mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-29 02:54:18 +01:00
Implement IPTABLES_S capability
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
2f0829596f
commit
e728d663f9
@ -5571,11 +5571,36 @@ sub emitr1( $$ ) {
|
|||||||
|
|
||||||
sub save_dynamic_chains() {
|
sub save_dynamic_chains() {
|
||||||
|
|
||||||
my $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
|
my $tool;
|
||||||
|
|
||||||
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
|
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
|
||||||
push_indent;
|
push_indent;
|
||||||
|
|
||||||
|
if ( have_capability 'IPTABLES_S' ) {
|
||||||
|
$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
|
||||||
|
|
||||||
|
emit <<"EOF";
|
||||||
|
if chain_exists 'UPnP -t nat'; then
|
||||||
|
$tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
|
||||||
|
else
|
||||||
|
rm -f \${VARDIR}/.UPnP
|
||||||
|
fi
|
||||||
|
|
||||||
|
if chain_exists forwardUPnP; then
|
||||||
|
$tool -S forwardUPnP | tail -n +2 > \${VARDIR}/.forwardUPnP
|
||||||
|
else
|
||||||
|
rm -f \${VARDIR}/.forwardUPnP
|
||||||
|
fi
|
||||||
|
|
||||||
|
if chain_exists dynamic; then
|
||||||
|
$tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
|
||||||
|
else
|
||||||
|
rm -f \${VARDIR}/.dynamic
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
} else {
|
||||||
|
$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
|
||||||
|
|
||||||
emit <<"EOF";
|
emit <<"EOF";
|
||||||
if chain_exists 'UPnP -t nat'; then
|
if chain_exists 'UPnP -t nat'; then
|
||||||
$tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
|
$tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
|
||||||
@ -5595,6 +5620,7 @@ else
|
|||||||
rm -f \${VARDIR}/.dynamic
|
rm -f \${VARDIR}/.dynamic
|
||||||
fi
|
fi
|
||||||
EOF
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
pop_indent;
|
pop_indent;
|
||||||
emit ( 'else' );
|
emit ( 'else' );
|
||||||
@ -5603,13 +5629,23 @@ EOF
|
|||||||
emit <<"EOF";
|
emit <<"EOF";
|
||||||
rm -f \${VARDIR}/.UPnP
|
rm -f \${VARDIR}/.UPnP
|
||||||
rm -f \${VARDIR}/.forwardUPnP
|
rm -f \${VARDIR}/.forwardUPnP
|
||||||
|
EOF
|
||||||
|
|
||||||
if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then
|
if ( have_capability 'IPTABLES_S' ) {
|
||||||
if chain_exists dynamic; then
|
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
|
||||||
$tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic
|
qq( if chain_exists dynamic; then),
|
||||||
|
qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
|
||||||
|
} else {
|
||||||
|
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
|
||||||
|
qq( if chain_exists dynamic; then),
|
||||||
|
qq( $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
|
||||||
|
}
|
||||||
|
|
||||||
|
emit <<"EOF";
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
pop_indent;
|
pop_indent;
|
||||||
|
|
||||||
emit ( 'fi' ,
|
emit ( 'fi' ,
|
||||||
|
@ -281,6 +281,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
AUDIT_TARGET => 'AUDIT Target',
|
AUDIT_TARGET => 'AUDIT Target',
|
||||||
RAWPOST_TABLE => 'Rawpost Table',
|
RAWPOST_TABLE => 'Rawpost Table',
|
||||||
CONDITION_MATCH => 'Condition Match',
|
CONDITION_MATCH => 'Condition Match',
|
||||||
|
IPTABLES_S => 'iptables -S',
|
||||||
CAPVERSION => 'Capability Version',
|
CAPVERSION => 'Capability Version',
|
||||||
KERNELVERSION => 'Kernel Version',
|
KERNELVERSION => 'Kernel Version',
|
||||||
);
|
);
|
||||||
@ -666,6 +667,7 @@ sub initialize( $ ) {
|
|||||||
ACCOUNT_TARGET => undef,
|
ACCOUNT_TARGET => undef,
|
||||||
AUDIT_TARGET => undef,
|
AUDIT_TARGET => undef,
|
||||||
CONDITION_MATCH => undef,
|
CONDITION_MATCH => undef,
|
||||||
|
IPTABLES_S => undef,
|
||||||
CAPVERSION => undef,
|
CAPVERSION => undef,
|
||||||
KERNELVERSION => undef,
|
KERNELVERSION => undef,
|
||||||
);
|
);
|
||||||
@ -2715,6 +2717,10 @@ sub Audit_Target() {
|
|||||||
qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
|
qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub Iptables_S() {
|
||||||
|
qt1( "$iptables -S INPUT" )
|
||||||
|
}
|
||||||
|
|
||||||
our %detect_capability =
|
our %detect_capability =
|
||||||
( ACCOUNT_TARGET =>\&Account_Target,
|
( ACCOUNT_TARGET =>\&Account_Target,
|
||||||
AUDIT_TARGET => \&Audit_Target,
|
AUDIT_TARGET => \&Audit_Target,
|
||||||
@ -2740,6 +2746,7 @@ our %detect_capability =
|
|||||||
IPSET_MATCH => \&IPSet_Match,
|
IPSET_MATCH => \&IPSet_Match,
|
||||||
OLD_IPSET_MATCH => \&Old_IPSet_Match,
|
OLD_IPSET_MATCH => \&Old_IPSet_Match,
|
||||||
