Drop hard requirement for CONNTRACK_MATCH

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5735 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-15 12:14:32 +01:00 · 2007-03-28 23:21:37 +00:00 · 2007-03-28 23:21:37 +00:00 · 50195b17ce
commit 50195b17ce
parent ba2dcd6d45
5 changed files with 37 additions and 23 deletions
--- a/New/Shorewall/Chains.pm
+++ b/New/Shorewall/Chains.pm
@ -738,7 +738,6 @@ sub do_test ( $$ )
    "${invert}$match $testval ";
 }

-
 #
 # Create a "-m limit" match for the passed LIMIT/BURST
 #
@ -882,6 +881,7 @@ sub match_orig_dest ( $ ) {
    my $net = $_[0];

    return '' if $net eq ALLIPv4;
+    return '' unless $capabilities{CONNTRACK_MATCH};
 
    if ( $net =~ /^!/ ) {
 	$net =~ s/!//;
@ -1207,7 +1207,7 @@ sub expand_rule( $$$$$$$$$$ )
    }

    if ( $origdest ) {
-	if ( $origdest eq '-' ) {
+	if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
 	    $origdest = '';
 	} elsif ( $origdest =~ /^detect:(.*)$/ ) {
 	    #
--- a/New/Shorewall/Config.pm
+++ b/New/Shorewall/Config.pm
@ -28,7 +28,19 @@ use warnings;
 use Shorewall::Common;

 our @ISA = qw(Exporter);
-our @EXPORT = qw(find_file expand_shell_variables get_configuration report_capabilities propagateconfig append_file run_user_exit generate_aux_config %config %env %capabilities );
+our @EXPORT = qw(find_file 
+                 expand_shell_variables 
+                 get_configuration
+                 require_capability
+                 report_capabilities
+                 propagateconfig
+                 append_file
+                 run_user_exit
+                 generate_aux_config
+
+                 %config
+                 %env
+                 %capabilities );
 our @EXPORT_OK = ();
 our @VERSION = 1.00;

@ -251,6 +263,13 @@ sub report_capabilities() {
    }
 }

+sub require_capability( $$ ) {
+    my ( $capability, $description ) = @_;
+
+    fatal_error "$description requires $capdesc{$capability} in your kernel and iptables"
+      unless $capabilities{$capability};
+}
+
 #
 # Some files can have shell variables embedded. This function expands them from %ENV.
 #
--- a/New/Shorewall/Rules.pm
+++ b/New/Shorewall/Rules.pm
@ -988,7 +988,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
 		}
 	    }

-	    unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
+	    if ( $origdest && $origdest ne '-' ) {
+		require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE;
+	    } elsif ( $origdest ne 'detect' ) {
 		if ( $config{DETECT_DNAT_IPADDRS} ) {
 		    my $interfacesref = $zones{$sourcezone}{interfaces};
 		    my @interfaces = keys %$interfacesref;
--- a/New/compiler.pl
+++ b/New/compiler.pl
@ -179,7 +179,7 @@ sub compile_stop_firewall() {

    emit <<'EOF';
 #
-# Stop/restore the firewall after an error or because of a \'stop\' or \'clear\' command
+# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
 #
 stop_firewall() {

@ -544,6 +544,7 @@ sub generate_script_2 () {
 #    Generate the end of 'setup_routing_and_traffic_shaping()':
 #        Generate code for loading the various files in /var/lib/shorewall[-lite]
 #        Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
+#
 #    Generate the 'setup_netfilter()' function that runs iptables-restore.
 #    Generate the 'define_firewall()' function.  
 #
@ -575,7 +576,9 @@ sub generate_script_3() {
    emit "#\n# Start/Restart the Firewall\n#";
    emit 'define_firewall() {';
    push_indent;
-    emit 'setup_routing_and_traffic_shaping;
+
+    emit<<'EOF';
+setup_routing_and_traffic_shaping;

 if [ $COMMAND = restore ]; then
    iptables_save_file=${VARDIR}/$(basename $0)-iptables
@ -611,7 +614,8 @@ case $COMMAND in
    restore)
        logger -p kern.info "$PRODUCT restored"
        ;;
-esac';
+esac
+EOF

    pop_indent;

@ -632,21 +636,11 @@ sub compiler( $ ) {

    report_capabilities if $ENV{VERBOSE} > 1;

-    fatal_error join( '', 'Shorewall-perl ', $env{VERSION}, ' requires Conntrack Match Support' )
-	unless $capabilities{CONNTRACK_MATCH};
-    fatal_error join ( '', 'Shorewall-perl ', $env{VERSION}, ' requires Multi-port Match Support' )
-	unless $capabilities{MULTIPORT};
-    fatal_error join( '', 'Shorewall-perl ', $env{VERSION}, ' requires Address Type Match Support' )
-	unless $capabilities{ADDRTYPE};
-    fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
-	if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
-    fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
-	if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};
-    fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support'
-	if $config{HIGH_ROUTE_MARKS} && ! $capabilities{XCONNMARK};
-    if ( $config{MANGLE_ENABLED} ) {
-	fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
-    }
+    require_capability( 'MULTIPORT'       , "Shorewall-perl $env{VERSION}" ); 
+    require_capability( 'ADDRTYPE'        , "Shorewall-perl $env{VERSION}" );
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' )           if $config{MACLIST_TTL};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' )  if $config{HIGH_ROUTE_MARKS};
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping'      )  if $config{TC_ENABLED};

    ( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;

--- a/New/releasenotes.txt
+++ b/New/releasenotes.txt
@ -47,7 +47,6 @@ a) The Perl-based compiler requires the following capabilities in your
   kernel and iptables. 

   - addrtype match (may be relaxed later)
-   - conntrack match (may be relaxed later)
   - multiport match (will not be relaxed)

   These capabilities are in current distributions.