Add support for new ipset match syntax

This commit is contained in:
Tom Eastep 2010-08-03 21:06:17 -07:00
parent 2774ee1bd6
commit 364ad41cf5
8 changed files with 57 additions and 8 deletions

View File

@ -2484,7 +2484,7 @@ sub get_set_flags( $$ ) {
fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/; fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;
"--set $setname $options " have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options";
} }
# #

View File

@ -218,6 +218,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
RECENT_MATCH => 'Recent Match', RECENT_MATCH => 'Recent Match',
OWNER_MATCH => 'Owner Match', OWNER_MATCH => 'Owner Match',
IPSET_MATCH => 'Ipset Match', IPSET_MATCH => 'Ipset Match',
OLD_IPSET_MATCH => 'Old Ipset Match',
CONNMARK => 'CONNMARK Target', CONNMARK => 'CONNMARK Target',
XCONNMARK => 'Extended CONNMARK Target', XCONNMARK => 'Extended CONNMARK Target',
CONNMARK_MATCH => 'Connmark Match', CONNMARK_MATCH => 'Connmark Match',
@ -641,6 +642,7 @@ sub initialize( $ ) {
RECENT_MATCH => undef, RECENT_MATCH => undef,
OWNER_MATCH => undef, OWNER_MATCH => undef,
IPSET_MATCH => undef, IPSET_MATCH => undef,
OLD_IPSET_MATCH => undef,
CONNMARK => undef, CONNMARK => undef,
XCONNMARK => undef, XCONNMARK => undef,
CONNMARK_MATCH => undef, CONNMARK_MATCH => undef,
@ -2372,7 +2374,7 @@ sub Raw_Table() {
qt1( "$iptables -t raw -L -n" ); qt1( "$iptables -t raw -L -n" );
} }
sub IPSet_Match() { sub Old_IPSet_Match() {
my $ipset = $config{IPSET} || 'ipset'; my $ipset = $config{IPSET} || 'ipset';
my $result = 0; my $result = 0;
@ -2384,7 +2386,31 @@ sub IPSet_Match() {
if ( qt( "$ipset -N $sillyname iphash" ) ) { if ( qt( "$ipset -N $sillyname iphash" ) ) {
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) { if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" ); qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
$result = 1; $result = $capabilities{IPSET_MATCH} = 1;
}
qt( "$ipset -X $sillyname" );
}
}
$result;
}
sub IPSet_Match() {
my $ipset = $config{IPSET} || 'ipset';
my $result = 0;
$ipset = which $ipset unless $ipset =~ '/';
if ( $ipset && -x $ipset ) {
qt( "$ipset -X $sillyname" );
if ( qt( "$ipset -N $sillyname iphash" ) ) {
if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
} else {
have_capability 'OLD_IPSET_MATCH';
} }
qt( "$ipset -X $sillyname" ); qt( "$ipset -X $sillyname" );
@ -2465,6 +2491,7 @@ our %detect_capability =
IPP2P_MATCH => \&Ipp2p_Match, IPP2P_MATCH => \&Ipp2p_Match,
IPRANGE_MATCH => \&IPRange_Match, IPRANGE_MATCH => \&IPRange_Match,
IPSET_MATCH => \&IPSet_Match, IPSET_MATCH => \&IPSet_Match,
OLD_IPSET_MATCH => \&Old_IPSet_Match,
KLUDGEFREE => \&Kludgefree, KLUDGEFREE => \&Kludgefree,
LENGTH_MATCH => \&Length_Match, LENGTH_MATCH => \&Length_Match,
LOGMARK_TARGET => \&Logmark_Target, LOGMARK_TARGET => \&Logmark_Target,

View File

@ -18,6 +18,8 @@ Changes in Shorewall 4.4.12
9) Make ICMP a synonym for IPV6-ICMP in ipv6 configs. 9) Make ICMP a synonym for IPV6-ICMP in ipv6 configs.
10) Support new set match syntax.
Changes in Shorewall 4.4.11 Changes in Shorewall 4.4.11
1) Apply patch from Gabriel. 1) Apply patch from Gabriel.

