From 40bb8283d29d0965e73711bb89768a030fde8436 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 25 Jun 2009 13:50:27 -0700 Subject: [PATCH] Verify the availability of the LOG target --- Shorewall/Perl/Shorewall/Config.pm | 20 +++++++++++++++++--- Shorewall/changelog.txt | 2 ++ Shorewall/lib.base | 6 +++++- Shorewall/modules | 2 ++ Shorewall/releasenotes.txt | 6 ++++++ 5 files changed, 32 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index ecc231ca6..eb50cac64 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -238,6 +238,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT', CONNLIMIT_MATCH => 'Connlimit Match', TIME_MATCH => 'Time Match', GOTO_TARGET => 'Goto Support', + LOG_TARGET => 'LOG Target', LOGMARK_TARGET => 'LOGMARK Target', IPMARK_TARGET => 'IPMARK Target', CAPVERSION => 'Capability Version', @@ -327,7 +328,7 @@ sub initialize( $ ) { EXPORT => 0, UNTRACKED => 0, VERSION => "4.4.0-Beta2", - CAPVERSION => 40309 , + CAPVERSION => 40310 , ); # @@ -608,6 +609,7 @@ sub initialize( $ ) { GOTO_TARGET => undef, LOGMARK_TARGET => undef, IPMARK_TARGET => undef, + LOG_TARGET => 1, # Assume that we have it. CAPVERSION => undef, ); # @@ -1702,8 +1704,16 @@ sub validate_level( $ ) { if ( defined $level && $level ne '' ) { $level =~ s/!$//; my $value = $validlevels{$level}; - return $value if defined $value; - return $level if $level =~ /^[0-7]$/; + + if ( defined $value ) { + require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ) unless $value eq ''; + return $value; + } + + if ( $level =~ /^[0-7]$/ ) { + require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ); + return $level; + } if ( $level =~ /^(NFLOG|ULOG)[(](.*)[)]$/ ) { my $olevel = $1; 
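Review bot: `LOG_TARGET => 1, # Assume that we have it.` in the `@@ -608` hunk departs from the `undef` default every sibling capability gets in that list, and the inline comment says what but not why. If the intent is to keep logging configurations working when an older capabilities file (CAPVERSION below 40310, which carries no LOG_TARGET entry) is read, the comment should say so, e.g. `LOG_TARGET => 1, # Default to present so capabilities files older than 40310 still permit logging`; if the file reader resets capabilities it does not find, the default is dead and should match its neighbours. initialize starts before that hunk and continues after it.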
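Review bot: The same `require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' )` call is pasted into both new branches of the `@@ -1702` hunk and three more times in the following `@@ -1722` hunk, so the next log-level form added to validate_level will silently miss the check. A one-line private helper, `sub _require_log_target() { require_capability( 'LOG_TARGET', 'A log level other than NONE', 's' ) }`, called from each branch keeps the capability name and message in one place. The first branch's `unless $value eq ''` presumably relies on %validlevels mapping NONE to the empty string, which the hunk does not show; a comment such as `# NONE maps to '' and needs no LOG target` would make that explicit. validate_level's signature and the remainder of its body lie outside this hunk.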
@@ -1722,14 +1732,17 @@ sub validate_level( $ ) { $index++; } + require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ); return $olevel; } if ( $level =~ /^NFLOG --/ or $level =~ /^ULOG --/ ) { + require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ); return $rawlevel; } if ( $level eq 'LOGMARK' ) { + require_capability ( 'LOG_TARGET' , 'A log level other than NONE', 's' ); require_capability( 'LOGMARK_TARGET' , 'LOGMARK', 's' ); return 'LOGMARK'; } @@ -2016,6 +2029,7 @@ sub determine_capabilities( $ ) { $capabilities{CONNLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" ); $capabilities{TIME_MATCH} = qt1( "$iptables -A $sillyname -m time --timestart 11:00" ); $capabilities{GOTO_TARGET} = qt1( "$iptables -A $sillyname -g $sillyname1" ); + $capabilities{LOG_TARGET} = qt1( "$iptables -A $sillyname -j LOG" ); $capabilities{LOGMARK_TARGET} = qt1( "$iptables -A $sillyname -j LOGMARK" ); qt1( "$iptables -F $sillyname" ); diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 816e63b11..b87e711de 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -6,6 +6,8 @@ Changes in Shorewall 4.4.0-Beta3 3) Fix 'show dynamic'. +4) Check for xt_LOG. + Changes in Shorewall 4.4.0-Beta2 1) The 'find_first_interface_address()' and diff --git a/Shorewall/lib.base b/Shorewall/lib.base index 6ba82b93e..ded768e34 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -30,7 +30,7 @@ # SHOREWALL_LIBVERSION=40000 -SHOREWALL_CAPVERSION=40309 +SHOREWALL_CAPVERSION=40310 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] @@ -819,6 +819,7 @@ determine_capabilities() { GOTO_TARGET= LOGMARK_TARGET= IPMARK_TARGET= + LOG_TARGET=Yes chain=fooX$$ 
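Review bot: The NFLOG and ULOG branches in the `@@ -1722` hunk now require the LOG_TARGET capability, yet those levels emit the NFLOG/ULOG targets rather than LOG, so a kernel that has NFLOG or ULOG support but no LOG target would be refused a configuration it can actually run. If `-j LOG` is meant as a proxy for "any logging support", the %capdesc text `'LOG Target'` and the `require_capability` message should say so; otherwise those branches should probe their own target rather than LOG. The LOGMARK branch raises the same question, since it already checks `LOGMARK_TARGET`. validate_level starts before this hunk and ends after it.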
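Review bot: `LOG_TARGET=Yes` in the lib.base `@@ -819` hunk is initialised to a true value while every sibling on the surrounding lines (`GOTO_TARGET=`, `LOGMARK_TARGET=`, `IPMARK_TARGET=`) starts empty, and the probe in the later `@@ -943` hunk (`qt $IPTABLES -A $chain -j LOG || LOG_TARGET=`) is consequently inverted relative to the `&& X=Yes` form used on its neighbours. Unless something between the two hunks can skip the probe, the true default buys nothing; initialising `LOG_TARGET=` and probing with `qt $IPTABLES -A $chain -j LOG && LOG_TARGET=Yes` would match the surrounding style and read the same way as the Perl side's `$capabilities{LOG_TARGET} = qt1( ... )`. determine_capabilities starts before the first of these hunks and continues past the second.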
@@ -943,6 +944,7 @@ determine_capabilities() { qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes + qt $IPTABLES -A $chain -j LOG || LOG_TARGET= qt $IPTABLES -F $chain qt $IPTABLES -X $chain @@ -1008,6 +1010,7 @@ report_capabilities() { report_capability "Goto Support" $GOTO_TARGET report_capability "LOGMARK Target" $LOGMARK_TARGET report_capability "IPMARK Target" $IPMARK_TARGET + report_capability "LOG Target" $LOG_TARGET fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -1064,6 +1067,7 @@ report_capabilities1() { report_capability1 GOTO_TARGET report_capability1 LOGMARK_TARGET report_capability1 IPMARK_TARGET + report_capability1 LOG_TARGET echo CAPVERSION=$SHOREWALL_CAPVERSION } diff --git a/Shorewall/modules b/Shorewall/modules index 2c4be4204..1552ec74c 100644 --- a/Shorewall/modules +++ b/Shorewall/modules @@ -27,6 +27,7 @@ loadmodule nf_conntrack_ipv4 loadmodule iptable_nat loadmodule xt_state loadmodule xt_tcpudp +loadmodule ipt_LOG # # Other xtables modules # @@ -120,6 +121,7 @@ loadmodule nf_nat_tftp # loadmodule sch_sfq loadmodule sch_ingress +loadmodule sch_hfsc loadmodule sch_htb loadmodule cls_u32 loadmodule cls_fw diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 9d9a3fa3e..185b61306 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -146,6 +146,12 @@ None. macro.Citrix macro.Razor +2) The Shorewall compiler now checks for availability of the LOG + target if the configuration does any logging. This change involves + a new version of the capabilities file so users employing a + capabilties file should re-generate that file before trying to + start/restart Shorewall. + ---------------------------------------------------------------------------- N E W F E A T U R E S IN 4 . 4 ----------------------------------------------------------------------------
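Review bot: `loadmodule sch_hfsc` in the modules `@@ -120` hunk is unrelated to the LOG target check this commit is about, and neither the changelog nor the release-notes hunk mentions it. It should either be split into its own commit or get a changelog entry so the behaviour change (an additional traffic-control module loaded at start) is discoverable. The changelog entry also says "Check for xt_LOG" while the module added here is `ipt_LOG`; naming the module the code actually loads would avoid confusion for anyone grepping for it.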