Verify the availability of the LOG target

Tom Eastep 2009-06-25 13:50:27 -07:00
parent 974ae7f3bf
commit 40bb8283d2
5 changed files with 32 additions and 4 deletions


@ -238,6 +238,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
CONNLIMIT_MATCH => 'Connlimit Match',
TIME_MATCH => 'Time Match',
GOTO_TARGET => 'Goto Support',
LOG_TARGET => 'LOG Target',
LOGMARK_TARGET => 'LOGMARK Target',
IPMARK_TARGET => 'IPMARK Target',
CAPVERSION => 'Capability Version',
@ -327,7 +328,7 @@ sub initialize( $ ) {
EXPORT => 0,
UNTRACKED => 0,
VERSION => "4.4.0-Beta2",
CAPVERSION => 40309 ,
CAPVERSION => 40310 ,
);
#
@ -608,6 +609,7 @@ sub initialize( $ ) {
GOTO_TARGET => undef,
LOGMARK_TARGET => undef,
IPMARK_TARGET => undef,
LOG_TARGET => 1, # Assume that we have it.
CAPVERSION => undef,
);
#
@ -1702,8 +1704,16 @@ sub validate_level( $ ) {
if ( defined $level && $level ne '' ) {
$level =~ s/!$//;
my $value = $validlevels{$level};
return $value if defined $value;
return $level if $level =~ /^[0-7]$/;
if ( defined $value ) {
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ) unless $value eq '';
return $value;
}
if ( $level =~ /^[0-7]$/ ) {
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
return $level;
}
if ( $level =~ /^(NFLOG|ULOG)[(](.*)[)]$/ ) {
my $olevel = $1;
@ -1722,14 +1732,17 @@ sub validate_level( $ ) {
$index++;
}
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
return $olevel;
}
if ( $level =~ /^NFLOG --/ or $level =~ /^ULOG --/ ) {
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
return $rawlevel;
}
if ( $level eq 'LOGMARK' ) {
require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' );
require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' );
return 'LOGMARK';
}
@ -2016,6 +2029,7 @@ sub determine_capabilities( $ ) {
$capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
$capabilities{TIME_MATCH} = qt1( "$iptables -A $sillyname -m time --timestart 11:00" );
$capabilities{GOTO_TARGET} = qt1( "$iptables -A $sillyname -g $sillyname1" );
$capabilities{LOG_TARGET} = qt1( "$iptables -A $sillyname -j LOG" );
$capabilities{LOGMARK_TARGET} = qt1( "$iptables -A $sillyname -j LOGMARK" );
qt1( "$iptables -F $sillyname" );
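Review bot: In validate_level the NFLOG/ULOG branches (`/^(NFLOG|ULOG)[(](.*)[)]$/` and `/^NFLOG --/ or /^ULOG --/`) and the LOGMARK branch now call `require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' )`, but the only probe behind that capability in determine_capabilities is `-j LOG`. NFLOG and ULOG are separate iptables targets, so a host that has one of them but lacks LOG would have a valid logging configuration rejected, and the message would not say which target is actually missing. I would keep the LOG_TARGET requirement on the two syslog-level branches (the `%validlevels` hit with a non-empty value and `/^[0-7]$/`) and either drop it from the NFLOG/ULOG/LOGMARK branches or give those targets their own probes. validate_level starts and ends outside the visible hunks, so this is based only on the branches shown.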


@ -6,6 +6,8 @@ Changes in Shorewall 4.4.0-Beta3
3) Fix 'show dynamic'.
4) Check for xt_LOG.
Changes in Shorewall 4.4.0-Beta2
1) The 'find_first_interface_address()' and


@ -30,7 +30,7 @@
#
SHOREWALL_LIBVERSION=40000
SHOREWALL_CAPVERSION=40309
SHOREWALL_CAPVERSION=40310
[ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -819,6 +819,7 @@ determine_capabilities() {
GOTO_TARGET=
LOGMARK_TARGET=
IPMARK_TARGET=
LOG_TARGET=Yes
chain=fooX$$
@ -943,6 +944,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
qt $IPTABLES -F $chain
qt $IPTABLES -X $chain
@ -1008,6 +1010,7 @@ report_capabilities() {
report_capability "Goto Support" $GOTO_TARGET
report_capability "LOGMARK Target" $LOGMARK_TARGET
report_capability "IPMARK Target" $IPMARK_TARGET
report_capability "LOG Target" $LOG_TARGET
fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1064,6 +1067,7 @@ report_capabilities1() {
report_capability1 GOTO_TARGET
report_capability1 LOGMARK_TARGET
report_capability1 IPMARK_TARGET
report_capability1 LOG_TARGET
echo CAPVERSION=$SHOREWALL_CAPVERSION
}
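Review bot: LOG_TARGET is the only capability in determine_capabilities() that starts as `Yes` and is cleared on failure (`qt $IPTABLES -A $chain -j LOG || LOG_TARGET=`); the neighbouring probes start empty and are set with `&& ...=Yes`. If the probe line is never reached (it appears to sit in a block that depends on the scratch chain being created, which is outside these hunks), the generated capabilities file would report "LOG Target" as available without it having been tested. A missing LOG target would then surface only when the ruleset is loaded, not at compile time. Following the existing pattern avoids that: `LOG_TARGET=` in the initialiser and `qt $IPTABLES -A $chain -j LOG && LOG_TARGET=Yes` at the probe. If the optimistic default is intentional, a comment like the Perl side's `# Assume that we have it.` would document it.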


@ -27,6 +27,7 @@ loadmodule nf_conntrack_ipv4
loadmodule iptable_nat
loadmodule xt_state
loadmodule xt_tcpudp
loadmodule ipt_LOG
#
# Other xtables modules
#
@ -120,6 +121,7 @@ loadmodule nf_nat_tftp
#
loadmodule sch_sfq
loadmodule sch_ingress
loadmodule sch_hfsc
loadmodule sch_htb
loadmodule cls_u32
loadmodule cls_fw
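Review bot: `loadmodule ipt_LOG` is added to the core module block without a comment, and the changelog entry in this same commit describes the change as "Check for xt_LOG", so the two module names disagree. I would add a one-line comment above the new line, for example `# LOG target; availability is probed as LOG_TARGET`, and use the same module name in the changelog so an admin auditing why logging is unavailable searches for the right module. The second hunk of this file shows no line that can be identified as changed in this rendering, so it is not covered here.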


@ -146,6 +146,12 @@ None.
macro.Citrix
macro.Razor
2) The Shorewall compiler now checks for availability of the LOG
target if the configuration does any logging. This change involves
a new version of the capabilities file so users employing a
capabilties file should re-generate that file before trying to
start/restart Shorewall.
----------------------------------------------------------------------------
N E W F E A T U R E S IN 4 . 4
----------------------------------------------------------------------------