diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm
index dc63ab4d4..92e35605f 100644
--- a/New/Shorewall/Rules.pm
+++ b/New/Shorewall/Rules.pm
@@ -187,9 +187,7 @@ sub setup_rfc1918_filteration( $ ) {
 add_rule $rfc1918ref , '-j DROP';
- if ( $config{RFC1918_STRICT} ) {
- $chainref = new_standard_chain 'rfc1918d';
- }
+ $chainref = new_standard_chain 'rfc1918d' if $config{RFC1918_STRICT};
 open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!";
@@ -948,6 +946,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
 if ( $actiontype & NATRULE ) {
 my ( $server, $serverport , $natchain );
 fatal_error "$target rules not allowed in the $section SECTION" if $section ne 'NEW';
+ require_capability( 'NAT_ENABLED' , "$basictarget rules" );
 #
 # Isolate server port
 #
diff --git a/New/Shorewall/Tc.pm b/New/Shorewall/Tc.pm
index 9f31e008f..cbec34f3d 100644
--- a/New/Shorewall/Tc.pm
+++ b/New/Shorewall/Tc.pm
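Review bot: The new require_capability call in process_rule1 interpolates `$basictarget` into its message while the fatal_error on the line directly above names the same rule with `$target`, so the two diagnostics for one rule will read differently whenever the target carries parameters. Unless the shorter form is deliberate, `require_capability( 'NAT_ENABLED' , "$target rules" );` keeps the wording consistent with the neighbouring check. The body of process_rule1 continues outside the hunk.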
@@ -496,50 +496,57 @@ sub setup_tc() {
 ensure_mangle_chain 'tcpost';
 }
- open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!";
+ if ( -s "$ENV{TMP_DIR}/tcrules" ) {
+ require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' );
- while ( $line = ) {
+ open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!";
- my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file';
+ while ( $line = ) {
- if ( $mark eq 'COMMENT' ) {
- if ( $capabilities{COMMENTS} ) {
- ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
- $comment =~ s/\s*$//;
+ my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file';
+
+ if ( $mark eq 'COMMENT' ) {
+ if ( $capabilities{COMMENTS} ) {
+ ( $comment = $line ) =~ s/^\s*COMMENT\s*//;
+ $comment =~ s/\s*$//;
+ } else {
+ warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
+ }
 } else {
- warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
+ process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
 }
- } else {
- process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
+ }
+ close TC;
+
+ $comment = '';
 }
- close TC;
+ if ( $capabilities{MANGLE_ENABLED} ) {
- $comment = '';
+ my $mark_part = '';
- my $mark_part = '';
+ if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
+ $mark_part = '-m mark --mark 0/0xFF00';
- if ( @routemarked_interfaces && ! 
$config{TC_EXPERT} ) {
- $mark_part = '-m mark --mark 0/0xFF00';
-
- for my $interface ( @routemarked_interfaces ) {
- add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
+ for my $interface ( @routemarked_interfaces ) {
+ add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
+ }
 }
- }
- add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
- add_rule $mangle_table->{OUTPUT} , "$mark_part -j tcpre";
+ add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
+ add_rule $mangle_table->{OUTPUT} , "$mark_part -j tcpre";
- if ( $capabilities{MANGLE_FORWARD} ) {
- add_rule $mangle_table->{FORWARD} , '-j tcfor';
- add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
- }
+ if ( $capabilities{MANGLE_FORWARD} ) {
+ add_rule $mangle_table->{FORWARD} , '-j tcfor';
+ add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
+ }
- if ( $config{HIGH_ROUTE_MARKS} ) {
- for my $chain qw(INPUT FORWARD POSTROUTING) {
- insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark -0xFF';
+ if ( $config{HIGH_ROUTE_MARKS} ) {
+ for my $chain qw(INPUT FORWARD POSTROUTING) {
+ insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark -0xFF';
+ }
 }
 }
diff --git a/New/compiler.pl b/New/compiler.pl
index dc4246b16..da9a80ba7 100755
--- a/New/compiler.pl
+++ b/New/compiler.pl
@@ -641,6 +641,7 @@ sub compiler( $ ) {
 require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' ) if $config{MACLIST_TTL};
 require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS};
 require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' ) if $config{TC_ENABLED};
+ require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' ) if $config{RFC1918_STRICT};
 ( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
@@ -710,6 +711,7 @@ sub compiler( $ ) {
 # # [Re-]establish Routing #
 if ( -s "$ENV{TMP_DIR}/providers" ) {
+ require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' );
 setup_providers;
 } else {
 emit "\nundo_routing";
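Review bot: The re-indented `open TC, "$ENV{TMP_DIR}/tcrules"` inside the new `if ( -s ... )` block is still a two-argument open on a bareword handle, so the open mode is derived from the path string itself; a TMP_DIR value taken from the environment that starts with `>` or ends with `|` would change the mode instead of failing the open. The three-argument form pins the mode: `open TC, '<', "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!";`. Separately, the tcpre/tcfor/tcpost jumps and the HIGH_ROUTE_MARKS `--and-mark` inserts are now skipped silently when `$capabilities{MANGLE_ENABLED}` is false, whereas every other path in this commit reports a missing capability through require_capability; if HIGH_ROUTE_MARKS=Yes can be set without TC_ENABLED, a `require_capability( 'MANGLE_ENABLED' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS};` beside the XCONNMARK check in compiler.pl would surface that instead of producing a ruleset with no mark clearing. The missing readline operand in `while ( $line = ) {` looks like an artifact of this rendering rather than of the code. setup_tc begins before the hunk.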
@@ -731,8 +733,11 @@ sub compiler( $ ) {
 #
 # Setup Masquerading/SNAT
 #
- progress_message2 "$doing Masq file...";
- setup_masq;
+ if ( -s "$ENV{TMP_DIR}/masq" ) {
+ require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
+ progress_message2 "$doing Masq file...";
+ setup_masq;
+ }
 #
 # MACLIST Filtration
 #
@@ -766,13 +771,19 @@ sub compiler( $ ) {
 #
 # Setup Nat
 #
- progress_message2 "$doing one-to-one NAT...";
- setup_nat;
+ if ( -s "$ENV{TMP_DIR}/nat" ) {
+ require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
+ progress_message2 "$doing one-to-one NAT...";
+ setup_nat;
+ }
 #
 # Setup NETMAP
 #
- progress_message2 "$doing NETMAP...";
- setup_netmap;
+ if ( -s "$ENV{TMP_DIR}/nat" ) {
+ require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
+ progress_message2 "$doing NETMAP...";
+ setup_netmap;
+ }
 #
 # Accounting.
 #
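Review bot: The NETMAP guard in the second hunk tests `-s "$ENV{TMP_DIR}/nat"`, the same file the one-to-one NAT guard above it already tests, while its message speaks of 'a non-empty netmap file'; as written setup_netmap runs only when the nat file has entries and is skipped entirely when only netmap is populated. This reads like a copy of the nat block that kept the old path, and the test should be `if ( -s "$ENV{TMP_DIR}/netmap" ) {`. The masq hunk above follows the same guard pattern with the matching file name. compiler's body extends beyond both hunks.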