mirror of
https://gitlab.com/shorewall/code.git
synced 2025-03-05 10:02:19 +01:00
Add some capability tests
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5736 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep
parent
50195b17ce
commit
8fc53b3277
@ -187,9 +187,7 @@ sub setup_rfc1918_filteration( $ ) {
|
|||||||
|
|
||||||
add_rule $rfc1918ref , '-j DROP';
|
add_rule $rfc1918ref , '-j DROP';
|
||||||
|
|
||||||
if ( $config{RFC1918_STRICT} ) {
|
$chainref = new_standard_chain 'rfc1918d' if $config{RFC1918_STRICT};
|
||||||
$chainref = new_standard_chain 'rfc1918d';
|
|
||||||
}
|
|
||||||
|
|
||||||
open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!";
|
open RFC, "$ENV{TMP_DIR}/rfc1918" or fatal_error "Unable to open stripped rfc1918 file: $!";
|
||||||
|
|
||||||
@ -948,6 +946,7 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
|||||||
if ( $actiontype & NATRULE ) {
|
if ( $actiontype & NATRULE ) {
|
||||||
my ( $server, $serverport , $natchain );
|
my ( $server, $serverport , $natchain );
|
||||||
fatal_error "$target rules not allowed in the $section SECTION" if $section ne 'NEW';
|
fatal_error "$target rules not allowed in the $section SECTION" if $section ne 'NEW';
|
||||||
|
require_capability( 'NAT_ENABLED' , "$basictarget rules" );
|
||||||
#
|
#
|
||||||
# Isolate server port
|
# Isolate server port
|
||||||
#
|
#
|
||||||
|
|||||||
@ -496,50 +496,57 @@ sub setup_tc() {
|
|||||||
ensure_mangle_chain 'tcpost';
|
ensure_mangle_chain 'tcpost';
|
||||||
}
|
}
|
||||||
|
|
||||||
open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!";
|
if ( -s "$ENV{TMP_DIR}/tcrules" ) {
|
||||||
|
require_capability( 'MANGLE_ENABLED' , 'a non-empty tcrules file' );
|
||||||
|
|
||||||
while ( $line = <TC> ) {
|
open TC, "$ENV{TMP_DIR}/tcrules" or fatal_error "Unable to open stripped tcrules file: $!";
|
||||||
|
|
||||||
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file';
|
while ( $line = <TC> ) {
|
||||||
|
|
||||||
if ( $mark eq 'COMMENT' ) {
|
my ( $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos ) = split_line 10, 'tcrules file';
|
||||||
if ( $capabilities{COMMENTS} ) {
|
|
||||||
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
|
if ( $mark eq 'COMMENT' ) {
|
||||||
$comment =~ s/\s*$//;
|
if ( $capabilities{COMMENTS} ) {
|
||||||
|
( $comment = $line ) =~ s/^\s*COMMENT\s*//;
|
||||||
|
$comment =~ s/\s*$//;
|
||||||
|
} else {
|
||||||
|
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
warning_message "COMMENT ignored -- requires comment support in iptables/Netfilter";
|
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
process_tc_rule $mark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
close TC;
|
||||||
|
|
||||||
|
$comment = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
close TC;
|
if ( $capabilities{MANGLE_ENABLED} ) {
|
||||||
|
|
||||||
$comment = '';
|
my $mark_part = '';
|
||||||
|
|
||||||
my $mark_part = '';
|
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
|
||||||
|
$mark_part = '-m mark --mark 0/0xFF00';
|
||||||
|
|
||||||
if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
|
for my $interface ( @routemarked_interfaces ) {
|
||||||
$mark_part = '-m mark --mark 0/0xFF00';
|
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
|
||||||
|
}
|
||||||
for my $interface ( @routemarked_interfaces ) {
|
|
||||||
add_rule $mangle_table->{PREROUTING} , "-i $interface -j tcpre";
|
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
