Don't fail if fooX1234 already exists

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1800 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-14 03:34:31 +01:00 · 2004-12-03 23:18:28 +00:00 · 2004-12-03 23:18:28 +00:00 · 8927e62047
commit 8927e62047
parent e73d3149d9
3 changed files with 17 additions and 12 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -171,3 +171,4 @@ Changes since 2.0.3

 84) Log drops due to policy rate limiting.

+85) Continue determining capabilities when fooX1234 already exists.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -5484,21 +5484,20 @@ determine_capabilities() {
    PHYSDEV_MATCH=
    IPRANGE_MATCH=

-    if qt $IPTABLES -N fooX1234 ; then
-	qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
-        qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT               && MULTIPORT=Yes
-	qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT                   && POLICY_MATCH=Yes
-	qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
-	qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
+    qt $IPTABLES -N fooX1234
+    qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT             && CONNTRACK_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT               && MULTIPORT=Yes
+    qt $IPTABLES -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT                   && POLICY_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT                     && PHYSDEV_MATCH=Yes
+    qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes


-	if [ -n "$PKTTYPE" ]; then
-	    qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
-	fi
-	    
-	qt $IPTABLES -F fooX1234
-	qt $IPTABLES -X fooX1234
+    if [ -n "$PKTTYPE" ]; then
+	qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
    fi
+    
+    qt $IPTABLES -F fooX1234
+    qt $IPTABLES -X fooX1234
 }

 report_capability() # $1 = Capability Name, $2 Capability Setting (if any)
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -175,6 +175,11 @@ Problems corrected since 2.2.0 Beta 6:
   zone Z then traffic out of any firewall interface to 1.2.3.4 will
   obey the fw->Z policies and rules. This has been corrected.

+4) Shorewall uses the temporary chain 'fooX1234' to probe iptables for
+   detrmining which features are supported. Previously, if that chain
+   happened to exist when Shorewall was run, capabilities were
+   mis-detected.
+
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0 to Shorewall 2.1: