mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 14:48:51 +01:00
Retry return status 4 from iptables
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7765 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
c300f63de7
commit
43b00fbe35
@ -2,6 +2,10 @@ Changes in 4.1.2
|
||||
|
||||
1) Enhanced Operational Logging
|
||||
|
||||
2) Fix undefined value when config file missing.
|
||||
|
||||
3) Handle exit status 4 from iptables.
|
||||
|
||||
Changes in 4.1.1
|
||||
|
||||
1) Fix ULOG/NFLOG output.
|
||||
|
||||
@ -12,7 +12,9 @@ Shorewall 4.1 Patch Release 2.
|
||||
|
||||
Problems corrected in Shorewall 4.1.2.
|
||||
|
||||
None.
|
||||
1) The iptables utility doesn't retry operations that fail due to
|
||||
resource shortage. Beginning with this release, Shorewall reruns
|
||||
iptables when such a failure occurs.
|
||||
|
||||
Other changes in Shorewall 4.1.2.
|
||||
|
||||
|
||||
@ -901,7 +901,10 @@ sub split_line2( $$$ ) {
|
||||
my $columns = $no_pad{$first};
|
||||
|
||||
if ( defined $columns ) {
|
||||
fatal_error "Invalid $first entry" if $columns && @line != $columns;
|
||||
if ( $columns ) {
|
||||
fatal_error "Invalid $first entry" if @line != $columns;
|
||||
}
|
||||
|
||||
return @line
|
||||
}
|
||||
|
||||
@ -1469,6 +1472,11 @@ sub qt( $ ) {
|
||||
system( "@_ > /dev/null 2>&1" ) == 0;
|
||||
}
|
||||
|
||||
sub qt1( $ ) {
|
||||
1 while system( "@_ > /dev/null 2>&1" ) == 4;
|
||||
$? == 0;
|
||||
}
|
||||
|
||||
#
|
||||
# Determine which optional facilities are supported by iptables/netfilter
|
||||
#
|
||||
@ -1478,77 +1486,77 @@ sub determine_capabilities( $ ) {
|
||||
my $pid = $$;
|
||||
my $sillyname = "fooX$pid";
|
||||
|
||||
$capabilities{NAT_ENABLED} = qt( "$iptables -t nat -L -n" );
|
||||
$capabilities{MANGLE_ENABLED} = qt( "$iptables -t mangle -L -n" );
|
||||
$capabilities{NAT_ENABLED} = qt1( "$iptables -t nat -L -n" );
|
||||
$capabilities{MANGLE_ENABLED} = qt1( "$iptables -t mangle -L -n" );
|
||||
|
||||
qt( "$iptables -N $sillyname" );
|
||||
qt1( "$iptables -N $sillyname" );
|
||||
|
||||
$capabilities{CONNTRACK_MATCH} = qt( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
|
||||
$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
|
||||
|
||||
if ( qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
|
||||
if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
|
||||
$capabilities{MULTIPORT} = 1;
|
||||
$capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
|
||||
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
|
||||
}
|
||||
|
||||
$capabilities{XMULTIPORT} = qt( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
|
||||
$capabilities{POLICY_MATCH} = qt( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
|
||||
$capabilities{XMULTIPORT} = qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
|
||||
$capabilities{POLICY_MATCH} = qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
|
||||
|
||||
if ( qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) {
|
||||
if ( qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -j ACCEPT" ) ) {
|
||||
$capabilities{PHYSDEV_MATCH} = 1;
|
||||
$capabilities{PHYSDEV_BRIDGE} = qt( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" );
|
||||
$capabilities{PHYSDEV_BRIDGE} = qt1( "$iptables -A $sillyname -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT" );
|
||||
unless ( $capabilities{KLUDGEFREE} ) {
|
||||
$capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
|
||||
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
|
||||
}
|
||||
}
|
||||
|
||||
if ( qt( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
|
||||
if ( qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT" ) ) {
|
||||
$capabilities{IPRANGE_MATCH} = 1;
|
||||
unless ( $capabilities{KLUDGEFREE} ) {
|
||||
$capabilities{KLUDGEFREE} = qt( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
|
||||
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT" );
|
||||
}
|
||||
}
|
||||
|
||||
$capabilities{RECENT_MATCH} = qt( "$iptables -A $sillyname -m recent --update -j ACCEPT" );
|
||||
$capabilities{OWNER_MATCH} = qt( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
|
||||
$capabilities{RECENT_MATCH} = qt1( "$iptables -A $sillyname -m recent --update -j ACCEPT" );
|
||||
$capabilities{OWNER_MATCH} = qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
|
||||
|
||||
if ( qt( "$iptables -A $sillyname -m connmark --mark 2 -j ACCEPT" )) {
|
||||
if ( qt1( "$iptables -A $sillyname -m connmark --mark 2 -j ACCEPT" )) {
|
||||
$capabilities{CONNMARK_MATCH} = 1;
|
||||
$capabilities{XCONNMARK_MATCH} = qt( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" );
|
||||
$capabilities{XCONNMARK_MATCH} = qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" );
|
||||
}
|
||||
|
||||
$capabilities{IPP2P_MATCH} = qt( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" );
|
||||
$capabilities{LENGTH_MATCH} = qt( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
|
||||
