More capability tests

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5738 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-29 01:29:27 +00:00
parent 3d06e0682b
commit 70682ad40d
2 changed files with 14 additions and 9 deletions


@ -504,24 +504,24 @@ sub process_actions3 () {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
if ( $level ) { if ( $level ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast'; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast'; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type MULTICAST';
} }
add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP'; add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP'; add_rule $chainref, '-m addrtype --dst-type MULTICAST -j DROP';
} }
sub allowBcast( $$$ ) { sub allowBcast( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
if ( $level ) { if ( $level ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast'; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast'; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type MULTICAST';
} }
add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT'; add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT'; add_rule $chainref, '-m addrtype --dst-type MULTICAST -j ACCEPT';
} }
sub dropNotSyn ( $$$ ) { sub dropNotSyn ( $$$ ) {
@ -577,6 +577,8 @@ sub process_actions3 () {
my $set = $tag[0]; my $set = $tag[0];
my $count = $tag[1] + 1; my $count = $tag[1] + 1;
require_capability( 'RECENT_MATCH' , 'Limit rules' );
add_rule $chainref, "-m recent --name $set --set"; add_rule $chainref, "-m recent --name $set --set";
if ( $level ) { if ( $level ) {
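Review bot: The rewritten dropBcast and allowBcast bodies in the first hunk now emit `-m addrtype --dst-type BROADCAST`/`MULTICAST`, yet unlike the other hunks of this commit (RECENT_MATCH just above, IPP2P, IPRANGE_MATCH and IPSET_MATCH in the second file) nothing checks that the addrtype match is available. Without such a guard, a host whose iptables lacks that extension finds out only when the generated rule set fails to load, instead of at compile time with the clear message require_capability produces. I would add `require_capability( '<addrtype capability key>' , 'dropBcast' );` (and the allowBcast counterpart) at the top of each body, with a matching entry in the capabilities table if none exists yet — I cannot see one on this page. The dropBcast signature lies above the hunk, and the header reports 24 lines a side while fewer are rendered here, so part of the hunk may be missing from this view.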


@ -666,7 +666,7 @@ sub do_proto( $$$ )
$output .= "-p icmp --icmp-type $ports " if $ports; $output .= "-p icmp --icmp-type $ports " if $ports;
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports; fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports;
} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) { } elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
fatal_error 'PROTO = ipp2p requires IPP2P match support in your kernel/iptables' unless $capabilities{IPP2P}; require_capability( 'IPP2P' , 'PROTO = ipp2p' );
$proto = $2 ? $3 : 'tcp'; $proto = $2 ? $3 : 'tcp';
$ports = 'ipp2p' unless $ports; $ports = 'ipp2p' unless $ports;
$output .= "-p $proto -m ipp2p --$ports "; $output .= "-p $proto -m ipp2p --$ports ";
@ -800,6 +800,7 @@ sub do_tos( $ ) {
sub iprange_match() { sub iprange_match() {
my $match = ''; my $match = '';
require_capability( 'IPRANGE_MATCH' , 'Address Ranges' );
unless ( $iprangematch ) { unless ( $iprangematch ) {
$match = '-m iprange '; $match = '-m iprange ';
$iprangematch = 1; $iprangematch = 1;
@ -845,6 +846,7 @@ sub match_source_net( $ ) {
( $net = $2 ) =~ s/-/:/g; ( $net = $2 ) =~ s/-/:/g;
"-m mac --mac-source $1 $net "; "-m mac --mac-source $1 $net ";
} elsif ( $net =~ /^(!?)\+/ ) { } elsif ( $net =~ /^(!?)\+/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' );
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ); join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
} elsif ( $net =~ /^!/ ) { } elsif ( $net =~ /^!/ ) {
$net =~ s/!//; $net =~ s/!//;
@ -865,6 +867,7 @@ sub match_dest_net( $ ) {
iprange_match . "${invert}--dst-range $net "; iprange_match . "${invert}--dst-range $net ";
} elsif ( $net =~ /^(!?)\+/ ) { } elsif ( $net =~ /^(!?)\+/ ) {
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' );
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ); join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
} elsif ( $net =~ /^!/ ) { } elsif ( $net =~ /^!/ ) {
$net =~ s/!//; $net =~ s/!//;