Don't export %capabilities

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-01-25 07:56:16 -08:00
parent c5f64848f6
commit 90b68a05de
10 changed files with 78 additions and 63 deletions


@ -770,7 +770,7 @@ sub process_action3( $$$$$ ) {
sub dropBcast( $$$ ) { sub dropBcast( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
if ( $capabilities{ADDRTYPE} ) { if ( have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@ -808,7 +808,7 @@ sub dropBcast( $$$ ) {
sub allowBcast( $$$ ) { sub allowBcast( $$$ ) {
my ($chainref, $level, $tag) = @_; my ($chainref, $level, $tag) = @_;
if ( $family == F_IPV4 && $capabilities{ADDRTYPE} ) { if ( $family == F_IPV4 && have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 '; log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';


@ -381,7 +381,7 @@ sub initialize( $ ) {
# Process a COMMENT line (in $currentline) # Process a COMMENT line (in $currentline)
# #
sub process_comment() { sub process_comment() {
if ( $capabilities{COMMENTS} ) { if ( have_capability( 'COMMENTS' ) ) {
( $comment = $currentline ) =~ s/^\s*COMMENT\s*//; ( $comment = $currentline ) =~ s/^\s*COMMENT\s*//;
$comment =~ s/\s*$//; $comment =~ s/\s*$//;
} else { } else {
@ -393,7 +393,7 @@ sub process_comment() {
# Returns True if there is a current COMMENT or if COMMENTS are not available. # Returns True if there is a current COMMENT or if COMMENTS are not available.
# #
sub no_comment() { sub no_comment() {
$comment ? 1 : $capabilities{COMMENTS} ? 0 : 1; $comment ? 1 : have_capability( 'COMMENTS' ) ? 0 : 1;
} }
# #
@ -409,7 +409,7 @@ sub clear_comment() {
sub macro_comment( $ ) { sub macro_comment( $ ) {
my $macro = $_[0]; my $macro = $_[0];
$comment = $macro unless $comment || ! ( $capabilities{COMMENTS} && $config{AUTO_COMMENT} ); $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTO_COMMENT} );
} }
# #
@ -640,7 +640,7 @@ sub add_jump( $$$;$$$ ) {
# #
$toref->{referenced} = 1, add_reference $fromref, $toref if $toref; $toref->{referenced} = 1, add_reference $fromref, $toref if $toref;
my $param = $goto_ok && $toref && $capabilities{GOTO_TARGET} ? 'g' : 'j'; my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';
if ( defined $index ) { if ( defined $index ) {
assert( ! $expandports ); assert( ! $expandports );
@ -1206,7 +1206,7 @@ sub initialize_chain_table()
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
} }
if ( $capabilities{MANGLE_FORWARD} ) { if ( have_capability( 'MANGLE_FORWARD' ) ) {
for my $chain qw( FORWARD POSTROUTING ) { for my $chain qw( FORWARD POSTROUTING ) {
new_builtin_chain 'mangle', $chain, 'ACCEPT'; new_builtin_chain 'mangle', $chain, 'ACCEPT';
} }
@ -1640,7 +1640,7 @@ sub set_mss1( $$ ) {
my $chainref = ensure_chain 'filter', $chain; my $chainref = ensure_chain 'filter', $chain;
if ( $chainref->{policy} ne 'NONE' ) { if ( $chainref->{policy} ne 'NONE' ) {
my $match = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; my $match = have_capability( 'TCPMSS_MATCH' ) ? "-m tcpmss --mss $mss: " : '';
insert_rule1 $chainref, 0, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss" insert_rule1 $chainref, 0, "-p tcp --tcp-flags SYN,RST SYN ${match}-j TCPMSS --set-mss $mss"
} }
} }
@ -1830,7 +1830,7 @@ sub do_proto( $$$;$ )
if ( $ports ne '' ) { if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : ''; $invert = $ports =~ s/^!// ? '! ' : '';
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) { if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless $capabilities{MULTIPORT}; fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15; fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15;
$ports = validate_port_list $pname , $ports; $ports = validate_port_list $pname , $ports;
@ -1903,7 +1903,7 @@ sub do_proto( $$$;$ )
$options .= " --$_" for split /,/, $ports; $options .= " --$_" for split /,/, $ports;
} }
$options = $capabilities{OLD_IPP2P_MATCH} ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options; $options = have_capability( 'OLD_IPP2P_MATCH' ) ? ' --ipp2p' : ' --edk --kazaa --gnu --dc' unless $options;
$output .= "${proto}-m ipp2p${options} "; $output .= "${proto}-m ipp2p${options} ";
} else { } else {
@ -2007,7 +2007,7 @@ sub do_ratelimit( $$ ) {
require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's'; require_capability 'HASHLIMIT_MATCH', 'Per-ip rate limiting' , 's';
my $limit = "-m hashlimit "; my $limit = "-m hashlimit ";
my $match = $capabilities{OLD_HL_MATCH} ? 'hashlimit' : 'hashlimit-upto'; my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) { if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
$limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name "; $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
@ -2218,7 +2218,7 @@ sub match_dest_dev( $ ) {
my $interfaceref = known_interface( $interface ); my $interfaceref = known_interface( $interface );
$interface = $interfaceref->{physical} if $interfaceref; $interface = $interfaceref->{physical} if $interfaceref;
if ( $interfaceref && $interfaceref->{options}{port} ) { if ( $interfaceref && $interfaceref->{options}{port} ) {
if ( $capabilities{PHYSDEV_BRIDGE} ) { if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
"-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface "; "-o $interfaceref->{bridge} -m physdev --physdev-is-bridged --physdev-out $interface ";
} else { } else {
"-o $interfaceref->{bridge} -m physdev --physdev-out $interface "; "-o $interfaceref->{bridge} -m physdev --physdev-out $interface ";
@ -2237,7 +2237,7 @@ sub iprange_match() {
require_capability( 'IPRANGE_MATCH' , 'Address Ranges' , '' ); require_capability( 'IPRANGE_MATCH' , 'Address Ranges' , '' );
unless ( $iprangematch ) { unless ( $iprangematch ) {
$match = '-m iprange '; $match = '-m iprange ';
$iprangematch = 1 unless $capabilities{KLUDGEFREE}; $iprangematch = 1 unless have_capability( 'KLUDGEFREE' );
} }
$match; $match;
@ -2329,11 +2329,11 @@ sub match_orig_dest ( $ ) {
my $net = $_[0]; my $net = $_[0];
return '' if $net eq ALLIP; return '' if $net eq ALLIP;
return '' unless $capabilities{CONNTRACK_MATCH}; return '' unless have_capability( 'CONNTRACK_MATCH' );
if ( $net =~ s/^!// ) { if ( $net =~ s/^!// ) {
validate_net $net, 1; validate_net $net, 1;
$capabilities{OLD_CONNTRACK_MATCH} ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net "; have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
} else { } else {
validate_net $net, 1; validate_net $net, 1;
$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net "; $net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
@ -2354,7 +2354,7 @@ sub match_ipsec_in( $$ ) {
if ( $zoneref->{type} eq 'ipsec' ) { if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) { } elsif ( have_capability( 'POLICY_MATCH' ) ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}"; $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
} else { } else {
return ''; return '';
@ -2378,7 +2378,7 @@ sub match_ipsec_out( $$ ) {
if ( $zoneref->{type} eq 'ipsec' ) { if ( $zoneref->{type} eq 'ipsec' ) {
$match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"; $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}";
} elsif ( $capabilities{POLICY_MATCH} ) { } elsif ( have_capability( 'POLICY_MATCH' ) ) {
$match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}" $match .= "$hostref->{ipsec} $optionsref->{in_out}{ipsec}$optionsref->{out}{ipsec}"
} else { } else {
return ''; return '';
@ -2799,7 +2799,7 @@ sub get_interface_mac( $$$ ) {
} }
sub have_global_variables() { sub have_global_variables() {
$capabilities{ADDRTYPE} ? $global_variables : $global_variables | NOT_RESTORE; have_capability( 'ADDRTYPE' ) ? $global_variables : $global_variables | NOT_RESTORE;
} }
# #
@ -2818,7 +2818,7 @@ sub set_global_variables( $ ) {
emit $_ for values %interfaceaddrs; emit $_ for values %interfaceaddrs;
emit $_ for values %interfacenets; emit $_ for values %interfacenets;
unless ( $capabilities{ADDRTYPE} ) { unless ( have_capability( 'ADDRTYPE' ) ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"'; emit 'ALL_BCASTS="$(get_all_bcasts) 255.255.255.255"';
@ -3062,7 +3062,7 @@ sub expand_rule( $$$$$$$$$$;$ )
} }
if ( $origdest ) { if ( $origdest ) {
if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) { if ( $origdest eq '-' || ! have_capability( 'CONNTRACK_MATCH' ) ) {
$origdest = ''; $origdest = '';
} elsif ( $origdest =~ /^detect:(.*)$/ ) { } elsif ( $origdest =~ /^detect:(.*)$/ ) {
# #
@ -3229,10 +3229,10 @@ sub expand_rule( $$$$$$$$$$;$ )
for my $inet ( mysplit $inets ) { for my $inet ( mysplit $inets ) {
my $source_match; my $source_match;
$source_match = match_source_net( $inet, $restriction ) if $capabilities{KLUDGEFREE}; $source_match = match_source_net( $inet, $restriction ) if have_capability( 'KLUDGEFREE' );
for my $dnet ( mysplit $dnets ) { for my $dnet ( mysplit $dnets ) {
$source_match = match_source_net( $inet, $restriction ) unless $capabilities{KLUDGEFREE}; $source_match = match_source_net( $inet, $restriction ) unless have_capability( 'KLUDGEFREE' );
my $dest_match = match_dest_net( $dnet ); my $dest_match = match_dest_net( $dnet );
my $matches = join( '', $rule, $source_match, $dest_match, $onet ); my $matches = join( '', $rule, $source_match, $dest_match, $onet );
@ -3383,9 +3383,9 @@ sub create_netfilter_load( $ ) {
my @table_list; my @table_list;
push @table_list, 'raw' if $capabilities{RAW_TABLE}; push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
push @table_list, 'nat' if $capabilities{NAT_ENABLED}; push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
push @table_list, 'filter'; push @table_list, 'filter';
$mode = NULL_MODE; $mode = NULL_MODE;
@ -3485,9 +3485,9 @@ sub preview_netfilter_load() {
my @table_list; my @table_list;
push @table_list, 'raw' if $capabilities{RAW_TABLE}; push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
push @table_list, 'nat' if $capabilities{NAT_ENABLED}; push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
push @table_list, 'filter'; push @table_list, 'filter';
$mode = NULL_MODE; $mode = NULL_MODE;
@ -3557,7 +3557,7 @@ sub create_chainlist_reload($) {
unless ( @chains ) { unless ( @chains ) {
@chains = qw( blacklst ) if $filter_table->{blacklst}; @chains = qw( blacklst ) if $filter_table->{blacklst};
push @chains, 'mangle:' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; push @chains, 'mangle:' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
$chains = join( ',', @chains ) if @chains; $chains = join( ',', @chains ) if @chains;
} }
@ -3677,9 +3677,9 @@ sub create_stop_load( $ ) {
my @table_list; my @table_list;
push @table_list, 'raw' if $capabilities{RAW_TABLE}; push @table_list, 'raw' if have_capability( 'RAW_TABLE' );
push @table_list, 'nat' if $capabilities{NAT_ENABLED}; push @table_list, 'nat' if have_capability( 'NAT_ENABLED' );
push @table_list, 'mangle' if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
push @table_list, 'filter'; push @table_list, 'filter';
my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore'; my $utility = $family == F_IPV4 ? 'iptables-restore' : 'ip6tables-restore';
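Review bot: The four-line table-list construction is now repeated verbatim in create_netfilter_load, preview_netfilter_load and create_stop_load (the last three hunks of this file), and this commit had to touch all three copies; a small helper would make the next capability change a single edit and keep the three load paths from drifting apart. The enclosing subs all start outside their hunks, so the helper is shown on its own below and each caller would become `my @table_list = table_list;`. Separately, in the expand_rule hunk have_capability( 'KLUDGEFREE' ) is now a sub call evaluated once per source net and again per destination net inside the nested loops; hoisting it into a lexical before the outer loop, `my $kludgefree = have_capability( 'KLUDGEFREE' );`, keeps the original semantics while avoiding the repeated lookup.
```perl
#
# Return the list of netfilter tables the generated script must load,
# in load order, according to the detected capabilities and the config.
#
sub table_list() {
    my @table_list;

    push @table_list, 'raw'    if have_capability( 'RAW_TABLE' );
    push @table_list, 'nat'    if have_capability( 'NAT_ENABLED' );
    push @table_list, 'mangle' if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
    push @table_list, 'filter';

    @table_list;
}
```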


@ -434,7 +434,7 @@ sub generate_script_3($) {
'' ''
); );
if ( $capabilities{NAT_ENABLED} ) { if ( have_capability( 'NAT_ENABLED' ) ) {
emit( 'if [ -f ${VARDIR}/nat ]; then', emit( 'if [ -f ${VARDIR}/nat ]; then',
' while read external interface; do', ' while read external interface; do',
' del_ip_addr $external $interface', ' del_ip_addr $external $interface',
@ -773,7 +773,7 @@ sub compiler {
# #
# ECN # ECN
# #
setup_ecn if $capabilities{MANGLE_ENABLED} && $config{MANGLE_ENABLED}; setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
# #
# Setup Masquerading/SNAT # Setup Masquerading/SNAT
# #


@ -101,6 +101,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
ensure_config_path ensure_config_path
get_configuration get_configuration
require_capability require_capability
have_capability
set_capability
report_capabilities report_capabilities
propagateconfig propagateconfig
append_file append_file
@ -117,7 +119,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
$currentline $currentline
%config %config
%globals %globals
%capabilities
F_IPV4 F_IPV4
F_IPV6 F_IPV6
@ -600,7 +601,7 @@ sub initialize( $ ) {
LOGMARK => 'LOGMARK' ); LOGMARK => 'LOGMARK' );
} }
# #
# From parsing the capabilities file # From parsing the capabilities file or capabilities detection
# #
%capabilities = %capabilities =
( NAT_ENABLED => undef, ( NAT_ENABLED => undef,
@ -2195,6 +2196,20 @@ sub determine_capabilities( $ ) {
determine_kernelversion; determine_kernelversion;
} }
#
# Report the passed capability
#
sub have_capability( $ ) {
$capabilities{$_[0]};
}
#
# Set the passed capability
#
sub set_capability( $$ ) {
$capabilities{$_[0]} = $_[1];
}
# #
# Require the passed capability # Require the passed capability
# #
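Review bot: have_capability returns `$capabilities{$_[0]}` for whatever name it is handed, so a mistyped capability name (say a misspelled POLICY_MATCH) silently evaluates as false and the caller quietly emits rules without that match — the same fail-open a bare hash lookup had, but the new accessor is the natural place to close it. If initialize() populates every capability key up front (its `%capabilities = ( NAT_ENABLED => undef, ...` initializer begins in the previous hunk but is cut off), a guard such as `fatal_error "Unknown capability ($_[0])" unless exists $capabilities{$_[0]};` at the top of both have_capability and set_capability would turn a typo into a compile-time failure rather than a weaker ruleset; I am assuming fatal_error is defined in this module since the other modules import it. The two header comments should also state the contract, e.g. `# Return the value of the named capability (false when not available)` and `# Override a detected capability (see validate_hosts_file, which clears POLICY_MATCH)`.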


@ -159,7 +159,7 @@ sub process_one_masq( )
} else { } else {
$baserule .= do_ipsec_options $ipsec; $baserule .= do_ipsec_options $ipsec;
} }
} elsif ( $capabilities{POLICY_MATCH} ) { } elsif ( have_capability( 'POLICY_MATCH' ) ) {
$baserule .= '-m policy --pol none --dir out '; $baserule .= '-m policy --pol none --dir out ';
} }
@ -372,7 +372,7 @@ sub do_one_nat( $$$$$ )
$interface = $interfaceref->{name}; $interface = $interfaceref->{name};
} }
if ( $capabilities{POLICY_MATCH} ) { if ( have_capability( 'POLICY_MATCH' ) ) {
$policyin = ' -m policy --pol none --dir in'; $policyin = ' -m policy --pol none --dir in';
$policyout = '-m policy --pol none --dir out'; $policyout = '-m policy --pol none --dir out';
} }


@ -130,7 +130,7 @@ sub setup_route_filtering() {
emit "fi\n"; emit "fi\n";
} }
if ( $capabilities{KERNELVERSION} < 20631 ) { if ( have_capability( 'KERNELVERSION' ) < 20631 ) {
emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter'; emit 'echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter';
} elsif ( $val ne '' ) { } elsif ( $val ne '' ) {
emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter"; emit "echo $val > /proc/sys/net/ipv4/conf/all/rp_filter";
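Review bot: `have_capability( 'KERNELVERSION' ) < 20631` compares the capability numerically, and if detection left KERNELVERSION undefined the comparison evaluates as 0 < 20631 and takes the legacy branch that forces rp_filter to 1, with only a warnings-level diagnostic; I cannot see from this hunk how KERNELVERSION is populated, so this may already be guaranteed elsewhere. If it is not, a `my $kernelversion = have_capability( 'KERNELVERSION' );` followed by an explicit defined check (or a require_capability call, as the other modules use for their preconditions) before the comparison would make the fallback deliberate rather than accidental. setup_route_filtering starts outside this hunk.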


@ -85,8 +85,8 @@ sub initialize( $ ) {
use constant { MAX_MACRO_NEST_LEVEL => 5 }; use constant { MAX_MACRO_NEST_LEVEL => 5 };
sub process_tos() { sub process_tos() {
my $chain = $capabilities{MANGLE_FORWARD} ? 'fortos' : 'pretos'; my $chain = have_capability( 'MANGLE_FORWARD' ) ? 'fortos' : 'pretos';
my $stdchain = $capabilities{MANGLE_FORWARD} ? 'FORWARD' : 'PREROUTING'; my $stdchain = have_capability( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING';
my %tosoptions = ( 'minimize-delay' => 0x10 , my %tosoptions = ( 'minimize-delay' => 0x10 ,
'maximize-throughput' => 0x08 , 'maximize-throughput' => 0x08 ,
@ -281,7 +281,7 @@ sub setup_blacklist() {
for my $hostref ( @$hosts ) { for my $hostref ( @$hosts ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : '';
my $network = $hostref->[2]; my $network = $hostref->[2];
my $source = match_source_net $network; my $source = match_source_net $network;
my $target = source_exclusion( $hostref->[3], $chainref ); my $target = source_exclusion( $hostref->[3], $chainref );
@ -453,7 +453,7 @@ sub add_common_rules() {
$chainref = new_standard_chain 'smurfs'; $chainref = new_standard_chain 'smurfs';
if ( $capabilities{ADDRTYPE} ) { if ( have_capability( 'ADDRTYPE' ) ) {
add_rule $chainref , '-s 0.0.0.0 -j RETURN'; add_rule $chainref , '-s 0.0.0.0 -j RETURN';
add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ; add_rule_pair $chainref, '-m addrtype --src-type BROADCAST ', 'DROP', $config{SMURF_LOG_LEVEL} ;
} else { } else {
@ -476,7 +476,7 @@ sub add_common_rules() {
add_rule_pair $chainref, '-s ff00::/10 ', 'DROP', $config{SMURF_LOG_LEVEL} if $family == F_IPV4; add_rule_pair $chainref, '-s ff00::/10 ', 'DROP', $config{SMURF_LOG_LEVEL} if $family == F_IPV4;
} }
if ( $capabilities{ADDRTYPE} ) { if ( have_capability( 'ADDRTYPE' ) ) {
add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP'; add_rule $rejectref , '-m addrtype --src-type BROADCAST -j DROP';
} else { } else {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@ -505,7 +505,7 @@ sub add_common_rules() {
for my $hostref ( @$list ) { for my $hostref ( @$list ) {
$interface = $hostref->[0]; $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : '';
my $target = source_exclusion( $hostref->[3], $chainref ); my $target = source_exclusion( $hostref->[3], $chainref );
for $chain ( first_chains $interface ) { for $chain ( first_chains $interface ) {
@ -520,7 +520,7 @@ sub add_common_rules() {
add_rule $rejectref , '-p 2 -j DROP'; add_rule $rejectref , '-p 2 -j DROP';
add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset'; add_rule $rejectref , '-p 6 -j REJECT --reject-with tcp-reset';
if ( $capabilities{ENHANCED_REJECT} ) { if ( have_capability( 'ENHANCED_REJECT' ) ) {
add_rule $rejectref , '-p 17 -j REJECT'; add_rule $rejectref , '-p 17 -j REJECT';
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
@ -597,7 +597,7 @@ sub add_common_rules() {
for my $hostref ( @$list ) { for my $hostref ( @$list ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
my $target = source_exclusion( $hostref->[3], $chainref ); my $target = source_exclusion( $hostref->[3], $chainref );
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : ''; my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $hostref->[1] --dir in " : '';
for $chain ( first_chains $interface ) { for $chain ( first_chains $interface ) {
add_jump $filter_table->{$chain} , $target, 0, join( '', '-p tcp ', match_source_net( $hostref->[2] ), $policy ); add_jump $filter_table->{$chain} , $target, 0, join( '', '-p tcp ', match_source_net( $hostref->[2] ), $policy );
@ -763,7 +763,7 @@ sub setup_mac_lists( $ ) {
for my $hostref ( @$maclist_hosts ) { for my $hostref ( @$maclist_hosts ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $ipsec --dir in " : ''; my $policy = have_capability( 'POLICY_MATCH' ) ? "-m policy --pol $ipsec --dir in " : '';
my $source = match_source_net $hostref->[2]; my $source = match_source_net $hostref->[2];
my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW'; my $state = $globals{UNTRACKED} ? 'NEW,UNTRACKED' : 'NEW';
@ -794,7 +794,7 @@ sub setup_mac_lists( $ ) {
if ( $level ne '' || $disposition ne 'ACCEPT' ) { if ( $level ne '' || $disposition ne 'ACCEPT' ) {
my $variable = get_interface_addresses source_port_to_bridge( $interface ); my $variable = get_interface_addresses source_port_to_bridge( $interface );
if ( $capabilities{ADDRTYPE} ) { if ( have_capability( 'ADDRTYPE' ) ) {
add_commands( $chainref, add_commands( $chainref,
"for address in $variable; do", "for address in $variable; do",
" echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3", " echo \"-A $chainref->{name} -s \$address -m addrtype --dst-type BROADCAST -j RETURN\" >&3",
@ -1416,7 +1416,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
} }
} }
$rule .= "-m conntrack --ctorigdstport $origdstports " if $capabilities{NEW_CONNTRACK_MATCH} && $origdstports; $rule .= "-m conntrack --ctorigdstport $origdstports " if have_capability( 'NEW_CONNTRACK_MATCH' ) && $origdstports;
expand_rule( ensure_chain( 'filter', $chain ) , expand_rule( ensure_chain( 'filter', $chain ) ,
$restriction , $restriction ,
@ -1709,7 +1709,7 @@ sub generate_matrix() {
# #
my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
if ( $capabilities{POLICY_MATCH} ) { if ( have_capability( 'POLICY_MATCH' ) ) {
# #
# Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
@ -2117,11 +2117,11 @@ sub setup_mss( ) {
if ( "\L$clampmss" eq 'yes' ) { if ( "\L$clampmss" eq 'yes' ) {
$option = '--clamp-mss-to-pmtu'; $option = '--clamp-mss-to-pmtu';
} else { } else {
$match = "-m tcpmss --mss $clampmss: " if $capabilities{TCPMSS_MATCH}; $match = "-m tcpmss --mss $clampmss: " if have_capability( 'TCPMSS_MATCH' );
$option = "--set-mss $clampmss"; $option = "--set-mss $clampmss";
} }
$match .= '-m policy --pol none --dir out ' if $capabilities{POLICY_MATCH}; $match .= '-m policy --pol none --dir out ' if have_capability( 'POLICY_MATCH' );
} }
my $interfaces = find_interfaces_by_option( 'mss' ); my $interfaces = find_interfaces_by_option( 'mss' );
@ -2139,14 +2139,14 @@ sub setup_mss( ) {
my $in_match = ''; my $in_match = '';
my $out_match = ''; my $out_match = '';
if ( $capabilities{POLICY_MATCH} ) { if ( have_capability( 'POLICY_MATCH' ) ) {
$in_match = '-m policy --pol none --dir in '; $in_match = '-m policy --pol none --dir in ';
$out_match = '-m policy --pol none --dir out '; $out_match = '-m policy --pol none --dir out ';
} }
for ( @$interfaces ) { for ( @$interfaces ) {
my $mss = get_interface_option( $_, 'mss' ); my $mss = get_interface_option( $_, 'mss' );
my $mssmatch = $capabilities{TCPMSS_MATCH} ? "-m tcpmss --mss $mss: " : ''; my $mssmatch = have_capability( 'TCPMSS_MATCH' ) ? "-m tcpmss --mss $mss: " : '';
my $source = match_source_dev $_; my $source = match_source_dev $_;
my $dest = match_dest_dev $_; my $dest = match_dest_dev $_;
add_rule $chainref, "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss"; add_rule $chainref, "${dest}-p tcp --tcp-flags SYN,RST SYN ${mssmatch}${out_match}-j TCPMSS --set-mss $mss";
@ -2249,7 +2249,7 @@ EOF
run_stop_exit run_stop_exit
EOF EOF
if ( $capabilities{NAT_ENABLED} ) { if ( have_capability( 'NAT_ENABLED' ) ) {
emit<<'EOF'; emit<<'EOF';
if [ -f ${VARDIR}/nat ]; then if [ -f ${VARDIR}/nat ]; then
while read external interface; do while read external interface; do
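Review bot: In process_tos (the first hunk of this file) have_capability( 'MANGLE_FORWARD' ) is now called twice on consecutive lines to derive two values from the same answer; a single lexical reads better and avoids asking twice, `my $forward = have_capability( 'MANGLE_FORWARD' );` then `my $chain = $forward ? 'fortos' : 'pretos';` and `my $stdchain = $forward ? 'FORWARD' : 'PREROUTING';`. The same pattern appears in setup_mss, where have_capability( 'TCPMSS_MATCH' ) is evaluated once per interface inside the `for ( @$interfaces )` loop, and in setup_tc in Tc.pm, which queries MANGLE_FORWARD twice within one sub. This is purely about how the new lookups are written; behaviour is unchanged either way.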


@ -1114,7 +1114,7 @@ sub process_tc_priority() {
my $rule = do_helper( $helper ) . "-j MARK --set-mark $band"; my $rule = do_helper( $helper ) . "-j MARK --set-mark $band";
$rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if $capabilities{EXMARK}; $rule .= join('', '/', in_hex( $globals{TC_MASK} ) ) if have_capability( 'EXMARK' );
if ( $interface ne '-' ) { if ( $interface ne '-' ) {
fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-'; fatal_error "Invalid combination of columns" unless $address eq '-' && $proto eq '-' && $ports eq '-';
@ -1384,7 +1384,7 @@ sub setup_tc() {
ensure_mangle_chain 'tcpre'; ensure_mangle_chain 'tcpre';
ensure_mangle_chain 'tcout'; ensure_mangle_chain 'tcout';
if ( $capabilities{MANGLE_FORWARD} ) { if ( have_capability( 'MANGLE_FORWARD' ) ) {
ensure_mangle_chain 'tcfor'; ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost'; ensure_mangle_chain 'tcpost';
} }
@ -1407,7 +1407,7 @@ sub setup_tc() {
add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part; add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
add_jump $mangle_table->{OUTPUT} , 'tcout', 0, $mark_part; add_jump $mangle_table->{OUTPUT} , 'tcout', 0, $mark_part;
if ( $capabilities{MANGLE_FORWARD} ) { if ( have_capability( 'MANGLE_FORWARD' ) ) {
add_rule( $mangle_table->{FORWARD}, '-j MARK --set-mark 0' ); add_rule( $mangle_table->{FORWARD}, '-j MARK --set-mark 0' );
add_jump $mangle_table->{FORWARD} , 'tcfor', 0; add_jump $mangle_table->{FORWARD} , 'tcfor', 0;
add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0; add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;


@ -86,7 +86,7 @@ sub setup_tunnels() {
$inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1; $inchainref = ensure_filter_chain rules_chain( ${zone}, ${fw} ), 1;
$outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1; $outchainref = ensure_filter_chain rules_chain( ${fw}, ${zone} ), 1;
unless ( $capabilities{POLICY_MATCH} ) { unless ( have_capability( 'POLICY_MATCH' ) ) {
add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT"; add_tunnel_rule $inchainref, "-p 50 $source -j ACCEPT";
add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT"; add_tunnel_rule $outchainref, "-p 50 $dest -j ACCEPT";


@ -752,7 +752,7 @@ sub process_interface( $ ) {
if ( defined $port && $port ne '' ) { if ( defined $port && $port ne '' ) {
fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/; fatal_error qq("Virtual" interfaces are not supported -- see http://www.shorewall.net/Shorewall_and_Aliased_Interfaces.html) if $port =~ /^\d+$/;
require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', ''); require_capability( 'PHYSDEV_MATCH', 'Bridge Ports', '');
fatal_error "Your iptables is not recent enough to support bridge ports" unless $capabilities{KLUDGEFREE}; fatal_error "Your iptables is not recent enough to support bridge ports" unless have_capability( 'KLUDGEFREE' );
fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/; fatal_error "Invalid Interface Name ($interface:$port)" unless $port =~ /^[\w.@%-]+\+?$/;
fatal_error "Duplicate Interface ($port)" if $interfaces{$port}; fatal_error "Duplicate Interface ($port)" if $interfaces{$port};
@ -796,7 +796,7 @@ sub process_interface( $ ) {
fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/; fatal_error 'Invalid BROADCAST address' unless $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
} }
if ( $capabilities{ADDRTYPE} ) { if ( have_capability( 'ADDRTYPE' ) ) {
warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available'; warning_message 'Shorewall no longer uses broadcast addresses in rule generation when Address Type Match is available';
} else { } else {
$broadcasts = \@broadcasts; $broadcasts = \@broadcasts;
@ -1271,7 +1271,7 @@ sub validate_hosts_file()
$ipsec |= process_host while read_a_line; $ipsec |= process_host while read_a_line;
$capabilities{POLICY_MATCH} = '' unless $ipsec || haveipseczones; set_capability( 'POLICY_MATCH' , '' ) unless $ipsec || haveipseczones;
} }
# #
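Review bot: `set_capability( 'POLICY_MATCH' , '' ) unless $ipsec || haveipseczones;` is the only place on this page where a detected capability is overwritten after detection, and nothing in the line says why a configuration decision is allowed to change a capability. A why-comment on the line preceding it would help the next reader, e.g. `# No IPsec hosts or zones, so suppress policy match in generated rules` — I am inferring the intent from the `-m policy` rules the other modules emit only when POLICY_MATCH is set, so please adjust the wording if that is not the reason. validate_hosts_file starts outside this hunk.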