holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add SWITCH column to the conntrack file

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-11-21 14:20:56 -08:00
parent 54dadcc546
commit 3040156981
4 changed files with 90 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
Shorewall/Perl/Shorewall/Raw.pm
View File

@ -41,9 +41,9 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
# #
# Notrack # Notrack
# #
sub process_conntrack_rule( $$$$$$$$$ ) { sub process_conntrack_rule( $$$$$$$$$$ ) {
my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_; my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
require_capability 'RAW_TABLE', 'conntrack rules', ''; require_capability 'RAW_TABLE', 'conntrack rules', '';
@ -74,7 +74,7 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
my $target = $action; my $target = $action;
my $exception_rule = ''; my $exception_rule = '';
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ); my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch );
if ( $action eq 'NOTRACK' ) { if ( $action eq 'NOTRACK' ) {
# #
@ -162,7 +162,9 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
$proto , $proto ,
$ports , $ports ,
$sports , $sports ,
$user ); $user,
'-',
);
} else { } else {
assert( $action_target ); assert( $action_target );
# #
@ -224,17 +226,17 @@ sub setup_conntrack() {
first_entry( "$doing $fn..." ); first_entry( "$doing $fn..." );
while ( read_a_line( NORMAL_READ ) ) { while ( read_a_line( NORMAL_READ ) ) {
my ( $source, $dest, $proto, $ports, $sports, $user ); my ( $source, $dest, $proto, $ports, $sports, $user, $switch );
if ( $format == 1 ) { if ( $format == 1 ) {
( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 }; ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
if ( $source eq 'FORMAT' ) { if ( $source eq 'FORMAT' ) {
$format = process_format( $dest ); $format = process_format( $dest );
next; next;
} }
} else { } else {
( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 }; ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, { COMMENT => 0, FORMAT => 2 };
if ( $action eq 'FORMAT' ) { if ( $action eq 'FORMAT' ) {
$format = process_format( $source ); $format = process_format( $source );
@ -252,10 +254,10 @@ sub setup_conntrack() {
if ( $source =~ /^all(-)?(:(.+))?$/ ) { if ( $source =~ /^all(-)?(:(.+))?$/ ) {
fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-'; fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user ) unless $1; process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch ) unless $1;
process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user ); process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $3 || '-', $dest, $proto, $ports, $sports, $user , $switch );
} else { } else {
process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user ); process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
} }
} }

4
Shorewall/configfiles/conntrack
View File

@ -3,9 +3,9 @@
# #
# For information about entries in this file, type "man shorewall-conntrack" # For information about entries in this file, type "man shorewall-conntrack"
# #
############################################################################################# ##############################################################################################################
FORMAT 2 FORMAT 2
#ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ #ACTION SOURCE DESTINATION PROTO DEST SOURCE USER/ SWITCH
# PORT(S) PORT(S) GROUP # PORT(S) PORT(S) GROUP
?if $AUTOHELPERS && __CT_TARGET ?if $AUTOHELPERS && __CT_TARGET

38
Shorewall/manpages/shorewall-conntrack.xml
View File

@ -339,6 +339,44 @@
id and or group id of the process sending the traffic.</para> id and or group id of the process sending the traffic.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable></emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.10 and allows enabling and disabling
the rule without requiring <command>shorewall
restart</command>.</para>
<para>The rule is enabled if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. The rule is disabled if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0. <replaceable>switch-name</replaceable> must
begin with a letter and be composed of letters, decimal digits,
underscores or hyphens. Switch names must be 30 characters or less
in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall
restart</command>.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>

38
Shorewall6/manpages/shorewall6-conntrack.xml
View File

@ -225,6 +225,44 @@
id and or group id of the process sending the traffic.</para> id and or group id of the process sending the traffic.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">SWITCH -
[!]<replaceable>switch-name</replaceable></emphasis></term>
<listitem>
<para>Added in Shorewall6 4.5.10 and allows enabling and disabling
the rule without requiring <command>shorewall6
restart</command>.</para>
<para>Enables the rule if the value stored in
<filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
is 1. Disables the rule if that file contains 0 (the default). If
'!' is supplied, the test is inverted such that the rule is enabled
if the file contains 0. The <replaceable>switch-name</replaceable>
must begin with a letter and be composed of letters, decimal digits,
underscores or hyphens. Switch names must be 30 characters or less
in length.</para>
<para>Switches are normally <emphasis role="bold">off</emphasis>. To
turn a switch <emphasis role="bold">on</emphasis>:</para>
<simplelist>
<member><command>echo 1 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>To turn it <emphasis role="bold">off</emphasis> again:</para>
<simplelist>
<member><command>echo 0 &gt;
/proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
</simplelist>
<para>Switch settings are retained over <command>shorewall6
restart</command>.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</refsect1> </refsect1>