From 70682ad40d57204758b08e897af51297e1b9a4de Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 29 Mar 2007 01:29:27 +0000
Subject: [PATCH] More capability tests

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5738 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 New/Shorewall/Actions.pm | 18 ++++++++++--------
 New/Shorewall/Chains.pm  |  5 ++++-
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/New/Shorewall/Actions.pm b/New/Shorewall/Actions.pm
index 8308a21b4..a9b3d0be9 100644
--- a/New/Shorewall/Actions.pm
+++ b/New/Shorewall/Actions.pm
@@ -504,24 +504,24 @@ sub process_actions3 () {
     my ($chainref, $level, $tag) = @_;
 
     if ( $level ) {
-        log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
-        log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
+        log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
+        log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type MULTICAST';
     }
 
-    add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP';
-    add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP';
+    add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
+    add_rule $chainref, '-m addrtype --dst-type MULTICAST -j DROP';
 }
 
 sub allowBcast( $$$ ) {
     my ($chainref, $level, $tag) = @_;
 
     if ( $level ) {
-        log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
-        log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
+        log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
+        log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type MULTICAST';
     }
 
-    add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT';
-    add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT';
+    add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
+    add_rule $chainref, '-m addrtype --dst-type MULTICAST -j ACCEPT';
 }
 
 sub dropNotSyn ( $$$ ) {
@@ -577,6 +577,8 @@ sub process_actions3 () {
     my $set = $tag[0];
     my $count = $tag[1] + 1;
 
+    require_capability( 'RECENT_MATCH' , 'Limit rules' );
+
     add_rule $chainref, "-m recent --name $set --set";
 
     if ( $level ) {
diff --git a/New/Shorewall/Chains.pm b/New/Shorewall/Chains.pm
index e91284f3e..c70ce5b96 100644
--- a/New/Shorewall/Chains.pm
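Review bot: The new `-m addrtype --dst-type BROADCAST`/`MULTICAST` rules in dropBcast and allowBcast are the one optional match this commit leaves without a `require_capability` guard, even though the same commit adds guards for RECENT_MATCH, IPP2P, IPRANGE_MATCH and IPSET_MATCH; on a kernel or iptables build without the addrtype match the generated script would fail at load time rather than at compile time. If the capability table has, or can be given, an entry for it, a `require_capability( 'ADDRTYPE_MATCH' , 'dropBcast/allowBcast' );` at the top of each sub keeps the failure mode consistent with the other matches. The switch also deserves a comment, because pkttype classified the link-layer frame whereas addrtype classifies the IP destination against the local routing table, so L2-broadcast frames carrying a unicast IP destination, and directed broadcasts for subnets the firewall has no route for, are presumably no longer caught — something configurations relying on dropBcast should be told. The dropBcast sub begins above the hunk and dropNotSyn continues below it.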
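Review bot: The new `require_capability( 'RECENT_MATCH' , 'Limit rules' )` guards kernel support, but nothing on this path validates `$set` and `$tag[1]`, which come from the action tag (presumably split outside the hunk) and are interpolated straight into `"-m recent --name $set --set"` and the `$count` arithmetic; a tag containing whitespace or option-looking text would pass verbatim into the generated iptables command, and a non-numeric count becomes 1 with at most a warning. Since the compiler now fails early on a missing capability it should fail equally early on a malformed tag, e.g. `fatal_error "Invalid Limit set name ($set)" unless $set =~ /^[\w.-]+$/;` and `fatal_error "Invalid Limit count ($tag[1])" unless $tag[1] =~ /^\d+$/;` ahead of the `$count` line (using fatal_error or whatever this module's error helper is). The enclosing sub starts and ends outside the hunk.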
+++ b/New/Shorewall/Chains.pm
@@ -666,7 +666,7 @@ sub do_proto( $$$ )
             $output .= "-p icmp --icmp-type $ports " if $ports;
             fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports;
         } elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
-            fatal_error 'PROTO = ipp2p requires IPP2P match support in your kernel/iptables' unless $capabilities{IPP2P};
+            require_capability( 'IPP2P' , 'PROTO = ipp2p' );
             $proto = $2 ? $3 : 'tcp';
             $ports = 'ipp2p' unless $ports;
             $output .= "-p $proto -m ipp2p --$ports ";
@@ -800,6 +800,7 @@ sub do_tos( $ ) {
 sub iprange_match() {
     my $match = '';
 
+    require_capability( 'IPRANGE_MATCH' , 'Address Ranges' );
     unless ( $iprangematch ) {
         $match = '-m iprange ';
         $iprangematch = 1;
@@ -845,6 +846,7 @@ sub match_source_net( $ ) {
         ( $net = $2 ) =~ s/-/:/g;
         "-m mac --mac-source $1 $net ";
     } elsif ( $net =~ /^(!?)\+/ ) {
+        require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' );
         join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
     } elsif ( $net =~ /^!/ ) {
         $net =~ s/!//;
@@ -865,6 +867,7 @@ sub match_dest_net( $ ) {
         iprange_match . "${invert}--dst-range $net ";
     } elsif ( $net =~ /^(!?)\+/ ) {
+        require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' );
         join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
     } elsif ( $net =~ /^!/ ) {
         $net =~ s/!//;
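Review bot: The ipp2p branch's regex `/^(ipp2p(:(tcp|udp|all)))?$/i` wraps the whole alternative in an optional group, so it also matches an empty `$proto`; unless an earlier test outside the hunk guarantees `$proto` is non-empty here, an empty protocol would be turned into `-p tcp -m ipp2p --ipp2p` and now also trip the new IPP2P capability check. Tightening the pattern to `/^ipp2p(:(tcp|udp|all))?$/i` with `$proto = $1 ? $2 : 'tcp';` removes that case along with the unneeded outer capture. Because of `/i`, `IPP2P:TCP` is also accepted with `$proto` left as `TCP`; applying `lc` to the captured value would keep the emitted `-p` argument consistent if the rest of the generated rules use lowercase protocol names. do_proto begins and ends outside the hunk.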
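Review bot: The ipset branch now consists of the same two lines in match_source_net and match_dest_net, the `require_capability( 'IPSET_MATCH' , ... )` call followed by the `join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, ... ) )`, differing only in the `'src'`/`'dst'` argument; a small helper (say `ipset_match( $net, 'src' )`) holding the capability check, the negation handling and the `-m set` syntax would keep the user-facing message and the match format in one place. Note also that `$1` is read after the new sub call; Perl's capture variables are dynamically scoped so the caller's `$1` is restored on return and this is safe today, but `my $invert = $1 ? '! ' : '';` taken before the call costs nothing and survives a later refactor of require_capability. Both subs begin outside the hunk.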