Drop hard requirement for CONNTRACK_MATCH

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5735 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

New/Shorewall/Chains.pm

@@ -738,7 +738,6 @@ sub do_test ( $$ )
     "${invert}$match $testval ";
 }
 
-
 #
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
@@ -882,6 +881,7 @@ sub match_orig_dest ( $ ) {
     my $net = $_[0];
 
     return '' if $net eq ALLIPv4;
+    return '' unless $capabilities{CONNTRACK_MATCH};
  
     if ( $net =~ /^!/ ) {
 	$net =~ s/!//;
@@ -1207,7 +1207,7 @@ sub expand_rule( $$$$$$$$$$ )
     }
 
     if ( $origdest ) {
-	if ( $origdest eq '-' ) {
+	if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
 	    $origdest = '';
 	} elsif ( $origdest =~ /^detect:(.*)$/ ) {
 	    #

New/Shorewall/Config.pm

@@ -28,7 +28,19 @@ use warnings;
 use Shorewall::Common;
 
 our @ISA = qw(Exporter);
-our @EXPORT = qw(find_file expand_shell_variables get_configuration report_capabilities propagateconfig append_file run_user_exit generate_aux_config %config %env %capabilities );
+our @EXPORT = qw(find_file 
+                 expand_shell_variables 
+                 get_configuration
+                 require_capability
+                 report_capabilities
+                 propagateconfig
+                 append_file
+                 run_user_exit
+                 generate_aux_config
+
+                 %config
+                 %env
+                 %capabilities );
 our @EXPORT_OK = ();
 our @VERSION = 1.00;
 
@@ -251,6 +263,13 @@ sub report_capabilities() {
     }
 }
 
+sub require_capability( $$ ) {
+    my ( $capability, $description ) = @_;
+
+    fatal_error "$description requires $capdesc{$capability} in your kernel and iptables"
+      unless $capabilities{$capability};
+}
+
 #
 # Some files can have shell variables embedded. This function expands them from %ENV.
 #

New/Shorewall/Rules.pm

@@ -988,7 +988,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
 		}
 	    }
 
-	    unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
+	    if ( $origdest && $origdest ne '-' ) {
+		require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE;
+	    } elsif ( $origdest ne 'detect' ) {
 		if ( $config{DETECT_DNAT_IPADDRS} ) {
 		    my $interfacesref = $zones{$sourcezone}{interfaces};
 		    my @interfaces = keys %$interfacesref;

New/compiler.pl

@@ -179,7 +179,7 @@ sub compile_stop_firewall() {
 
     emit <<'EOF';
 #
-# Stop/restore the firewall after an error or because of a \'stop\' or \'clear\' command
+# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {
 
@@ -544,6 +544,7 @@ sub generate_script_2 () {
 #    Generate the end of 'setup_routing_and_traffic_shaping()':
 #        Generate code for loading the various files in /var/lib/shorewall[-lite]
 #        Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
+#
 #    Generate the 'setup_netfilter()' function that runs iptables-restore.
 #    Generate the 'define_firewall()' function.  
 #
@@ -575,7 +576,9 @@ sub generate_script_3() {
     emit "#\n# Start/Restart the Firewall\n#";
     emit 'define_firewall() {';
     push_indent;
-    emit 'setup_routing_and_traffic_shaping;
+
+    emit<<'EOF';
+setup_routing_and_traffic_shaping;
 
 if [ $COMMAND = restore ]; then
     iptables_save_file=${VARDIR}/$(basename $0)-iptables
@@ -611,7 +614,8 @@ case $COMMAND in
     restore)
         logger -p kern.info "$PRODUCT restored"
         ;;
-esac';
+esac
+EOF
 
     pop_indent;
 
@@ -632,21 +636,11 @@ sub compiler( $ ) {
 
     report_capabilities if $ENV{VERBOSE} > 1;
 
-    fatal_error join( '', 'Shorewall-perl ', $env{VERSION}, ' requires Conntrack Match Support' )
+    require_capability( 'MULTIPORT'       , "Shorewall-perl $env{VERSION}" ); 
-	unless $capabilities{CONNTRACK_MATCH};
+    require_capability( 'ADDRTYPE'        , "Shorewall-perl $env{VERSION}" );
-    fatal_error join ( '', 'Shorewall-perl ', $env{VERSION}, ' requires Multi-port Match Support' )
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' )           if $config{MACLIST_TTL};
-	unless $capabilities{MULTIPORT};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' )  if $config{HIGH_ROUTE_MARKS};
-    fatal_error join( '', 'Shorewall-perl ', $env{VERSION}, ' requires Address Type Match Support' )
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping'      )  if $config{TC_ENABLED};
-	unless $capabilities{ADDRTYPE};
-    fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
-	if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
-    fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
-	if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};
-    fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support'
-	if $config{HIGH_ROUTE_MARKS} && ! $capabilities{XCONNMARK};
-    if ( $config{MANGLE_ENABLED} ) {
-	fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
-    }
 
     ( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
 

New/releasenotes.txt

@@ -47,7 +47,6 @@ a) The Perl-based compiler requires the following capabilities in your
    kernel and iptables. 
 
    - addrtype match (may be relaxed later)
-   - conntrack match (may be relaxed later)
    - multiport match (will not be relaxed)
 
    These capabilities are in current distributions.