forked from extern/shorewall_code
Add capabilities to ?IF conditionals
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
d1661c95d5
commit
0d71c590e4
@ -2209,81 +2209,81 @@ report_capabilities() {
|
||||
|
||||
if [ $VERBOSITY -gt 1 ]; then
|
||||
echo "$g_product has detected the following iptables/netfilter capabilities:"
|
||||
report_capability "NAT" $NAT_ENABLED
|
||||
report_capability "Packet Mangling" $MANGLE_ENABLED
|
||||
report_capability "Multi-port Match" $MULTIPORT
|
||||
report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
|
||||
report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
|
||||
report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
|
||||
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
|
||||
report_capability "Connection Tracking Match" $CONNTRACK_MATCH
|
||||
report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
|
||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||
report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
|
||||
[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
|
||||
report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
|
||||
[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
|
||||
fi
|
||||
report_capability "Packet Type Match" $USEPKTTYPE
|
||||
report_capability "Policy Match" $POLICY_MATCH
|
||||
report_capability "Physdev Match" $PHYSDEV_MATCH
|
||||
report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
|
||||
report_capability "Packet length Match" $LENGTH_MATCH
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
|
||||
report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
|
||||
report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
|
||||
report_capability "Physdev-is-bridged Support (PHYSDEV_MATCH)" $PHYSDEV_BRIDGE
|
||||
report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
|
||||
report_capability "IP range Match (IPRANGE_MATCH)" $IPRANGE_MATCH
|
||||
report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
|
||||
report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
|
||||
if [ -n "$IPSET_MATCH" ]; then
|
||||
report_capability "Ipset Match" $IPSET_MATCH
|
||||
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
|
||||
report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
|
||||
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
|
||||
fi
|
||||
report_capability "CONNMARK Target" $CONNMARK
|
||||
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
|
||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
|
||||
report_capability "Raw Table" $RAW_TABLE
|
||||
report_capability "Rawpost Table" $RAWPOST_TABLE
|
||||
report_capability "IPP2P Match" $IPP2P_MATCH
|
||||
[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
|
||||
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||
report_capability "Extended REJECT" $ENHANCED_REJECT
|
||||
report_capability "Repeat match" $KLUDGEFREE
|
||||
report_capability "MARK Target" $MARK
|
||||
[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
|
||||
[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
|
||||
report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
|
||||
report_capability "Comments" $COMMENTS
|
||||
report_capability "Address Type Match" $ADDRTYPE
|
||||
report_capability "TCPMSS Match" $TCPMSS_MATCH
|
||||
report_capability "Hashlimit Match" $HASHLIMIT_MATCH
|
||||
[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match" $OLD_HL_MATCH
|
||||
report_capability "NFQUEUE Target" $NFQUEUE_TARGET
|
||||
report_capability "Realm Match" $REALM_MATCH
|
||||
report_capability "Helper Match" $HELPER_MATCH
|
||||
report_capability "Connlimit Match" $CONNLIMIT_MATCH
|
||||
report_capability "Time Match" $TIME_MATCH
|
||||
report_capability "Goto Support" $GOTO_TARGET
|
||||
report_capability "LOGMARK Target" $LOGMARK_TARGET
|
||||
report_capability "IPMARK Target" $IPMARK_TARGET
|
||||
report_capability "LOG Target" $LOG_TARGET
|
||||
report_capability "ULOG Target" $ULOG_TARGET
|
||||
report_capability "NFLOG Target" $NFLOG_TARGET
|
||||
report_capability "Persistent SNAT" $PERSISTENT_SNAT
|
||||
report_capability "TPROXY Target" $TPROXY_TARGET
|
||||
report_capability "FLOW Classifier" $FLOW_FILTER
|
||||
report_capability "fwmark route mask" $FWMARK_RT_MASK
|
||||
report_capability "Mark in any table" $MARK_ANYWHERE
|
||||
