diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 0b4025ad8..2f9f0ebd3 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -4273,7 +4273,7 @@ sub Basic_Filter() {
 }
 sub Basic_Ematch() {
- $tc && have_capability 'BASIC_FILTER' && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
+ $tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | egrep -q match" ) == 0;
 }
 sub Fwmark_Rt_Mask() {
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 06cc3f6d0..c13e0f996 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1908,36 +1908,6 @@ sub validate_tc_class( ) {
 my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0xff00', 512 => '0xfe00', 1024 => '0xfc00', 2048 => '0xf800', 4096 => '0xf000', 8192 => '0xe000' );
-#
-# Handle an ipset name in the SOURCE or DEST columns of a filter
-#
-sub handle_ematch( $$ ) {
- my ( $setname, $option ) = @_;
-
- my $options = $option;
-
- require_capability 'BASIC_EMATCH', 'IPSets', '';
-
- if ( $setname =~ /^(.*)\[([1-6])\]$/ ) {
- $setname = $1;
- my $count = $2;
-
- $options .= ",$option" while --$count > 0;
- } elsif ( $setname =~ /^(.*)\[((?:src|dst)(?:,(?:src|dst))){0,5}\]$/ ) {
- $setname = $1;
- $options = $2 if supplied $2;
-
- my @options = split /,/, $options;
-
- if ( $config{IPSET_WARNINGS} ) {
- my %typemap = ( src => 'Source', dst => 'Destination' );
- warning_message( "The '$options[0]' ipset flag is used in a $typemap{$option} column" ), unless $options[0] eq $option;
- }
- }
-
- return " ipset( $setname, $options )";
-}
-
 #
 # Process a record from the tcfilters file
 #
@@ -1955,8 +1925,6 @@ sub process_tc_filter1( $$$$$$$$$ ) {
 my $devref;
- my $ematch = '';
-
 if ( $device =~ /^[\da-fA-F]+$/ && ! $tcdevices{$device} ) {
 ( $device, $devref ) = dev_by_number( hex_value( $device ) );
 } else {
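Review bot: The corrected probe in Basic_Ematch still pipes through `egrep`, which GNU grep has deprecated (3.8 and later print an obsolescence warning on stderr at every call); on a host where the wrapper is missing the pipeline exits non-zero and the compiler silently reports no ematch support. The pattern is a plain word, so the line can read `$tc && have_capability( 'BASIC_FILTER' ) && system( "$tc filter add basic help 2>&1 | grep -q match" ) == 0;`. A short comment such as `# Parens required: a bare have_capability 'X' && ... can take the rest of the expression as its argument` would keep the parentheses from being dropped again; the exact parse depends on have_capability's prototype, which is not in this diff. Other capability probes in Config.pm outside this hunk may use the same paren-less form and are worth checking.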
@@ -2002,27 +1970,15 @@ sub process_tc_filter1( $$$$$$$$$ ) {
 my $rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio u32";
 if ( $source ne '-' ) {
- if ( $source =~ /^\+/ ) {
- $ematch = join( ' ', 'match', handle_ematch( $source, 'src' ) );
- } else {
- my ( $net , $mask ) = decompose_net( $source );
- $rule .= "\\\n match $ip32 src $net/$mask";
- $have_rule = 1;
- }
+ my ( $net , $mask ) = decompose_net( $source );
+ $rule .= "\\\n match $ip32 src $net/$mask";
+ $have_rule = 1;
 }
 if ( $dest ne '-' ) {
- if ( $dest =~ /^\+/ ) {
- if ( $ematch ) {
- $ematch = join( ' ', $ematch, handle_ematch( $dest, 'dst' ) );
- } else {
- $ematch = join( ' ', 'match', handle_ematch( $dest, 'dst' ) );
- }
- } else {
- my ( $net , $mask ) = decompose_net( $dest );
- $rule .= "\\\n match $ip32 dst $net/$mask";
- $have_rule = 1;
- }
+ my ( $net , $mask ) = decompose_net( $dest );
+ $rule .= "\\\n match $ip32 dst $net/$mask";
+ $have_rule = 1;
 }
 if ( $tos ne '-' ) {
@@ -2063,25 +2019,13 @@ sub process_tc_filter1( $$$$$$$$$ ) {
 }
 }
- if ( $ematch ) {
- if ( $have_rule ) {
- my $tnum = in_hex3 $devref->{tablenumber}++;
- push @$filtersref, ( "\nrun_tc $rule\\" ,
- " link $tnum:0" );
- $rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio basic ht $tnum:0 match ${ematch}";
- } else {
- $rule = "filter add dev $devref->{physical} protocol $ip parent $devnum:0 prio $prio basic match$ ${ematch}";
- $have_rule = 1;
- }
- }
-
 if ( $portlist eq '-' && $sportlist eq '-' ) {
 if ( $have_rule ) {
 push @$filtersref , ( "\nrun_tc $rule\\" , " flowid $devnum:$class" , '' );
 } else {
- warning_message "Degenerate tcfilter ignored" unless $ematch;
+ warning_message "Degenerate tcfilter ignored";
 }
 } else {
 fatal_error "Ports may not be specified without a PROTO" unless $protonumber;
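Review bot: With the `/^\+/` branches removed, a SOURCE or DEST entry that names an ipset (`+setname`) now goes straight into `decompose_net`, so an existing tcfilters file that relied on ematch gets whatever generic address error that helper raises (its body is not in this diff) instead of a message saying ipsets are no longer accepted here. An explicit guard ahead of each call would make the removal obvious to the administrator, for example `fatal_error "ipset names are not supported in tcfilters ($source)" if $source =~ /^\+/;` and the same for `$dest`. process_tc_filter1 starts and ends outside this hunk, so confirm that nothing earlier in the function already rejects a leading `+`.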