Support ipset lists in the tcfilters file.

- Also document the fact that ipset match options are not available in the tcfilters file. Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-22 15:43:30 +01:00 · 2014-02-04 12:16:35 -08:00 · 2014-02-04 12:16:35 -08:00 · 7ddc65133e
commit 7ddc65133e
parent 1d4a87a0d0
3 changed files with 37 additions and 4 deletions
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -2191,11 +2191,32 @@ sub process_tc_filter1( $$$$$$$$$ ) {
 #
 # Handle an ipset name in the SOURCE or DEST columns of a filter
 #
+sub handle_ematch( $$ );
+
 sub handle_ematch( $$ ) {
    my ( $setname, $option ) = @_;

    my $options = $option;

+    if ( $setname =~ /^\+\[(.+)\]$/ ) {
+	my @sets = split_host_list( $1, 1, 1 );
+
+	fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
+
+	my $result = @sets > 1 ? "\\(\\\n" : '';
+	my $sets   = 0;
+
+	for $setname ( @sets ) {
+	    $result .= ' or' if $sets++;
+	    $result .= "\\\n   " if @sets > 1;
+	    $result .= handle_ematch( $setname, $option );
+	}
+
+	$result .= "\\\n   \\)" if @sets > 1;
+
+	return $result;
+    }
+
    require_capability 'BASIC_EMATCH', 'IPSets', '';

    if ( $setname =~ /^(.*)\[([1-6])\]$/ ) {
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@ -99,8 +99,14 @@
    role="bold">myobject</emphasis> nfacct counter will be incremented.</para>

    <para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
-    any) can be immediately be followed by a list of match options. Available
-    options are:</para>
+    any) can be immediately be followed by a list of match options.</para>
+
+    <important>
+      <para>These additional match options are not available in <ulink
+      url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
+    </important>
+
+    <para>Available options are:</para>

    <variablelist>
      <varlistentry>
--- a/Shorewall6/manpages/shorewall6-ipsets.xml
+++ b/Shorewall6/manpages/shorewall6-ipsets.xml
@ -98,8 +98,14 @@
    role="bold">myobject</emphasis> nfacct counter will be incremented.</para>

    <para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
-    any) can be immediately be followed by a list of match options. Available
-    options are:</para>
+    any) can be immediately be followed by a list of match options.</para>
+
+    <important>
+      <para>These additional match options are not available in <ulink
+      url="shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink>.</para>
+    </important>
+
+    <para>Available options are:</para>

    <variablelist>
      <varlistentry>