diff --git a/New/Shorewall/Chains.pm b/New/Shorewall/Chains.pm index bb35e726d..e91284f3e 100644 --- a/New/Shorewall/Chains.pm +++ b/New/Shorewall/Chains.pm @@ -738,7 +738,6 @@ sub do_test ( $$ ) "${invert}$match $testval "; } - # # Create a "-m limit" match for the passed LIMIT/BURST # @@ -882,6 +881,7 @@ sub match_orig_dest ( $ ) { my $net = $_[0]; return '' if $net eq ALLIPv4; + return '' unless $capabilities{CONNTRACK_MATCH}; if ( $net =~ /^!/ ) { $net =~ s/!//; @@ -1207,7 +1207,7 @@ sub expand_rule( $$$$$$$$$$ ) } if ( $origdest ) { - if ( $origdest eq '-' ) { + if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) { $origdest = ''; } elsif ( $origdest =~ /^detect:(.*)$/ ) { # diff --git a/New/Shorewall/Config.pm b/New/Shorewall/Config.pm index 70f603991..241b4454f 100644 --- a/New/Shorewall/Config.pm +++ b/New/Shorewall/Config.pm @@ -28,7 +28,19 @@ use warnings; use Shorewall::Common; our @ISA = qw(Exporter); -our @EXPORT = qw(find_file expand_shell_variables get_configuration report_capabilities propagateconfig append_file run_user_exit generate_aux_config %config %env %capabilities ); +our @EXPORT = qw(find_file + expand_shell_variables + get_configuration + require_capability + report_capabilities + propagateconfig + append_file + run_user_exit + generate_aux_config + + %config + %env + %capabilities ); our @EXPORT_OK = (); our @VERSION = 1.00; @@ -251,6 +263,13 @@ sub report_capabilities() { } } +sub require_capability( $$ ) { + my ( $capability, $description ) = @_; + + fatal_error "$description requires $capdesc{$capability} in your kernel and iptables" + unless $capabilities{$capability}; +} + # # Some files can have shell variables embedded. This function expands them from %ENV. # diff --git a/New/Shorewall/Rules.pm b/New/Shorewall/Rules.pm index 733e4d501..dc63ab4d4 100644 --- a/New/Shorewall/Rules.pm +++ b/New/Shorewall/Rules.pm 
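Review bot: The added `return '' unless $capabilities{CONNTRACK_MATCH};` in match_orig_dest fails open: when the conntrack match is missing, a rule that names an ORIGINAL DEST is emitted with no original-destination restriction at all, so it matches more traffic than the configuration says rather than less. The parse-time check added to process_rule1 appears to reject the non-NAT case before this is reached, but nothing in this function records that the caller is responsible for that, and a future caller could easily rely on the silent empty string. I would put a comment above the new line: `# Caller must have verified CONNTRACK_MATCH (see process_rule1): without it the ORIGINAL DEST restriction is dropped, not approximated.` The same silent drop is made in expand_rule's `|| ! $capabilities{CONNTRACK_MATCH}` and deserves the same comment; match_orig_dest continues past the end of this hunk.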
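Review bot: require_capability interpolates `$capdesc{$capability}` unguarded, so a caller passing a capability key that has no entry in %capdesc produces the message "X requires  in your kernel and iptables" plus an uninitialized-value warning, and the operator is left guessing which capability is missing. The callers added in this commit pass six distinct keys and I cannot see %capdesc to confirm each has a description. I would fall back to the key itself: `my $desc = $capdesc{$capability} || $capability;` and interpolate `$desc` in the fatal_error string, and add a one-line header comment such as `# Abort with a descriptive message unless the named capability was detected; $description names the feature that needs it.`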
@@ -988,7 +988,9 @@ sub process_rule1 ( $$$$$$$$$ ) { } } - unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) { + if ( $origdest && $origdest ne '-' ) { + require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE; + } elsif ( $origdest ne 'detect' ) { if ( $config{DETECT_DNAT_IPADDRS} ) { my $interfacesref = $zones{$sourcezone}{interfaces}; my @interfaces = keys %$interfacesref; diff --git a/New/compiler.pl b/New/compiler.pl index a7721658c..dc4246b16 100755 --- a/New/compiler.pl +++ b/New/compiler.pl @@ -179,7 +179,7 @@ sub compile_stop_firewall() { emit <<'EOF'; # -# Stop/restore the firewall after an error or because of a \'stop\' or \'clear\' command +# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command # stop_firewall() { @@ -544,6 +544,7 @@ sub generate_script_2 () { # Generate the end of 'setup_routing_and_traffic_shaping()': # Generate code for loading the various files in /var/lib/shorewall[-lite] # Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES +# # Generate the 'setup_netfilter()' function that runs iptables-restore. # Generate the 'define_firewall()' function. # @@ -575,7 +576,9 @@ sub generate_script_3() { emit "#\n# Start/Restart the Firewall\n#"; emit 'define_firewall() {'; push_indent; - emit 'setup_routing_and_traffic_shaping; + + emit<<'EOF'; +setup_routing_and_traffic_shaping; if [ $COMMAND = restore ]; then iptables_save_file=${VARDIR}/$(basename $0)-iptables @@ -611,7 +614,8 @@ case $COMMAND in restore) logger -p kern.info "$PRODUCT restored" ;; -esac'; +esac +EOF pop_indent; 
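Review bot: The new `elsif ( $origdest ne 'detect' )` can only be reached when `$origdest` is false or `'-'`, so the comparison is always true, and an explicit ORIGINAL DEST of `detect` now takes the first branch (`require_capability` unless NATRULE) instead of the DETECT_DNAT_IPADDRS block it entered before this change. If that is intended, the `ne 'detect'` test should be removed (it also warns on an undefined `$origdest` under `use warnings`); if not, the first condition needs `&& $origdest ne 'detect'` so the detect path is kept. I cannot tell which is meant from here, since process_rule1 starts before the hunk and the DETECT_DNAT_IPADDRS block continues past its end.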
@@ -632,21 +636,11 @@ sub compiler( $ ) { report_capabilities if $ENV{VERBOSE} > 1; - fatal_error join( '', 'Shorewall-perl ', $env{VERSION}, ' requires Conntrack Match Support' ) - unless $capabilities{CONNTRACK_MATCH}; - fatal_error join ( '', 'Shorewall-perl ', $env{VERSION}, ' requires Multi-port Match Support' ) - unless $capabilities{MULTIPORT}; - fatal_error join( '', 'Shorewall-perl ', $env{VERSION}, ' requires Address Type Match Support' ) - unless $capabilities{ADDRTYPE}; - fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables' - if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH}; - fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match' - if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH}; - fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support' - if $config{HIGH_ROUTE_MARKS} && ! $capabilities{XCONNMARK}; - if ( $config{MANGLE_ENABLED} ) { - fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED}; - } + require_capability( 'MULTIPORT' , "Shorewall-perl $env{VERSION}" ); + require_capability( 'ADDRTYPE' , "Shorewall-perl $env{VERSION}" ); + require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' ) if $config{MACLIST_TTL}; + require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS}; + require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' ) if $config{TC_ENABLED}; ( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile; diff --git a/New/releasenotes.txt b/New/releasenotes.txt index 844e6fbfb..7e88cdcdb 100644 --- a/New/releasenotes.txt +++ b/New/releasenotes.txt @@ -47,7 +47,6 @@ a) The Perl-based compiler requires the following capabilities in your kernel and iptables. - addrtype match (may be relaxed later) - - conntrack match (may be relaxed later) - multiport match (will not be relaxed) These capabilities are in current distributions.
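Review bot: Two of the removed checks have no replacement in the new block: the `RFC1918_STRICT=Yes requires Connection Tracking match` check is gone entirely, and the mangle check now keys on `$config{TC_ENABLED}` rather than `$config{MANGLE_ENABLED}`, so a configuration with MANGLE_ENABLED set but TC_ENABLED unset no longer fails early when mangle support is absent. Relaxing the global CONNTRACK_MATCH requirement is the point of the commit, but nothing in this diff shows the RFC1918 code degrading gracefully the way match_orig_dest now does, so unless that check moved elsewhere I would keep `require_capability( 'CONNTRACK_MATCH', 'RFC1918_STRICT=Yes' ) if $config{RFC1918_STRICT};` alongside the others. If the TC_ENABLED switch is deliberate it should be called out in the commit message, since it changes which configurations are rejected. compiler's body continues outside the hunk.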