extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-04-15 14:58:25 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add optional argument to have_capability().

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-02-18 15:15:26 -08:00
parent 010c44d07a
commit d0b2d05d5b
5 changed files with 44 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -4094,7 +4094,7 @@ sub state_match( $ ) {
if ( $state eq 'ALL' ) { if ( $state eq 'ALL' ) {
'' ''
} else { } else {
have_capability 'CONNTRACK_MATCH' ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " ); have_capability( 'CONNTRACK_MATCH' ) ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
} }
} }
@ -4102,7 +4102,7 @@ sub state_imatch( $ ) {
my $state = shift; my $state = shift;
unless ( $state eq 'ALL' ) { unless ( $state eq 'ALL' ) {
have_capability 'CONNTRACK_MATCH' ? ( 'conntrack --ctstate' => $state ) : ( state => "--state $state" ); have_capability( 'CONNTRACK_MATCH' ) ? ( 'conntrack --ctstate' => $state ) : ( state => "--state $state" );
} else { } else {
(); ();
} }
@ -4156,7 +4156,7 @@ sub do_proto( $$$;$ )
if ( $ports ne '' ) { if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : ''; $invert = $ports =~ s/^!// ? '! ' : '';
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' ); fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
if ( port_count ( $ports ) > 15 ) { if ( port_count ( $ports ) > 15 ) {
@ -4346,7 +4346,7 @@ sub do_iproto( $$$ )
if ( $ports ne '' ) { if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : ''; $invert = $ports =~ s/^!// ? '! ' : '';
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' ); fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP; fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
if ( port_count ( $ports ) > 15 ) { if ( port_count ( $ports ) > 15 ) {
@ -5188,7 +5188,7 @@ sub get_set_flags( $$ ) {
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*/; fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*/;
have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options "; have_capability( 'OLD_IPSET_MATCH' ) ? "--set $setname $options " : "--match-set $setname $options ";
} }

19
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -60,7 +60,7 @@ sub initialize_package_globals( $$$ ) {
Shorewall::Config::initialize($family, $_[1], $_[2]); Shorewall::Config::initialize($family, $_[1], $_[2]);
Shorewall::Chains::initialize ($family, 1, $export ); Shorewall::Chains::initialize ($family, 1, $export );
Shorewall::Zones::initialize ($family, $_[0]); Shorewall::Zones::initialize ($family, $_[0]);
Shorewall::Nat::initialize; Shorewall::Nat::initialize($family);
Shorewall::Providers::initialize($family); Shorewall::Providers::initialize($family);
Shorewall::Tc::initialize($family); Shorewall::Tc::initialize($family);
Shorewall::Accounting::initialize; Shorewall::Accounting::initialize;
@ -799,16 +799,15 @@ sub compiler {
# ECN # ECN
# #
setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED}; setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
#
# Setup Masquerading/SNAT
#
setup_masq;
#
# Setup Nat
#
setup_nat;
} }
#
# Setup Masquerading/SNAT
#
setup_masq;
#
# Setup Nat
#
setup_nat;
# #
# Setup NETMAP # Setup NETMAP
# #

