More capability tests
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5738 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
3d06e0682b
commit
70682ad40d
@ -504,24 +504,24 @@ sub process_actions3 () {
|
|||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
if ( $level ) {
|
if ( $level ) {
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
|
||||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
|
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type MULTICAST';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP';
|
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
|
||||||
add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP';
|
add_rule $chainref, '-m addrtype --dst-type MULTICAST -j DROP';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub allowBcast( $$$ ) {
|
sub allowBcast( $$$ ) {
|
||||||
my ($chainref, $level, $tag) = @_;
|
my ($chainref, $level, $tag) = @_;
|
||||||
|
|
||||||
if ( $level ) {
|
if ( $level ) {
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
|
||||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
|
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type MULTICAST';
|
||||||
}
|
}
|
||||||
|
|
||||||
add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT';
|
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
|
||||||
add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT';
|
add_rule $chainref, '-m addrtype --dst-type MULTICAST -j ACCEPT';
|
||||||
}
|
}
|
||||||
|
|
||||||
sub dropNotSyn ( $$$ ) {
|
sub dropNotSyn ( $$$ ) {
|
||||||
@ -577,6 +577,8 @@ sub process_actions3 () {
|
|||||||
my $set = $tag[0];
|
my $set = $tag[0];
|
||||||
my $count = $tag[1] + 1;
|
my $count = $tag[1] + 1;
|
||||||
|
|
||||||
|
require_capability( 'RECENT_MATCH' , 'Limit rules' );
|
||||||
|
|
||||||
add_rule $chainref, "-m recent --name $set --set";
|
add_rule $chainref, "-m recent --name $set --set";
|
||||||
|
|
||||||
if ( $level ) {
|
if ( $level ) {
|
||||||
|
@ -666,7 +666,7 @@ sub do_proto( $$$ )
|
|||||||
$output .= "-p icmp --icmp-type $ports " if $ports;
|
$output .= "-p icmp --icmp-type $ports " if $ports;
|
||||||
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports;
|
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports;
|
||||||
} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
|
} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
|
||||||
fatal_error 'PROTO = ipp2p requires IPP2P match support in your kernel/iptables' unless $capabilities{IPP2P};
|
require_capability( 'IPP2P' , 'PROTO = ipp2p' );
|
||||||
$proto = $2 ? $3 : 'tcp';
|
$proto = $2 ? $3 : 'tcp';
|
||||||
$ports = 'ipp2p' unless $ports;
|
$ports = 'ipp2p' unless $ports;
|
||||||
$output .= "-p $proto -m ipp2p --$ports ";
|
$output .= "-p $proto -m ipp2p --$ports ";
|
||||||
@ -800,6 +800,7 @@ sub do_tos( $ ) {
|
|||||||
sub iprange_match() {
|
sub iprange_match() {
|
||||||
my $match = '';
|
my $match = '';
|
||||||
|
|
||||||
|
require_capability( 'IPRANGE_MATCH' , 'Address Ranges' );
|
||||||
unless ( $iprangematch ) {
|
unless ( $iprangematch ) {
|
||||||
$match = '-m iprange ';
|
$match = '-m iprange ';
|
||||||
$iprangematch = 1;
|
$iprangematch = 1;
|
||||||
@ -845,6 +846,7 @@ sub match_source_net( $ ) {
|
|||||||
( $net = $2 ) =~ s/-/:/g;
|
( $net = $2 ) =~ s/-/:/g;
|
||||||
"-m mac --mac-source $1 $net ";
|
"-m mac --mac-source $1 $net ";
|
||||||
} elsif ( $net =~ /^(!?)\+/ ) {
|
} elsif ( $net =~ /^(!?)\+/ ) {
|
||||||
|
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' );
|
||||||
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
|
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
|
||||||
} elsif ( $net =~ /^!/ ) {
|
} elsif ( $net =~ /^!/ ) {
|
||||||
$net =~ s/!//;
|
$net =~ s/!//;
|
||||||
@ -865,6 +867,7 @@ sub match_dest_net( $ ) {
|
|||||||
|
|
||||||
iprange_match . "${invert}--dst-range $net ";
|
iprange_match . "${invert}--dst-range $net ";
|
||||||
} elsif ( $net =~ /^(!?)\+/ ) {
|
} elsif ( $net =~ /^(!?)\+/ ) {
|
||||||
|
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' );
|
||||||
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
|
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
|
||||||
} elsif ( $net =~ /^!/ ) {
|
} elsif ( $net =~ /^!/ ) {
|
||||||
$net =~ s/!//;
|
$net =~ s/!//;
|
||||||
|