holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow Shorewall to work with iptables 1.4.1

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8762 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-10-08 21:30:05 +00:00
parent 8bd24599ff
commit 11fa1bc259
2 changed files with 8 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall-perl/Shorewall/Chains.pm
View File

@ -1508,7 +1508,7 @@ sub match_orig_dest ( $ ) {
if ( $net =~ s/^!// ) { if ( $net =~ s/^!// ) {
validate_net $net, 1; validate_net $net, 1;
"-m conntrack --ctorigdst ! $net "; $capabilities{NEW_CONNTRACK_MATCH} ? "-m conntrack ! --ctorigdst $net " : "-m conntrack --ctorigdst ! $net ";
} else { } else {
validate_net $net, 1; validate_net $net, 1;
$net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net "; $net eq ALLIPv4 ? '' : "-m conntrack --ctorigdst $net ";

7
Shorewall-perl/Shorewall/Config.pm
View File

@ -177,6 +177,8 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
MULTIPORT => 'Multi-port Match' , MULTIPORT => 'Multi-port Match' ,
XMULTIPORT => 'Extended Multi-port Match', XMULTIPORT => 'Extended Multi-port Match',
CONNTRACK_MATCH => 'Connection Tracking Match', CONNTRACK_MATCH => 'Connection Tracking Match',
NEW_CONNTRACK_MATCH =>
'New Connection Tracking Match syntax',
USEPKTTYPE => 'Packet Type Match', USEPKTTYPE => 'Packet Type Match',
POLICY_MATCH => 'Policy Match', POLICY_MATCH => 'Policy Match',
PHYSDEV_MATCH => 'Physdev Match', PHYSDEV_MATCH => 'Physdev Match',
@ -385,6 +387,7 @@ sub initialize() {
MULTIPORT => undef, MULTIPORT => undef,
XMULTIPORT => undef, XMULTIPORT => undef,
CONNTRACK_MATCH => undef, CONNTRACK_MATCH => undef,
NEW_CONNTRACK_MATCH => undef,
USEPKTTYPE => undef, USEPKTTYPE => undef,
POLICY_MATCH => undef, POLICY_MATCH => undef,
PHYSDEV_MATCH => undef, PHYSDEV_MATCH => undef,
@ -1552,6 +1555,10 @@ sub determine_capabilities( $ ) {
$capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" ); $capabilities{CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT" );
if ( $capabilities{CONNTRACL_MATCH} ) {
$capabilities{NEW_CONNTRACK_MATCH} = qt1( "$iptables -A $sillyname -m conntrack ! --ctorigdst 192.168.1.1 -j ACCEPT" );
}
if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) { if ( qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21,22 -j ACCEPT" ) ) {
$capabilities{MULTIPORT} = 1; $capabilities{MULTIPORT} = 1;
$capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" ); $capabilities{KLUDGEFREE} = qt1( "$iptables -A $sillyname -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT" );