diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 70bed0fb7..19403a31e 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2484,7 +2484,7 @@ sub get_set_flags( $$ ) {
 fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;
- "--set $setname $options "
+ have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options";
 }
 #
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index d575fa762..ffd1ed019 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -218,6 +218,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
 RECENT_MATCH => 'Recent Match',
 OWNER_MATCH => 'Owner Match',
 IPSET_MATCH => 'Ipset Match',
+ OLD_IPSET_MATCH => 'Old Ipset Match',
 CONNMARK => 'CONNMARK Target',
 XCONNMARK => 'Extended CONNMARK Target',
 CONNMARK_MATCH => 'Connmark Match',
@@ -641,6 +642,7 @@ sub initialize( $ ) {
 RECENT_MATCH => undef,
 OWNER_MATCH => undef,
 IPSET_MATCH => undef,
+ OLD_IPSET_MATCH => undef,
 CONNMARK => undef,
 XCONNMARK => undef,
 CONNMARK_MATCH => undef,
@@ -2372,7 +2374,7 @@ sub Raw_Table() {
 qt1( "$iptables -t raw -L -n" );
 }
-sub IPSet_Match() {
+sub Old_IPSet_Match() {
 my $ipset = $config{IPSET} || 'ipset';
 my $result = 0;
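Review bot: The `--match-set` branch on the added line drops the trailing space that the `--set` branch (and the removed line) carries, so the two code paths return differently terminated strings; if the caller, which is outside this hunk, appends further match text without its own separator, the new-syntax output will run into it, so `"--match-set $setname $options "` keeps the contract identical on both paths. Whether the ternary binds as intended depends on `have_capability` being declared with a `($)` prototype (named-unary precedence, which the other subs on this page suggest is the file's habit but which is not visible here); without one, `have_capability 'OLD_IPSET_MATCH' ? ... : ...` passes the whole ternary as the argument, so `have_capability( 'OLD_IPSET_MATCH' ) ? "--set $setname $options " : "--match-set $setname $options "` removes the dependency on the declaration. Note also that `$setname` is interpolated into the emitted rule on both branches while the check on the context line above is anchored only at the start (`/^[a-zA-Z]\w*/`), so a name with trailing non-word characters still passes; `/\A[a-zA-Z]\w*\z/` would make the validation match what the error message promises. get_set_flags begins before this hunk.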
@@ -2384,7 +2386,31 @@ sub IPSet_Match() {
 if ( qt( "$ipset -N $sillyname iphash" ) ) {
 if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
 qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
- $result = 1;
+ $result = $capabilities{IPSET_MATCH} = 1;
+ }
+
+ qt( "$ipset -X $sillyname" );
+ }
+ }
+
+ $result;
+}
+
+sub IPSet_Match() {
+ my $ipset = $config{IPSET} || 'ipset';
+ my $result = 0;
+
+ $ipset = which $ipset unless $ipset =~ '/';
+
+ if ( $ipset && -x $ipset ) {
+ qt( "$ipset -X $sillyname" );
+
+ if ( qt( "$ipset -N $sillyname iphash" ) ) {
+ if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
+ qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
+ $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
+ } else {
+ have_capability 'OLD_IPSET_MATCH';
 }
 qt( "$ipset -X $sillyname" );
@@ -2465,6 +2491,7 @@ our %detect_capability =
 IPP2P_MATCH => \&Ipp2p_Match,
 IPRANGE_MATCH => \&IPRange_Match,
 IPSET_MATCH => \&IPSet_Match,
+ OLD_IPSET_MATCH => \&Old_IPSet_Match,
 KLUDGEFREE => \&Kludgefree,
 LENGTH_MATCH => \&Length_Match,
 LOGMARK_TARGET => \&Logmark_Target,
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 48bd2aedf..08981cfc2 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -18,6 +18,8 @@ Changes in Shorewall 4.4.12
 9) Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
+10) Support new set match syntax.
+
 Changes in Shorewall 4.4.11
 1) Apply patch from Gabriel.
diff --git a/Shorewall/lib.base b/Shorewall/lib.base
index 146e556c4..ba117db3f 100644
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -29,7 +29,7 @@
 #
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40411
+SHOREWALL_CAPVERSION=40412
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli
index da38fbd5b..7eea7b53f 100644
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
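Review bot: In the new IPSet_Match, the `else` branch calls `have_capability 'OLD_IPSET_MATCH'` in void context and leaves `$result` at 0, so the function reports no ipset match support even when the legacy `--set` probe succeeds; Old_IPSet_Match records that success only through the side assignment `$result = $capabilities{IPSET_MATCH} = 1`, and if whatever drives the %detect_capability table (not in this hunk) stores IPSet_Match's return value back into `$capabilities{IPSET_MATCH}`, that 1 is overwritten with 0 and the shell detector's result for the same machine (IPSET_MATCH=Yes plus OLD_IPSET_MATCH=Yes) would disagree. `$result = have_capability 'OLD_IPSET_MATCH';` makes the return value agree with the side effect on both paths. `$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );` is compact but reads as a trick; `$capabilities{OLD_IPSET_MATCH} = 0; $result = 1;` says the same thing, and `$ipset =~ '/'` uses a string where a pattern is meant, so `$ipset =~ m{/}` is clearer. The hunk opens inside the body of Old_IPSet_Match (renamed in the previous hunk) and IPSet_Match continues past the hunk's last line.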
@@ -1511,6 +1511,7 @@ determine_capabilities() {
 RECENT_MATCH=
 OWNER_MATCH=
 IPSET_MATCH=
+ OLD_IPSET_MATCH=
 CONNMARK=
 XCONNMARK=
 CONNMARK_MATCH=
@@ -1653,9 +1654,13 @@ determine_capabilities() {
 qt ipset -X $chain # Just in case something went wrong the last time
 if qt ipset -N $chain iphash ; then
- if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
+ if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
+ qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
+ IPSET_MATCH=Yes
+ elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
 qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
 IPSET_MATCH=Yes
+ OLD_IPSET_MATCH=Yes
 fi
 qt ipset -X $chain
 fi
@@ -1720,7 +1725,10 @@ report_capabilities() {
 report_capability "IP range Match" $IPRANGE_MATCH
 report_capability "Recent Match" $RECENT_MATCH
 report_capability "Owner Match" $OWNER_MATCH
- report_capability "Ipset Match" $IPSET_MATCH
+ if [ -n "$IPSET_MATCH" ]; then
+ report_capability "Ipset Match" $IPSET_MATCH
+ [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+ fi
 report_capability "CONNMARK Target" $CONNMARK
 [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1784,6 +1792,7 @@ report_capabilities1() {
 report_capability1 RECENT_MATCH
 report_capability1 OWNER_MATCH
 report_capability1 IPSET_MATCH
+ report_capability1 OLD_IPSET_MATCH
 report_capability1 CONNMARK
 report_capability1 XCONNMARK
 report_capability1 CONNMARK_MATCH
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 096cedf93..05ce978d5 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
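Review bot: In the determine_capabilities hunk at -1653, the `elif` branch sets both IPSET_MATCH=Yes and OLD_IPSET_MATCH=Yes while the `if` branch sets only IPSET_MATCH, and nothing in the hunk says what OLD_IPSET_MATCH means to the consumer of the capabilities file; a comment above the `if`, `# Probe the --match-set syntax first; OLD_IPSET_MATCH records that only the legacy --set form is accepted`, would save the next reader from reconstructing that from the Perl side. determine_capabilities begins before and ends after this hunk.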
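Review bot: In the report_capabilities hunk at -1720, the label `"OLD_Ipset Match"` disagrees with the description this same commit adds to %capdesc in Config.pm (`'Old Ipset Match'`), so the shell and Perl capability reports will print different names for the same capability; `report_capability "Old Ipset Match" $OLD_IPSET_MATCH` keeps them aligned. Wrapping the base `report_capability "Ipset Match" $IPSET_MATCH` call in `if [ -n "$IPSET_MATCH" ]` also changes behaviour: when the capability is absent nothing is printed for it at all, whereas the neighbouring CONNMARK/XCONNMARK pair keeps the base call unconditional and guards only the extension, so if report_capability prints a not-available marker for an empty value (its body is not visible here) this hunk silently drops that line. Following the CONNMARK pattern, `report_capability "Ipset Match" $IPSET_MATCH` followed by `[ -n "$IPSET_MATCH" ] && report_capability "Old Ipset Match" $OLD_IPSET_MATCH` preserves the existing output and still reports the new flag only when ipset matching exists. The same two points apply to the report_capabilities hunk in Shorewall6/lib.cli further down. report_capabilities begins before and ends after this hunk.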
@@ -300,6 +300,12 @@ None. 4) 'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6 compilations.
+5) Shorewall now detects the presence of a recent ipset iptables
+ module and uses its new syntax. This avoids a warning on iptables
+ 1.4.9. This change involves a new capabilities file version so if
+ you use a capabilities file, be sure to regenerate it with 4.4.12
+ shorewall-lite or shorewall6-lite.
+
 ----------------------------------------------------------------------------
 V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S I N P R I O R R E L E A S E S
diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base
index db604eeaf..cbb3f9175 100644
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -33,7 +33,7 @@
 #
 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40411
+SHOREWALL_CAPVERSION=40412
 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index dbbabcb4d..7c61be08e 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -1200,6 +1200,7 @@ determine_capabilities() {
 RECENT_MATCH=
 OWNER_MATCH=
 IPSET_MATCH=
+ OLD_IPSET_MATCH=
 CONNMARK=
 XCONNMARK=
 CONNMARK_MATCH=
@@ -1414,7 +1415,10 @@ report_capabilities() {
 report_capability "IP range Match" $IPRANGE_MATCH
 report_capability "Recent Match" $RECENT_MATCH
 report_capability "Owner Match" $OWNER_MATCH
- report_capability "Ipset Match" $IPSET_MATCH
+ if [ -n "$IPSET_MATCH" ]; then
+ report_capability "Ipset Match" $IPSET_MATCH
+ [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+ fi
 report_capability "CONNMARK Target" $CONNMARK
 [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
 report_capability "Connmark Match" $CONNMARK_MATCH
@@ -1475,6 +1479,7 @@ report_capabilities1() {
 report_capability1 RECENT_MATCH
 report_capability1 OWNER_MATCH
 report_capability1 IPSET_MATCH
+ report_capability1 OLD_IPSET_MATCH
 report_capability1 CONNMARK
 report_capability1 XCONNMARK
 report_capability1 CONNMARK_MATCH