extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-22 23:53:30 +01:00
Code Issues Packages Projects Releases Wiki Activity

Support ipset lists in the tcfilters file.

Browse Source 
- Also document the fact that ipset match options are not available in
  the tcfilters file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-02-04 12:16:35 -08:00
parent 1d4a87a0d0
commit 7ddc65133e
3 changed files with 37 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -2191,11 +2191,32 @@ sub process_tc_filter1( $$$$$$$$$ ) {
# #
# Handle an ipset name in the SOURCE or DEST columns of a filter # Handle an ipset name in the SOURCE or DEST columns of a filter
# #
sub handle_ematch( $$ );
sub handle_ematch( $$ ) { sub handle_ematch( $$ ) {
my ( $setname, $option ) = @_; my ( $setname, $option ) = @_;
my $options = $option; my $options = $option;
if ( $setname =~ /^\+\[(.+)\]$/ ) {
my @sets = split_host_list( $1, 1, 1 );
fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
my $result = @sets > 1 ? "\\(\\\n" : '';
my $sets = 0;
for $setname ( @sets ) {
$result .= ' or' if $sets++;
$result .= "\\\n " if @sets > 1;
$result .= handle_ematch( $setname, $option );
}
$result .= "\\\n \\)" if @sets > 1;
return $result;
}
require_capability 'BASIC_EMATCH', 'IPSets', ''; require_capability 'BASIC_EMATCH', 'IPSets', '';
if ( $setname =~ /^(.*)\[([1-6])\]$/ ) { if ( $setname =~ /^(.*)\[([1-6])\]$/ ) {

10
Shorewall/manpages/shorewall-ipsets.xml
View File

@ -99,8 +99,14 @@
role="bold">myobject</emphasis> nfacct counter will be incremented.</para> role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
<para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if <para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
any) can be immediately be followed by a list of match options. Available any) can be immediately be followed by a list of match options.</para>
options are:</para>
<important>
<para>These additional match options are not available in <ulink
url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
</important>
<para>Available options are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>

10
Shorewall6/manpages/shorewall6-ipsets.xml
View File

@ -98,8 +98,14 @@
role="bold">myobject</emphasis> nfacct counter will be incremented.</para> role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
<para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if <para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
any) can be immediately be followed by a list of match options. Available any) can be immediately be followed by a list of match options.</para>
options are:</para>
<important>
<para>These additional match options are not available in <ulink
url="shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink>.</para>
</important>
<para>Available options are:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>