|
add_rule $mangle_table->{PREROUTING} , "$mark_part -j tcpre";
|
||||||
add_rule $mangle_table->{OUTPUT} , "$mark_part -j tcpre";
|
add_rule $mangle_table->{OUTPUT} , "$mark_part -j tcpre";
|
||||||
|
|
||||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||||
add_rule $mangle_table->{FORWARD} , '-j tcfor';
|
add_rule $mangle_table->{FORWARD} , '-j tcfor';
|
||||||
add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
|
add_rule $mangle_table->{POSTROUTING} , '-j tcpost';
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $config{HIGH_ROUTE_MARKS} ) {
|
if ( $config{HIGH_ROUTE_MARKS} ) {
|
||||||
for my $chain qw(INPUT FORWARD POSTROUTING) {
|
for my $chain qw(INPUT FORWARD POSTROUTING) {
|
||||||
insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark -0xFF';
|
insert_rule $mangle_table->{$chain}, 1, '-j MARK --and-mark -0xFF';
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -641,6 +641,7 @@ sub compiler( $ ) {
|
|||||||
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' ) if $config{MACLIST_TTL};
|
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' ) if $config{MACLIST_TTL};
|
||||||
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS};
|
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS};
|
||||||
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' ) if $config{TC_ENABLED};
|
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' ) if $config{TC_ENABLED};
|
||||||
|
require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' ) if $config{RFC1918_STRICT};
|
||||||
|
|
||||||
( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
|
( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
|
||||||
|
|
||||||
@ -710,6 +711,7 @@ sub compiler( $ ) {
|
|||||||
# [Re-]establish Routing
|
# [Re-]establish Routing
|
||||||
#
|
#
|
||||||
if ( -s "$ENV{TMP_DIR}/providers" ) {
|
if ( -s "$ENV{TMP_DIR}/providers" ) {
|
||||||
|
require_capability( 'MANGLE_ENABLED' , 'a non-empty providers file' );
|
||||||
setup_providers;
|
setup_providers;
|
||||||
} else {
|
} else {
|
||||||
emit "\nundo_routing";
|
emit "\nundo_routing";
|
||||||
@ -731,8 +733,11 @@ sub compiler( $ ) {
|
|||||||
#
|
#
|
||||||
# Setup Masquerading/SNAT
|
# Setup Masquerading/SNAT
|
||||||
#
|
#
|
||||||
progress_message2 "$doing Masq file...";
|
if ( -s "$ENV{TMP_DIR}/masq" ) {
|
||||||
setup_masq;
|
require_capability( 'NAT_ENABLED' , 'a non-empty masq file' );
|
||||||
|
progress_message2 "$doing Masq file...";
|
||||||
|
setup_masq;
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# MACLIST Filtration
|
# MACLIST Filtration
|
||||||
#
|
#
|
||||||
@ -766,13 +771,19 @@ sub compiler( $ ) {
|
|||||||
#
|
#
|
||||||
# Setup Nat
|
# Setup Nat
|
||||||
#
|
#
|
||||||
progress_message2 "$doing one-to-one NAT...";
|
if ( -s "$ENV{TMP_DIR}/nat" ) {
|
||||||
setup_nat;
|
require_capability( 'NAT_ENABLED' , 'a non-empty nat file' );
|
||||||
|
progress_message2 "$doing one-to-one NAT...";
|
||||||
|
setup_nat;
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# Setup NETMAP
|
# Setup NETMAP
|
||||||
#
|
#
|
||||||
progress_message2 "$doing NETMAP...";
|
if ( -s "$ENV{TMP_DIR}/nat" ) {
|
||||||
setup_netmap;
|
require_capability( 'NAT_ENABLED' , 'a non-empty netmap file' );
|
||||||
|
progress_message2 "$doing NETMAP...";
|
||||||
|
setup_netmap;
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# Accounting.
|
# Accounting.
|
||||||
#
|
#
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user