56
Shorewall/Perl/Shorewall/Config.pm
View File

@ -1972,6 +1972,8 @@ sub format_warning() {
# #
# Process a COMMENT line (in $currentline) # Process a COMMENT line (in $currentline)
# #
sub have_capability( $;$ );
sub process_comment() { sub process_comment() {
if ( have_capability( 'COMMENTS' ) ) { if ( have_capability( 'COMMENTS' ) ) {
warning_message "'COMMENT' is deprecated in favor of '?COMMENT' - consider running '$product update -D'" unless $warningcount1++; warning_message "'COMMENT' is deprecated in favor of '?COMMENT' - consider running '$product update -D'" unless $warningcount1++;
@ -2121,7 +2123,6 @@ sub close_file() {
# #
# Process an ?IF, ?ELSIF, ?ELSE or ?END directive # Process an ?IF, ?ELSIF, ?ELSE or ?END directive
# #
sub have_capability( $ );
# #
# Report an error or warning from process_compiler_directive() # Report an error or warning from process_compiler_directive()
@ -3545,7 +3546,7 @@ sub Nat_Enabled() {
} }
sub Persistent_Snat() { sub Persistent_Snat() {
have_capability 'NAT_ENABLED' || return ''; have_capability( 'NAT_ENABLED' ) || return '';
my $result = ''; my $result = '';
@ -3574,7 +3575,7 @@ sub Conntrack_Match() {
} }
sub New_Conntrack_Match() { sub New_Conntrack_Match() {
have_capability 'CONNTRACK_MATCH' && qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" ); have_capability( 'CONNTRACK_MATCH' ) && qt1( "$iptables -A $sillyname -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT" );
} }
sub Old_Conntrack_Match() { sub Old_Conntrack_Match() {
@ -3586,11 +3587,11 @@ sub Multiport() {
} }
sub Kludgefree1() { sub Kludgefree1() {
have_capability 'MULTIPORT' && qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" ); have_capability( 'MULTIPORT' ) && qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );
} }
sub Kludgefree2() { sub Kludgefree2() {
have_capability 'PHYSDEV_MATCH' && qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" ); have_capability( 'PHYSDEV_MATCH' ) && qt1( "$iptables -A $sillyname -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT" );
} }
sub Kludgefree3() { sub Kludgefree3() {
@ -3648,7 +3649,7 @@ sub Connmark_Match() {
} }
sub Xconnmark_Match() { sub Xconnmark_Match() {
have_capability 'CONNMARK_MATCH' && qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" ); have_capability( 'CONNMARK_MATCH' ) && qt1( "$iptables -A $sillyname -m connmark --mark 2/0xFF -j ACCEPT" );
} }
sub Ipp2p_Match() { sub Ipp2p_Match() {
@ -3688,39 +3689,39 @@ sub Old_Hashlimit_Match() {
} }
sub Mark() { sub Mark() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1" );
} }
sub Xmark() { sub Xmark() {
have_capability 'MARK' && qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" ); have_capability( 'MARK' ) && qt1( "$iptables -t mangle -A $sillyname -j MARK --and-mark 0xFF" );
} }
sub Exmark() { sub Exmark() {
have_capability 'MARK' && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1/0xFF" ); have_capability( 'MARK' ) && qt1( "$iptables -t mangle -A $sillyname -j MARK --set-mark 1/0xFF" );
} }
sub Connmark() { sub Connmark() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark" );
} }
sub Xconnmark() { sub Xconnmark() {
have_capability 'XCONNMARK_MATCH' && have_capability 'XMARK' && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" ); have_capability( 'XCONNMARK_MATCH' ) && have_capability( 'XMARK' ) && qt1( "$iptables -t mangle -A $sillyname -j CONNMARK --save-mark --mask 0xFF" );
} }
sub Classify_Target() { sub Classify_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j CLASSIFY --set-class 1:1" );
} }
sub IPMark_Target() { sub IPMark_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j IPMARK --addr src" );
} }
sub Tproxy_Target() { sub Tproxy_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -p tcp -j TPROXY --on-port 0 --tproxy-mark 1" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -p tcp -j TPROXY --on-port 0 --tproxy-mark 1" );
} }
sub Mangle_Forward() { sub Mangle_Forward() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -L FORWARD -n" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -L FORWARD -n" );
} }
sub Raw_Table() { sub Raw_Table() {
@ -3977,19 +3978,19 @@ sub Statistic_Match() {
sub Imq_Target() { sub Imq_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
} }
