From 409c427134cf0342ba190505e836831afe77e3ab Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 29 Nov 2012 12:15:15 -0800
Subject: [PATCH] Add support for future condition initial values.
Signed-off-by: Tom Eastep
---
 Shorewall-core/lib.cli | 12 ++++++++++--
 Shorewall/Perl/Shorewall/Chains.pm | 21 +++++++++++++--------
 Shorewall/Perl/Shorewall/Config.pm | 10 +++++++++-
 3 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 79b36cc88..08b1c1f92 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=40509
+SHOREWALL_CAPVERSION=40510
 [ -n "${g_program:=shorewall}" ]
@@ -2114,6 +2114,7 @@ determine_capabilities() {
 ACCOUNT_TARGET=
 AUDIT_TARGET=
 CONDITION_MATCH=
+ CONDITION_INIT=
 IPTABLES_S=
 BASIC_FILTER=
 CT_TARGET=
@@ -2415,7 +2416,12 @@ determine_capabilities() {
 fi
 qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
- qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+
+ if qt $g_tool -A $chain -m condition --condition foo; then
+ CONDITION_MATCH=Yes
+ qt $g_tool -A $chain -m condition --condition foo --condinit 1 && CONDITION_INIT=Yes
+ fi
+
 qt $g_tool -S INPUT && IPTABLES_S=Yes
 qt $g_tool -F $chain
 qt $g_tool -X $chain
@@ -2516,6 +2522,7 @@ report_capabilities() {
 report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
 report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
 report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
+ [ -n "$CONDITION_MATCH" ] && report_capability "Condition Initialize (CONDITION_INIT)" $CONDITION_INIT
 report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
 report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
 report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
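Review bot: The new `--condinit 1` probe in the added `if` block targets the condition named `foo`, a name that is global to the kernel's condition table rather than to the throwaway `$chain`; if the module applies `--condinit` to a switch that already exists, every run of capability detection could overwrite a live switch an administrator happens to have named `foo` (whether xt_condition behaves that way is not established by this diff). A name no user rule would plausibly reference removes the doubt, e.g. `qt $g_tool -A $chain -m condition --condition shorewall_probe --condinit 1 && CONDITION_INIT=Yes`, and a comment above the block such as `# use a name no user switch can share: --condinit may reset an existing switch` would record why. Both probe rules are removed by the `-F $chain`/`-X $chain` lines that follow. determine_capabilities() starts and ends outside this hunk.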
@@ -2626,6 +2633,7 @@ report_capabilities1() {
 report_capability1 AUDIT_TARGET
 report_capability1 IPSET_V5
 report_capability1 CONDITION_MATCH
+ report_capability1 CONDITION_INIT
 report_capability1 IPTABLES_S
 report_capability1 BASIC_FILTER
 report_capability1 CT_TARGET
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 5d5cfdbb5..dd33060cf 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4662,15 +4662,18 @@ sub do_condition( $$ ) {
 fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;
+ my $initialization = '';
+
 if ( defined $initialize ) {
 if ( my $switchref = $switches{$condition} ) {
 fatal_error "Switch $condition was previously initialized to $switchref->{setting} at $switchref->{where}" unless $switchref->{setting} == $initialize;
 } else {
+ $initialization = "--condinit $initialize " if have_capability 'CONDITION_INIT';
 $switches{$condition} = { setting => $initialize, where => currentlineinfo };
 }
 }
- "-m condition ${invert}--condition $condition "
+ "-m condition ${invert}--condition $condition"
 }
@@ -7483,14 +7486,16 @@ sub create_stop_load( $ ) {
 }
 sub initialize_switches() {
- if ( keys %switches ) {
- emit( ' if [ $COMMAND = start ]; then' );
- push_indent;
- while ( my ( $switch, $setting ) = each %switches ) {
- emit " echo $setting->{setting} > /proc/net/nf_condition/$switch";
+ unless ( have_capability 'CONDITION_INIT' ) {
+ if ( keys %switches ) {
+ emit( ' if [ $COMMAND = start ]; then' );
+ push_indent;
+ while ( my ( $switch, $setting ) = each %switches ) {
+ emit " echo $setting->{setting} > /proc/net/nf_condition/$switch";
+ }
+ pop_indent;
+ emit " fi\n";
 }
- pop_indent;
- emit " fi\n";
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 9c19f68e6..d34d98bf3 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
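Review bot: `$initialization` is set to `"--condinit $initialize "` in the else branch but never reaches the returned match string, so the new capability has no effect on the generated rule — and since `initialize_switches()` in the same patch now skips the `/proc/net/nf_condition` write when CONDITION_INIT is present, a switch declared with an initial value would be initialized nowhere. The return line should carry it: `"-m condition ${invert}--condition $condition $initialization"`, which also restores the trailing space the removed line had (an empty `$initialization` leaves exactly one), so any match text a caller appends after this string stays separated from `$condition`. The head of do_condition, where `$initialize` and `$invert` are derived, is outside this hunk.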
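Review bot: With CONDITION_INIT available the entire `if [ $COMMAND = start ]` block is omitted, which moves initialization from a deliberately start-only action to whatever `--condinit` does each time the rule is loaded; the old code left a switch's runtime value untouched on restart and reload, and nothing in this diff shows whether `--condinit` preserves an existing switch's value. That is worth confirming against the module before the fallback is dropped, and the assumption should be recorded above the `unless`, e.g. `# With --condinit the kernel sets the initial value when the rule is loaded; the start-only echo below is the fallback for older modules`. The `%switches` entries this loop emits are recorded in do_condition, outside this hunk.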
@@ -329,6 +329,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
 AUDIT_TARGET => 'AUDIT Target',
 RAWPOST_TABLE => 'Rawpost Table',
 CONDITION_MATCH => 'Condition Match',
+ CONDITION_INIT => 'Condition Initialization',
 IPTABLES_S => 'iptables -S',
 BASIC_FILTER => 'Basic Filter',
 CT_TARGET => 'CT Target',
@@ -609,7 +610,7 @@ sub initialize( $;$$) {
 KLUDGEFREE => '',
 STATEMATCH => '-m state --state',
 VERSION => "4.5.8-Beta2",
- CAPVERSION => 40509 ,
+ CAPVERSION => 40510 ,
 );
 #
 # From shorewall.conf file
@@ -840,6 +841,7 @@ sub initialize( $;$$) {
 ACCOUNT_TARGET => undef,
 AUDIT_TARGET => undef,
 CONDITION_MATCH => undef,
+ CONDITION_INIT => undef,
 IPTABLES_S => undef,
 BASIC_FILTER => undef,
 CT_TARGET => undef,
@@ -3440,6 +3442,10 @@ sub Condition_Match() {
 qt1( "$iptables -A $sillyname -m condition --condition foo" );
 }
+sub Condition_Init() {
+ qt1( "$iptables -A $sillyname -m condition --condition foo --condinit 1" );
+}
+
 sub Audit_Target() {
 qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
 }
@@ -3509,6 +3515,7 @@ our %detect_capability =
 CHECKSUM_TARGET => \&Checksum_Target,
 CLASSIFY_TARGET => \&Classify_Target,
 CONDITION_MATCH => \&Condition_Match,
+ CONDITION_INIT => \&Condition_Init,
 COMMENTS => \&Comments,
 CONNLIMIT_MATCH => \&Connlimit_Match,
 CONNMARK => \&Connmark,
@@ -3706,6 +3713,7 @@ sub determine_capabilities() {
 $capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
 $capabilities{IPSET_V5} = detect_capability( 'IPSET_V5' );
 $capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
+ $capabilities{CONDITION_INIT} = detect_capability( 'CONDITION_INIT' );
 $capabilities{IPTABLES_S} = detect_capability( 'IPTABLES_S' );
 $capabilities{BASIC_FILTER} = detect_capability( 'BASIC_FILTER' );
 $capabilities{CT_TARGET} = detect_capability( 'CT_TARGET' );
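Review bot: The added `detect_capability( 'CONDITION_INIT' )` call runs the `--condinit 1` probe unconditionally, whereas lib.cli in the same patch only attempts it after the `CONDITION_MATCH` probe succeeded; the two detectors should agree so that `shorewall show capabilities` and the compiler's own detection report the same set. Gating it is one line, `$capabilities{CONDITION_INIT} = detect_capability( 'CONDITION_INIT' ) if $capabilities{CONDITION_MATCH};`, leaving the `undef` set by the initializer hunk otherwise — assuming undef is also what detect_capability yields for an absent capability, which this diff does not show. A short comment on the line, e.g. `# --condinit only makes sense where -m condition itself is available`, would make the dependency explicit. determine_capabilities() starts and ends outside this hunk.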