mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-31 09:59:59 +01:00
Don't export %capabilities
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
c5f64848f6
commit
90b68a05de
@ -770,7 +770,7 @@ sub process_action3( $$$$$ ) {
|
||||
sub dropBcast( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
||||
if ( $family == F_IPV4 ) {
|
||||
@ -808,7 +808,7 @@ sub dropBcast( $$$ ) {
|
||||
sub allowBcast( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
if ( $family == F_IPV4 && $capabilities{ADDRTYPE} ) {
|
||||
if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
|
||||
|
||||
@ -381,7 +381,7 @@ sub initialize( $ ) {
|
||||
# Process a COMMENT line (in $currentline)
|
||||
#
|
||||
sub process_comment() {
|
||||
if ( $capabilities{COMMENTS} ) {
|
||||
if ( have_capability( 'COMMENTS' ) ) {
|
||||
( $comment = $currentline ) =~ s/^\s*COMMENT\s*//;
|
||||
$comment =~ s/\s*$//;
|
||||
} else {
|
||||
@ -393,7 +393,7 @@ sub process_comment() {
|
||||
# Returns True if there is a current COMMENT or if COMMENTS are not available.
|
||||
#
|
||||
sub no_comment() {
|
||||
$comment ? 1 : $capabilities{COMMENTS} ? 0 : 1;
|
||||
$comment ? 1 : have_capability( 'COMMENTS' ) ? 0 : 1;
|
||||
}
|
||||
|
||||
#
|
||||
@ -409,7 +409,7 @@ sub clear_comment() {
|
||||
sub macro_comment( $ ) {
|
||||
my $macro = $_[0];
|
||||
|
||||
$comment = $macro unless $comment || ! ( $capabilities{COMMENTS} && $config{AUTO_COMMENT} );
|
||||
$comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTO_COMMENT} );
|
||||
}
|
||||
|
||||
#
|
||||
@ -640,7 +640,7 @@ sub add_jump( $$$;$$$ ) {
|
||||
#
|
||||
$toref->{referenced} = 1, add_reference $fromref, $toref if $toref;
|
||||
|
||||
my $param = $goto_ok && $toref && $capabilities{GOTO_TARGET} ? 'g' : 'j';
|
||||
my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';
|
||||
|
||||
if ( defined $index ) {
|
||||
assert( ! $expandports );
|
||||
@ -1206,7 +1206,7 @@ sub initialize_chain_table()
|
||||
new_builtin_chain 'mangle', $chain, 'ACCEPT';
|
||||
}
|
||||
|
||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||
if ( have_capability( 'MANGLE_FORWARD' ) ) {
|
||||
for my $chain qw( FORWARD POSTROUTING ) {
|
||||
new_builtin_chain 'mangle', $chain, 'ACCEPT';
|
||||
}
|
||||
@ -1640,7 +1640,7 @@ sub set_mss1( $$ ) {
|
||||
my $chainref = ensure_chain 'filter', $chain;
|
||||
|
||||
if ( $chainref->{policy} ne 'NONE' ) {
|
||||
my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
|
||||
my $match = have_capability( 'TCPMSS_MATCH' ) ? "-m tcpmss --mss $mss: " : '';
|
||||
insert_rule1 $chainref, 0, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss"
|
||||
}
|
||||
}
|
||||
@ -1830,7 +1830,7 @@ sub do_proto( $$$;$ )
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT};
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
|
||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||
fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15;
|
||||
$ports = validate_port_list $pname , $ports;
|
||||
@ -1903,7 +1903,7 @@ sub do_proto( $$$;$ )
|
||||
$options .= " --$_" for split /,/, $ports;
|
||||
}
|
||||
|
||||
$options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
|
||||
$options = have_capability( 'OLD_IPP2P_MATCH' ) ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
|
||||
|
||||
$output .= "${proto}-m ipp2p${options} ";
|
||||
} else {
|
||||
@ -2007,7 +2007,7 @@ sub do_ratelimit( $$ ) {
|
||||
require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
|
||||
|
||||
my $limit = "-m hashlimit ";
|
||||
my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto';
|
||||
my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
|
||||
|
||||
if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
|
||||
$limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
|
||||
@ -2218,7 +2218,7 @@ sub match_dest_dev( $ ) {
|
||||
my $interfaceref = known_interface( $interface );
|
||||
$interface = $interfaceref->{physical} if $interfaceref;
|
||||
