Add support for new ipset match syntax
This commit is contained in:
parent
2774ee1bd6
commit
364ad41cf5
@ -2484,7 +2484,7 @@ sub get_set_flags( $$ ) {
|
|||||||
|
|
||||||
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;
|
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;
|
||||||
|
|
||||||
"--set $setname $options "
|
have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options";
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
|
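Review bot: The new-syntax branch on the `have_capability` line drops the trailing space that the old `"--set $setname $options "` fragment carried, so the two arms of the ternary return differently terminated match strings; if callers concatenate this onto further match options (get_set_flags's callers are not visible here), the `--match-set` form will run straight into the next token. The line also relies on `have_capability` binding tighter than `?:`, which is only true if it is declared with a `($)` prototype as the other subs on this page are — without one, a list-operator call swallows the whole ternary as its argument and always tests `'OLD_IPSET_MATCH'`. Parenthesizing the call and restoring the space settles both readings: `have_capability( 'OLD_IPSET_MATCH' ) ? "--set $setname $options " : "--match-set $setname $options ";`. get_set_flags begins before this hunk.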
@ -218,6 +218,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
RECENT_MATCH => 'Recent Match',
|
RECENT_MATCH => 'Recent Match',
|
||||||
OWNER_MATCH => 'Owner Match',
|
OWNER_MATCH => 'Owner Match',
|
||||||
IPSET_MATCH => 'Ipset Match',
|
IPSET_MATCH => 'Ipset Match',
|
||||||
|
OLD_IPSET_MATCH => 'Old Ipset Match',
|
||||||
CONNMARK => 'CONNMARK Target',
|
CONNMARK => 'CONNMARK Target',
|
||||||
XCONNMARK => 'Extended CONNMARK Target',
|
XCONNMARK => 'Extended CONNMARK Target',
|
||||||
CONNMARK_MATCH => 'Connmark Match',
|
CONNMARK_MATCH => 'Connmark Match',
|
||||||
@ -641,6 +642,7 @@ sub initialize( $ ) {
|
|||||||
RECENT_MATCH => undef,
|
RECENT_MATCH => undef,
|
||||||
OWNER_MATCH => undef,
|
OWNER_MATCH => undef,
|
||||||
IPSET_MATCH => undef,
|
IPSET_MATCH => undef,
|
||||||
|
OLD_IPSET_MATCH => undef,
|
||||||
CONNMARK => undef,
|
CONNMARK => undef,
|
||||||
XCONNMARK => undef,
|
XCONNMARK => undef,
|
||||||
CONNMARK_MATCH => undef,
|
CONNMARK_MATCH => undef,
|
||||||
@ -2372,7 +2374,7 @@ sub Raw_Table() {
|
|||||||
qt1( "$iptables -t raw -L -n" );
|
qt1( "$iptables -t raw -L -n" );
|
||||||
}
|
}
|
||||||
|
|
||||||
sub IPSet_Match() {
|
sub Old_IPSet_Match() {
|
||||||
my $ipset = $config{IPSET} || 'ipset';
|
my $ipset = $config{IPSET} || 'ipset';
|
||||||
my $result = 0;
|
my $result = 0;
|
||||||
|
|
||||||
@ -2384,7 +2386,31 @@ sub IPSet_Match() {
|
|||||||
if ( qt( "$ipset -N $sillyname iphash" ) ) {
|
if ( qt( "$ipset -N $sillyname iphash" ) ) {
|
||||||
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
|
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
|
||||||
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
|
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
|
||||||
$result = 1;
|
$result = $capabilities{IPSET_MATCH} = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
qt( "$ipset -X $sillyname" );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
$result;
|
||||||
|
}
|
||||||
|
|
||||||
|
sub IPSet_Match() {
|
||||||
|
my $ipset = $config{IPSET} || 'ipset';
|
||||||
|
my $result = 0;
|
||||||
|
|
||||||
|
$ipset = which $ipset unless $ipset =~ '/';
|
||||||
|
|
||||||
|
if ( $ipset && -x $ipset ) {
|
||||||
|
qt( "$ipset -X $sillyname" );
|
||||||
|
|
||||||
|
if ( qt( "$ipset -N $sillyname iphash" ) ) {
|
||||||
|
if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
|
||||||
|
qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
|
||||||
|
$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
|
||||||
|
} else {
|
||||||
|
have_capability 'OLD_IPSET_MATCH';
|
||||||
}
|
}
|
||||||
|
|
||||||
qt( "$ipset -X $sillyname" );
|
qt( "$ipset -X $sillyname" );
|
||||||
@ -2465,6 +2491,7 @@ our %detect_capability =
|
|||||||
IPP2P_MATCH => \&Ipp2p_Match,
|
IPP2P_MATCH => \&Ipp2p_Match,
|
||||||
IPRANGE_MATCH => \&IPRange_Match,
|
IPRANGE_MATCH => \&IPRange_Match,
|
||||||
IPSET_MATCH => \&IPSet_Match,
|
IPSET_MATCH => \&IPSet_Match,
|
||||||
|
OLD_IPSET_MATCH => \&Old_IPSet_Match,
|
||||||
KLUDGEFREE => \&Kludgefree,
|
KLUDGEFREE => \&Kludgefree,
|
||||||
LENGTH_MATCH => \&Length_Match,
|
LENGTH_MATCH => \&Length_Match,
|
||||||
LOGMARK_TARGET => \&Logmark_Target,
|
LOGMARK_TARGET => \&Logmark_Target,
|
||||||
|
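Review bot: In the new `IPSet_Match`, the `else` branch calls `have_capability 'OLD_IPSET_MATCH';` in void context and leaves `$result` at 0, so on a system where only the old `--set` syntax works this detector still returns "unavailable"; the only thing that marks the match available is the side-effect assignment `$result = $capabilities{IPSET_MATCH} = 1;` inside `Old_IPSet_Match`. If the caller stores the return value of the detector into `$capabilities{IPSET_MATCH}` (the dispatch through `%detect_capability` is visible, the caller is not), that side effect is overwritten with 0 and the old-syntax fallback never takes effect. Assuming `have_capability` returns the detected value, propagating it is one line: `$result = have_capability 'OLD_IPSET_MATCH';`. Separately, `$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );` hides an assignment inside a negation; `$capabilities{OLD_IPSET_MATCH} = 0; $result = 1;` does the same thing and reads plainly. IPSet_Match continues past the end of the hunk.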
@ -18,6 +18,8 @@ Changes in Shorewall 4.4.12
|
|||||||
|
|
||||||
9) Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
|
9) Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
|
||||||
|
|
||||||
|
10) Support new set match syntax.
|
||||||
|
|
||||||
Changes in Shorewall 4.4.11
|
Changes in Shorewall 4.4.11
|
||||||
|
|
||||||
1) Apply patch from Gabriel.
|
1) Apply patch from Gabriel.
|
||||||
|
@ -29,7 +29,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40407
|
SHOREWALL_LIBVERSION=40407
|
||||||
SHOREWALL_CAPVERSION=40411
|
SHOREWALL_CAPVERSION=40412
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||||
|
@ -1511,6 +1511,7 @@ determine_capabilities() {
|
|||||||
RECENT_MATCH=
|
RECENT_MATCH=
|
||||||
OWNER_MATCH=
|
OWNER_MATCH=
|
||||||
IPSET_MATCH=
|
IPSET_MATCH=
|
||||||
|
OLD_IPSET_MATCH=
|
||||||
CONNMARK=
|
CONNMARK=
|
||||||
XCONNMARK=
|
XCONNMARK=
|
||||||
CONNMARK_MATCH=
|
CONNMARK_MATCH=
|
||||||
@ -1653,9 +1654,13 @@ determine_capabilities() {
|
|||||||
qt ipset -X $chain # Just in case something went wrong the last time
|
qt ipset -X $chain # Just in case something went wrong the last time
|
||||||
|
|
||||||
if qt ipset -N $chain iphash ; then
|
if qt ipset -N $chain iphash ; then
|
||||||
if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
|
if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
|
||||||
|
qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
|
||||||
|
IPSET_MATCH=Yes
|
||||||
|
elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
|
||||||
qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
|
qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
|
||||||
IPSET_MATCH=Yes
|
IPSET_MATCH=Yes
|
||||||
|
OLD_IPSET_MATCH=Yes
|
||||||
fi
|
fi
|
||||||
qt ipset -X $chain
|
qt ipset -X $chain
|
||||||
fi
|
fi
|
||||||
@ -1720,7 +1725,10 @@ report_capabilities() {
|
|||||||
report_capability "IP range Match" $IPRANGE_MATCH
|
report_capability "IP range Match" $IPRANGE_MATCH
|
||||||
report_capability "Recent Match" $RECENT_MATCH
|
report_capability "Recent Match" $RECENT_MATCH
|
||||||
report_capability "Owner Match" $OWNER_MATCH
|
report_capability "Owner Match" $OWNER_MATCH
|
||||||
|
if [ -n "$IPSET_MATCH" ]; then
|
||||||
report_capability "Ipset Match" $IPSET_MATCH
|
report_capability "Ipset Match" $IPSET_MATCH
|
||||||
|
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
|
||||||
|
fi
|
||||||
report_capability "CONNMARK Target" $CONNMARK
|
report_capability "CONNMARK Target" $CONNMARK
|
||||||
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
|
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
|
||||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||||
@ -1784,6 +1792,7 @@ report_capabilities1() {
|
|||||||
report_capability1 RECENT_MATCH
|
report_capability1 RECENT_MATCH
|
||||||
report_capability1 OWNER_MATCH
|
report_capability1 OWNER_MATCH
|
||||||
report_capability1 IPSET_MATCH
|
report_capability1 IPSET_MATCH
|
||||||
|
report_capability1 OLD_IPSET_MATCH
|
||||||
report_capability1 CONNMARK
|
report_capability1 CONNMARK
|
||||||
report_capability1 XCONNMARK
|
report_capability1 XCONNMARK
|
||||||
report_capability1 CONNMARK_MATCH
|
report_capability1 CONNMARK_MATCH
|
||||||
|
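Review bot: The description passed in the new `report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH` line does not match the Perl side, where `%capdesc` names the same capability `'Old Ipset Match'`, and it is the only entry in this list spelled with an underscore; the identical line appears again in the shorewall6 library hunk further down this page. If `report_capability` prints that string, the two reporting paths will label one capability two different ways, which is the kind of mismatch that makes capability output hard to compare between the compiler and the lite libraries. Suggested for both files: `[ -n "$OLD_IPSET_MATCH" ] && report_capability "Old Ipset Match" $OLD_IPSET_MATCH`. report_capabilities continues outside the hunk.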
@ -300,6 +300,12 @@ None.
|
|||||||
4) 'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6
|
4) 'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6
|
||||||
compilations.
|
compilations.
|
||||||
|
|
||||||
|
5) Shorewall now detects the presence of a recent ipset iptables
|
||||||
|
module and uses its new syntax. This avoids a warning on iptables
|
||||||
|
1.4.9. This change involves a new capabilities file version so if
|
||||||
|
you use a capabilities file, be sure to regenerate it with 4.4.12
|
||||||
|
shorewall-lite or shorewall6-lite.
|
||||||
|
|
||||||
----------------------------------------------------------------------------
|
----------------------------------------------------------------------------
|
||||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||||
I N P R I O R R E L E A S E S
|
I N P R I O R R E L E A S E S
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40407
|
SHOREWALL_LIBVERSION=40407
|
||||||
SHOREWALL_CAPVERSION=40411
|
SHOREWALL_CAPVERSION=40412
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||||
|
@ -1200,6 +1200,7 @@ determine_capabilities() {
|
|||||||
RECENT_MATCH=
|
RECENT_MATCH=
|
||||||
OWNER_MATCH=
|
OWNER_MATCH=
|
||||||
IPSET_MATCH=
|
IPSET_MATCH=
|
||||||
|
OLD_IPSET_MATCH=
|
||||||
CONNMARK=
|
CONNMARK=
|
||||||
XCONNMARK=
|
XCONNMARK=
|
||||||
CONNMARK_MATCH=
|
CONNMARK_MATCH=
|
||||||
@ -1414,7 +1415,10 @@ report_capabilities() {
|
|||||||
report_capability "IP range Match" $IPRANGE_MATCH
|
report_capability "IP range Match" $IPRANGE_MATCH
|
||||||
report_capability "Recent Match" $RECENT_MATCH
|
report_capability "Recent Match" $RECENT_MATCH
|
||||||
report_capability "Owner Match" $OWNER_MATCH
|
report_capability "Owner Match" $OWNER_MATCH
|
||||||
|
if [ -n "$IPSET_MATCH" ]; then
|
||||||
report_capability "Ipset Match" $IPSET_MATCH
|
report_capability "Ipset Match" $IPSET_MATCH
|
||||||
|
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
|
||||||
|
fi
|
||||||
report_capability "CONNMARK Target" $CONNMARK
|
report_capability "CONNMARK Target" $CONNMARK
|
||||||
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
|
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
|
||||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||||
@ -1475,6 +1479,7 @@ report_capabilities1() {
|
|||||||
report_capability1 RECENT_MATCH
|
report_capability1 RECENT_MATCH
|
||||||
report_capability1 OWNER_MATCH
|
report_capability1 OWNER_MATCH
|
||||||
report_capability1 IPSET_MATCH
|
report_capability1 IPSET_MATCH
|
||||||
|
report_capability1 OLD_IPSET_MATCH
|
||||||
report_capability1 CONNMARK
|
report_capability1 CONNMARK
|
||||||
report_capability1 XCONNMARK
|
report_capability1 XCONNMARK
|
||||||
report_capability1 CONNMARK_MATCH
|
report_capability1 CONNMARK_MATCH
|
||||||
|