From 304015698129bdaba98d60c4aa93da29eff5c487 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 21 Nov 2012 14:20:56 -0800
Subject: [PATCH] Add SWITCH column to the conntrack file
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Raw.pm | 22 ++++++------
 Shorewall/configfiles/conntrack | 4 +--
 Shorewall/manpages/shorewall-conntrack.xml | 38 ++++++++++++++++++++
 Shorewall6/manpages/shorewall6-conntrack.xml | 38 ++++++++++++++++++++
 4 files changed, 90 insertions(+), 12 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index ddc19cfef..b3b9553ad 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -41,9 +41,9 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
 #
 # Notrack
 #
-sub process_conntrack_rule( $$$$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$$ ) {
- my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+ my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
 require_capability 'RAW_TABLE', 'conntrack rules', '';
@@ -74,7 +74,7 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 my $target = $action;
 my $exception_rule = '';
- my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
+ my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch );
 if ( $action eq 'NOTRACK' ) {
 #
@@ -162,7 +162,9 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 $proto ,
 $ports ,
 $sports ,
- $user );
+ $user,
+ '-',
+ );
 } else {
 assert( $action_target );
 #
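Review bot: The `$switch` value appended to the rule through `do_condition( $switch )` is taken straight from the conntrack file, and this hunk adds no check of its own, so the constraints the manpage in this commit states for it (starts with a letter, only letters, digits, underscores or hyphens, at most 30 characters) and the condition-match capability requirement have to be enforced inside do_condition, which is not shown here and is worth confirming before merge. If that is indeed where they live, a short comment on the new line saves the next reader the same trip: `# SWITCH name validation and the condition-match capability check are done in do_condition()`. The three call sites in setup_conntrack updated in the later hunks rely on the same thing. process_conntrack_rule begins and ends outside this hunk.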
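Review bot: The bare `'-'` passed as the new tenth argument in handle_helper_rule gives no hint that it stands for an empty SWITCH column, which is the one thing a reader cannot recover from the parameter list alone. A trailing comment on that line does it: `'-',    # no SWITCH for auto-generated helper rules`. Both the call and the enclosing sub begin outside the hunk.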
@@ -224,17 +226,17 @@ sub setup_conntrack() {
 first_entry( "$doing $fn..." );
 while ( read_a_line( NORMAL_READ ) ) {
- my ( $source, $dest, $proto, $ports, $sports, $user );
+ my ( $source, $dest, $proto, $ports, $sports, $user, $switch );
 if ( $format == 1 ) {
- ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+ ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
 if ( $source eq 'FORMAT' ) {
 $format = process_format( $dest );
 next;
 }
 } else {
- ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+ ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, { COMMENT => 0, FORMAT => 2 };
 if ( $action eq 'FORMAT' ) {
 $format = process_format( $source );
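Review bot: The FORMAT 1 column map also gains `switch => 6`, so legacy-format conntrack files now accept a seventh column as well as FORMAT 2 files, and neither the commit message nor the visible manpage hunks say whether that is intended. If it is, a one-line comment above the FORMAT 1 `split_line1` call, `# SWITCH is accepted in both file formats`, records the decision; if it is not, the FORMAT 1 map should stay at six columns. Whether `$switch` arrives as `'-'` when the column is omitted depends on split_line1 padding trailing columns, which the `$user ne '-'` test in the next hunk already presumes but this hunk does not show. The hunk cuts setup_conntrack in the middle of its read loop.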
@@ -252,10 +254,10 @@ sub setup_conntrack() {
 if ( $source =~ /^all(-)?(:(.+))?$/ ) {
 fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
- process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user ) unless $1;
- process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user );
+ process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch ) unless $1;
+ process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch );
 } else {
- process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
+ process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 }
 }
diff --git a/Shorewall/configfiles/conntrack b/Shorewall/configfiles/conntrack
index 09ad2d43c..0a2084f4d 100644
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -3,9 +3,9 @@
 #
 # For information about entries in this file, type "man shorewall-conntrack"
 #
-#############################################################################################
+##############################################################################################################
 FORMAT 2
-#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/
+#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
 # PORT(S) PORT(S) GROUP
 ?if $AUTOHELPERS && __CT_TARGET
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index 5496269c6..1ac3c2ac1 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
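Review bot: The two calls added in the `all` branch write the new argument as `$user , $switch`, with a space before the comma, while the call in the else branch and the parameter list of process_conntrack_rule in the first hunk write `$user, $switch`. Dropping the stray space, `..., $sports, $user, $switch ) unless $1;` and `..., $sports, $user, $switch );`, keeps the three call sites uniform. setup_conntrack's body continues past the end of this hunk.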
@@ -339,6 +339,44 @@ id and or group id of the process sending the traffic. + + + SWITCH - + [!]switch-name + + + Added in Shorewall 4.5.10 and allows enabling and disabling + the rule without requiring shorewall + restart. + + The rule is enabled if the value stored in + /proc/net/nf_condition/switch-name + is 1. The rule is disabled if that file contains 0 (the default). If + '!' is supplied, the test is inverted such that the rule is enabled + if the file contains 0. switch-name must + begin with a letter and be composed of letters, decimal digits, + underscores or hyphens. Switch names must be 30 characters or less + in length. + + Switches are normally off. To + turn a switch on: + + + echo 1 > + /proc/net/nf_condition/switch-name + + + To turn it off again: + + + echo 0 > + /proc/net/nf_condition/switch-name + + + Switch settings are retained over shorewall + restart. + + diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml index 0348d3b85..a04bc5d9a 100644 --- a/Shorewall6/manpages/shorewall6-conntrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml 
@@ -225,6 +225,44 @@ id and or group id of the process sending the traffic. + + + SWITCH - + [!]switch-name + + + Added in Shorewall6 4.5.10 and allows enabling and disabling + the rule without requiring shorewall6 + restart. + + Enables the rule if the value stored in + /proc/net/nf_condition/switch-name + is 1. Disables the rule if that file contains 0 (the default). If + '!' is supplied, the test is inverted such that the rule is enabled + if the file contains 0. The switch-name + must begin with a letter and be composed of letters, decimal digits, + underscores or hyphens. Switch names must be 30 characters or less + in length. + + Switches are normally off. To + turn a switch on: + + + echo 1 > + /proc/net/nf_condition/switch-name + + + To turn it off again: + + + echo 0 > + /proc/net/nf_condition/switch-name + + + Switch settings are retained over shorewall6 + restart. + +