if ( $interfaceref && $interfaceref->{options}{port} ) {
|
||||
if ( $capabilities{PHYSDEV_BRIDGE} ) {
|
||||
if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
|
||||
"-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
|
||||
} else {
|
||||
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
|
||||
@ -2237,7 +2237,7 @@ sub iprange_match() {
|
||||
require_capability( 'IPRANGE_MATCH' , 'Address Ranges' , '' );
|
||||
unless ( $iprangematch ) {
|
||||
$match = '-m iprange ';
|
||||
$iprangematch = 1 unless $capabilities{KLUDGEFREE};
|
||||
$iprangematch = 1 unless have_capability( 'KLUDGEFREE' );
|
||||
}
|
||||
|
||||
$match;
|
||||
@ -2329,11 +2329,11 @@ sub match_orig_dest ( $ ) {
|
||||
my $net = $_[0];
|
||||
|
||||
return '' if $net eq ALLIP;
|
||||
return '' unless $capabilities{CONNTRACK_MATCH};
|
||||
return '' unless have_capability( 'CONNTRACK_MATCH' );
|
||||
|
||||
if ( $net =~ s/^!// ) {
|
||||
validate_net $net, 1;
|
||||
$capabilities{OLD_CONNTRACK_MATCH} ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
|
||||
have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
|
||||
} else {
|
||||
validate_net $net, 1;
|
||||
$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
|
||||
@ -2354,7 +2354,7 @@ sub match_ipsec_in( $$ ) {
|
||||
|
||||
if ( $zoneref->{type} eq 'ipsec' ) {
|
||||
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
|
||||
} elsif ( $capabilities{POLICY_MATCH} ) {
|
||||
} elsif ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
|
||||
} else {
|
||||
return '';
|
||||
@ -2378,7 +2378,7 @@ sub match_ipsec_out( $$ ) {
|
||||
|
||||
if ( $zoneref->{type} eq 'ipsec' ) {
|
||||
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
|
||||
} elsif ( $capabilities{POLICY_MATCH} ) {
|
||||
} elsif ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
|
||||
} else {
|
||||
return '';
|
||||
@ -2799,7 +2799,7 @@ sub get_interface_mac( $$$ ) {
|
||||
}
|
||||
|
||||
sub have_global_variables() {
|
||||
$capabilities{ADDRTYPE} ? $global_variables : $global_variables | NOT_RESTORE;
|
||||
have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE;
|
||||
}
|
||||
|
||||
#
|
||||
@ -2818,7 +2818,7 @@ sub set_global_variables( $ ) {
|
||||
emit $_ for values %interfaceaddrs;
|
||||
emit $_ for values %interfacenets;
|
||||
|
||||
unless ( $capabilities{ADDRTYPE} ) {
|
||||
unless ( have_capability( 'ADDRTYPE' ) ) {
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
|
||||
@ -3062,7 +3062,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
}
|
||||
|
||||
if ( $origdest ) {
|
||||
if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
|
||||
if ( $origdest eq '-' || ! have_capability( 'CONNTRACK_MATCH' ) ) {
|
||||
$origdest = '';
|
||||
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
|
||||
#
|
||||
@ -3229,10 +3229,10 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
for my $inet ( mysplit $inets ) {
|
||||
my $source_match;
|
||||
|
||||
$source_match = match_source_net( $inet, $restriction ) if $capabilities{KLUDGEFREE};
|
||||
$source_match = match_source_net( $inet, $restriction ) if have_capability( 'KLUDGEFREE' );
|
||||
|
||||
for my $dnet ( mysplit $dnets ) {
|
||||
$source_match = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE};
|
||||
$source_match = match_source_net( $inet, $restriction ) unless have_capability( 'KLUDGEFREE' );
|
||||
my $dest_match = match_dest_net( $dnet );
|
||||
my $matches = join( '', $rule, $source_match, $dest_match, $onet );
|
||||
|
||||
@ -3383,9 +3383,9 @@ sub create_netfilter_load( $ ) {
|
||||
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if $capabilities{RAW_TABLE};
|
||||
push @table_list, 'nat' if $capabilities{NAT_ENABLED};
|
||||
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
$mode = NULL_MODE;
|
||||
@ -3485,9 +3485,9 @@ sub preview_netfilter_load() {
|
||||
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if $capabilities{RAW_TABLE};
|
||||
push @table_list, 'nat' if $capabilities{NAT_ENABLED};
|
||||
