Implement IPTABLES_S capability

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2011-10-01 13:54:52 -07:00
parent 2f0829596f
commit e728d663f9
4 changed files with 57 additions and 5 deletions


@ -5571,11 +5571,36 @@ sub emitr1( $$ ) {
sub save_dynamic_chains() { sub save_dynamic_chains() {
my $tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save'; my $tool;
emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' ); emit ( 'if [ "$COMMAND" = restart -o "$COMMAND" = refresh ]; then' );
push_indent; push_indent;
if ( have_capability 'IPTABLES_S' ) {
$tool = $family == F_IPV4 ? '${IPTABLES}' : '${IP6TABLES}';
emit <<"EOF";
if chain_exists 'UPnP -t nat'; then
$tool -t nat -S UPnP | tail -n +2 > \${VARDIR}/.UPnP
else
rm -f \${VARDIR}/.UPnP
fi
if chain_exists forwardUPnP; then
$tool -S forwardUPnP | tail -n +2 > \${VARDIR}/.forwardUPnP
else
rm -f \${VARDIR}/.forwardUPnP
fi
if chain_exists dynamic; then
$tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic
else
rm -f \${VARDIR}/.dynamic
fi
EOF
} else {
$tool = $family == F_IPV4 ? '${IPTABLES}-save' : '${IP6TABLES}-save';
emit <<"EOF"; emit <<"EOF";
if chain_exists 'UPnP -t nat'; then if chain_exists 'UPnP -t nat'; then
$tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP $tool -t nat | grep '^-A UPnP ' > \${VARDIR}/.UPnP
@ -5595,6 +5620,7 @@ else
rm -f \${VARDIR}/.dynamic rm -f \${VARDIR}/.dynamic
fi fi
EOF EOF
}
pop_indent; pop_indent;
emit ( 'else' ); emit ( 'else' );
@ -5603,13 +5629,23 @@ EOF
emit <<"EOF"; emit <<"EOF";
rm -f \${VARDIR}/.UPnP rm -f \${VARDIR}/.UPnP
rm -f \${VARDIR}/.forwardUPnP rm -f \${VARDIR}/.forwardUPnP
EOF
if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then if ( have_capability 'IPTABLES_S' ) {
if chain_exists dynamic; then emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
$tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic qq( if chain_exists dynamic; then),
qq( $tool -S dynamic | tail -n +2 > \${VARDIR}/.dynamic) );
} else {
emit( qq(if [ "\$COMMAND" = stop -o "\$COMMAND" = clear ]; then),
qq( if chain_exists dynamic; then),
qq( $tool -t filter | grep '^-A dynamic ' > \${VARDIR}/.dynamic) );
}
emit <<"EOF";
fi fi
fi fi
EOF EOF
pop_indent; pop_indent;
emit ( 'fi' , emit ( 'fi' ,
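Review bot: The two emit() calls in the stop/clear branch of the last hunk repeat the `if [ "$COMMAND" = stop ... ]` and `if chain_exists dynamic` lines and differ only in the save command, so the branch is more duplication than logic; computing the command once keeps the surrounding heredoc style, e.g. `my $save = have_capability( 'IPTABLES_S' ) ? "$tool -S dynamic | tail -n +2" : "$tool -t filter | grep '^-A dynamic '";` followed by a single `emit( ..., qq(        $save > \${VARDIR}/.dynamic) );`. The same capability test is already made at the top of the function to choose `$tool`, so the result could be kept in a lexical there instead of querying have_capability a second time. In the first hunk, `tail -n +2` depends on the first line of `-S <chain>` output being the chain declaration rather than a rule, which holds for these user-defined chains; a short comment next to the heredoc stating that assumption would spare the next reader a trip to the iptables manual. save_dynamic_chains continues past the end of the last hunk.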


@ -281,6 +281,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
AUDIT_TARGET => 'AUDIT Target', AUDIT_TARGET => 'AUDIT Target',
RAWPOST_TABLE => 'Rawpost Table', RAWPOST_TABLE => 'Rawpost Table',
CONDITION_MATCH => 'Condition Match', CONDITION_MATCH => 'Condition Match',
IPTABLES_S => 'iptables -S',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version', KERNELVERSION => 'Kernel Version',
); );
@ -666,6 +667,7 @@ sub initialize( $ ) {
ACCOUNT_TARGET => undef, ACCOUNT_TARGET => undef,
AUDIT_TARGET => undef, AUDIT_TARGET => undef,
CONDITION_MATCH => undef, CONDITION_MATCH => undef,
IPTABLES_S => undef,
CAPVERSION => undef, CAPVERSION => undef,
KERNELVERSION => undef, KERNELVERSION => undef,
); );
@ -2715,6 +2717,10 @@ sub Audit_Target() {
qt1( "$iptables -A $sillyname -j AUDIT --type drop" ); qt1( "$iptables -A $sillyname -j AUDIT --type drop" );
} }
sub Iptables_S() {
qt1( "$iptables -S INPUT" )
}
our %detect_capability = our %detect_capability =
( ACCOUNT_TARGET =>\&Account_Target, ( ACCOUNT_TARGET =>\&Account_Target,
AUDIT_TARGET => \&Audit_Target, AUDIT_TARGET => \&Audit_Target,
@ -2740,6 +2746,7 @@ our %detect_capability =
IPSET_MATCH => \&IPSet_Match, IPSET_MATCH => \&IPSet_Match,
OLD_IPSET_MATCH => \&Old_IPSet_Match, OLD_IPSET_MATCH => \&Old_IPSet_Match,
IPSET_V5 => \&IPSET_V5, IPSET_V5 => \&IPSET_V5,
IPTABLES_S => \&Iptables_S,
KLUDGEFREE => \&Kludgefree, KLUDGEFREE => \&Kludgefree,
LENGTH_MATCH => \&Length_Match, LENGTH_MATCH => \&Length_Match,
LOGMARK_TARGET => \&Logmark_Target, LOGMARK_TARGET => \&Logmark_Target,
@ -2895,6 +2902,7 @@ sub determine_capabilities() {
$capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' ); $capabilities{AUDIT_TARGET} = detect_capability( 'AUDIT_TARGET' );
$capabilities{IPSET_V5} = detect_capability( 'IPSET_V5' ); $capabilities{IPSET_V5} = detect_capability( 'IPSET_V5' );
$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' ); $capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
$capabilities{IPTABLES_S} = detect_capability( 'IPTABLES_S' );
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
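Review bot: Nothing in this diff bumps SHOREWALL_CAPVERSION alongside the new IPTABLES_S key in %capdesc and %capabilities, and the new key defaults to undef in initialize(). If the compiler accepts a stored capabilities file whose CAPVERSION matches its own (I cannot see that comparison from here), a file recorded before this commit would be read with IPTABLES_S unset and save_dynamic_chains would quietly keep using the iptables-save path; if that is the intended fallback, a comment on the `IPTABLES_S => undef` line saying so would make it deliberate. Also, `sub Iptables_S()` ends its only statement without the trailing semicolon its sibling Audit_Target uses: `qt1( "$iptables -S INPUT" );`.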


@ -1732,6 +1732,7 @@ determine_capabilities() {
ACCOUNT_TARGET= ACCOUNT_TARGET=
AUDIT_TARGET= AUDIT_TARGET=
CONDITION_MATCH= CONDITION_MATCH=
IPTABLES_S=
chain=fooX$$ chain=fooX$$
@ -1883,6 +1884,7 @@ determine_capabilities() {
qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes qt $IPTABLES -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes qt $IPTABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes qt $IPTABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
qt $IPTABLES -S INPUT && IPTABLES_S=Yes
qt $IPTABLES -F $chain qt $IPTABLES -F $chain
qt $IPTABLES -X $chain qt $IPTABLES -X $chain
qt $IPTABLES -F $chain1 qt $IPTABLES -F $chain1
@ -1978,6 +1980,7 @@ report_capabilities() {
report_capability "AUDIT Target" $AUDIT_TARGET report_capability "AUDIT Target" $AUDIT_TARGET
report_capability "ipset V5" $IPSET_V5 report_capability "ipset V5" $IPSET_V5
report_capability "Condition Match" $CONDITION_MATCH report_capability "Condition Match" $CONDITION_MATCH
report_capability "iptables -S" $IPTABLES_S
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -2049,6 +2052,7 @@ report_capabilities1() {
report_capability1 AUDIT_TARGET report_capability1 AUDIT_TARGET
report_capability1 IPSET_V5 report_capability1 IPSET_V5
report_capability1 CONDITION_MATCH report_capability1 CONDITION_MATCH
report_capability1 IPTABLES_S
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION


@ -1559,6 +1559,7 @@ determine_capabilities() {
AUDIT_TARGET= AUDIT_TARGET=
IPSET_V5= IPSET_V5=
CONDITION_MATCH= CONDITION_MATCH=
IPTABLES_S=
chain=fooX$$ chain=fooX$$
@ -1711,6 +1712,7 @@ determine_capabilities() {
qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes qt $IP6TABLES -A $chain -j ACCOUNT --addr 1::/122 --tname $chain && ACCOUNT_TARGET=Yes
qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes qt $IP6TABLES -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes qt $IP6TABLES -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
qt $IP6TABLES -S INPUT && IPTABLES_S=Yes
qt $IP6TABLES -F $chain qt $IP6TABLES -F $chain
@ -1805,6 +1807,7 @@ report_capabilities() {
report_capability "AUDIT Target" $AUDIT_TARGET report_capability "AUDIT Target" $AUDIT_TARGET
report_capability "ipset V5" $IPSET_V5 report_capability "ipset V5" $IPSET_V5
report_capability "Condition Match" $CONDITION_MATCH report_capability "Condition Match" $CONDITION_MATCH
report_capability "ip6tables -S" $IPTABLES_S
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1873,6 +1876,7 @@ report_capabilities1() {
report_capability1 AUDIT_TARGET report_capability1 AUDIT_TARGET
report_capability1 IPSET_V5 report_capability1 IPSET_V5
report_capability1 CONDITION_MATCH report_capability1 CONDITION_MATCH
report_capability1 IPTABLES_S
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION
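Review bot: The report label in the report_capabilities hunk is `"ip6tables -S"`, while the IPv4 library and the Perl %capdesc entry both describe the same IPTABLES_S capability as `'iptables -S'`. If the compiler's %capdesc is used for both address families when it prints capabilities (which seems likely but is not visible here), the shell-side and compiler-side reports for IPv6 will label this one capability differently; using `report_capability "iptables -S" $IPTABLES_S` here, or making the Perl description family-aware, keeps them consistent. The detection line `qt $IP6TABLES -S INPUT && IPTABLES_S=Yes` otherwise mirrors the IPv4 change.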