Prepare for being able to accept multiple '-m' instances in an iptables command
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3753 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
b90357ee95
commit
2e1cecd923
@ -123,11 +123,13 @@ do_iptables() {
|
|||||||
# Generate an IPTABLES command. Include hacks to work around iptables limitations
|
# Generate an IPTABLES command. Include hacks to work around iptables limitations
|
||||||
#
|
#
|
||||||
run_iptables() {
|
run_iptables() {
|
||||||
#
|
if [ -z "$KLUDGEFREE" ]; then
|
||||||
# Purge the temporary files that we use to prevent duplicate '-m' specifications
|
#
|
||||||
#
|
# Purge the temporary files that we use to prevent duplicate '-m' specifications
|
||||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
#
|
||||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
|
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
fi
|
||||||
|
|
||||||
save_command "$IPTABLES_COMMAND $@"
|
save_command "$IPTABLES_COMMAND $@"
|
||||||
|
|
||||||
@ -137,8 +139,10 @@ run_iptables() {
|
|||||||
# Version of 'run_iptables' that inserts white space after "!" in the arg list
|
# Version of 'run_iptables' that inserts white space after "!" in the arg list
|
||||||
#
|
#
|
||||||
run_iptables2() {
|
run_iptables2() {
|
||||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
if [ -z "$KLUDGEFREE" ]; then
|
||||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
|
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
fi
|
||||||
|
|
||||||
save_command run_iptables $(fix_bang $@)
|
save_command run_iptables $(fix_bang $@)
|
||||||
}
|
}
|
||||||
@ -147,11 +151,13 @@ run_iptables2() {
|
|||||||
# Generate command to quietly run iptables
|
# Generate command to quietly run iptables
|
||||||
#
|
#
|
||||||
qt_iptables() {
|
qt_iptables() {
|
||||||
#
|
if [ -z "$KLUDGEFREE" ]; then
|
||||||
# Purge the temporary files that we use to prevent duplicate '-m' specifications
|
#
|
||||||
#
|
# Purge the temporary files that we use to prevent duplicate '-m' specifications
|
||||||
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
#
|
||||||
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
[ -n "$BRIDGING" ] && [ -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
|
[ -n "$IPRANGE_MATCH" ] && [ -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
fi
|
||||||
|
|
||||||
save_command qt \$IPTABLES $@
|
save_command qt \$IPTABLES $@
|
||||||
}
|
}
|
||||||
@ -670,7 +676,9 @@ first_chains() #$1 = interface
|
|||||||
#
|
#
|
||||||
iprange_echo()
|
iprange_echo()
|
||||||
{
|
{
|
||||||
if [ -f $TMP_DIR/iprange ]; then
|
if [ -n "$KLUDGEFREE" ]; then
|
||||||
|
echo "-m iprange $@"
|
||||||
|
elif [ -f $TMP_DIR/iprange ]; then
|
||||||
echo $@
|
echo $@
|
||||||
else
|
else
|
||||||
echo "-m iprange $@"
|
echo "-m iprange $@"
|
||||||
@ -714,7 +722,9 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
|
|||||||
#
|
#
|
||||||
physdev_echo()
|
physdev_echo()
|
||||||
{
|
{
|
||||||
if [ -f $TMP_DIR/physdev ]; then
|
if [ -n "$KLUDGEFREE" ]; then
|
||||||
|
echo -m physdev $@
|
||||||
|
elif [ -f $TMP_DIR/physdev ]; then
|
||||||
echo $@
|
echo $@
|
||||||
else
|
else
|
||||||
echo -m physdev $@
|
echo -m physdev $@
|
||||||
@ -7854,7 +7864,7 @@ activate_rules()
|
|||||||
|
|
||||||
if havenatchain $destchain ; then
|
if havenatchain $destchain ; then
|
||||||
run_iptables2 -t nat -A $sourcechain $@ -j $destchain
|
run_iptables2 -t nat -A $sourcechain $@ -j $destchain
|
||||||
else
|
elif [ -z "$KLUDGEFREE" ]; then
|
||||||
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev
|
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev
|
||||||
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
fi
|
fi
|
||||||
@ -7874,7 +7884,7 @@ activate_rules()
|
|||||||
eval run_iptables2 -t nat -I $sourcechain \
|
eval run_iptables2 -t nat -I $sourcechain \
|
||||||
\$${sourcechain}_rule $@ -j $destchain
|
\$${sourcechain}_rule $@ -j $destchain
|
||||||
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
eval ${sourcechain}_rule=\$\(\(\$${sourcechain}_rule + 1\)\)
|
||||||
else
|
elif [ -z "$KLUDGEFREE" ]; then
|
||||||
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev
|
||||||
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
[ -n "$IPRANGE_MATCH" -a -f $TMP_DIR/iprange ] && rm -f $TMP_DIR/iprange
|
||||||
|
|
||||||
@ -9217,8 +9227,10 @@ do_initialize() {
|
|||||||
fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
|
fatal_error "Shell $SHOREWALL_SHELL is broken and may not be used with Shorewall"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
rm -f $TMP_DIR/physdev
|
if [ -z "$KLUDGEFREE" ]; then
|
||||||
rm -f $TMP_DIR/iprange
|
rm -f $TMP_DIR/physdev
|
||||||
|
rm -f $TMP_DIR/iprange
|
||||||
|
fi
|
||||||
|
|
||||||
qt mywhich awk && HAVEAWK=Yes || HAVEAWK=
|
qt mywhich awk && HAVEAWK=Yes || HAVEAWK=
|
||||||
}
|
}
|
||||||
|
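Review bot: `[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && -rm -f $TMP_DIR/physdev` in the first activate_rules hunk (the `-t nat -A` branch) invokes a command named `-rm`, which presumably does not exist, so the physdev flag file is left in place on that path and the shell reports the failed command; the parallel `-t nat -I` hunk spells it `rm -f`, and the new `elif [ -z "$KLUDGEFREE" ]; then` keeps this branch live on iptables builds that still need the workaround. The line should read `[ -n "$BRIDGING" -a -f $TMP_DIR/physdev ] && rm -f $TMP_DIR/physdev`. The same physdev/iprange purge pair, under the same `$KLUDGEFREE` test, now appears in run_iptables, run_iptables2 and qt_iptables as well as in these two activate_rules branches; a single helper such as `purge_match_flags()` holding the `if [ -z "$KLUDGEFREE" ]` block would stop the five copies drifting the way this one has. activate_rules begins and ends outside both of its hunks.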
@ -1137,14 +1137,26 @@ determine_capabilities() {
|
|||||||
CLASSIFY_TARGET=
|
CLASSIFY_TARGET=
|
||||||
ENHANCED_REJECT=
|
ENHANCED_REJECT=
|
||||||
USEPKTTYPE=
|
USEPKTTYPE=
|
||||||
|
KLUDGEFREE=
|
||||||
|
|
||||||
qt $IPTABLES -N fooX1234
|
qt $IPTABLES -N fooX1234
|
||||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
|
||||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then
|
||||||
|
PHYSDEV_MATCH=Yes
|
||||||
|
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes
|
||||||
|
fi
|
||||||
|
|
||||||
|
if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
|
||||||
|
IPRANGE_MATCH=Yes
|
||||||
|
if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then
|
||||||
|
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
|
||||||
@ -1209,6 +1221,7 @@ report_capabilities() {
|
|||||||
report_capability "IPP2P Match" $IPP2P_MATCH
|
report_capability "IPP2P Match" $IPP2P_MATCH
|
||||||
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
report_capability "CLASSIFY Target" $CLASSIFY_TARGET
|
||||||
report_capability "Extended REJECT" $ENHANCED_REJECT
|
report_capability "Extended REJECT" $ENHANCED_REJECT
|
||||||
|
report_capability "Repeat match" $KLUDGEFREE
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
|
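Review bot: `KLUDGEFREE=` is introduced in determine_capabilities with no comment saying what the flag records, and the report label "Repeat match" is the only hint; a reader of `if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then` has to work out from the two probes that the iprange repeat test is skipped whenever the physdev probe already settled the answer. Suggest a comment at the assignment, `# KLUDGEFREE=Yes when iptables accepts the same -m match twice in one rule (probed below with -m physdev ... -m physdev ...)`, and one on the nested test, `# physdev already answered; only probe iprange when physdev match is unavailable`. The same uncommented block is copied verbatim into the second determine_capabilities hunk (the `@ -233,14 +233,26 @@` section), so the two probes have to be kept in sync by hand and the comments belong in both places.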
@ -233,14 +233,26 @@ determine_capabilities() {
|
|||||||
CLASSIFY_TARGET=
|
CLASSIFY_TARGET=
|
||||||
ENHANCED_REJECT=
|
ENHANCED_REJECT=
|
||||||
USEPKTTYPE=
|
USEPKTTYPE=
|
||||||
|
KLUDGEFREE=
|
||||||
|
|
||||||
qt $IPTABLES -N fooX1234
|
qt $IPTABLES -N fooX1234
|
||||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21,22 -j ACCEPT && MULTIPORT=Yes
|
||||||
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
qt $IPTABLES -A fooX1234 -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT && PHYSDEV_MATCH=Yes
|
|
||||||
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT && IPRANGE_MATCH=Yes
|
if qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth0 -j ACCEPT; then
|
||||||
|
PHYSDEV_MATCH=Yes
|
||||||
|
qt $IPTABLES -A fooX1234 -m physdev --physdev-in eth1 -m physdev --physdev-out eth1 -j ACCEPT && KLUDGEFREE=Yes
|
||||||
|
fi
|
||||||
|
|
||||||
|
if qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
|
||||||
|
IPRANGE_MATCH=Yes
|
||||||
|
if [ -z "${KLUDGEFREE}${PHYSDEV_MATCH}" ]; then
|
||||||
|
qt $IPTABLES -A fooX1234 -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m connmark --mark 2 -j ACCEPT && CONNMARK_MATCH=Yes
|
||||||
@ -307,6 +319,7 @@ report_capabilities() {
|
|||||||
report_capability IPP2P_MATCH
|
report_capability IPP2P_MATCH
|
||||||
report_capability CLASSIFY_TARGET
|
report_capability CLASSIFY_TARGET
|
||||||
report_capability ENHANCED_REJECT
|
report_capability ENHANCED_REJECT
|
||||||
|
report_capability KLUDGEFREE
|
||||||
}
|
}
|
||||||
|
|
||||||
load_kernel_modules
|
load_kernel_modules
|
||||||
|