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
$mode = NULL_MODE;
|
||||
@ -3557,7 +3557,7 @@ sub create_chainlist_reload($) {
|
||||
|
||||
unless ( @chains ) {
|
||||
@chains = qw( blacklst ) if $filter_table->{blacklst};
|
||||
push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
$chains = join( ',', @chains ) if @chains;
|
||||
}
|
||||
|
||||
@ -3677,9 +3677,9 @@ sub create_stop_load( $ ) {
|
||||
|
||||
my @table_list;
|
||||
|
||||
push @table_list, 'raw' if $capabilities{RAW_TABLE};
|
||||
push @table_list, 'nat' if $capabilities{NAT_ENABLED};
|
||||
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
|
||||
push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
|
||||
push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
push @table_list, 'filter';
|
||||
|
||||
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
|
||||
|
||||
@ -434,7 +434,7 @@ sub generate_script_3($) {
|
||||
''
|
||||
);
|
||||
|
||||
if ( $capabilities{NAT_ENABLED} ) {
|
||||
if ( have_capability( 'NAT_ENABLED' ) ) {
|
||||
emit( 'if [ -f ${VARDIR}/nat ]; then',
|
||||
' while read external interface; do',
|
||||
' del_ip_addr $external $interface',
|
||||
@ -773,7 +773,7 @@ sub compiler {
|
||||
#
|
||||
# ECN
|
||||
#
|
||||
setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED};
|
||||
setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
|
||||
#
|
||||
# Setup Masquerading/SNAT
|
||||
#
|
||||
|
||||
@ -101,6 +101,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
ensure_config_path
|
||||
get_configuration
|
||||
require_capability
|
||||
have_capability
|
||||
set_capability
|
||||
report_capabilities
|
||||
propagateconfig
|
||||
append_file
|
||||
@ -117,7 +119,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
|
||||
$currentline
|
||||
%config
|
||||
%globals
|
||||
%capabilities
|
||||
|
||||
F_IPV4
|
||||
F_IPV6
|
||||
@ -600,7 +601,7 @@ sub initialize( $ ) {
|
||||
LOGMARK => 'LOGMARK' );
|
||||
}
|
||||
#
|
||||
# From parsing the capabilities file
|
||||
# From parsing the capabilities file or capabilities detection
|
||||
#
|
||||
%capabilities =
|
||||
( NAT_ENABLED => undef,
|
||||
@ -2195,6 +2196,20 @@ sub determine_capabilities( $ ) {
|
||||
determine_kernelversion;
|
||||
}
|
||||
|
||||
#
|
||||
# Report the passed capability
|
||||
#
|
||||
sub have_capability( $ ) {
|
||||
$capabilities{$_[0]};
|
||||
}
|
||||
|
||||
#
|
||||
# Set the passed capability
|
||||
#
|
||||
sub set_capability( $$ ) {
|
||||
$capabilities{$_[0]} = $_[1];
|
||||
}
|
||||
|
||||
#
|
||||
# Require the passed capability
|
||||
#
|
||||
|
||||
@ -159,7 +159,7 @@ sub process_one_masq( )
|
||||
} else {
|
||||
$baserule .= do_ipsec_options $ipsec;
|
||||
}
|
||||
} elsif ( $capabilities{POLICY_MATCH} ) {
|
||||
} elsif ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
$baserule .= '-m policy --pol none --dir out ';
|
||||
}
|
||||
|
||||
@ -372,7 +372,7 @@ sub do_one_nat( $$$$$ )
|
||||
$interface = $interfaceref->{name};
|
||||
}
|
||||
|
||||
if ( $capabilities{POLICY_MATCH} ) {
|
||||
if ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
$policyin = ' -m policy --pol none --dir in';
|
||||
$policyout = '-m policy --pol none --dir out';
|
||||
}
|
||||
|
||||
@ -130,7 +130,7 @@ sub setup_route_filtering() {
|
||||
emit "fi\n";
|
||||
}
|
||||
|
||||
if ( $capabilities{KERNELVERSION} < 20631 ) {
|
||||
if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
|
||||
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
|
||||
} elsif ( $val ne '' ) {
|
||||
emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
|
||||
|
||||
@ -85,8 +85,8 @@ sub initialize( $ ) {
|
||||
use constant { MAX_MACRO_NEST_LEVEL => 5 };
|
||||
|
||||
sub process_tos() {
|
||||
my $chain = $capabilities{MANGLE_FORWARD} ? 'fortos' : 'pretos';
|
||||
my $stdchain = $capabilities{MANGLE_FORWARD} ? 'FORWARD' : 'PREROUTING';
|
||||
my $chain = have_capability( 'MANGLE_FORWARD' ) ? 'fortos' : 'pretos';
|
||||
