From 2c2aaf262ccbe572477f1ffd1fb9d076b816be9a Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 1 Jan 2014 07:18:36 -0800
Subject: [PATCH] Add IP[6]TABLES support for the conntrack file.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Compiler.pm |  1 +
 Shorewall/Perl/Shorewall/Raw.pm      | 24 +++++++++++++++++++++---
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 1002fffe2..0165d3476 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -68,6 +68,7 @@ sub initialize_package_globals( $$$ ) {
     Shorewall::Proxyarp::initialize($family);
     Shorewall::IPAddrs::initialize($family);
     Shorewall::Misc::initialize($family);
+    Shorewall::Raw::initialize($family);
 }
 
 #
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index ee7392c80..524437f00 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -47,6 +47,12 @@ our %valid_ctevent = ( new => 1,
                        natseqinfo => 1,
                        secmark => 1 );
 
+our $family;
+
+sub initialize($) {
+    $family = shift;
+}
+
 #
 # Notrack
 #
@@ -105,10 +111,24 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
             $action = $1;
             $disposition = $1;
         }
+    } elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))$/ ) {
+        if ( $family == F_IPV4 ) {
+            fatal_error 'Invalid conntrack ACTION (IP6TABLES)' if $1;
+        } else {
+            fatal_error "Invalid conntrack ACTION (IPTABLES)" unless $1;
+        }
+
+        my ( $tgt, $options ) = split( ' ', $2 );
+        my $target_type = $builtin_target{$tgt};
+        fatal_error "Unknown target ($tgt)" unless $target_type;
+        fatal_error "The $tgt TARGET is not allowed in the raw table" unless $target_type & RAW_TABLE;
+        $disposition = $tgt;
+        $action = 2;
+        validate_level( $level = $3 ) if supplied $3;
     } else {
         ( $disposition, my ( $option, $args ), $level ) = split ':', $action, 4;
 
-        fatal_error "Invalid notrack ACTION ( $action )" if $disposition ne 'CT';
+        fatal_error "Invalid conntrack ACTION ( $action )" if $disposition ne 'CT';
 
         validate_level( $level ) if supplied $level;
 
@@ -243,8 +263,6 @@ sub process_format( $ ) {
 
 
 sub setup_conntrack() {
-    $format = 1;
-
     for my $name ( qw/notrack conntrack/ ) {
         my $fn = open_file( $name, 3 , 1 );
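Review bot: The `(:(.*))` group in the new `elsif` regex is mandatory, so an action written without a log level — `IPTABLES(DROP)` rather than `IPTABLES(DROP):info` — never reaches this branch and falls through to the `else` branch, where `$disposition ne 'CT'` rejects it as an invalid conntrack ACTION; the group should read `(:(.*))?`, i.e. `} elsif ( $action =~ /^IP(6)?TABLES\((.+)\)(:(.*))?$/ ) {`. As written `$3` also carries the leading colon, so `validate_level( $level = $3 )` hands `:info` rather than `info` to validate_level unless that routine strips it; the bare level text is `$4`, so `validate_level( $level = $4 ) if supplied $4;` looks like the intent. Only `$tgt` is checked against `%builtin_target` and RAW_TABLE; `$options` from the same `split` is not validated anywhere in the hunk, so whatever later emits the rule from `$disposition`/`$action == 2` (outside this hunk) is presumably where it is constrained and is worth a look. process_conntrack_rule's body continues past the end of the hunk.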