Add support for future condition initial values.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
7bdce1bc97
commit
409c427134
@ -25,7 +25,7 @@
|
|||||||
# loaded after this one and replaces some of the functions declared here.
|
# loaded after this one and replaces some of the functions declared here.
|
||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_CAPVERSION=40509
|
SHOREWALL_CAPVERSION=40510
|
||||||
|
|
||||||
[ -n "${g_program:=shorewall}" ]
|
[ -n "${g_program:=shorewall}" ]
|
||||||
|
|
||||||
@ -2114,6 +2114,7 @@ determine_capabilities() {
|
|||||||
ACCOUNT_TARGET=
|
ACCOUNT_TARGET=
|
||||||
AUDIT_TARGET=
|
AUDIT_TARGET=
|
||||||
CONDITION_MATCH=
|
CONDITION_MATCH=
|
||||||
|
CONDITION_INIT=
|
||||||
IPTABLES_S=
|
IPTABLES_S=
|
||||||
BASIC_FILTER=
|
BASIC_FILTER=
|
||||||
CT_TARGET=
|
CT_TARGET=
|
||||||
@ -2415,7 +2416,12 @@ determine_capabilities() {
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
|
qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
|
||||||
qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
|
|
||||||
|
if qt $g_tool -A $chain -m condition --condition foo; then
|
||||||
|
CONDITION_MATCH=Yes
|
||||||
|
qt $g_tool -A $chain -m condition --condition foo --condinit 1 && CONDITION_INIT=Yes
|
||||||
|
fi
|
||||||
|
|
||||||
qt $g_tool -S INPUT && IPTABLES_S=Yes
|
qt $g_tool -S INPUT && IPTABLES_S=Yes
|
||||||
qt $g_tool -F $chain
|
qt $g_tool -F $chain
|
||||||
qt $g_tool -X $chain
|
qt $g_tool -X $chain
|
||||||
@ -2516,6 +2522,7 @@ report_capabilities() {
|
|||||||
report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
|
report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
|
||||||
report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
|
report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
|
||||||
report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
|
report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
|
||||||
|
[ -n "$CONDITION_MATCH" ] && report_capability "Condition Initialize (CONDITION_INIT)" $CONDITION_INIT
|
||||||
report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
|
report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
|
||||||
report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
|
report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
|
||||||
report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
|
report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
|
||||||
@ -2626,6 +2633,7 @@ report_capabilities1() {
|
|||||||
report_capability1 AUDIT_TARGET
|
report_capability1 AUDIT_TARGET
|
||||||
report_capability1 IPSET_V5
|
report_capability1 IPSET_V5
|
||||||
report_capability1 CONDITION_MATCH
|
report_capability1 CONDITION_MATCH
|
||||||
|
report_capability1 CONDITION_INIT
|
||||||
report_capability1 IPTABLES_S
|
report_capability1 IPTABLES_S
|
||||||
report_capability1 BASIC_FILTER
|
report_capability1 BASIC_FILTER
|
||||||
report_capability1 CT_TARGET
|
report_capability1 CT_TARGET
|
||||||
|
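Review bot: The new `--condinit 1` probe in determine_capabilities() reuses the fixed condition name `foo`, which the switch-name check in do_condition() on this page would also accept for a real switch. Condition variables live in one namespace under /proc/net/nf_condition/, so if `--condinit` is applied when the named variable already exists, running capability detection on a live firewall could set a production switch called `foo` to 1. I cannot confirm that behaviour from this hunk, so it is worth checking against the match's implementation. A probe name a configuration is unlikely to use would avoid the question, for example `qt $g_tool -A $chain -m condition --condition $chain --condinit 1 && CONDITION_INIT=Yes`, provided `$chain` satisfies the match's name rules. The same applies to `Condition_Init()` in the Perl capability code further down the page; determine_capabilities() starts and ends outside the hunk.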
@ -4662,15 +4662,18 @@ sub do_condition( $$ ) {
|
|||||||
|
|
||||||
fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;
|
fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;
|
||||||
|
|
||||||
|
my $initialization = '';
|
||||||
|
|
||||||
if ( defined $initialize ) {
|
if ( defined $initialize ) {
|
||||||
if ( my $switchref = $switches{$condition} ) {
|
if ( my $switchref = $switches{$condition} ) {
|
||||||
fatal_error "Switch $condition was previously initialized to $switchref->{setting} at $switchref->{where}" unless $switchref->{setting} == $initialize;
|
fatal_error "Switch $condition was previously initialized to $switchref->{setting} at $switchref->{where}" unless $switchref->{setting} == $initialize;
|
||||||
} else {
|
} else {
|
||||||
|
$initialization = "--condinit $initialize " if have_capability 'CONDITION_INIT';
|
||||||
$switches{$condition} = { setting => $initialize, where => currentlineinfo };
|
$switches{$condition} = { setting => $initialize, where => currentlineinfo };
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
"-m condition ${invert}--condition $condition "
|
"-m condition ${invert}--condition $condition"
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -7483,14 +7486,16 @@ sub create_stop_load( $ ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
sub initialize_switches() {
|
sub initialize_switches() {
|
||||||
if ( keys %switches ) {
|
unless ( have_capability 'CONDITION_INIT' ) {
|
||||||
emit( ' if [ $COMMAND = start ]; then' );
|
if ( keys %switches ) {
|
||||||
push_indent;
|
emit( ' if [ $COMMAND = start ]; then' );
|
||||||
while ( my ( $switch, $setting ) = each %switches ) {
|
push_indent;
|
||||||
emit " echo $setting->{setting} > /proc/net/nf_condition/$switch";
|
while ( my ( $switch, $setting ) = each %switches ) {
|
||||||
|
emit " echo $setting->{setting} > /proc/net/nf_condition/$switch";
|
||||||
|
}
|
||||||
|
pop_indent;
|
||||||
|
emit " fi\n";
|
||||||
}
|
}
|
||||||
pop_indent;
|
|
||||||
emit " fi\n";
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
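Review bot: In do_condition(), `$initialization` is assigned but, as the page renders the final expression, it never reaches the returned match string: the second rendering of that line reads `"-m condition ${invert}--condition $condition"`, with no `$initialization` and without the trailing space the first rendering has. initialize_switches() in the same file now skips the `/proc/net/nf_condition/` writes whenever CONDITION_INIT is available, so a switch declared with an initial value would then stay at the kernel default and the rules it gates would not behave as configured. If that is what the commit contains, the return should be `"-m condition ${invert}--condition $condition $initialization"`, which also keeps the separating space when no initial value is given. The start of do_condition(), including any validation of `$initialize` before it is interpolated into `--condinit`, is outside the hunk.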
@ -329,6 +329,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
AUDIT_TARGET => 'AUDIT Target',
|
AUDIT_TARGET => 'AUDIT Target',
|
||||||
RAWPOST_TABLE => 'Rawpost Table',
|
RAWPOST_TABLE => 'Rawpost Table',
|
||||||
CONDITION_MATCH => 'Condition Match',
|
CONDITION_MATCH => 'Condition Match',
|
||||||
|
CONDITION_INIT => 'Condition Initialization',
|
||||||
IPTABLES_S => 'iptables -S',
|
IPTABLES_S => 'iptables -S',
|
||||||
BASIC_FILTER => 'Basic Filter',
|
BASIC_FILTER => 'Basic Filter',
|
||||||
CT_TARGET => 'CT Target',
|
CT_TARGET => 'CT Target',
|
||||||
@ -609,7 +610,7 @@ sub initialize( $;$$) {
|
|||||||
KLUDGEFREE => '',
|
KLUDGEFREE => '',
|
||||||
STATEMATCH => '-m state --state',
|
STATEMATCH => '-m state --state',
|
||||||
VERSION => "4.5.8-Beta2",
|
VERSION => "4.5.8-Beta2",
|
||||||
CAPVERSION => 40509 ,
|
CAPVERSION => 40510 ,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# From shorewall.conf file
|
# From shorewall.conf file
|
||||||
@ -840,6 +841,7 @@ sub initialize( $;$$) {
|
|||||||
ACCOUNT_TARGET => undef,
|
ACCOUNT_TARGET => undef,
|
||||||
AUDIT_TARGET => undef,
|
AUDIT_TARGET => undef,
|
||||||
CONDITION_MATCH => undef,
|
CONDITION_MATCH => undef,
|
||||||
|
CONDITION_INIT => undef,
|
||||||
IPTABLES_S => undef,
|
IPTABLES_S => undef,
|
||||||
BASIC_FILTER => undef,
|
BASIC_FILTER => undef,
|
||||||
CT_TARGET => undef,
|
CT_TARGET => undef,
|
||||||
@ -3440,6 +3442,10 @@ sub Condition_Match() {
|
|||||||
qt1( "$iptables -A $sillyname -m condition --condition foo" );
|
qt1( "$iptables -A $sillyname -m condition --condition foo" );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub Condition_Init() {
|
||||||
|
qt1( "$iptables -A $sillyname -m condition --condition foo --condinit 1" );
|
||||||
|
}
|
||||||
|
|
||||||
sub Audit_Target() {
|
sub Audit_Target() {
|
||||||
qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
|
qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
|
||||||
}
|
}
|
||||||
@ -3509,6 +3515,7 @@ our %detect_capability =
|
|||||||
CHECKSUM_TARGET => \&Checksum_Target,
|
CHECKSUM_TARGET => \&Checksum_Target,
|
||||||
CLASSIFY_TARGET => \&Classify_Target,
|
CLASSIFY_TARGET => \&Classify_Target,
|
||||||
CONDITION_MATCH => \&Condition_Match,
|
CONDITION_MATCH => \&Condition_Match,
|
||||||
|
CONDITION_INIT => \&Condition_Init,
|
||||||
COMMENTS => \&Comments,
|
COMMENTS => \&Comments,
|
||||||
CONNLIMIT_MATCH => \&Connlimit_Match,
|
CONNLIMIT_MATCH => \&Connlimit_Match,
|
||||||
CONNMARK => \&Connmark,
|
CONNMARK => \&Connmark,
|
||||||
@ -3706,6 +3713,7 @@ sub determine_capabilities() {
|
|||||||
$capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
|
$capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
|
||||||
$capabilities{IPSET_V5} = detect_capability( 'IPSET_V5' );
|
$capabilities{IPSET_V5} = detect_capability( 'IPSET_V5' );
|
||||||
$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
|
$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
|
||||||
|
$capabilities{CONDITION_INIT} = detect_capability( 'CONDITION_INIT' );
|
||||||
$capabilities{IPTABLES_S} = detect_capability( 'IPTABLES_S' );
|
$capabilities{IPTABLES_S} = detect_capability( 'IPTABLES_S' );
|
||||||
$capabilities{BASIC_FILTER} = detect_capability( 'BASIC_FILTER' );
|
$capabilities{BASIC_FILTER} = detect_capability( 'BASIC_FILTER' );
|
||||||
$capabilities{CT_TARGET} = detect_capability( 'CT_TARGET' );
|
$capabilities{CT_TARGET} = detect_capability( 'CT_TARGET' );
|
||||||
|
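Review bot: The description added to %capdesc, `'Condition Initialization'`, does not match the label the shell report uses for the same capability, `"Condition Initialize (CONDITION_INIT)"` in report_capabilities(); one wording should be used so the capability is reported under the same name from both code paths. determine_capabilities() here also probes CONDITION_INIT unconditionally, while the shell version only probes it after the CONDITION_MATCH probe succeeds. The outcome is presumably the same, but a comment on `Condition_Init()` such as `# Depends on the condition match; --condinit supplies the switch's initial value` would record the dependency.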