Prepare for being able to accept multiple '-m' instances in an iptables command

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3753 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-03-29 19:24:33 +00:00
parent b90357ee95
commit 2e1cecd923
3 changed files with 60 additions and 22 deletions


@ -123,11 +123,13 @@ do_iptables() {
# Generate an IPTABLES command. Include hacks to work around iptables limitations # Generate an IPTABLES command. Include hacks to work around iptables limitations
# #
run_iptables() { run_iptables() {
if [ -z "$KLUDGEFREE" ]; then
# #
# Purge the temporary files that we use to prevent duplicate '-m' specifications # Purge the temporary files that we use to prevent duplicate '-m' specifications
# #
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
fi
save_command "$IPTABLES_COMMAND $@" save_command "$IPTABLES_COMMAND $@"
@ -137,8 +139,10 @@ run_iptables() {
# Version of 'run_iptables' that inserts white space after "!" in the arg list # Version of 'run_iptables' that inserts white space after "!" in the arg list
# #
run_iptables2() { run_iptables2() {
if [ -z "$KLUDGEFREE" ]; then
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
fi
save_command run_iptables $(fix_bang $@) save_command run_iptables $(fix_bang $@)
} }
@ -147,11 +151,13 @@ run_iptables2() {
# Generate command to quietly run iptables # Generate command to quietly run iptables
# #
qt_iptables() { qt_iptables() {
if [ -z "$KLUDGEFREE" ]; then
# #
# Purge the temporary files that we use to prevent duplicate '-m' specifications # Purge the temporary files that we use to prevent duplicate '-m' specifications
# #
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
fi
save_command qt \$IPTABLES $@ save_command qt \$IPTABLES $@
} }
@ -670,7 +676,9 @@ first_chains() #$1 = interface
# #
iprange_echo() iprange_echo()
{ {
if [ -f $TMP_DIR/iprange ]; then if [ -n "$KLUDGEFREE" ]; then
echo "-m iprange $@"
elif [ -f $TMP_DIR/iprange ]; then
echo $@ echo $@
else else
echo "-m iprange $@" echo "-m iprange $@"
@ -714,7 +722,9 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
# #
physdev_echo() physdev_echo()
{ {
if [ -f $TMP_DIR/physdev ]; then if [ -n "$KLUDGEFREE" ]; then
echo -m physdev $@
elif [ -f $TMP_DIR/physdev ]; then
echo $@ echo $@
else else
echo -m physdev $@ echo -m physdev $@
@ -7854,7 +7864,7 @@ activate_rules()
if havenatchain $destchain ; then if havenatchain $destchain ; then
run_iptables2 -t nat -A $sourcechain $@ -j $destchain run_iptables2 -t nat -A $sourcechain $@ -j $destchain
else elif [ -z "$KLUDGEFREE" ]; then
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
fi fi
@ -7874,7 +7884,7 @@ activate_rules()
eval run_iptables2 -t nat -I $sourcechain \ eval run_iptables2 -t nat -I $sourcechain \
\$${sourcechain}_rule $@ -j $destchain \$${sourcechain}_rule $@ -j $destchain
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\) eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
else elif [ -z "$KLUDGEFREE" ]; then
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev [ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange [ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
@ -9217,8 +9227,10 @@ do_initialize() {
fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall" fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
fi fi
if [ -z "$KLUDGEFREE" ]; then
rm -f $TMP_DIR/physdev rm -f $TMP_DIR/physdev
rm -f $TMP_DIR/iprange rm -f $TMP_DIR/iprange
fi
qt mywhich awk && HAVEAWK=Yes || HAVEAWK= qt mywhich awk && HAVEAWK=Yes || HAVEAWK=
} }
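Review bot: The `elif [ -z "$KLUDGEFREE" ]` branch that this commit introduces in the first activate_rules hunk still executes `[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev`, so on a bridging configuration the physdev marker file is never removed on that path and the shell emits a "command not found" error instead; the line should read `[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev`. activate_rules starts and ends outside both of its hunks. The same guarded purge is now spelled out in run_iptables, run_iptables2, qt_iptables and twice in activate_rules, which is how the typo survived; a single helper that owns the KLUDGEFREE test (sketched below) keeps every call site identical and makes the guard impossible to omit at the next one. In iprange_echo and physdev_echo the new first branch and the existing else branch emit the same text, so `if [ -z "$KLUDGEFREE" ] && [ -f $TMP_DIR/iprange ]; then echo $@; else echo "-m iprange $@"; fi` expresses the same decision with one branch fewer.
```shell
#
# Remove the marker files that suppress a second '-m physdev' / '-m iprange'
# in one rule. No-op when iptables accepts repeated matches (KLUDGEFREE=Yes).
#
purge_match_markers() {
    if [ -z "$KLUDGEFREE" ]; then
        [ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
        [ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
    fi
    return 0
}

run_iptables() {
    purge_match_markers
    # … unchanged: save_command "$IPTABLES_COMMAND $@" …
```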


@ -1137,14 +1137,26 @@ determine_capabilities() {
CLASSIFY_TARGET= CLASSIFY_TARGET=
ENHANCED_REJECT= ENHANCED_REJECT=
USEPKTTYPE= USEPKTTYPE=
KLUDGEFREE=
qt $IPTABLES -N fooX1234 qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then
PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes
fi
if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
IPRANGE_MATCH=Yes
if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
fi
fi
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
@ -1209,6 +1221,7 @@ report_capabilities() {
report_capability "IPP2P Match" $IPP2P_MATCH report_capability "IPP2P Match" $IPP2P_MATCH
report_capability "CLASSIFY Target" $CLASSIFY_TARGET report_capability "CLASSIFY Target" $CLASSIFY_TARGET
report_capability "Extended REJECT" $ENHANCED_REJECT report_capability "Extended REJECT" $ENHANCED_REJECT
report_capability "Repeat match" $KLUDGEFREE
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
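Review bot: The new `KLUDGEFREE=` initialisation and the two probes that set it carry no comment, and the name says nothing about what is being detected; the only hint on the page is the `"Repeat match"` label in report_capabilities. A one-line comment above `KLUDGEFREE=` such as `# KLUDGEFREE=Yes when iptables accepts the same '-m' match twice in one rule (probed with physdev, or with iprange when physdev is absent)` would let a reader connect it to the marker-file handling in the other file. The gate `[ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]` also deserves a line, e.g. `# physdev already answered the question; re-probe with iprange only if physdev was unavailable`, because at first reading it looks like the iprange probe is skipped whenever physdev exists. Since `qt` hides the reason a probe fails, any rejection of the doubled rule — not only "repeated match unsupported" — leaves KLUDGEFREE empty and selects the marker-file path, which is the conservative direction and worth stating next to the probe. The determine_capabilities hunk in the third file section is identical and wants the same two comments.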


@ -233,14 +233,26 @@ determine_capabilities() {
CLASSIFY_TARGET= CLASSIFY_TARGET=
ENHANCED_REJECT= ENHANCED_REJECT=
USEPKTTYPE= USEPKTTYPE=
KLUDGEFREE=
qt $IPTABLES -N fooX1234 qt $IPTABLES -N fooX1234
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then
PHYSDEV_MATCH=Yes
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes
fi
if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
IPRANGE_MATCH=Yes
if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
fi
fi
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
@ -307,6 +319,7 @@ report_capabilities() {
report_capability IPP2P_MATCH report_capability IPP2P_MATCH
report_capability CLASSIFY_TARGET report_capability CLASSIFY_TARGET
report_capability ENHANCED_REJECT report_capability ENHANCED_REJECT
report_capability KLUDGEFREE
} }
load_kernel_modules load_kernel_modules