Add support for new ipset match syntax
This commit is contained in:
parent
2774ee1bd6
commit
364ad41cf5
@ -2484,7 +2484,7 @@ sub get_set_flags( $$ ) {
|
||||
|
||||
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;
|
||||
|
||||
"--set $setname $options "
|
||||
have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options";
|
||||
}
|
||||
|
||||
#
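Review bot: The two branches of the new ternary on the `have_capability` line return strings with different trailing whitespace — `"--set $setname $options "` keeps the trailing space the original return had, while `"--match-set $setname $options"` drops it — so a caller that appends further match text to this result would get it glued onto `$options` in the new-syntax case; unless the trailing space was never relied on, make both literals end the same way. The `fatal_error` check just above only validates the start of the name: `/^[a-zA-Z]\w*/` accepts any value whose leading characters look like an identifier, and that value is then interpolated into the generated iptables command line, so anchoring it (`/^[a-zA-Z]\w*\z/`, widening the character class if hyphenated set names must stay accepted) makes the check actually bound what reaches the command. get_set_flags begins before this hunk.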
|
||||
|
@ -218,6 +218,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
RECENT_MATCH => 'Recent Match',
|
||||
OWNER_MATCH => 'Owner Match',
|
||||
IPSET_MATCH => 'Ipset Match',
|
||||
OLD_IPSET_MATCH => 'Old Ipset Match',
|
||||
CONNMARK => 'CONNMARK Target',
|
||||
XCONNMARK => 'Extended CONNMARK Target',
|
||||
CONNMARK_MATCH => 'Connmark Match',
|
||||
@ -641,6 +642,7 @@ sub initialize( $ ) {
|
||||
RECENT_MATCH => undef,
|
||||
OWNER_MATCH => undef,
|
||||
IPSET_MATCH => undef,
|
||||
OLD_IPSET_MATCH => undef,
|
||||
CONNMARK => undef,
|
||||
XCONNMARK => undef,
|
||||
CONNMARK_MATCH => undef,
|
||||
@ -2372,7 +2374,7 @@ sub Raw_Table() {
|
||||
qt1( "$iptables -t raw -L -n" );
|
||||
}
|
||||
|
||||
sub IPSet_Match() {
|
||||
sub Old_IPSet_Match() {
|
||||
my $ipset = $config{IPSET} || 'ipset';
|
||||
my $result = 0;
|
||||
|
||||
@ -2384,7 +2386,31 @@ sub IPSet_Match() {
|
||||
if ( qt( "$ipset -N $sillyname iphash" ) ) {
|
||||
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
|
||||
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
|
||||
$result = 1;
|
||||
$result = $capabilities{IPSET_MATCH} = 1;
|
||||
}
|
||||
|
||||
qt( "$ipset -X $sillyname" );
|
||||
}
|
||||
}
|
||||
|
||||
$result;
|
||||
}
|
||||
|
||||
sub IPSet_Match() {
|
||||
my $ipset = $config{IPSET} || 'ipset';
|
||||
my $result = 0;
|
||||
|
||||
$ipset = which $ipset unless $ipset =~ '/';
|
||||
|
||||
if ( $ipset && -x $ipset ) {
|
||||
qt( "$ipset -X $sillyname" );
|
||||
|
||||
if ( qt( "$ipset -N $sillyname iphash" ) ) {
|
||||
if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
|
||||
qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
|
||||
$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
|
||||
} else {
|
||||
have_capability 'OLD_IPSET_MATCH';
|
||||
}
|
||||
|
||||
qt( "$ipset -X $sillyname" );
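Review bot: In the `else` branch of the new `IPSet_Match`, `have_capability 'OLD_IPSET_MATCH';` is called in void context and its value is discarded, so `$result` stays 0 when only the old `--set` syntax works; if the caller records this sub's return value as IPSET_MATCH (the `IPSET_MATCH => \&IPSet_Match` entry in `%detect_capability` suggests it does), that 0 overwrites the 1 that `Old_IPSet_Match` stores into `$capabilities{IPSET_MATCH}` as a side effect. `$result = have_capability 'OLD_IPSET_MATCH';` keeps the detection result. The success path `$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );` relies on negating an assignment's value and reads as a puzzle; `$capabilities{OLD_IPSET_MATCH} = 0; $result = 1;` says the same thing plainly. Old_IPSet_Match begins in the previous hunk and the closing lines of IPSet_Match lie outside this one; the two subs differ only in the `--set`/`--match-set` keyword, so a shared helper taking that keyword would remove the duplicated probe sequence.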
|
||||
@ -2465,6 +2491,7 @@ our %detect_capability =
|
||||
IPP2P_MATCH => \&Ipp2p_Match,
|
||||
IPRANGE_MATCH => \&IPRange_Match,
|
||||
IPSET_MATCH => \&IPSet_Match,
|
||||
OLD_IPSET_MATCH => \&Old_IPSet_Match,
|
||||
KLUDGEFREE => \&Kludgefree,
|
||||
LENGTH_MATCH => \&Length_Match,
|
||||
LOGMARK_TARGET => \&Logmark_Target,
|
||||
|
@ -18,6 +18,8 @@ Changes in Shorewall 4.4.12
|
||||
|
||||
9) Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
|
||||
|
||||
10) Support new set match syntax.
|
||||
|
||||
Changes in Shorewall 4.4.11
|
||||
|
||||
1) Apply patch from Gabriel.
|
||||
|
@ -29,7 +29,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40407
|
||||
SHOREWALL_CAPVERSION=40411
|
||||
SHOREWALL_CAPVERSION=40412
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||
|
@ -1511,6 +1511,7 @@ determine_capabilities() {
|
||||
RECENT_MATCH=
|
||||
OWNER_MATCH=
|
||||
IPSET_MATCH=
|
||||
OLD_IPSET_MATCH=
|
||||
CONNMARK=
|
||||
XCONNMARK=
|
||||
CONNMARK_MATCH=
|
||||
@ -1653,9 +1654,13 @@ determine_capabilities() {
|
||||
qt ipset -X $chain # Just in case something went wrong the last time
|
||||
|
||||
if qt ipset -N $chain iphash ; then
|
||||
if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
|
||||
if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
|
||||
qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
|
||||
IPSET_MATCH=Yes
|
||||
elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
|
||||
qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
|
||||
IPSET_MATCH=Yes
|
||||
OLD_IPSET_MATCH=Yes
|
||||
fi
|
||||
qt ipset -X $chain
|
||||
fi
|
||||
@ -1720,7 +1725,10 @@ report_capabilities() {
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
report_capability "Ipset Match" $IPSET_MATCH
|
||||
if [ -n "$IPSET_MATCH" ]; then
|
||||
report_capability "Ipset Match" $IPSET_MATCH
|
||||
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
|
||||
fi
|
||||
report_capability "CONNMARK Target" $CONNMARK
|
||||
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
|
||||
report_capability "Connmark Match" $CONNMARK_MATCH
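Review bot: Wrapping `report_capability "Ipset Match" $IPSET_MATCH` in `if [ -n "$IPSET_MATCH" ]` changes the report when ipset match is absent: every other capability in this function is reported unconditionally, so if `report_capability` prints a not-available line for an empty value, the ipset line now disappears instead of saying so. The pattern used two lines below for CONNMARK/XCONNMARK keeps the parent unconditional and guards only the dependent entry: `report_capability "Ipset Match" $IPSET_MATCH` followed by `[ -n "$IPSET_MATCH" ] && report_capability "Old Ipset Match" $OLD_IPSET_MATCH`. That also aligns the label: the shell prints `OLD_Ipset Match` while the Perl `%capdesc` entry added in this commit reads `Old Ipset Match`, so the two reporters disagree on the human-readable name. The same change appears in the shorewall6 `@ -1414,7 +1415,10 @@ report_capabilities()` hunk later in this commit. report_capabilities begins before this hunk.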
|
||||
@ -1784,6 +1792,7 @@ report_capabilities1() {
|
||||
report_capability1 RECENT_MATCH
|
||||
report_capability1 OWNER_MATCH
|
||||
report_capability1 IPSET_MATCH
|
||||
report_capability1 OLD_IPSET_MATCH
|
||||
report_capability1 CONNMARK
|
||||
report_capability1 XCONNMARK
|
||||
report_capability1 CONNMARK_MATCH
|
||||
|
@ -300,6 +300,12 @@ None.
|
||||
4) 'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6
|
||||
compilations.
|
||||
|
||||
5) Shorewall now detects the presence of a recent ipset iptables
|
||||
module and uses its new syntax. This avoids a warning on iptables
|
||||
1.4.9. This change involves a new capabilities file version so if
|
||||
you use a capabilities file, be sure to regenerate it with 4.4.12
|
||||
shorewall-lite or shorewall6-lite.
|
||||
|
||||
----------------------------------------------------------------------------
|
||||
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
|
||||
I N P R I O R R E L E A S E S
|
||||
|
@ -33,7 +33,7 @@
|
||||
#
|
||||
|
||||
SHOREWALL_LIBVERSION=40407
|
||||
SHOREWALL_CAPVERSION=40411
|
||||
SHOREWALL_CAPVERSION=40412
|
||||
|
||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||
|
@ -1200,6 +1200,7 @@ determine_capabilities() {
|
||||
RECENT_MATCH=
|
||||
OWNER_MATCH=
|
||||
IPSET_MATCH=
|
||||
OLD_IPSET_MATCH=
|
||||
CONNMARK=
|
||||
XCONNMARK=
|
||||
CONNMARK_MATCH=
|
||||
@ -1414,7 +1415,10 @@ report_capabilities() {
|
||||
report_capability "IP range Match" $IPRANGE_MATCH
|
||||
report_capability "Recent Match" $RECENT_MATCH
|
||||
report_capability "Owner Match" $OWNER_MATCH
|
||||
report_capability "Ipset Match" $IPSET_MATCH
|
||||
if [ -n "$IPSET_MATCH" ]; then
|
||||
report_capability "Ipset Match" $IPSET_MATCH
|
||||
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
|
||||
fi
|
||||
report_capability "CONNMARK Target" $CONNMARK
|
||||
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
|
||||
report_capability "Connmark Match" $CONNMARK_MATCH
|
||||
@ -1475,6 +1479,7 @@ report_capabilities1() {
|
||||
report_capability1 RECENT_MATCH
|
||||
report_capability1 OWNER_MATCH
|
||||
report_capability1 IPSET_MATCH
|
||||
report_capability1 OLD_IPSET_MATCH
|
||||
report_capability1 CONNMARK
|
||||
report_capability1 XCONNMARK
|
||||
report_capability1 CONNMARK_MATCH
|
||||
|