From 088fc1a3a3c67e24d49db84705544db694168030 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 18 Feb 2013 08:48:18 -0800 Subject: [PATCH] Report used/required capabilities Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Compiler.pm | 8 +++++++ Shorewall/Perl/Shorewall/Config.pm | 35 ++++++++++++++++++++++++++-- 2 files changed, 41 insertions(+), 2 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm index c26c4ea4a..0fd2a743b 100644 --- a/Shorewall/Perl/Shorewall/Compiler.pm +++ b/Shorewall/Perl/Shorewall/Compiler.pm @@ -903,6 +903,10 @@ sub compiler { # And generate the auxilary config file # enable_script, generate_aux_config if $export; + # + # Report used/required capabilities + # + report_used_capabilities; } else { # # Just checking the configuration @@ -954,6 +958,10 @@ sub compiler { process_routestopped; process_stoppedrules; } + # + # Report used/required capabilities + # + report_used_capabilities; if ( $family == F_IPV4 ) { progress_message3 "Shorewall configuration verified"; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index c75364b9e..5a4eceea2 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -66,6 +66,7 @@ our @EXPORT = qw( have_capability require_capability + report_used_capabilities kernel_version ); @@ -380,6 +381,8 @@ our %capdesc = ( NAT_ENABLED => 'NAT', KERNELVERSION => 'Kernel Version', ); +our %used; + use constant { ICMP => 1, TCP => 6, @@ -4128,6 +4131,8 @@ sub have_capability( $ ) { $setting = $capabilities{ $capability } = detect_capability( $capability ) unless defined $setting; + $used{$capability} = 1 if $setting; + $setting; } @@ -4276,6 +4281,8 @@ sub require_capability( $$$ ) { my ( $capability, $description, $singular ) = @_; fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability; + + $used{$capability} = 2; } # 
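Review bot: The new package global `our %used;` is declared without any comment on what its values mean, although its writers (have_capability stores 1, require_capability stores 2) and its only reader (report_used_capabilities) sit thousands of lines away in this file. A short block comment in the file's existing `#` style above the declaration would help, e.g. `# Capabilities exercised by the current configuration: 1 = have_capability() returned true, 2 = checked by require_capability() (flagged '*' in the report). Reset by get_configuration().` A more specific name such as `%used_capabilities` would also avoid confusion with a generic `%used`, but that is optional. This hunk is at file scope, between %capdesc and the `use constant` block.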
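Review bot: `$used{$capability} = 1 if $setting;` overwrites a value of 2 that an earlier require_capability call recorded for the same capability, so a capability that is first required and later merely probed again through have_capability loses its required level and is reported without the '*'. Since the report only distinguishes "probed" from "required", the assignment should never lower an existing level: `$used{$capability} ||= 1 if $setting;`. Note also that a true probe is recorded even when the caller only consulted it (for instance in an `... unless have_capability 'X'` guard), so the resulting list is "capabilities consulted" rather than strictly "capabilities the generated rules depend on"; if that distinction matters to users it is worth saying in the report's comment. The start of have_capability lies outside this hunk.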
@@ -4574,7 +4581,8 @@ sub read_capabilities() { # # Get the system's capabilities, either by probing or by reading a capabilities file # -sub get_capabilities( $ ) { +sub get_capabilities( $ ) +{ my $export = $_[0]; if ( ! $export && $> == 0 ) { # $> == $EUID @@ -4937,8 +4945,17 @@ sub get_configuration( $$$$ ) { $helpers_aliases{sip} = 'sip-0', $capabilities{SIP_HELPER} = 1 if $capabilities{SIP0_HELPER}; $helpers_aliases{tftp} = 'tftp-0', $capabilities{TFTP_HELPER} = 1 if $capabilities{TFTP0_HELPER}; - $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH'; + # + # Now initialize the used capabilities hash + # + %used = (); + if ( have_capability 'CONNTRACK_MATCH') { + $globals{STATEMATCH} = '-m conntrack --ctstate'; + $used{CONNTRACK_MATCH} = 2; + } else { + $used{STATE_MATCH} = 2; + } # # The following is not documented as it is not likely useful to the user base in general # Going forward, it allows me to create a configuration that will work on multiple @@ -5767,6 +5784,20 @@ sub dump_mark_layout() { $globals{TPROXY_MARK} ); } +sub report_used_capabilities() { + if ( $verbosity > 1 ) { + progress_message2 "Configuration uses these capabilities ('*' denotes required):"; + + for ( sort grep $_ ne 'KERNELVERSION', keys %used ) { + if ( $used{$_} > 1 ) { + progress_message2 " $_*"; + } else { + progress_message2 " $_"; + } + } + } +} + END { cleanup; }
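Review bot: In the else branch, `$used{STATE_MATCH} = 2;` records STATE_MATCH as required without ever checking that it is present, so the report can flag as required a capability this run never verified; when CONNTRACK_MATCH is absent the `-m state` fallback is genuinely relied on, and `require_capability 'STATE_MATCH', 'Shorewall', 's';` would both perform that check and set the marker through the same path as every other required capability (assuming STATE_MATCH is a probed capability with a %capdesc entry, which this branch already presumes). The `%used = ();` reset also discards anything have_capability recorded before this point, if any such calls run earlier in get_configuration; that looks intentional but deserves a word in the comment, e.g. `# Now initialize the used capabilities hash (probes made before this point are not reported)`. get_configuration starts and ends outside this hunk.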
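Review bot: report_used_capabilities() has no header comment, whereas neighbouring subs in this file (get_capabilities a few hunks up, for example) carry a `#` block describing their purpose, and the meaning of the 1/2 levels it tests is only discoverable by reading have_capability and require_capability. A block comment above the sub along the lines of `# Report (at verbosity >= 2) the capabilities this configuration exercised; entries set to 2 by require_capability() are flagged with '*', entries set to 1 were merely probed true by have_capability(). KERNELVERSION is deliberately skipped.` would close that gap. As a point of style, the if/else inside the loop can be a single statement, `progress_message2 "   $_" . ( $used{$_} > 1 ? '*' : '' );`, and the outer `$verbosity > 1` guard is redundant if progress_message2 already applies that threshold, which cannot be confirmed from this hunk. The whole sub lies within the hunk.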