From 25f6c5c1ccdf361f09b0e571517e632252c00441 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 4 Apr 2006 19:45:42 +0000
Subject: [PATCH] Detect extended connmark capabilities and fix mktempdir bug

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3771 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/compiler | 2 ++
 Shorewall/functions | 21 ++++++++++++++++++---
 Shorewall/releasenotes.txt | 8 ++++++++
 Shorewall/shorecap | 16 ++++++++++++++--
 5 files changed, 44 insertions(+), 5 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 6560ecbef..c859bf179 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -4,6 +4,8 @@ Changes in 3.2.0 Beta 4
 2) Add support for explicit routing rules.
+3) Fix mktempdir problem.
+
 Changes in 3.2.0 Beta 3
 1) Correct handling of verbosity in the 'try' command.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 49ad2c36f..7b03d1e66 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -8517,6 +8517,8 @@ compile_firewall() # $1 = File Name
 STATEDIR=$(mktempdir)
+ [ -n "$STATEDIR" ] || fatal_error "Cannot create temporary directory in /tmp"
+
 if [ $COMMAND = compile ]; then
 dir=$(dirname $1)
 [ -d $dir ] || fatal_error "Directory $dir does not exist"
diff --git a/Shorewall/functions b/Shorewall/functions
index d8bc5d9d3..428ca86f2 100644
--- a/Shorewall/functions
+++ b/Shorewall/functions
@@ -530,7 +530,8 @@ mktempdir() {
 #
 # Not all versions of the BSD mktemp support the -d option under Linux
 #
- mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
+ qt rm -rf /tmp/shorewall-$$
+ mkdir -p /tmp/shorewall-$$ chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$
 ;;
 *)
 echo " ERROR:Internal error in mktempdir" >&2
@@ -1126,7 +1127,9 @@ determine_capabilities() {
 OWNER_MATCH=
 IPSET_MATCH=
 CONNMARK=
+ XCONNMARK=
 CONNMARK_MATCH=
+ XCONNMARK_MATCH=
 RAW_TABLE=
 IPP2P_MATCH=
 LENGTH_MATCH=
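Review bot: In the functions hunk for mktempdir, the new line `mkdir -p /tmp/shorewall-$$ chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$` has no `&&` between the mkdir and the chmod, so, if this line is faithful to the commit, mkdir receives `chmod` and `700` as two extra directory operands, chmod never runs, the state directory keeps umask-derived permissions, and stray `chmod` and `700` directories are created in the current working directory. The replaced line also failed closed when the path already existed, because plain `mkdir` refuses an existing entry; `rm -rf` followed by `mkdir -p` instead accepts whatever sits at this predictable path in world-writable /tmp by the time mkdir runs, and the following `chmod 700` would then be applied through a symlink rather than to a directory this process created. I would keep the `qt rm -rf /tmp/shorewall-$$` but drop `-p` and restore the chain, `mkdir /tmp/shorewall-$$ && chmod 700 /tmp/shorewall-$$ && echo /tmp/shorewall-$$`, so a path that reappears between the two commands produces no output and the compiler hunk's new `[ -n "$STATEDIR" ]` check turns it into a fatal error. The enclosing case arm of mktempdir starts outside the hunk.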
@@ -1155,13 +1158,23 @@ determine_capabilities() {
 qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
+
+ if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
+ CONNMARK_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
+ fi
+
 qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
 qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
 qt $IPTABLES -t mangle -N fooX1234
- qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
+
+ if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
+ CONNMARK=Yes
+ qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
+ fi
+
 qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 qt $IPTABLES -t mangle -F fooX1234
 qt $IPTABLES -t mangle -X fooX1234
@@ -1212,7 +1225,9 @@ report_capabilities() {
 report_capability "Owner Match" $OWNER_MATCH
 report_capability "Ipset Match" $IPSET_MATCH
 report_capability "CONNMARK Target" $CONNMARK
+ report_capability "Extended CONNMARK Target" $XCONNMARK
 report_capability "Connmark Match" $CONNMARK_MATCH
+ report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 report_capability "Raw Table" $RAW_TABLE
 report_capability "IPP2P Match" $IPP2P_MATCH
 report_capability "CLASSIFY Target" $CLASSIFY_TARGET
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 1c36dc224..626b9f1fa 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
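Review bot: The new `XCONNMARK_MATCH` and `XCONNMARK` probes in determine_capabilities carry no comment saying what "extended" means, although the only difference from the base probes is the mask argument (`--mark 2/0xFF` and `--save-mark --mask 0xFF`); a one-line comment above each new `if`, such as `# Extended connmark: the value/mask match form and the --mask target option are accepted`, would spare the next reader a side-by-side comparison of the two commands. The same two blocks are pasted verbatim into shorecap's determine_capabilities (the hunk on the following line), so the two capability detectors can silently diverge; a shared helper sourced by both, or at least a cross-reference comment in each copy, is worth considering. determine_capabilities starts before and ends after this hunk.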
@@ -36,6 +36,14 @@ Problems Corrected in 3.2.0 Beta 4
 dmz xenbr0:vif+ routeback
+2) Previously, if 'mktemp' was not installed on the firewall system and if
+ a directory or file with the name /tmp/shorewall- existed (where
+ is the pid of the shell attempting to compile the Shorewall configuration),
+ then the current command would fail with error messages such as:
+
+ /usr/share/shorewall/compiler: 1: cannot create /tmp/shorewall-20000
+ ERROR: Cannot create temporary file in /tmp
+
 Other changes in 3.2.0 Beta 4
 1) Shorewall now includes support for explicit routing rules when the
diff --git a/Shorewall/shorecap b/Shorewall/shorecap
index 997b97894..f52217a92 100755
--- a/Shorewall/shorecap
+++ b/Shorewall/shorecap
@@ -255,13 +255,23 @@ determine_capabilities() {
 qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
- qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
+
+ if qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT; then
+ CONNMARK_MATCH=Yes
+ qt $IPTABLES -A fooX1234 -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
+ fi
+
 qt $IPTABLES -A fooX1234 -p tcp -m ipp2p --ipp2p -j ACCEPT && IPP2P_MATCH=Yes
 qt $IPTABLES -A fooX1234 -m length --length 10:20 -j ACCEPT && LENGTH_MATCH=Yes
 qt $IPTABLES -A fooX1234 -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
 qt $IPTABLES -t mangle -N fooX1234
- qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark && CONNMARK=Yes
+
+ if qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark; then
+ CONNMARK=Yes
+ qt $IPTABLES -t mangle -A fooX1234 -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
+ fi
+
 qt $IPTABLES -t mangle -A fooX1234 -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 qt $IPTABLES -t mangle -F fooX1234
 qt $IPTABLES -t mangle -X fooX1234
@@ -309,7 +319,9 @@ report_capabilities() {
 report_capability OWNER_MATCH
 report_capability IPSET_MATCH
 report_capability CONNMARK
+ report_capability XCONNMARK
 report_capability CONNMARK_MATCH
+ report_capability XCONNMARK_MATCH
 report_capability RAW_TABLE
 report_capability IPP2P_MATCH
 report_capability CLASSIFY_TARGET