Add IPSET_WARNINGS option
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
955a9f0051
commit
15ca0fd1f0
@ -4483,13 +4483,17 @@ sub get_set_flags( $$ ) {
|
|||||||
my @options = split /,/, $options;
|
my @options = split /,/, $options;
|
||||||
my %typemap = ( src => 'Source', dst => 'Destination' );
|
my %typemap = ( src => 'Source', dst => 'Destination' );
|
||||||
|
|
||||||
|
if ( $config{IPSET_WARNINGS} ) {
|
||||||
for ( @options ) {
|
for ( @options ) {
|
||||||
warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
|
warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$setname =~ s/^\+//;
|
$setname =~ s/^\+//;
|
||||||
|
|
||||||
|
|
||||||
|
if ( $config{IPSET_WARNINGS} ) {
|
||||||
unless ( $export || $> != 0 ) {
|
unless ( $export || $> != 0 ) {
|
||||||
unless ( $ipset_exists{$setname} ) {
|
unless ( $ipset_exists{$setname} ) {
|
||||||
warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
|
warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
|
||||||
@ -4497,6 +4501,8 @@ sub get_set_flags( $$ ) {
|
|||||||
|
|
||||||
$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
|
$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
|
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
|
||||||
|
|
||||||
have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
|
have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
|
||||||
|
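Review bot: The new existence check calls `qt "ipset -L $setname"` with the set name interpolated into a command string before the name has been validated; the `fatal_error "Invalid ipset name ($setname)"` check in the following hunk only runs afterwards, and its pattern `/^(6_)?[a-zA-Z]\w*/` is anchored only at the start, so a name with trailing characters outside `\w` still reaches `qt` (which I assume hands the string to a shell) and is then accepted by the validation. Because this path is taken only when the compiler runs as root outside export mode, and the names come from root-edited configuration, the exposure is bounded, but a check meant to reject bad names should precede the first use of the value. I would move the validation above the `if ( $config{IPSET_WARNINGS} )` block that wraps the existence check and anchor it at both ends, `fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*\z/;`, assuming nothing may legitimately follow the name once the leading `+` has been stripped on the line above. get_set_flags begins before this hunk, so the derivation of $setname and $options is not visible here.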
@ -568,6 +568,7 @@ sub initialize( $ ) {
|
|||||||
MAPOLDACTIONS => undef,
|
MAPOLDACTIONS => undef,
|
||||||
FASTACCEPT => undef,
|
FASTACCEPT => undef,
|
||||||
IMPLICIT_CONTINUE => undef,
|
IMPLICIT_CONTINUE => undef,
|
||||||
|
IPSET_WARNINGS => undef,
|
||||||
HIGH_ROUTE_MARKS => undef,
|
HIGH_ROUTE_MARKS => undef,
|
||||||
USE_ACTIONS=> undef,
|
USE_ACTIONS=> undef,
|
||||||
OPTIMIZE => undef,
|
OPTIMIZE => undef,
|
||||||
@ -3866,6 +3867,7 @@ sub get_configuration( $$$ ) {
|
|||||||
default_yes_no 'EXPORTMODULES' , '';
|
default_yes_no 'EXPORTMODULES' , '';
|
||||||
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
|
default_yes_no 'LEGACY_FASTSTART' , 'Yes';
|
||||||
default_yes_no 'USE_PHYSICAL_NAMES' , '';
|
default_yes_no 'USE_PHYSICAL_NAMES' , '';
|
||||||
|
default_yes_no 'IPSET_WARNINGS' , 'Yes';
|
||||||
|
|
||||||
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
|
require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
|
||||||
|
|
||||||
|
@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
KEEP_RT_TABLES=No
|
||||||
|
@ -149,6 +149,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
KEEP_RT_TABLES=No
|
||||||
|
@ -147,6 +147,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
KEEP_RT_TABLES=No
|
||||||
|
@ -150,6 +150,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
KEEP_RT_TABLES=No
|
||||||
|
@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=No
|
KEEP_RT_TABLES=No
|
||||||
|
@ -848,6 +848,29 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
|
||||||
|
rules compiler to issue a warning when:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>The compiler is being run by root and an ipset specified
|
||||||
|
in the configuration does not exists. Only one warning is issued
|
||||||
|
for each missing ipset.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When [src] is specified in a destination column and when
|
||||||
|
[dst] is specified in a source column.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis
|
<term><emphasis
|
||||||
role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
|
||||||
@ -2092,14 +2115,14 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
tcrules. This was done so that tcrules could reset the packet mark
|
tcrules. This was done so that tcrules could reset the packet mark
|
||||||
to zero, thus allowing the packet to be routed using the 'main'
|
to zero, thus allowing the packet to be routed using the 'main'
|
||||||
routing table. Using the main table allowed dynamic routes (such as
|
routing table. Using the main table allowed dynamic routes (such as
|
||||||
those added for VPNs) to be effective. The rtrules file was
|
those added for VPNs) to be effective. The rtrules file was created
|
||||||
created to provide a better alternative to clearing the packet mark.
|
to provide a better alternative to clearing the packet mark. As a
|
||||||
As a consequence, passing these packets to PREROUTING complicates
|
consequence, passing these packets to PREROUTING complicates things
|
||||||
things without providing any real benefit. Beginning with Shorewall
|
without providing any real benefit. Beginning with Shorewall 4.4.6,
|
||||||
4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
|
when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
|
||||||
through 'tracked' interfaces will not be passed to the PREROUTING
|
'tracked' interfaces will not be passed to the PREROUTING rules.
|
||||||
rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
|
Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
|
||||||
change should be transparent to most, if not all, users.</para>
|
should be transparent to most, if not all, users.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=On
|
IP_FORWARDING=On
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=Yes
|
|||||||
|
|
||||||
IMPLICIT_CONTINUE=No
|
IMPLICIT_CONTINUE=No
|
||||||
|
|
||||||
|
IPSET_WARNINGS=Yes
|
||||||
|
|
||||||
IP_FORWARDING=Off
|
IP_FORWARDING=Off
|
||||||
|
|
||||||
KEEP_RT_TABLES=Yes
|
KEEP_RT_TABLES=Yes
|
||||||
|
@ -756,6 +756,29 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
|
||||||
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
|
||||||
|
rules compiler to issue a warning when:</para>
|
||||||
|
|
||||||
|
<itemizedlist>
|
||||||
|
<listitem>
|
||||||
|
<para>The compiler is being run by root and an ipset specified
|
||||||
|
in the configuration does not exists. Only one warning is issued
|
||||||
|
for each missing ipset.</para>
|
||||||
|
</listitem>
|
||||||
|
|
||||||
|
<listitem>
|
||||||
|
<para>When [src] is specified in a destination column and when
|
||||||
|
[dst] is specified in a source column.</para>
|
||||||
|
</listitem>
|
||||||
|
</itemizedlist>
|
||||||
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
|
<term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
|
||||||
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
|
||||||
@ -1809,15 +1832,14 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
to zero, thus allowing the packet to be routed using the 'main'
|
to zero, thus allowing the packet to be routed using the 'main'
|
||||||
routing table. Using the main table allowed dynamic routes (such as
|
routing table. Using the main table allowed dynamic routes (such as
|
||||||
those added for VPNs) to be effective. The <ulink
|
those added for VPNs) to be effective. The <ulink
|
||||||
url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
|
url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
|
||||||
file was created to provide a better alternative to clearing the
|
created to provide a better alternative to clearing the packet mark.
|
||||||
packet mark. As a consequence, passing these packets to PREROUTING
|
As a consequence, passing these packets to PREROUTING complicates
|
||||||
complicates things without providing any real benefit. Beginning
|
things without providing any real benefit. Beginning with Shorewall
|
||||||
with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No,
|
4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
|
||||||
packets arriving through 'tracked' interfaces will not be passed to
|
through 'tracked' interfaces will not be passed to the PREROUTING
|
||||||
the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in
|
rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
|
||||||
4.4.3, this change should be transparent to most, if not all,
|
change should be transparent to most, if not all, users.</para>
|
||||||
users.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
@ -1977,10 +1999,9 @@ net all DROP info</programlisting>then the chain name is 'net2all'
|
|||||||
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
|
shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
|
||||||
shorewall6-nat(5), shorewall6-netmap(5),
|
shorewall6-nat(5), shorewall6-netmap(5),
|
||||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||||
shorewall6-providers(5), shorewall6-proxyarp(5),
|
shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
|
||||||
shorewall6-rtrules(5), shorewall6-routestopped(5),
|
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5),
|
||||||
shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
|
||||||
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
||||||
shorewall6-zones(5)</para>
|
|
||||||
</refsect1>
|
</refsect1>
|
||||||
</refentry>
|
</refentry>
|
||||||
|