$capabilities{ENHANCED_REJECT} = qt( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
|
||||
$capabilities{COMMENTS} = qt( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
|
||||
$capabilities{IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" );
|
||||
$capabilities{LENGTH_MATCH} = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
|
||||
$capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp-host-prohibited" );
|
||||
$capabilities{COMMENTS} = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );
|
||||
|
||||
if ( $capabilities{MANGLE_ENABLED} ) {
|
||||
qt( "$iptables -t mangle -N $sillyname" );
|
||||
qt1( "$iptables -t mangle -N $sillyname" );
|
||||
|
||||
if ( qt( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) {
|
||||
if ( qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ) ) {
|
||||
$capabilities{MARK} = 1;
|
||||
$capabilities{XMARK} = qt( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" );
|
||||
$capabilities{XMARK} = qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" );
|
||||
}
|
||||
|
||||
if ( qt( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) {
|
||||
if ( qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ) ) {
|
||||
$capabilities{CONNMARK} = 1;
|
||||
$capabilities{XCONNMARK} = qt( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" );
|
||||
$capabilities{XCONNMARK} = qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" );
|
||||
}
|
||||
|
||||
$capabilities{CLASSIFY_TARGET} = qt( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
|
||||
qt( "$iptables -t mangle -F $sillyname" );
|
||||
qt( "$iptables -t mangle -X $sillyname" );
|
||||
$capabilities{CLASSIFY_TARGET} = qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
|
||||
qt1( "$iptables -t mangle -F $sillyname" );
|
||||
qt1( "$iptables -t mangle -X $sillyname" );
|
||||
|
||||
$capabilities{MANGLE_FORWARD} = qt( "$iptables -t mangle -L FORWARD -n" );
|
||||
$capabilities{MANGLE_FORWARD} = qt1( "$iptables -t mangle -L FORWARD -n" );
|
||||
}
|
||||
|
||||
$capabilities{RAW_TABLE} = qt( "$iptables -t raw -L -n" );
|
||||
$capabilities{RAW_TABLE} = qt1( "$iptables -t raw -L -n" );
|
||||
|
||||
if ( which 'ipset' ) {
|
||||
qt( "ipset -X $sillyname" );
|
||||
|
||||
if ( qt( "ipset -N $sillyname iphash" ) ) {
|
||||
if ( qt( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
|
||||
qt( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
|
||||
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
|
||||
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
|
||||
$capabilities{IPSET_MATCH} = 1;
|
||||
}
|
||||
|
||||
@ -1556,16 +1564,16 @@ sub determine_capabilities( $ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$capabilities{USEPKTTYPE} = qt( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
||||
$capabilities{ADDRTYPE} = qt( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
||||
$capabilities{TCPMSS_MATCH} = qt( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
||||
$capabilities{HASHLIMIT_MATCH} = qt( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
|
||||
$capabilities{NFQUEUE_TARGET} = qt( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
|
||||
$capabilities{USEPKTTYPE} = qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
|
||||
$capabilities{ADDRTYPE} = qt1( "$iptables -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
|
||||
$capabilities{TCPMSS_MATCH} = qt1( "$iptables -A $sillyname -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT" );
|
||||
$capabilities{HASHLIMIT_MATCH} = qt1( "$iptables -A $sillyname -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name fooX1234 --hashlimit-mode dstip -j ACCEPT" );
|
||||
$capabilities{NFQUEUE_TARGET} = qt1( "$iptables -A $sillyname -j NFQUEUE --queue-num 4" );
|
||||
|
||||
$capabilities{REALM_MATCH} = qt( "$iptables -A $sillyname -m realm --realm 1" );
|
||||
$capabilities{REALM_MATCH} = qt1( "$iptables -A $sillyname -m realm --realm 1" );
|
||||
|
||||
qt( "$iptables -F $sillyname" );
|
||||
qt( "$iptables -X $sillyname" );
|
||||
qt1( "$iptables -F $sillyname" );
|
||||
qt1( "$iptables -X $sillyname" );
|
||||
|
||||
$capabilities{CAPVERSION} = $globals{CAPVERSION};
|
||||
}
|
||||
|
||||
@ -103,7 +103,12 @@ startup_error() # $* = Error Message
|
||||
#
|
||||
run_iptables()
|
||||
{
|
||||
if ! $IPTABLES $@; then
|
||||
while [ 1 ]; do
|
||||
$IPTABLES $@
|
||||
[ $? -ne 4 ] && break
|
||||
done
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
error_message "ERROR: Command \"$IPTABLES $@\" Failed"
|
||||
stop_firewall
|
||||
exit 2
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
#!/bin/sh
|
||||
|
||||
#STYLESHEET=/home/teastep/Shorewall/docbook-xsl-1.62.4//xhtml/docbook.xsl
|
||||
STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/xhtml/docbook.xsl
|
||||
STYLESHEET=/usr/share/xml/docbook/stylesheet/nwalsh/current/xhtml/docbook.xsl
|
||||
WEBSITE=/home/teastep/Shorewall/Website
|
||||
HTMFILES="
|
||||
6to4.htm
|
||||
|
||||
Loading…
Reference in New Issue
Block a user