IPSET_V5 => \&IPSET_V5,
|
IPSET_V5 => \&IPSET_V5,
|
||||||
|
IPTABLES_S => \&Iptables_S,
|
||||||
KLUDGEFREE => \&Kludgefree,
|
KLUDGEFREE => \&Kludgefree,
|
||||||
LENGTH_MATCH => \&Length_Match,
|
LENGTH_MATCH => \&Length_Match,
|
||||||
LOGMARK_TARGET => \&Logmark_Target,
|
LOGMARK_TARGET => \&Logmark_Target,
|
||||||
@ -2895,6 +2902,7 @@ sub determine_capabilities() {
|
|||||||
$capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
|
$capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
|
||||||
$capabilities{IPSET_V5} = detect_capability( 'IPSET_V5' );
|
$capabilities{IPSET_V5} = detect_capability( 'IPSET_V5' );
|
||||||
$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
|
$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
|
||||||
|
$capabilities{IPTABLES_S} = detect_capability( 'IPTABLES_S' );
|
||||||
|
|
||||||
|
|
||||||
qt1( "$iptables -F $sillyname" );
|
qt1( "$iptables -F $sillyname" );
|
||||||
|
@ -1732,6 +1732,7 @@ determine_capabilities() {
|
|||||||
ACCOUNT_TARGET=
|
ACCOUNT_TARGET=
|
||||||
AUDIT_TARGET=
|
AUDIT_TARGET=
|
||||||
CONDITION_MATCH=
|
CONDITION_MATCH=
|
||||||
|
IPTABLES_S=
|
||||||
|
|
||||||
chain=fooX$$
|
chain=fooX$$
|
||||||
|
|
||||||
@ -1883,6 +1884,7 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
|
qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
|
||||||
qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
|
qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
|
||||||
qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
|
qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
|
||||||
|
qt $IPTABLES -S INPUT && IPTABLES_S=Yes
|
||||||
qt $IPTABLES -F $chain
|
qt $IPTABLES -F $chain
|
||||||
qt $IPTABLES -X $chain
|
qt $IPTABLES -X $chain
|
||||||
qt $IPTABLES -F $chain1
|
qt $IPTABLES -F $chain1
|
||||||
@ -1978,6 +1980,7 @@ report_capabilities() {
|
|||||||
report_capability "AUDIT Target" $AUDIT_TARGET
|
report_capability "AUDIT Target" $AUDIT_TARGET
|
||||||
report_capability "ipset V5" $IPSET_V5
|
report_capability "ipset V5" $IPSET_V5
|
||||||
report_capability "Condition Match" $CONDITION_MATCH
|
report_capability "Condition Match" $CONDITION_MATCH
|
||||||
|
report_capability "iptables -S" $IPTABLES_S
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
@ -2049,6 +2052,7 @@ report_capabilities1() {
|
|||||||
report_capability1 AUDIT_TARGET
|
report_capability1 AUDIT_TARGET
|
||||||
report_capability1 IPSET_V5
|
report_capability1 IPSET_V5
|
||||||
report_capability1 CONDITION_MATCH
|
report_capability1 CONDITION_MATCH
|
||||||
|
report_capability1 IPTABLES_S
|
||||||
|
|
||||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
echo KERNELVERSION=$KERNELVERSION
|
echo KERNELVERSION=$KERNELVERSION
|
||||||
|
@ -1559,6 +1559,7 @@ determine_capabilities() {
|
|||||||
AUDIT_TARGET=
|
AUDIT_TARGET=
|
||||||
IPSET_V5=
|
IPSET_V5=
|
||||||
CONDITION_MATCH=
|
CONDITION_MATCH=
|
||||||
|
IPTABLES_S=
|
||||||
|
|
||||||
chain=fooX$$
|
chain=fooX$$
|
||||||
|
|
||||||
@ -1711,6 +1712,7 @@ determine_capabilities() {
|
|||||||
qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
|
qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
|
||||||
qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
|
qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
|
||||||
qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
|
qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
|
||||||
|
qt $IP6TABLES -S INPUT && IPTABLES_S=Yes
|
||||||
|
|
||||||
|
|
||||||
qt $IP6TABLES -F $chain
|
qt $IP6TABLES -F $chain
|
||||||
@ -1805,6 +1807,7 @@ report_capabilities() {
|
|||||||
report_capability "AUDIT Target" $AUDIT_TARGET
|
report_capability "AUDIT Target" $AUDIT_TARGET
|
||||||
report_capability "ipset V5" $IPSET_V5
|
report_capability "ipset V5" $IPSET_V5
|
||||||
report_capability "Condition Match" $CONDITION_MATCH
|
report_capability "Condition Match" $CONDITION_MATCH
|
||||||
|
report_capability "ip6tables -S" $IPTABLES_S
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
@ -1873,6 +1876,7 @@ report_capabilities1() {
|
|||||||
report_capability1 AUDIT_TARGET
|
report_capability1 AUDIT_TARGET
|
||||||
report_capability1 IPSET_V5
|
report_capability1 IPSET_V5
|
||||||
report_capability1 CONDITION_MATCH
|
report_capability1 CONDITION_MATCH
|
||||||
|
report_capability1 IPTABLES_S
|
||||||
|
|
||||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
echo KERNELVERSION=$KERNELVERSION
|
echo KERNELVERSION=$KERNELVERSION
|
||||||
|
Loading…
Reference in New Issue
Block a user