diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index ca91db0fd..d4cfef55a 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -4517,7 +4517,11 @@ sub ensure_ipset( $ ) { my $set = shift; if ( $family == F_IPV4 ) { - emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ iphash" ); + if ( have_capability 'IPSET_V4' ) { + emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet" ); + } else { + emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ iphash" ); + } } else { emit ( " qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet6" ); } diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index fd3b08806..49140fdbf 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -433,7 +433,7 @@ sub initialize( $ ) { STATEMATCH => '-m state --state', UNTRACKED => 0, VERSION => "4.4.21-Beta3", - CAPVERSION => 40417 , + CAPVERSION => 40421 , ); # # From shorewall.conf file @@ -609,6 +609,7 @@ sub initialize( $ ) { OWNER_MATCH => undef, IPSET_MATCH => undef, OLD_IPSET_MATCH => undef, + IPSET_V4 => undef, CONNMARK => undef, XCONNMARK => undef, CONNMARK_MATCH => undef, @@ -2508,13 +2509,14 @@ sub Old_IPSet_Match() { sub IPSet_Match() { my $ipset = $config{IPSET} || 'ipset'; my $result = 0; + my $fam = $family == F_IPV4 ? 'inet' : 'inet6'; $ipset = which $ipset unless $ipset =~ '/'; if ( $ipset && -x $ipset ) { qt( "$ipset -X $sillyname" ); - if ( qt( "$ipset -N $sillyname iphash" ) ) { + if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) { if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) { qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" ); $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 ); 
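Review bot: The two `emit` lines added to ensure_ipset interpolate `$_` as the set name in `\$IPSET -N $_ ...` while the existence check on the same line uses `$set` (the value taken by `shift` at the top of the hunk), so when the set is missing the `-N` creates whatever the caller's `$_` currently holds rather than `$set`. Unless every caller is relying on `$_` being aliased to the same name, which the hunk does not show, both new branches should read `\$IPSET -N $set hash:ip family inet` and `\$IPSET -N $set iphash` (the pre-existing inet6 line has the same problem). A one-line comment on the new `if` would also help, e.g. `# newer ipset releases want the hash:ip syntax; older ones only know iphash`. ensure_ipset starts before this hunk and its closing brace is outside it.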
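Review bot: In the changed `if` in IPSet_Match the legacy `iphash` attempt is tried first and short-circuits the new `hash:ip family $fam` attempt, so on an ipset that accepts `iphash` as a compatibility alias the probe set is created with the default family even when `$fam` is inet6, and the following `$iptables -m set --match-set` test then runs against a set of the wrong family. The newly added `$fam` only pays off if the family-aware form is tried first: `if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) || qt( "$ipset -N $sillyname iphash" ) ) {`. That also matches the order the shell detector in Shorewall/lib.cli uses in this same commit (hash:ip first, iphash as the fallback). Whether ipset still accepts `iphash` as an alias is inferred, not shown here; the rest of IPSet_Match lies outside this hunk.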
@@ -2529,6 +2531,24 @@ sub IPSet_Match() { $result; } +sub IPSET_V4() { + my $ipset = $config{IPSET} || 'ipset'; + my $result = 0; + + $ipset = which $ipset unless $ipset =~ '/'; + + if ( $ipset && -x $ipset ) { + qt( "$ipset -X $sillyname" ); + + if ( qt( "$ipset -N $sillyname hash:ip family inet" ) ) { + $result = 1; + qt( "$ipset -X $sillyname" ); + } + } + + $result; +} + sub Usepkttype() { qt1( "$iptables -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" ); } diff --git a/Shorewall/lib.base b/Shorewall/lib.base index 5adad0e93..dfaf19686 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -29,7 +29,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40417 +SHOREWALL_CAPVERSION=40421 [ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ] diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index cd14ce8a0..f1e7ab05e 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -1672,6 +1672,7 @@ determine_capabilities() { OWNER_MATCH= IPSET_MATCH= OLD_IPSET_MATCH= + IPSET_V4= CONNMARK= XCONNMARK= CONNMARK_MATCH= @@ -1817,7 +1818,16 @@ determine_capabilities() { if qt mywhich ipset; then qt ipset -X $chain # Just in case something went wrong the last time - if qt ipset -N $chain iphash ; then + local have_ipset + + if qt ipset -N $chain hash:ip family inet; then + IPSET_V4=Yes + have_ipset=Yes + elif qt ipset -N $chain iphash ; then + have_ipset=Yes + fi + + if [ -n "$have_ipset" ]; then if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT IPSET_MATCH=Yes @@ -1932,6 +1942,7 @@ report_capabilities() { report_capability "Header Match" $HEADER_MATCH report_capability "ACCOUNT Target" $ACCOUNT_TARGET report_capability "AUDIT Target" $AUDIT_TARGET + report_capability "ipset V4" $IPSET_V4 fi [ -n "$PKTTYPE" ] || USEPKTTYPE= diff --git a/Shorewall6/lib.base b/Shorewall6/lib.base index d94cd828c..256af6002 100644 --- a/Shorewall6/lib.base 
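Review bot: The new `IPSET_V4` probe hard-codes `hash:ip family inet`, while IPSet_Match in the same file now derives `$fam` from `$family` and Shorewall6/lib.cli probes `family inet6`, so under Shorewall6 the Perl compiler and the shell detector test different ipset invocations for the same capability. Reusing the same expression keeps them aligned: `my $fam = $family == F_IPV4 ? 'inet' : 'inet6';` followed by `if ( qt( "$ipset -N $sillyname hash:ip family $fam" ) ) {`. The sub also repeats the `which`/`-x` resolution and the `-X $sillyname` cleanup verbatim from IPSet_Match; a short header comment such as `# True if ipset accepts the "hash:ip family <fam>" set syntax (ipset 6 and later, presumably)` would make the intent clear to the next reader.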
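Review bot: `local have_ipset` in determine_capabilities declares the flag without assigning it, and in dash/ash `local` keeps whatever value a same-named outer variable already has, so the later `[ -n "$have_ipset" ]` can see a stale Yes if the function is re-entered; initializing it removes the doubt: `local have_ipset=` (or plain `have_ipset=`, matching how the other capability flags in this function are reset). `local` itself is not POSIX, though the shells Shorewall targets appear to support it, which the hunk cannot confirm. The function continues outside this hunk.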
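Review bot: Shorewall/lib.cli only gains the human-readable `report_capability "ipset V4" $IPSET_V4` line; unlike the Shorewall6 counterpart in this same commit, no `report_capability1 IPSET_V4` is added, so if Shorewall/lib.cli has the same report_capabilities1 function as its IPv6 twin, a capabilities file generated for IPv4 will not carry `IPSET_V4=` and `have_capability 'IPSET_V4'` in Chains.pm would fall back to the `iphash` form on such hosts. Unless that function is updated elsewhere in the series, add `report_capability1 IPSET_V4` next to `report_capability1 AUDIT_TARGET`. The label is also spelled `ipset V4` here and `IPSET V4` in Shorewall6/lib.cli; one spelling would be nicer.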
+++ b/Shorewall6/lib.base @@ -33,7 +33,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40417 +SHOREWALL_CAPVERSION=40421 [ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ] diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli index 0c61b901a..df2ec4851 100644 --- a/Shorewall6/lib.cli +++ b/Shorewall6/lib.cli @@ -1499,6 +1499,7 @@ determine_capabilities() { OWNER_MATCH= IPSET_MATCH= OLD_IPSET_MATCH= + IPSET_V4= CONNMARK= XCONNMARK= CONNMARK_MATCH= @@ -1534,6 +1535,7 @@ determine_capabilities() { HEADER_MATCH= ACCOUNT_TARGET= AUDIT_TARGET= + IPSET_V4= chain=fooX$$ @@ -1651,7 +1653,8 @@ determine_capabilities() { if qt mywhich ipset; then qt ipset -X $chain # Just in case something went wrong the last time - if qt ipset -N $chain iphash ; then + if qt ipset -N $chain hash:ip family inet6; then + IPSET_V4=Yes if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT IPSET_MATCH=Yes @@ -1764,6 +1767,7 @@ report_capabilities() { report_capability "Header Match" $HEADER_MATCH report_capability "ACCOUNT Target" $ACCOUNT_TARGET report_capability "AUDIT Target" $AUDIT_TARGET + report_capability "IPSET V4" $IPSET_V4 fi [ -n "$PKTTYPE" ] || USEPKTTYPE= @@ -1829,6 +1833,7 @@ report_capabilities1() { report_capability1 HEADER_MATCH report_capability1 ACCOUNT_TARGET report_capability1 AUDIT_TARGET + report_capability1 IPSET_V4 echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION
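Review bot: The changed `if` in determine_capabilities sets `IPSET_V4=Yes` as soon as `ipset -N $chain hash:ip family inet6` succeeds, before the `$IP6TABLES -m set --set` test that establishes IPSET_MATCH, and the old `iphash` fallback is dropped entirely, so on this branch IPSET_V4 is Yes whenever ipset is usable at all and IPSET_MATCH can no longer be detected with an ipset that lacks `hash:ip`. If dropping the fallback is intentional (IPv6 sets presumably need the newer ipset), a comment saying so would help, e.g. `# IPv6 sets require the hash:ip syntax; no iphash fallback`. The capability is named V4 but here means the newer ipset syntax, not IPv4, and the compiler's IPv6 branch in Chains.pm does not consult it. The `IPSET_V4=` reset is also added twice earlier in this function (the 1499 and 1534 hunks) and can be collapsed to one. The function continues outside this hunk.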