sub Dscp_Match() { sub Dscp_Match() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m dscp --dscp 0" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -m dscp --dscp 0" );
} }
sub Dscp_Target() { sub Dscp_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
} }
sub RPFilter_Match() { sub RPFilter_Match() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" );
} }
sub NFAcct_Match() { sub NFAcct_Match() {
@ -4009,7 +4010,7 @@ sub GeoIP_Match() {
} }
sub Checksum_Target() { sub Checksum_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CHECKSUM --checksum-fill" ); have_capability( 'MANGLE_ENABLED' ) && qt1( "$iptables -t mangle -A $sillyname -j CHECKSUM --checksum-fill" );
} }
sub Arptables_JF() { sub Arptables_JF() {
@ -4123,15 +4124,15 @@ sub detect_capability( $ ) {
# #
# Report the passed capability # Report the passed capability
# #
sub have_capability( $ ) { sub have_capability( $;$ ) {
my $capability = shift; my ( $capability, $required ) = @_;
our %detect_capability; our %detect_capability;
my $setting = $capabilities{ $capability }; my $setting = $capabilities{ $capability };
$setting = $capabilities{ $capability } = detect_capability( $capability ) unless defined $setting; $setting = $capabilities{ $capability } = detect_capability( $capability ) unless defined $setting;
$used{$capability} = 1 if $setting; $used{$capability} = $required ? 2 : 1 if $setting;
$setting; $setting;
} }
@ -4280,9 +4281,7 @@ sub determine_capabilities() {
sub require_capability( $$$ ) { sub require_capability( $$$ ) {
my ( $capability, $description, $singular ) = @_; my ( $capability, $description, $singular ) = @_;
fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability; fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability, 1;
$used{$capability} = 2;
} }
# #
@ -5175,7 +5174,8 @@ sub get_configuration( $$$$ ) {
default_yes_no 'AUTOCOMMENT' , 'Yes'; default_yes_no 'AUTOCOMMENT' , 'Yes';
default_yes_no 'MULTICAST' , ''; default_yes_no 'MULTICAST' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , ''; default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
default_yes_no 'MANGLE_ENABLED' , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';
default_yes_no 'MANGLE_ENABLED' , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
default_yes_no 'NULL_ROUTE_RFC1918' , ''; default_yes_no 'NULL_ROUTE_RFC1918' , '';
default_yes_no 'USE_DEFAULT_RT' , ''; default_yes_no 'USE_DEFAULT_RT' , '';
default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes'; default_yes_no 'RESTORE_DEFAULT_ROUTE' , 'Yes';
@ -5195,7 +5195,7 @@ sub get_configuration( $$$$ ) {
default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes'; default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes';
default_yes_no 'REQUIRE_INTERFACE' , ''; default_yes_no 'REQUIRE_INTERFACE' , '';
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability 'MARK' ? 'Yes' : ''; default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
default_yes_no 'COMPLETE' , ''; default_yes_no 'COMPLETE' , '';
default_yes_no 'EXPORTMODULES' , ''; default_yes_no 'EXPORTMODULES' , '';
default_yes_no 'LEGACY_FASTSTART' , 'Yes'; default_yes_no 'LEGACY_FASTSTART' , 'Yes';

2
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -712,7 +712,7 @@ CEOF
if ( $mark ne '-' ) { if ( $mark ne '-' ) {
my $hexmark = in_hex( $mark ); my $hexmark = in_hex( $mark );
my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : ''; my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD}; emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};

2
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -2406,7 +2406,7 @@ sub setup_tc() {
add_ijump $mangle_table->{OUTPUT} , j => 'tcout', @mark_part; add_ijump $mangle_table->{OUTPUT} , j => 'tcout', @mark_part;
if ( have_capability( 'MANGLE_FORWARD' ) ) { if ( have_capability( 'MANGLE_FORWARD' ) ) {
my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : ''; my $mask = have_capability( 'EXMARK' ) ? have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
add_ijump $mangle_table->{FORWARD}, j => "MARK --set-mark 0${mask}" if $config{FORWARD_CLEAR_MARK}; add_ijump $mangle_table->{FORWARD}, j => "MARK --set-mark 0${mask}" if $config{FORWARD_CLEAR_MARK};
add_ijump $mangle_table->{FORWARD} , j => 'tcfor'; add_ijump $mangle_table->{FORWARD} , j => 'tcfor';