my $stdchain = have_capability( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING';
|
||||
|
||||
my %tosoptions = ( 'minimize-delay' => 0x10 ,
|
||||
'maximize-throughput' => 0x08 ,
|
||||
@ -281,7 +281,7 @@ sub setup_blacklist() {
|
||||
for my $hostref ( @$hosts ) {
|
||||
my $interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $network = $hostref->[2];
|
||||
my $source = match_source_net $network;
|
||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||
@ -453,7 +453,7 @@ sub add_common_rules() {
|
||||
|
||||
$chainref = new_standard_chain 'smurfs';
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
add_rule $chainref , '-s 0.0.0.0 -j RETURN';
|
||||
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
|
||||
} else {
|
||||
@ -476,7 +476,7 @@ sub add_common_rules() {
|
||||
add_rule_pair $chainref, '-s ff00::/10 ', 'DROP', $config{SMURF_LOG_LEVEL} if $family == F_IPV4;
|
||||
}
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
|
||||
} else {
|
||||
if ( $family == F_IPV4 ) {
|
||||
@ -505,7 +505,7 @@ sub add_common_rules() {
|
||||
for my $hostref ( @$list ) {
|
||||
$interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||
|
||||
for $chain ( first_chains $interface ) {
|
||||
@ -520,7 +520,7 @@ sub add_common_rules() {
|
||||
add_rule $rejectref , '-p 2 -j DROP';
|
||||
add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset';
|
||||
|
||||
if ( $capabilities{ENHANCED_REJECT} ) {
|
||||
if ( have_capability( 'ENHANCED_REJECT' ) ) {
|
||||
add_rule $rejectref , '-p 17 -j REJECT';
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
@ -597,7 +597,7 @@ sub add_common_rules() {
|
||||
for my $hostref ( @$list ) {
|
||||
my $interface = $hostref->[0];
|
||||
my $target = source_exclusion( $hostref->[3], $chainref );
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : '';
|
||||
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $hostref->[1] --dir in " : '';
|
||||
|
||||
for $chain ( first_chains $interface ) {
|
||||
add_jump $filter_table->{$chain} , $target, 0, join( '', '-p tcp ', match_source_net( $hostref->[2] ), $policy );
|
||||
@ -763,7 +763,7 @@ sub setup_mac_lists( $ ) {
|
||||
for my $hostref ( @$maclist_hosts ) {
|
||||
my $interface = $hostref->[0];
|
||||
my $ipsec = $hostref->[1];
|
||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : '';
|
||||
my $source = match_source_net $hostref->[2];
|
||||
|
||||
my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
|
||||
@ -794,7 +794,7 @@ sub setup_mac_lists( $ ) {
|
||||
if ( $level ne '' || $disposition ne 'ACCEPT' ) {
|
||||
my $variable = get_interface_addresses source_port_to_bridge( $interface );
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
add_commands( $chainref,
|
||||
"for address in $variable; do",
|
||||
" echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
|
||||
@ -1416,7 +1416,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
}
|
||||
}
|
||||
|
||||
$rule .= "-m conntrack --ctorigdstport $origdstports " if $capabilities{NEW_CONNTRACK_MATCH} && $origdstports;
|
||||
$rule .= "-m conntrack --ctorigdstport $origdstports " if have_capability( 'NEW_CONNTRACK_MATCH' ) && $origdstports;
|
||||
|
||||
expand_rule( ensure_chain( 'filter', $chain ) ,
|
||||
$restriction ,
|
||||
@ -1709,7 +1709,7 @@ sub generate_matrix() {
|
||||
#
|
||||
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
||||
|
||||
if ( $capabilities{POLICY_MATCH} ) {
|
||||
if ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
#
|
||||
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
|
||||
# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
|
||||
@ -2117,11 +2117,11 @@ sub setup_mss( ) {
|
||||
if ( "\L$clampmss" eq 'yes' ) {
|
||||
$option = '--clamp-mss-to-pmtu';
|
||||
} else {
|
||||
$match = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH};
|
||||
$match = "-m tcpmss --mss $clampmss: " if have_capability( 'TCPMSS_MATCH' );
|
||||
$option = "--set-mss $clampmss";
|
||||
}
|
||||
|
||||
