From 4cc8e5422dc55d3a61ecc21429e1fb204fc4a73d Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 29 Jan 2011 14:18:53 -0800 Subject: [PATCH] Add ACCOUNT target detection --- Shorewall/Perl/Shorewall/Config.pm | 15 +++++++++++++-- Shorewall/lib.base | 2 +- Shorewall/lib.cli | 4 ++++ Shorewall6/lib.base | 2 +- Shorewall6/lib.cli | 4 ++++ 5 files changed, 23 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 4909864e4..d0ac8fd8d 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -258,6 +258,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT', FWMARK_RT_MASK => 'fwmark route mask', MARK_ANYWHERE => 'Mark in any table', HEADER_MATCH => 'Header Match', + ACCOUNT_TARGET => 'ACCOUNT Target', CAPVERSION => 'Capability Version', KERNELVERSION => 'Kernel Version', ); @@ -365,7 +366,7 @@ sub initialize( $ ) { STATEMATCH => '-m state --state', UNTRACKED => 0, VERSION => "4.4.17-Beta2", - CAPVERSION => 40415 , + CAPVERSION => 40417 , ); # # From shorewall.conf file @@ -2457,8 +2458,17 @@ sub Header_Match() { qt1( "$iptables -A $sillyname -m ipv6header --header 255 -j ACCEPT" ); } +sub Account_Target() { + if ( $family == F_IPV4 ) { + qt1( "$iptables -A $sillyname -j ACCOUNT --addr 192.168.1.0/29 --tname $sillyname" ); + } else { + qt1( "$iptables -A $sillyname -j ACCOUNT --addr 1::/122 --tname $sillyname" ); + } +} + our %detect_capability = - ( ADDRTYPE => \&Addrtype, + ( ACCOUNT_TARGET =>\&Account_Target, + ADDRTYPE => \&Addrtype, CLASSIFY_TARGET => \&Classify_Target, COMMENTS => \&Comments, CONNLIMIT_MATCH => \&Connlimit_Match, 
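Review bot: Account_Target() is added without a comment, and the probe networks `192.168.1.0/29` and `1::/122` look arbitrary to a reader. Suggest a header above the sub such as `# Probe for the ACCOUNT target: the rule goes into the scratch chain $sillyname; --addr/--tname only need to be accepted`. Because the probe passes `--tname $sillyname`, it is worth confirming that removing the rule (the `-F $sillyname` later in determine_capabilities()) also releases any named accounting table the target may register; that behaviour is not visible in this patch. In the `%detect_capability` entry, `ACCOUNT_TARGET =>\&Account_Target,` lacks the space after `=>` that the neighbouring entries have. The hash continues past the end of the hunk.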
@@ -2631,6 +2641,7 @@ sub determine_capabilities() { $capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' ); $capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' ); $capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' ); + $capabilities{ACCOUNT_TARGET} = detect_capability( 'ACCOUNT_TARGET' ); qt1( "$iptables -F $sillyname" ); diff --git a/Shorewall/lib.base b/Shorewall/lib.base index d3ba701fc..5adad0e93 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -29,7 +29,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40415 +SHOREWALL_CAPVERSION=40417 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index d928cfa74..d77440ceb 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -1660,6 +1660,7 @@ determine_capabilities() { FWMARK_RT_MASK= MARK_ANYWHERE= HEADER_MATCH= + ACCOUNT_TARGET= chain=fooX$$ @@ -1798,6 +1799,7 @@ determine_capabilities() { qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes qt $IPTABLES -A $chain -j LOG || LOG_TARGET= qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes + qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes qt $IPTABLES -F $chain qt $IPTABLES -X $chain @@ -1879,6 +1881,7 @@ report_capabilities() { report_capability "fwmark route mask" $FWMARK_RT_MASK report_capability "Mark in any table" $MARK_ANYWHERE report_capability "Header Match" $HEADER_MATCH + report_capability "ACCOUNT Target" $ACCOUNT_TARGET fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -1945,6 +1948,7 @@ report_capabilities1() { report_capability1 FWMARK_RT_MASK report_capability1 MARK_ANYWHERE report_capability1 HEADER_MATCH + report_capability1 ACCOUNT_TARGET echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base index 30698be6c..13736ab3e 100644 --- a/Shorewall6/lib.base +++ b/Shorewall6/lib.base 
@@ -33,7 +33,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40415 +SHOREWALL_CAPVERSION=40417 [ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ] diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli index 8745951d4..bf15b74ae 100644 --- a/Shorewall6/lib.cli +++ b/Shorewall6/lib.cli @@ -1335,6 +1335,7 @@ determine_capabilities() { FWMARK_RT_MASK= MARK_ANYWHERE= HEADER_MATCH= + ACCOUNT_TARGET= chain=fooX$$ @@ -1478,6 +1479,7 @@ determine_capabilities() { qt $IP6TABLES -A $chain -j LOG || LOG_TARGET= qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes + qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/29 --tname $chain qt $IP6TABLES -F $chain qt $IP6TABLES -X $chain @@ -1556,6 +1558,7 @@ report_capabilities() { report_capability "fwmark route mask" $FWMARK_RT_MASK report_capability "Mark in any table" $MARK_ANYWHERE report_capability "Header Match" $HEADER_MATCH + report_capability "ACCOUNT Match" $ACCOUNT_TARGET fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -1619,6 +1622,7 @@ report_capabilities1() { report_capability1 FWMARK_RT_MASK report_capability1 MARK_ANYWHERE report_capability1 HEADER_MATCH + report_capability1 ACCOUNT_TARGET echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION
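Review bot: The IPv6 probe added to determine_capabilities() in Shorewall6/lib.cli never records its result: `qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/29 --tname $chain` has no `&& ACCOUNT_TARGET=Yes`, so ACCOUNT_TARGET stays empty whatever the kernel supports. It also probes with `/29`, while the IPv6 branch of Account_Target() in Config.pm uses `1::/122`, so the shell and Perl detectors can disagree on the same host. Suggest `qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes`. The failure direction is safe, since the capability is reported missing rather than assumed present, but a capabilities file generated by this library will hide a target that is actually available. determine_capabilities() starts and ends outside the hunk.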
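Review bot: The label added to report_capabilities() in Shorewall6/lib.cli is `"ACCOUNT Match"`, but ACCOUNT is used as a target (`-j ACCOUNT`), and both `%capdesc` in Config.pm and Shorewall/lib.cli name it 'ACCOUNT Target'. Change the line to `report_capability "ACCOUNT Target" $ACCOUNT_TARGET` so the IPv4 and IPv6 capability listings read the same and nobody goes looking for a `-m ACCOUNT` match.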