mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-19 17:28:35 +02:00
Add ACCOUNT target detection
parent
4a040135e5
commit
4cc8e5422d
@ -258,6 +258,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
FWMARK_RT_MASK => 'fwmark route mask',
|
FWMARK_RT_MASK => 'fwmark route mask',
|
||||||
MARK_ANYWHERE => 'Mark in any table',
|
MARK_ANYWHERE => 'Mark in any table',
|
||||||
HEADER_MATCH => 'Header Match',
|
HEADER_MATCH => 'Header Match',
|
||||||
|
ACCOUNT_TARGET => 'ACCOUNT Target',
|
||||||
CAPVERSION => 'Capability Version',
|
CAPVERSION => 'Capability Version',
|
||||||
KERNELVERSION => 'Kernel Version',
|
KERNELVERSION => 'Kernel Version',
|
||||||
);
|
);
|
||||||
@ -365,7 +366,7 @@ sub initialize( $ ) {
|
|||||||
STATEMATCH => '-m state --state',
|
STATEMATCH => '-m state --state',
|
||||||
UNTRACKED => 0,
|
UNTRACKED => 0,
|
||||||
VERSION => "4.4.17-Beta2",
|
VERSION => "4.4.17-Beta2",
|
||||||
CAPVERSION => 40415 ,
|
CAPVERSION => 40417 ,
|
||||||
);
|
);
|
||||||
#
|
#
|
||||||
# From shorewall.conf file
|
# From shorewall.conf file
|
||||||
@ -2457,8 +2458,17 @@ sub Header_Match() {
|
|||||||
qt1( "$iptables -A $sillyname -m ipv6header --header 255 -j ACCEPT" );
|
qt1( "$iptables -A $sillyname -m ipv6header --header 255 -j ACCEPT" );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub Account_Target() {
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
|
qt1( "$iptables -A $sillyname -j ACCOUNT --addr 192.168.1.0/29 --tname $sillyname" );
|
||||||
|
} else {
|
||||||
|
qt1( "$iptables -A $sillyname -j ACCOUNT --addr 1::/122 --tname $sillyname" );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
our %detect_capability =
|
our %detect_capability =
|
||||||
( ADDRTYPE => \&Addrtype,
|
( ACCOUNT_TARGET =>\&Account_Target,
|
||||||
|
ADDRTYPE => \&Addrtype,
|
||||||
CLASSIFY_TARGET => \&Classify_Target,
|
CLASSIFY_TARGET => \&Classify_Target,
|
||||||
COMMENTS => \&Comments,
|
COMMENTS => \&Comments,
|
||||||
CONNLIMIT_MATCH => \&Connlimit_Match,
|
CONNLIMIT_MATCH => \&Connlimit_Match,
|
||||||
@ -2631,6 +2641,7 @@ sub determine_capabilities() {
|
|||||||
$capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' );
|
$capabilities{FLOW_FILTER} = detect_capability( 'FLOW_FILTER' );
|
||||||
$capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' );
|
$capabilities{FWMARK_RT_MASK} = detect_capability( 'FWMARK_RT_MASK' );
|
||||||
$capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' );
|
$capabilities{MARK_ANYWHERE} = detect_capability( 'MARK_ANYWHERE' );
|
||||||
|
$capabilities{ACCOUNT_TARGET} = detect_capability( 'ACCOUNT_TARGET' );
|
||||||
|
|
||||||
|
|
||||||
qt1( "$iptables -F $sillyname" );
|
qt1( "$iptables -F $sillyname" );
|
||||||
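Review bot: In `Account_Target` the IPv6 branch probes with `--addr 1::/122`, while the shorewall6 shell probe in this same commit uses `--addr 1::/29`, so the compiler and the shell library can report different results for the same kernel. As far as I know the ACCOUNT extension is registered for IPv4 only, in which case the IPv6 branch would always fail; please confirm, and if so say it in a comment or skip the probe for non-IPv4 families. The sub has no explicit result and depends on the value of the last `qt1` call, which a one-line comment above it would make clear, for example `# Returns true when the ACCOUNT rule is accepted; address and table name are arbitrary probe values`. Minor style point: `ACCOUNT_TARGET =>\&Account_Target,` lacks the space after `=>` that the neighbouring `%detect_capability` entries have.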
|
@ -29,7 +29,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40407
|
SHOREWALL_LIBVERSION=40407
|
||||||
SHOREWALL_CAPVERSION=40415
|
SHOREWALL_CAPVERSION=40417
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||||
|
@ -1660,6 +1660,7 @@ determine_capabilities() {
|
|||||||
FWMARK_RT_MASK=
|
FWMARK_RT_MASK=
|
||||||
MARK_ANYWHERE=
|
MARK_ANYWHERE=
|
||||||
HEADER_MATCH=
|
HEADER_MATCH=
|
||||||
|
ACCOUNT_TARGET=
|
||||||
|
|
||||||
chain=fooX$$
|
chain=fooX$$
|
||||||
|
|
||||||
@ -1798,6 +1799,7 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
|
qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
|
||||||
qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
|
qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
|
||||||
qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
|
qt $IPTABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
|
||||||
|
qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
|
||||||
|
|
||||||
qt $IPTABLES -F $chain
|
qt $IPTABLES -F $chain
|
||||||
qt $IPTABLES -X $chain
|
qt $IPTABLES -X $chain
|
||||||
@ -1879,6 +1881,7 @@ report_capabilities() {
|
|||||||
report_capability "fwmark route mask" $FWMARK_RT_MASK
|
report_capability "fwmark route mask" $FWMARK_RT_MASK
|
||||||
report_capability "Mark in any table" $MARK_ANYWHERE
|
report_capability "Mark in any table" $MARK_ANYWHERE
|
||||||
report_capability "Header Match" $HEADER_MATCH
|
report_capability "Header Match" $HEADER_MATCH
|
||||||
|
report_capability "ACCOUNT Target" $ACCOUNT_TARGET
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
@ -1945,6 +1948,7 @@ report_capabilities1() {
|
|||||||
report_capability1 FWMARK_RT_MASK
|
report_capability1 FWMARK_RT_MASK
|
||||||
report_capability1 MARK_ANYWHERE
|
report_capability1 MARK_ANYWHERE
|
||||||
report_capability1 HEADER_MATCH
|
report_capability1 HEADER_MATCH
|
||||||
|
report_capability1 ACCOUNT_TARGET
|
||||||
|
|
||||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
echo KERNELVERSION=$KERNELVERSION
|
echo KERNELVERSION=$KERNELVERSION
|
||||||
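Review bot: The new probe in `determine_capabilities`, `qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain`, carries no comment explaining that the network and table name are throwaway values, and it presumably registers an accounting table named after the scratch chain as a side effect. The visible cleanup is only the `-F`/`-X` of `$chain` that follows; I assume that also releases the table, but that should be confirmed on a kernel with the module loaded. I would add a comment above the probe such as `# ACCOUNT probe: address/table name are arbitrary; the rule is removed by the -F/-X below`. The function body starts and ends outside the hunks shown, so any earlier cleanup path for failed probes is not visible here.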
|
@ -33,7 +33,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40407
|
SHOREWALL_LIBVERSION=40407
|
||||||
SHOREWALL_CAPVERSION=40415
|
SHOREWALL_CAPVERSION=40417
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||||
|
@ -1335,6 +1335,7 @@ determine_capabilities() {
|
|||||||
FWMARK_RT_MASK=
|
FWMARK_RT_MASK=
|
||||||
MARK_ANYWHERE=
|
MARK_ANYWHERE=
|
||||||
HEADER_MATCH=
|
HEADER_MATCH=
|
||||||
|
ACCOUNT_TARGET=
|
||||||
|
|
||||||
chain=fooX$$
|
chain=fooX$$
|
||||||
|
|
||||||
@ -1478,6 +1479,7 @@ determine_capabilities() {
|
|||||||
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
|
qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
|
||||||
qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
|
qt $IP6TABLES -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
|
||||||
qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
|
qt $IP6TABLES -A $chain -m ipv6header --header 255 && HEADER_MATCH=Yes
|
||||||
|
qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/29 --tname $chain
|
||||||
|
|
||||||
qt $IP6TABLES -F $chain
|
qt $IP6TABLES -F $chain
|
||||||
qt $IP6TABLES -X $chain
|
qt $IP6TABLES -X $chain
|
||||||
@ -1556,6 +1558,7 @@ report_capabilities() {
|
|||||||
report_capability "fwmark route mask" $FWMARK_RT_MASK
|
report_capability "fwmark route mask" $FWMARK_RT_MASK
|
||||||
report_capability "Mark in any table" $MARK_ANYWHERE
|
report_capability "Mark in any table" $MARK_ANYWHERE
|
||||||
report_capability "Header Match" $HEADER_MATCH
|
report_capability "Header Match" $HEADER_MATCH
|
||||||
|
report_capability "ACCOUNT Match" $ACCOUNT_TARGET
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
@ -1619,6 +1622,7 @@ report_capabilities1() {
|
|||||||
report_capability1 FWMARK_RT_MASK
|
report_capability1 FWMARK_RT_MASK
|
||||||
report_capability1 MARK_ANYWHERE
|
report_capability1 MARK_ANYWHERE
|
||||||
report_capability1 HEADER_MATCH
|
report_capability1 HEADER_MATCH
|
||||||
|
report_capability1 ACCOUNT_TARGET
|
||||||
|
|
||||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
echo KERNELVERSION=$KERNELVERSION
|
echo KERNELVERSION=$KERNELVERSION
|
||||||
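Review bot: The shorewall6 probe `qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/29 --tname $chain` never sets the capability, because unlike the IPv4 library it has no `&& ACCOUNT_TARGET=Yes`, so `ACCOUNT_TARGET` stays empty whatever the kernel supports and the generated capabilities output will always report it as unavailable. It should read `qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/29 --tname $chain && ACCOUNT_TARGET=Yes`. In `report_capabilities` the label is `"ACCOUNT Match"`, whereas the IPv4 library and the Perl `%capdesc` entry both say `ACCOUNT Target`; use `report_capability "ACCOUNT Target" $ACCOUNT_TARGET` for consistency. Both functions continue outside the hunks shown.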
|