report_capability "Header Match" $HEADER_MATCH
|
||||
report_capability "ACCOUNT Target" $ACCOUNT_TARGET
|
||||
report_capability "AUDIT Target" $AUDIT_TARGET
|
||||
report_capability "ipset V5" $IPSET_V5
|
||||
report_capability "Condition Match" $CONDITION_MATCH
|
||||
report_capability "Statistic Match" $STATISTIC_MATCH
|
||||
report_capability "IMQ Target" $IMQ_TARGET
|
||||
report_capability "DSCP Match" $DSCP_MATCH
|
||||
report_capability "DSCP Target" $DSCP_TARGET
|
||||
report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
|
||||
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
|
||||
report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
|
||||
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
|
||||
report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
|
||||
report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
|
||||
report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
|
||||
[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
|
||||
report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
|
||||
report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
|
||||
report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
|
||||
report_capability "MARK Target (MARK)" $MARK
|
||||
[ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
|
||||
[ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
|
||||
report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
|
||||
report_capability "Comments (COMMENTS)" $COMMENTS
|
||||
report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
|
||||
report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
|
||||
report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
|
||||
[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
|
||||
report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
|
||||
report_capability "Realm Match (RELM_MATCH)" $REALM_MATCH
|
||||
report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
|
||||
report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
|
||||
report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
|
||||
report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
|
||||
report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
|
||||
report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
|
||||
report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
|
||||
report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
|
||||
report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
|
||||
report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
|
||||
report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
|
||||
report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
|
||||
report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
|
||||
report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
|
||||
report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
|
||||
report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
|
||||
report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
|
||||
report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
|
||||
report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
|
||||
report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
|
||||
report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
|
||||
report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
|
||||
report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
|
||||
|
||||
if [ $g_family -eq 4 ]; then
|
||||
report_capability "iptables -S" $IPTABLES_S
|
||||
report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
|
||||
else
|
||||
report_capability "ip6tables -S" $IPTABLES_S
|
||||
report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
|
||||
fi
|
||||
|
||||
report_capability "Basic Filter" $BASIC_FILTER
|
||||
report_capability "CT Target" $CT_TARGET
|
||||
report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
|
||||
report_capability "CT Target (CT_TARGET)" $CT_TARGET
|
||||
fi
|
||||
|
||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||
|
@ -1470,7 +1470,10 @@ sub do_open_file( $ ) {
|
||||
open $currentfile, '<', $fname or fatal_error "Unable to open $fname: $!";
|
||||
$currentlinenumber = 0;
|
||||
$ifstack = @ifstack;
|
||||
$currentfilename = $fname;
|
||||
#
|
||||
# Must be last
|
||||
#
|
||||
$currentfilename = $fname;