$match .= '-m policy --pol none --dir out ' if $capabilities{POLICY_MATCH};
|
||||
$match .= '-m policy --pol none --dir out ' if have_capability( 'POLICY_MATCH' );
|
||||
}
|
||||
|
||||
my $interfaces = find_interfaces_by_option( 'mss' );
|
||||
@ -2139,14 +2139,14 @@ sub setup_mss( ) {
|
||||
my $in_match = '';
|
||||
my $out_match = '';
|
||||
|
||||
if ( $capabilities{POLICY_MATCH} ) {
|
||||
if ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
$in_match = '-m policy --pol none --dir in ';
|
||||
$out_match = '-m policy --pol none --dir out ';
|
||||
}
|
||||
|
||||
for ( @$interfaces ) {
|
||||
my $mss = get_interface_option( $_, 'mss' );
|
||||
my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : '';
|
||||
my $mssmatch = have_capability( 'TCPMSS_MATCH' ) ? "-m tcpmss --mss $mss: " : '';
|
||||
my $source = match_source_dev $_;
|
||||
my $dest = match_dest_dev $_;
|
||||
add_rule $chainref, "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
|
||||
@ -2249,7 +2249,7 @@ EOF
|
||||
run_stop_exit
|
||||
EOF
|
||||
|
||||
if ( $capabilities{NAT_ENABLED} ) {
|
||||
if ( have_capability( 'NAT_ENABLED' ) ) {
|
||||
emit<<'EOF';
|
||||
if [ -f ${VARDIR}/nat ]; then
|
||||
while read external interface; do
|
||||
|
||||
@ -1114,7 +1114,7 @@ sub process_tc_priority() {
|
||||
|
||||
my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
|
||||
|
||||
$rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if $capabilities{EXMARK};
|
||||
$rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
|
||||
|
||||
if ( $interface ne '-' ) {
|
||||
fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
|
||||
@ -1384,7 +1384,7 @@ sub setup_tc() {
|
||||
ensure_mangle_chain 'tcpre';
|
||||
ensure_mangle_chain 'tcout';
|
||||
|
||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||
if ( have_capability( 'MANGLE_FORWARD' ) ) {
|
||||
ensure_mangle_chain 'tcfor';
|
||||
ensure_mangle_chain 'tcpost';
|
||||
}
|
||||
@ -1407,7 +1407,7 @@ sub setup_tc() {
|
||||
add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
|
||||
add_jump $mangle_table->{OUTPUT} , 'tcout', 0, $mark_part;
|
||||
|
||||
if ( $capabilities{MANGLE_FORWARD} ) {
|
||||
if ( have_capability( 'MANGLE_FORWARD' ) ) {
|
||||
add_rule( $mangle_table->{FORWARD}, '-j MARK --set-mark 0' );
|
||||
add_jump $mangle_table->{FORWARD} , 'tcfor', 0;
|
||||
add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
|
||||
|
||||
@ -86,7 +86,7 @@ sub setup_tunnels() {
|
||||
$inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
|
||||
$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
|
||||
|
||||
unless ( $capabilities{POLICY_MATCH} ) {
|
||||
unless ( have_capability( 'POLICY_MATCH' ) ) {
|
||||
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
|
||||
add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";
|
||||
|
||||
|
||||
@ -752,7 +752,7 @@ sub process_interface( $ ) {
|
||||
if ( defined $port && $port ne '' ) {
|
||||
fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
|
||||
require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
|
||||
fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE};
|
||||
fatal_error "Your iptables is not recent enough to support bridge ports" unless have_capability( 'KLUDGEFREE' );
|
||||
|
||||
fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
|
||||
fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
|
||||
@ -796,7 +796,7 @@ sub process_interface( $ ) {
|
||||
fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
|
||||
}
|
||||
|
||||
if ( $capabilities{ADDRTYPE} ) {
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available';
|
||||
} else {
|
||||
$broadcasts = \@broadcasts;
|
||||
@ -1271,7 +1271,7 @@ sub validate_hosts_file()
|
||||
|
||||
$ipsec |= process_host while read_a_line;
|
||||
|
||||
$capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones;
|
||||
set_capability( 'POLICY_MATCH' , '' ) unless $ipsec || haveipseczones;
|
||||
}
|
||||
|
||||
#
|
||||
|
||||
Loading…
Reference in New Issue
Block a user