Verify physdev match if BRIDGING=Yes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1602 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-09-05 23:43:08 +00:00
parent 2fca478477
commit 0649e6ad70
3 changed files with 15 additions and 1 deletions


@ -60,3 +60,5 @@ Changes since 2.0.3
28) Apply Richard Musil's patch. 28) Apply Richard Musil's patch.
29) Correct parsing of PROTO column in setup_tc1(). 29) Correct parsing of PROTO column in setup_tc1().
30) Verify Physdev match if BRIDGING=Yes


@ -2503,6 +2503,10 @@ check_config() {
verify_os_version verify_os_version
if [ -n "$BRIDGING" ]; then
[ -n "$PHYSDEV_MATCH" || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi
echo "Determining Zones..." echo "Determining Zones..."
determine_zones determine_zones
@ -5187,11 +5191,13 @@ determine_capabilities() {
CONNTRACK_MATCH= CONNTRACK_MATCH=
MULTIPORT= MULTIPORT=
POLICY_MATCH= POLICY_MATCH=
PHYSDEV_MATCH=
if qt iptables -N fooX1234 ; then if qt iptables -N fooX1234 ; then
qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt iptables -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt iptables -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes qt iptables -A fooX1234 -m policy --pol ipsec --dir in -j ACCEPT && POLICY_MATCH=Yes
qt iptables -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt iptables -F fooX1234 qt iptables -F fooX1234
@ -5225,6 +5231,7 @@ report_capabilities() {
report_capability $CONNTRACK_MATCH "Connection Tracking Match" report_capability $CONNTRACK_MATCH "Connection Tracking Match"
report_capability $PKTTYPE "Packet Type Match" report_capability $PKTTYPE "Packet Type Match"
report_capability $POLICY_MATCH "Policy Match" report_capability $POLICY_MATCH "Policy Match"
report_capability $PHYSDEV_MATCH "Physdev Match"
} }
# #
@ -5239,6 +5246,10 @@ initialize_netfilter () {
report_capabilities report_capabilities
if [ -n "$BRIDGING" ]; then
[ -n "$PHYSDEV_MATCH" || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"
fi
echo "Determining Zones..." echo "Determining Zones..."
determine_zones determine_zones
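Review bot: The added test in check_config, `[ -n "$PHYSDEV_MATCH" || startup_error ...`, has no closing `]` as shown, and the same line is repeated in initialize_netfilter. Without the bracket, `[` exits with an error status, so startup_error runs whenever BRIDGING is non-empty, even on systems that do have physdev match support. Both lines should read `[ -n "$PHYSDEV_MATCH" ] || startup_error "BRIDGING=Yes requires Physdev Match support in your Kernel and iptables"`. The check_config hunk also does not show determine_capabilities running before the test; if PHYSDEV_MATCH is still unset at that point, the check would fail regardless of kernel support, so that ordering is worth confirming. Both function bodies extend outside the hunks shown.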


@ -420,6 +420,7 @@ New Features:
See the comments at the top of /etc/shorewall/accounting for See the comments at the top of /etc/shorewall/accounting for
details. details.
13) Shorewall now verifies that your kernel and iptables have physdev
match support if BRIDGING=Yes in shorewall.conf.