces/shorewall6.conf
View File

@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=On IP_FORWARDING=On
KEEP_RT_TABLES=Yes KEEP_RT_TABLES=Yes

2
Shorewall6/configfiles/shorewall6.conf
View File

@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=Yes
IMPLICIT_CONTINUE=No IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Off IP_FORWARDING=Off
KEEP_RT_TABLES=Yes KEEP_RT_TABLES=Yes

49
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -756,6 +756,29 @@ net all DROP info</programlisting>then the chain name is 'net2all'
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
<listitem>
<para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
rules compiler to issue a warning when:</para>
<itemizedlist>
<listitem>
<para>The compiler is being run by root and an ipset specified
in the configuration does not exists. Only one warning is issued
for each missing ipset.</para>
</listitem>
<listitem>
<para>When [src] is specified in a destination column and when
[dst] is specified in a source column.</para>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis <term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@ -1809,15 +1832,14 @@ net all DROP info</programlisting>then the chain name is 'net2all'
to zero, thus allowing the packet to be routed using the 'main' to zero, thus allowing the packet to be routed using the 'main'
routing table. Using the main table allowed dynamic routes (such as routing table. Using the main table allowed dynamic routes (such as
those added for VPNs) to be effective. The <ulink those added for VPNs) to be effective. The <ulink
url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
file was created to provide a better alternative to clearing the created to provide a better alternative to clearing the packet mark.
packet mark. As a consequence, passing these packets to PREROUTING As a consequence, passing these packets to PREROUTING complicates
complicates things without providing any real benefit. Beginning things without providing any real benefit. Beginning with Shorewall
with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
packets arriving through 'tracked' interfaces will not be passed to through 'tracked' interfaces will not be passed to the PREROUTING
the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
4.4.3, this change should be transparent to most, if not all, change should be transparent to most, if not all, users.</para>
users.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -1977,10 +1999,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5), shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-nat(5), shorewall6-netmap(5), shorewall6-nat(5), shorewall6-netmap(5),
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5),
shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
shorewall6-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>