From d0b2d05d5b6da12f95b28e8d0d0f558229440a75 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 18 Feb 2013 15:15:26 -0800 Subject: [PATCH] Add optional argument to have_capability(). Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 10 ++--- Shorewall/Perl/Shorewall/Compiler.pm | 19 +++++---- Shorewall/Perl/Shorewall/Config.pm | 56 +++++++++++++-------------- Shorewall/Perl/Shorewall/Providers.pm | 2 +- Shorewall/Perl/Shorewall/Tc.pm | 2 +- 5 files changed, 44 insertions(+), 45 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index e39237386..d9834ed00 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -4094,7 +4094,7 @@ sub state_match( $ ) { if ( $state eq 'ALL' ) { '' } else { - have_capability 'CONNTRACK_MATCH' ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " ); + have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " ); } } @@ -4102,7 +4102,7 @@ sub state_imatch( $ ) { my $state = shift; unless ( $state eq 'ALL' ) { - have_capability 'CONNTRACK_MATCH' ? ( 'conntrack --ctstate' => $state ) : ( state => "--state $state" ); + have_capability( 'CONNTRACK_MATCH' ) ? ( 'conntrack --ctstate' => $state ) : ( state => "--state $state" ); } else { (); } @@ -4156,7 +4156,7 @@ sub do_proto( $$$;$ ) if ( $ports ne '' ) { $invert = $ports =~ s/^!// ? '! ' : ''; if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { - fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' ); + fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 ); fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; if ( port_count ( $ports ) > 15 ) { 
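Review bot: The new required-flag call in do_proto is spelled `have_capability( 'MULTIPORT',1 )`, while the same change in do_iproto (next hunk) is `have_capability( 'MULTIPORT' , 1 )`; the rest of this file writes argument lists as `( 'X', 1 )`, so both should read `have_capability( 'MULTIPORT', 1 )`. Because the call sits directly under the fatal_error that aborts when MULTIPORT is missing, marking it required is consistent with what require_capability does, and a short trailing comment such as `# required: port lists cannot be emitted without multiport` would make the bare `1` self-explanatory. do_proto's body continues outside the hunk.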
@@ -4346,7 +4346,7 @@ sub do_iproto( $$$ ) if ( $ports ne '' ) { $invert = $ports =~ s/^!// ? '! ' : ''; if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { - fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' ); + fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 ); fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; if ( port_count ( $ports ) > 15 ) { @@ -5188,7 +5188,7 @@ sub get_set_flags( $$ ) { fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*/; - have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options "; + have_capability( 'OLD_IPSET_MATCH' ) ? "--set $setname $options " : "--match-set $setname $options "; } diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index 0fd2a743b..8a936294a 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -60,7 +60,7 @@ sub initialize_package_globals( $$$ ) { Shorewall::Config::initialize($family, $_[1], $_[2]); Shorewall::Chains::initialize ($family, 1, $export ); Shorewall::Zones::initialize ($family, $_[0]); - Shorewall::Nat::initialize; + Shorewall::Nat::initialize($family); Shorewall::Providers::initialize($family); Shorewall::Tc::initialize($family); Shorewall::Accounting::initialize; @@ -799,16 +799,15 @@ sub compiler { # ECN # setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; - # - # Setup Masquerading/SNAT - # - setup_masq; - # - # Setup Nat - # - setup_nat; } - + # + # Setup Masquerading/SNAT + # + setup_masq; + # + # Setup Nat + # + setup_nat; # # Setup NETMAP # diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 5a4eceea2..1d0c77d91 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm 
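Review bot: `Shorewall::Nat::initialize($family);` now passes a family argument, but the diffstat lists no change to Shorewall/Perl/Shorewall/Nat.pm, so either Nat::initialize already accepts (or ignores) that argument or the matching Nat.pm change is missing from this patch; worth confirming before merge. The call is also unrelated to the commit subject ("Add optional argument to have_capability()") and deserves a line in the commit message. initialize_package_globals continues outside the hunk.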
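Review bot: Moving `setup_masq;` and `setup_nat;` past the closing `}` takes them out of an enclosing block whose opening line is outside this hunk, so they now run whenever compiler reaches this point rather than only inside that block; that is a behavioural change the commit message does not mention. If that is intended (the block's condition is not visible here, though the neighbouring `setup_ecn` line is gated on MANGLE_ENABLED), a comment on the relocated lines, e.g. `# Deliberately outside the preceding block: SNAT/NAT setup does not depend on its condition`, would stop a later reader from moving them back; otherwise the relocation needs a second look. compiler's body continues on both sides of the hunk.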
@@ -1972,6 +1972,8 @@ sub format_warning() { # # Process a COMMENT line (in $currentline) # +sub have_capability( $;$ ); + sub process_comment() { if ( have_capability( 'COMMENTS' ) ) { warning_message "'COMMENT' is deprecated in favor of '?COMMENT' - consider running '$product update -D'" unless $warningcount1++; @@ -2121,7 +2123,6 @@ sub close_file() { # # Process an ?IF, ?ELSIF, ?ELSE or ?END directive # -sub have_capability( $ ); # # Report an error or warning from process_compiler_directive() @@ -3545,7 +3546,7 @@ sub Nat_Enabled() { } sub Persistent_Snat() { - have_capability 'NAT_ENABLED' || return ''; + have_capability( 'NAT_ENABLED' ) || return ''; my $result = ''; @@ -3574,7 +3575,7 @@ sub Conntrack_Match() { } sub New_Conntrack_Match() { - have_capability 'CONNTRACK_MATCH' && qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" ); + have_capability( 'CONNTRACK_MATCH' ) && qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" ); } sub Old_Conntrack_Match() { @@ -3586,11 +3587,11 @@ sub Multiport() { } sub Kludgefree1() { - have_capability 'MULTIPORT' && qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" ); + have_capability( 'MULTIPORT' ) && qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" ); } sub Kludgefree2() { - have_capability 'PHYSDEV_MATCH' && qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" ); + have_capability( 'PHYSDEV_MATCH' ) && qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" ); } sub Kludgefree3() { 
@@ -3648,7 +3649,7 @@ sub Connmark_Match() { } sub Xconnmark_Match() { - have_capability 'CONNMARK_MATCH' && qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" ); + have_capability( 'CONNMARK_MATCH' ) && qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" ); } sub Ipp2p_Match() { 
@@ -3688,39 +3689,39 @@ sub Old_Hashlimit_Match() { } sub Mark() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ); } sub Xmark() { - have_capability 'MARK' && qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" ); + have_capability( 'MARK' ) && qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" ); } sub Exmark() { - have_capability 'MARK' && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1/0xFF" ); + have_capability( 'MARK' ) && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1/0xFF" ); } sub Connmark() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ); } sub Xconnmark() { - have_capability 'XCONNMARK_MATCH' && have_capability 'XMARK' && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" ); + have_capability( 'XCONNMARK_MATCH' ) && have_capability( 'XMARK' ) && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" ); } sub Classify_Target() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" ); } sub IPMark_Target() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" ); } sub Tproxy_Target() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -p tcp -j TPROXY --on-port 0 --tproxy-mark 1" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -p tcp -j TPROXY --on-port 0 
--tproxy-mark 1" ); } sub Mangle_Forward() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -L FORWARD -n" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -L FORWARD -n" ); } sub Raw_Table() { @@ -3977,19 +3978,19 @@ sub Statistic_Match() { sub Imq_Target() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" ); } sub Dscp_Match() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m dscp --dscp 0" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -m dscp --dscp 0" ); } sub Dscp_Target() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" ); } sub RPFilter_Match() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" ); } sub NFAcct_Match() { @@ -4009,7 +4010,7 @@ sub GeoIP_Match() { } sub Checksum_Target() { - have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CHECKSUM --checksum-fill" ); + have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j CHECKSUM --checksum-fill" ); } sub Arptables_JF() { @@ -4123,15 +4124,15 @@ sub detect_capability( $ ) { # # Report the passed capability # -sub have_capability( $ ) { - my $capability = shift; +sub have_capability( $;$ ) { + my ( $capability, $required ) = @_; our %detect_capability; my $setting = $capabilities{ $capability }; $setting = $capabilities{ $capability } = detect_capability( $capability ) unless defined $setting; - $used{$capability} = 1 if $setting; + $used{$capability} = $required ? 2 : 1 if $setting; $setting; } 
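Review bot: `$used{$capability} = $required ? 2 : 1 if $setting;` lets a later optional query overwrite a stored 2 with 1, so a capability first recorded as required (via require_capability) and then queried without the flag ends up marked as merely used; the old code had the same weakness, but this line is now the only place that decides the value. If `%used` is meant to hold the strongest use seen (its consumer is not in the hunk), `$used{$capability} = $required ? 2 : ( $used{$capability} || 1 ) if $setting;` keeps the 2. The header comment `# Report the passed capability` should also describe the new argument, e.g. `# have_capability( $capability [, $required ] ): return the setting, detecting it on first use, and record it in %used as 1 (used) or 2 (required)`.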
@@ -4280,9 +4281,7 @@ sub determine_capabilities() { sub require_capability( $$$ ) { my ( $capability, $description, $singular ) = @_; - fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability; - - $used{$capability} = 2; + fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1; } # @@ -5175,7 +5174,8 @@ sub get_configuration( $$$$ ) { default_yes_no 'AUTOCOMMENT' , 'Yes'; default_yes_no 'MULTICAST' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; - default_yes_no 'MANGLE_ENABLED' , have_capability 'MANGLE_ENABLED' ? 'Yes' : ''; + + default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : ''; default_yes_no 'NULL_ROUTE_RFC1918' , ''; default_yes_no 'USE_DEFAULT_RT' , ''; default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes'; @@ -5195,7 +5195,7 @@ sub get_configuration( $$$$ ) { default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes'; default_yes_no 'REQUIRE_INTERFACE' , ''; - default_yes_no 'FORWARD_CLEAR_MARK' , have_capability 'MARK' ? 'Yes' : ''; + default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : ''; default_yes_no 'COMPLETE' , ''; default_yes_no 'EXPORTMODULES' , ''; default_yes_no 'LEGACY_FASTSTART' , 'Yes'; diff --git a/Shorewall/Perl/Shorewall/Providers.pm b/Shorewall/Perl/Shorewall/Providers.pm index ca5da94d0..233cf42dc 100644 --- a/Shorewall/Perl/Shorewall/Providers.pm +++ b/Shorewall/Perl/Shorewall/Providers.pm @@ -712,7 +712,7 @@ CEOF if ( $mark ne '-' ) { my $hexmark = in_hex( $mark ); - my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : ''; + my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : ''; emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD}; 
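Review bot: `unless have_capability $capability, 1;` is the one call in this commit left without parentheses while every other site is changed to the `have_capability( ... )` form; with the `( $;$ )` prototype it parses as intended, but `unless have_capability( $capability, 1 );` matches the rest of the patch and does not depend on the prototype being in scope at this point. Dropping the separate `$used{$capability} = 2` assumes fatal_error does not return, as its use elsewhere in these hunks suggests; a trailing comment `# the 1 marks the capability as required (2) in %used` keeps that side effect visible at this site.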
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index d16b5ce17..1a764e50b 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -2406,7 +2406,7 @@ sub setup_tc() { add_ijump $mangle_table->{OUTPUT} , j => 'tcout', @mark_part; if ( have_capability( 'MANGLE_FORWARD' ) ) { - my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : ''; + my $mask = have_capability( 'EXMARK' ) ? have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex $globals{PROVIDER_MASK} : '' : ''; add_ijump $mangle_table->{FORWARD}, j => "MARK --set-mark 0${mask}" if $config{FORWARD_CLEAR_MARK}; add_ijump $mangle_table->{FORWARD} , j => 'tcfor';