Make the migration to the xtables-addons version of IPP2P transparent for Shorewall-perl users

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9261 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-common/lib.base

@@ -35,7 +35,7 @@
 #
 
 SHOREWALL_LIBVERSION=40000
-SHOREWALL_CAPVERSION=40203
+SHOREWALL_CAPVERSION=40205
 
 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@@ -1063,6 +1063,7 @@ determine_capabilities() {
     XCONNMARK_MATCH=
     RAW_TABLE=
     IPP2P_MATCH=
+    OLD_IPP2P_MATCH=
     LENGTH_MATCH=
     CLASSIFY_TARGET=
     ENHANCED_REJECT=
@@ -1151,6 +1152,10 @@ determine_capabilities() {
     fi
 
     qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT              && IPP2P_MATCH=Yes
+    if [ -n "$IPP2P_MATCH" ]; then
+	qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT        && OLD_IPP2P_MATCH=Yes
+    fi
+
     qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
     qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
 
@@ -1245,6 +1250,7 @@ report_capabilities() {
 	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
 	report_capability "Raw Table" $RAW_TABLE
 	report_capability "IPP2P Match" $IPP2P_MATCH
+	[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match" $OLD_IPP2P_MATCH
 	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
 	report_capability "Extended REJECT" $ENHANCED_REJECT
 	report_capability "Repeat match" $KLUDGEFREE
@@ -1298,6 +1304,7 @@ report_capabilities1() {
     report_capability1 XCONNMARK_MATCH
     report_capability1 RAW_TABLE
     report_capability1 IPP2P_MATCH
+    report_capability1 OLD_IPP2P_MATCH
     report_capability1 CLASSIFY_TARGET
     report_capability1 ENHANCED_REJECT
     report_capability1 KLUDGEFREE

Shorewall-perl/Shorewall/Chains.pm

@@ -1289,8 +1289,16 @@ sub do_proto( $$$ )
 		my $p = $2 ? lc $3 : 'tcp';
 		require_capability( 'IPP2P_MATCH' , "PROTO = $proto" , 's' );
 		$proto = '-p ' . proto_name($p) . ' ';
-		$ports = 'ipp2p' unless $ports;
-		$output .= "${proto}-m ipp2p --$ports ";
+
+		my $options = '';
+		
+		if ( $ports ) {
+		    $options .= " --$_" for split /,/, $ports; 
+		} else {
+		    $options = $capabilities{OLD_IPP2P_MATCH} ? '--ipp2p' : '--edk --kazza --gnu --dc';
+		}
+
+		$output .= "${proto}-m ipp2p${options} ";
 	    } else {
 		fatal_error "Invalid/Unknown protocol ($proto)"
 	    }

Shorewall-perl/Shorewall/Config.pm

@@ -300,7 +300,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    VERSION => "4.2.4",
-		    CAPVERSION => 40203 ,
+		    CAPVERSION => 40205 ,
 		  );
     #
     # From shorewall.conf file
@@ -547,6 +547,7 @@ sub initialize( $ ) {
 	       XCONNMARK_MATCH => undef,
 	       RAW_TABLE => undef,
 	       IPP2P_MATCH => undef,
+	       OLD_IPP2P_MATCH => undef,
 	       CLASSIFY_TARGET => undef,
 	       ENHANCED_REJECT => undef,
 	       KLUDGEFREE => undef,
@@ -1769,6 +1770,7 @@ sub determine_capabilities( $ ) {
     }
 
     $capabilities{IPP2P_MATCH}     = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --edk -j ACCEPT" );
+    $capabilities{OLD_IPP2P_MATCH} = qt1( "$iptables -A $sillyname -p tcp -m ipp2p --ipp2p -j ACCEPT" ) if $capabilities{IPP2P_MATCH};
     $capabilities{LENGTH_MATCH}    = qt1( "$iptables -A $sillyname -m length --length 10:20 -j ACCEPT" );
     $capabilities{ENHANCED_REJECT} = qt1( "$iptables -A $sillyname -j REJECT --reject-with icmp6-admt-prohibited" );
     $capabilities{COMMENTS}        = qt1( qq($iptables -A $sillyname -j ACCEPT -m comment --comment "This is a comment" ) );

docs/IPP2P.xml

@@ -77,14 +77,32 @@
     </simplelist>
 
     <para>When the PROTO or PROTOCOL column contains "ipp2p" then the DEST
-    PORT(S) or PORT(S) column may contain a recognized ipp2p option; for a
-    list of the options and their meaning, at a root prompt type:</para>
+    PORT(S) or PORT(S) column may contain a recognized ipp2p option
+    (Shorewall-perl 4.2.5 and later accepts a list of options); for a list of
+    the options and their meaning, at a root prompt type:</para>
 
     <programlisting><command>iptables -m ipp2p --help</command></programlisting>
 
     <para>You must not include the leading "--" on the option; Shorewall will
-    supply those characters for you. If you do not include an option then
-    "ipp2p" is assumed (Shorewall will generate "-m ipp2p --ipp2p").</para>
+    supply those characters for you. If you do not include an option
+    then:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>Shorewall-shell and Shorewall-perl up through 4.2.4 will assume
+        "ipp2p". Note that the xtables version of IPP2P does not support this
+        option.</para>
+      </listitem>
+
+      <listitem>
+        <para>Shorewall-perl 4.2.5 and later will assume "ipp2p" if that
+        option is supported by the installed iptables/Netfilter. Otherwise, it
+        will assume "edk,kazza,gnu,dc"</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>If 'ipp2p' is specified, Shorewall-perl 4.2.5 and later will
+    substitute "edk,kazza,gnu,dc".</para>
   </section>
 
   <section id="Example">

manpages/shorewall-providers.xml

@@ -231,12 +231,16 @@
               role="bold">fallback[=<replaceable>weight</replaceable>]</emphasis></term>
 
               <listitem>
-                <para>Added in Shorewall-perl 4.2.5. Indicates that a balanced
-                default route through the provider should be added to the
-                default routing table (table 253). The route is added with a
-                weight equal to the specified
-                <replaceable>weight</replaceable> (default 1). The option is
-                ignored with a warning message if USE_DEFAULT_RT=Yes in
+                <para>Added in Shorewall-perl 4.2.5. Indicates that a default
+                route through the provider should be added to the default
+                routing table (table 253). If a
+                <replaceable>weight</replaceable> is given, a balanced route
+                is added with the weight of this provider equal to the
+                specified <replaceable>weight</replaceable>. If the option is
+                given without a <replaceable>weight</replaceable>, an separate
+                default route is added through the provider's gateway; the
+                route has a metric equal to the provider's NUMBER. The option
+                is ignored with a warning message if USE_DEFAULT_RT=Yes in
                 <filename>shorewall.conf</filename>.</para>
               </listitem>
             </varlistentry>