Implement rpfilter match capability

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-07-15 07:54:46 -07:00
parent 691a9bf793
commit e7cd84a72c
3 changed files with 14 additions and 2 deletions


@ -28,7 +28,7 @@
# #
SHOREWALL_LIBVERSION=40502 SHOREWALL_LIBVERSION=40502
SHOREWALL_CAPVERSION=40504 SHOREWALL_CAPVERSION=40507
[ -n "${g_program:=shorewall}" ] [ -n "${g_program:=shorewall}" ]


@ -1995,6 +1995,7 @@ determine_capabilities() {
DSCP_MATCH= DSCP_MATCH=
DSCP_TARGET= DSCP_TARGET=
GEOIP_MATCH= GEOIP_MATCH=
RPFILTER_MATCH=
chain=fooX$$ chain=fooX$$
@ -2127,6 +2128,7 @@ determine_capabilities() {
qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
qt $g_tool -t mangle -F $chain qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain qt $g_tool -t mangle -X $chain
@ -2319,6 +2321,7 @@ report_capabilities() {
report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
report_capability "Geo IP match" $GEOIP_MATCH report_capability "Geo IP match" $GEOIP_MATCH
report_capability "RPFilter match" $RPFILTER_MATCH
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@ -2410,6 +2413,7 @@ report_capabilities1() {
report_capability1 DSCP_MATCH report_capability1 DSCP_MATCH
report_capability1 DSCP_TARGET report_capability1 DSCP_TARGET
report_capability1 GEOIP_MATCH report_capability1 GEOIP_MATCH
report_capability1 RPFILTER_MATCH
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION
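Review bot: The new `report_capability "RPFilter match" $RPFILTER_MATCH` line in report_capabilities omits the variable name that most neighbouring entries carry in parentheses, so an operator checking whether reverse-path (anti-spoofing) filtering is available cannot map the displayed line to the RPFILTER_MATCH key that report_capabilities1 writes. I would write it as `report_capability "RPFilter Match (RPFILTER_MATCH)" $RPFILTER_MATCH`, which also matches the 'RPFilter Match' capitalisation used in the Perl description table. The adjacent "Geo IP match" line has the same gap, but it predates this commit. determine_capabilities and both report functions start and end outside the hunks shown.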


@ -308,6 +308,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
DSCP_MATCH => 'DSCP Match', DSCP_MATCH => 'DSCP Match',
DSCP_TARGET => 'DSCP Target', DSCP_TARGET => 'DSCP Target',
GEOIP_MATCH => 'GeoIP Match' , GEOIP_MATCH => 'GeoIP Match' ,
RPFILTER_MATCH => 'RPFilter Match',
# #
# Constants # Constants
# #
@ -526,7 +527,7 @@ sub initialize( $;$ ) {
STATEMATCH => '-m state --state', STATEMATCH => '-m state --state',
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.5.6", VERSION => "4.5.6",
CAPVERSION => 40504 , CAPVERSION => 40507 ,
); );
# #
# From shorewall.conf file # From shorewall.conf file
@ -759,6 +760,7 @@ sub initialize( $;$ ) {
DSCP_MATCH => undef, DSCP_MATCH => undef,
DSCP_TARGET => undef, DSCP_TARGET => undef,
GEOIP_MATCH => undef, GEOIP_MATCH => undef,
RPFILTER_MATCH => undef,
CAPVERSION => undef, CAPVERSION => undef,
LOG_OPTIONS => 1, LOG_OPTIONS => 1,
KERNELVERSION => undef, KERNELVERSION => undef,
@ -3208,6 +3210,10 @@ sub Dscp_Target() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" ); have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
} }
sub RPFilter_Match() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" );
}
sub GeoIP_Match() { sub GeoIP_Match() {
qt1( "$iptables -A $sillyname -m geoip --src-cc US" ); qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
} }
@ -3271,6 +3277,7 @@ our %detect_capability =
RAWPOST_TABLE => \&Rawpost_Table, RAWPOST_TABLE => \&Rawpost_Table,
REALM_MATCH => \&Realm_Match, REALM_MATCH => \&Realm_Match,
RECENT_MATCH => \&Recent_Match, RECENT_MATCH => \&Recent_Match,
RPFILTER_MATCH => \&RPFilter_Match,
STATISTIC_MATCH => \&Statistic_Match, STATISTIC_MATCH => \&Statistic_Match,
TCPMSS_MATCH => \&Tcpmss_Match, TCPMSS_MATCH => \&Tcpmss_Match,
TIME_MATCH => \&Time_Match, TIME_MATCH => \&Time_Match,
@ -3410,6 +3417,7 @@ sub determine_capabilities() {
$capabilities{DSCP_MATCH} = detect_capability( 'DSCP_MATCH' ); $capabilities{DSCP_MATCH} = detect_capability( 'DSCP_MATCH' );
$capabilities{DSCP_TARGET} = detect_capability( 'DSCP_TARGET' ); $capabilities{DSCP_TARGET} = detect_capability( 'DSCP_TARGET' );
$capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' ); $capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' );
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" ); qt1( "$iptables -X $sillyname" );
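Review bot: RPFilter_Match has no comment explaining why the probe is gated on MANGLE_ENABLED, and that gate is not the same as "rpfilter is available": the match is accepted in the PREROUTING chain of either the raw or the mangle table, so a host without mangle reports the capability as absent even where raw could carry the rule. If the rules that consume this capability are always emitted in mangle, that is the right test, but it should be stated, e.g. `# rpfilter is valid only in PREROUTING of raw or mangle; probed in mangle because that is where the rules are generated` (wording to be confirmed against the consumer, which is not in this commit). Separately, `have_capability 'MANGLE_ENABLED' && qt1( ... )` parses as intended only if have_capability is declared with a single-scalar prototype, which is outside the hunk; `have_capability( 'MANGLE_ENABLED' ) && qt1( ... )` removes that dependency. The same unparenthesised form is already used in Dscp_Target.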