View File

@ -29,7 +29,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40411 SHOREWALL_CAPVERSION=40412
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]

View File

@ -1511,6 +1511,7 @@ determine_capabilities() {
RECENT_MATCH= RECENT_MATCH=
OWNER_MATCH= OWNER_MATCH=
IPSET_MATCH= IPSET_MATCH=
OLD_IPSET_MATCH=
CONNMARK= CONNMARK=
XCONNMARK= XCONNMARK=
CONNMARK_MATCH= CONNMARK_MATCH=
@ -1653,9 +1654,13 @@ determine_capabilities() {
qt ipset -X $chain # Just in case something went wrong the last time qt ipset -X $chain # Just in case something went wrong the last time
if qt ipset -N $chain iphash ; then if qt ipset -N $chain iphash ; then
if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then if qt $IPTABLES -A $chain -m set --match-set $chain src -j ACCEPT; then
qt $IPTABLES -D $chain -m set --match-set $chain src -j ACCEPT
IPSET_MATCH=Yes
elif qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
IPSET_MATCH=Yes IPSET_MATCH=Yes
OLD_IPSET_MATCH=Yes
fi fi
qt ipset -X $chain qt ipset -X $chain
fi fi
@ -1720,7 +1725,10 @@ report_capabilities() {
report_capability "IP range Match" $IPRANGE_MATCH report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH if [ -n "$IPSET_MATCH" ]; then
report_capability "Ipset Match" $IPSET_MATCH
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
fi
report_capability "CONNMARK Target" $CONNMARK report_capability "CONNMARK Target" $CONNMARK
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH report_capability "Connmark Match" $CONNMARK_MATCH
@ -1784,6 +1792,7 @@ report_capabilities1() {
report_capability1 RECENT_MATCH report_capability1 RECENT_MATCH
report_capability1 OWNER_MATCH report_capability1 OWNER_MATCH
report_capability1 IPSET_MATCH report_capability1 IPSET_MATCH
report_capability1 OLD_IPSET_MATCH
report_capability1 CONNMARK report_capability1 CONNMARK
report_capability1 XCONNMARK report_capability1 XCONNMARK
report_capability1 CONNMARK_MATCH report_capability1 CONNMARK_MATCH

View File

@ -300,6 +300,12 @@ None.
4) 'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6 4) 'icmp' is now accepted as a synonym for 'ipv6-icmp' in IPv6
compilations. compilations.
5) Shorewall now detects the presence of a recent ipset iptables
module and uses its new syntax. This avoids a warning on iptables
1.4.9. This change involves a new capabilities file version so if
you use a capabilities file, be sure to regenerate it with 4.4.12
shorewall-lite or shorewall6-lite.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S V I. P R O B L E M S C O R R E C T E D A N D N E W F E A T U R E S
I N P R I O R R E L E A S E S I N P R I O R R E L E A S E S

View File

@ -33,7 +33,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40411 SHOREWALL_CAPVERSION=40412
[ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]

View File

@ -1200,6 +1200,7 @@ determine_capabilities() {
RECENT_MATCH= RECENT_MATCH=
OWNER_MATCH= OWNER_MATCH=
IPSET_MATCH= IPSET_MATCH=
OLD_IPSET_MATCH=
CONNMARK= CONNMARK=
XCONNMARK= XCONNMARK=
CONNMARK_MATCH= CONNMARK_MATCH=
@ -1414,7 +1415,10 @@ report_capabilities() {
report_capability "IP range Match" $IPRANGE_MATCH report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match" $RECENT_MATCH report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match" $OWNER_MATCH report_capability "Owner Match" $OWNER_MATCH
report_capability "Ipset Match" $IPSET_MATCH if [ -n "$IPSET_MATCH" ]; then
report_capability "Ipset Match" $IPSET_MATCH
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
fi
report_capability "CONNMARK Target" $CONNMARK report_capability "CONNMARK Target" $CONNMARK
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
report_capability "Connmark Match" $CONNMARK_MATCH report_capability "Connmark Match" $CONNMARK_MATCH
@ -1475,6 +1479,7 @@ report_capabilities1() {
report_capability1 RECENT_MATCH report_capability1 RECENT_MATCH
report_capability1 OWNER_MATCH report_capability1 OWNER_MATCH
report_capability1 IPSET_MATCH report_capability1 IPSET_MATCH
report_capability1 OLD_IPSET_MATCH
report_capability1 CONNMARK report_capability1 CONNMARK
report_capability1 XCONNMARK report_capability1 XCONNMARK
report_capability1 CONNMARK_MATCH report_capability1 CONNMARK_MATCH