|
||||
}
|
||||
|
||||
sub open_file( $ ) {
|
||||
@ -1524,7 +1527,7 @@ sub close_file() {
|
||||
}
|
||||
|
||||
#
|
||||
# Process an ?IF, ?ELSE, or ?ENDIF
|
||||
# Process an ?IF, ?ELSE, or ?ENDIF. Returns the new $omitting setting.
|
||||
#
|
||||
sub process_conditional($$$) {
|
||||
my ( $omitting, $keyword, $rest ) = @_;
|
||||
@ -1535,18 +1538,23 @@ sub process_conditional($$$) {
|
||||
fatal_error "Missing IF variable" unless $rest;
|
||||
my $invert = $rest =~ s/^!\s*//;
|
||||
|
||||
fatal_error "Invalid IF variable ($rest)" unless $rest =~ s/^\$// && $rest =~ /^\w+$/;
|
||||
fatal_error "Invalid IF variable ($rest)" unless ( $rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;
|
||||
|
||||
push @ifstack, [ 'IF', $omitting, $currentlinenumber ];
|
||||
|
||||
if ( $rest eq '__IPV6' ) {
|
||||
$omitting = $family == F_IPV4;
|
||||
} elsif ( $rest eq '__IPV4' ) {
|
||||
if ( $rest eq '__IPV4' ) {
|
||||
$omitting = $family == F_IPV6;
|
||||
} elsif ( $rest eq '__IPV6' ) {
|
||||
$omitting = $family == F_IPV4;
|
||||
} else {
|
||||
$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
|
||||
exists $params{$rest} ? $params{$rest} :
|
||||
exists $config{$rest} ? $config{$rest} : 0 );
|
||||
my $cap;
|
||||
|
||||
($cap = $rest) =~ s/^__//;
|
||||
|
||||
$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
|
||||
exists $params{$rest} ? $params{$rest} :
|
||||
exists $config{$rest} ? $config{$rest} :
|
||||
exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
|
||||
}
|
||||
|
||||
$omitting = ! $omitting if $invert;
|
||||
|
@ -46,7 +46,7 @@ my $chainref = get_action_chain;
|
||||
my ( $level, $tag ) = get_action_logging;
|
||||
my $target = require_audit ( $action , $audit );
|
||||
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
?IF __ADDRTYPE
|
||||
if ( $level ne '' ) {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
|
||||
@ -56,14 +56,14 @@ if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
|
||||
add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
|
||||
} else {
|
||||
?ELSE #Begin no Addrtype support
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
incr_cmd_level $chainref;
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, "-d \$address ";
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
}
|
||||
?END #No Addrtype support
|
||||
|
||||
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
|
||||
add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
|
||||
|
@ -50,32 +50,32 @@ if ( $level ne '-' || $audit ne '-' ) {
|
||||
$target = 'DROP';
|
||||
}
|
||||
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ;
|
||||
} else {
|
||||
add_ijump $chainref , j => 'RETURN', s => '::';
|
||||
}
|
||||
?IF __ADDRTYPE
|
||||
?IF __IPV4
|
||||
add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ;
|
||||
?ELSE
|
||||
add_ijump $chainref , j => 'RETURN', s => '::';
|
||||
?END
|
||||
|
||||
add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
|
||||
} else {
|
||||
if ( $family == F_IPV4 ) {
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
} else {
|
||||
add_commands $chainref, 'for address in $ALL_ACASTS; do';
|
||||
}
|
||||
?ELSE # Begin no Addrtype support
|
||||
?IF __IPV4
|
||||
add_commands $chainref, 'for address in $ALL_BCASTS; do';
|
||||
?ELSE
|
||||
add_commands $chainref, 'for address in $ALL_ACASTS; do';
|
||||
?END
|
||||
|
||||
incr_cmd_level $chainref;
|
||||
add_ijump( $chainref, g => $target, s => '$address' );
|
||||
decr_cmd_level $chainref;
|
||||
add_commands $chainref, 'done';
|
||||
}
|
||||
?END # No Addrtype support
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
?IF __IPV4
|
||||
add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
|
||||
} else {
|
||||
?ELSE
|
||||
add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
|
||||
}
|
||||
?END
|
||||
|
||||
END PERL;
|
||||
|
||||
|
1306
Shorewall/lib.core
1306
Shorewall/lib.core
File diff suppressed because it is too large
Load Diff
@ -1485,9 +1485,18 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2> /dev/null || true</programlisting
|
||||
pre-defined ones, it is searched for in the compiler's environmental
|
||||
variables, in variables set in <filename>/etc/shorewall/params</filename>,
|
||||
and in options set in <filename>/etc/shorewall/shorewall.conf</filename>
|
||||
in that order. If it is not found in any of those places, the
|
||||
in that order. If the <replaceable>variable</replaceable> is still not
|
||||
found and it begins with '__', then those leading characters are stripped
|
||||
off and the result is searched for in the defined
|
||||
<firstterm>capabilities</firstterm>. The current set of capabilities may
|
||||
be obtained by the command <command>shorewall show capabilities</command>
|
||||
(the capability names are in parentheses).</para>
|
||||
|
||||
<para>If it is not found in any of those places, the
|
||||
<replaceable>variable</replaceable> is assumed to have a value of 0
|
||||
(false). If "!" is present, the result of the test is inverted.</para>
|
||||
(false).</para>
|
||||
|
||||
<para>If "!" is present, the result value is inverted.</para>
|
||||
|
||||
<para>The setting in <filename>/etc/shorewall/params</filename> by be
|
||||
overridden at runtime, provided the setting in
|
||||
|
Loading…
Reference in New Issue
Block a user