Drop hard requirement for CONNTRACK_MATCH
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5735 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
ba2dcd6d45
commit
50195b17ce
@ -738,7 +738,6 @@ sub do_test ( $$ )
|
|||||||
"${invert}$match $testval ";
|
"${invert}$match $testval ";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Create a "-m limit" match for the passed LIMIT/BURST
|
# Create a "-m limit" match for the passed LIMIT/BURST
|
||||||
#
|
#
|
||||||
@ -882,6 +881,7 @@ sub match_orig_dest ( $ ) {
|
|||||||
my $net = $_[0];
|
my $net = $_[0];
|
||||||
|
|
||||||
return '' if $net eq ALLIPv4;
|
return '' if $net eq ALLIPv4;
|
||||||
|
return '' unless $capabilities{CONNTRACK_MATCH};
|
||||||
|
|
||||||
if ( $net =~ /^!/ ) {
|
if ( $net =~ /^!/ ) {
|
||||||
$net =~ s/!//;
|
$net =~ s/!//;
|
||||||
@ -1207,7 +1207,7 @@ sub expand_rule( $$$$$$$$$$ )
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $origdest ) {
|
if ( $origdest ) {
|
||||||
if ( $origdest eq '-' ) {
|
if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {
|
||||||
$origdest = '';
|
$origdest = '';
|
||||||
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
|
} elsif ( $origdest =~ /^detect:(.*)$/ ) {
|
||||||
#
|
#
|
||||||
|
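Review bot: In the match_orig_dest hunk the new `return '' unless $capabilities{CONNTRACK_MATCH};` silently turns an ORIGINAL DEST restriction into no restriction at all, so the generated rule matches more traffic than the configuration asked for; the expand_rule hunk does the same by clearing `$origdest` in `if ( $origdest eq '-' || ! $capabilities{CONNTRACK_MATCH} ) {`. The process_rule1 hunk later in this commit makes the missing capability fatal for non-NAT rules, but its `unless $actiontype & NATRULE` means the filter half of a DNAT rule still loses its original-destination test without any diagnostic, if I read the call sites correctly. Since the widening is deliberate per the commit title, say so at both places, e.g. `# No conntrack match available: the original-destination test is dropped and the rule matches any original destination (process_rule1 has already rejected the non-NAT case).`, and consider emitting a warning through whatever non-fatal counterpart to fatal_error the Common module exports whenever a non-empty ORIGINAL DEST is discarded. Both enclosing subs continue outside their hunks.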
@ -28,7 +28,19 @@ use warnings;
|
|||||||
use Shorewall::Common;
|
use Shorewall::Common;
|
||||||
|
|
||||||
our @ISA = qw(Exporter);
|
our @ISA = qw(Exporter);
|
||||||
our @EXPORT = qw(find_file expand_shell_variables get_configuration report_capabilities propagateconfig append_file run_user_exit generate_aux_config %config %env %capabilities );
|
our @EXPORT = qw(find_file
|
||||||
|
expand_shell_variables
|
||||||
|
get_configuration
|
||||||
|
require_capability
|
||||||
|
report_capabilities
|
||||||
|
propagateconfig
|
||||||
|
append_file
|
||||||
|
run_user_exit
|
||||||
|
generate_aux_config
|
||||||
|
|
||||||
|
%config
|
||||||
|
%env
|
||||||
|
%capabilities );
|
||||||
our @EXPORT_OK = ();
|
our @EXPORT_OK = ();
|
||||||
our @VERSION = 1.00;
|
our @VERSION = 1.00;
|
||||||
|
|
||||||
@ -251,6 +263,13 @@ sub report_capabilities() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub require_capability( $$ ) {
|
||||||
|
my ( $capability, $description ) = @_;
|
||||||
|
|
||||||
|
fatal_error "$description requires $capdesc{$capability} in your kernel and iptables"
|
||||||
|
unless $capabilities{$capability};
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Some files can have shell variables embedded. This function expands them from %ENV.
|
# Some files can have shell variables embedded. This function expands them from %ENV.
|
||||||
#
|
#
|
||||||
|
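Review bot: `require_capability` interpolates `$capdesc{$capability}` without checking that the key exists, so a capability name with no %capdesc entry (a typo at a call site, or a capability added before its description) produces `... requires  in your kernel and iptables` plus an uninitialized-value warning under `use warnings`, hiding the real problem. Fall back to the raw key: `my $desc = defined $capdesc{$capability} ? $capdesc{$capability} : $capability;` followed by `fatal_error "$description requires $desc in your kernel and iptables" unless $capabilities{$capability};`. The sub also lacks the `#` header block this file puts before its other subs; something like `# Abort compilation unless the named capability was detected; $description names the feature that needs it.` would match the surrounding style.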
@ -988,7 +988,9 @@ sub process_rule1 ( $$$$$$$$$ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
|
if ( $origdest && $origdest ne '-' ) {
|
||||||
|
require_capability( 'CONNTRACK_MATCH', 'ORIGINAL DEST in non-NAT rule' ) unless $actiontype & NATRULE;
|
||||||
|
} elsif ( $origdest ne 'detect' ) {
|
||||||
if ( $config{DETECT_DNAT_IPADDRS} ) {
|
if ( $config{DETECT_DNAT_IPADDRS} ) {
|
||||||
my $interfacesref = $zones{$sourcezone}{interfaces};
|
my $interfacesref = $zones{$sourcezone}{interfaces};
|
||||||
my @interfaces = keys %$interfacesref;
|
my @interfaces = keys %$interfacesref;
|
||||||
|
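Review bot: The new condition in process_rule1 changes how a literal `detect` in ORIGINAL DEST is handled: `detect` is true and not `-`, so it now takes the first branch (require_capability, then nothing) and never reaches the DETECT_DNAT_IPADDRS block that the old `unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' )` applied to it. That also leaves the `elsif ( $origdest ne 'detect' )` test unable to be false, since only an empty or `-` value reaches it (and an undef value will warn on the `ne`). If the old behaviour was intended, keep `detect` out of the first branch with `if ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {` and make the second branch a plain `} else {`. Whether later code in the sub copes with a raw `detect` value is outside the hunk, as is the rest of process_rule1.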
@ -179,7 +179,7 @@ sub compile_stop_firewall() {
|
|||||||
|
|
||||||
emit <<'EOF';
|
emit <<'EOF';
|
||||||
#
|
#
|
||||||
# Stop/restore the firewall after an error or because of a \'stop\' or \'clear\' command
|
# Stop/restore the firewall after an error or because of a 'stop' or 'clear' command
|
||||||
#
|
#
|
||||||
stop_firewall() {
|
stop_firewall() {
|
||||||
|
|
||||||
@ -544,6 +544,7 @@ sub generate_script_2 () {
|
|||||||
# Generate the end of 'setup_routing_and_traffic_shaping()':
|
# Generate the end of 'setup_routing_and_traffic_shaping()':
|
||||||
# Generate code for loading the various files in /var/lib/shorewall[-lite]
|
# Generate code for loading the various files in /var/lib/shorewall[-lite]
|
||||||
# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
|
# Generate code to add IP addresses under ADD_IP_ALIASES and ADD_SNAT_ALIASES
|
||||||
|
#
|
||||||
# Generate the 'setup_netfilter()' function that runs iptables-restore.
|
# Generate the 'setup_netfilter()' function that runs iptables-restore.
|
||||||
# Generate the 'define_firewall()' function.
|
# Generate the 'define_firewall()' function.
|
||||||
#
|
#
|
||||||
@ -575,7 +576,9 @@ sub generate_script_3() {
|
|||||||
emit "#\n# Start/Restart the Firewall\n#";
|
emit "#\n# Start/Restart the Firewall\n#";
|
||||||
emit 'define_firewall() {';
|
emit 'define_firewall() {';
|
||||||
push_indent;
|
push_indent;
|
||||||
emit 'setup_routing_and_traffic_shaping;
|
|
||||||
|
emit<<'EOF';
|
||||||
|
setup_routing_and_traffic_shaping;
|
||||||
|
|
||||||
if [ $COMMAND = restore ]; then
|
if [ $COMMAND = restore ]; then
|
||||||
iptables_save_file=${VARDIR}/$(basename $0)-iptables
|
iptables_save_file=${VARDIR}/$(basename $0)-iptables
|
||||||
@ -611,7 +614,8 @@ case $COMMAND in
|
|||||||
restore)
|
restore)
|
||||||
logger -p kern.info "$PRODUCT restored"
|
logger -p kern.info "$PRODUCT restored"
|
||||||
;;
|
;;
|
||||||
esac';
|
esac
|
||||||
|
EOF
|
||||||
|
|
||||||
pop_indent;
|
pop_indent;
|
||||||
|
|
||||||
@ -632,21 +636,11 @@ sub compiler( $ ) {
|
|||||||
|
|
||||||
report_capabilities if $ENV{VERBOSE} > 1;
|
report_capabilities if $ENV{VERBOSE} > 1;
|
||||||
|
|
||||||
fatal_error join( '', 'Shorewall-perl ', $env{VERSION}, ' requires Conntrack Match Support' )
|
require_capability( 'MULTIPORT' , "Shorewall-perl $env{VERSION}" );
|
||||||
unless $capabilities{CONNTRACK_MATCH};
|
require_capability( 'ADDRTYPE' , "Shorewall-perl $env{VERSION}" );
|
||||||
fatal_error join ( '', 'Shorewall-perl ', $env{VERSION}, ' requires Multi-port Match Support' )
|
require_capability( 'RECENT_MATCH' , 'MACLIST_TTL' ) if $config{MACLIST_TTL};
|
||||||
unless $capabilities{MULTIPORT};
|
require_capability( 'XCONNMARK' , 'HIGH_ROUTE_MARKS=Yes' ) if $config{HIGH_ROUTE_MARKS};
|
||||||
fatal_error join( '', 'Shorewall-perl ', $env{VERSION}, ' requires Address Type Match Support' )
|
require_capability( 'MANGLE_ENABLED' , 'Traffic Shaping' ) if $config{TC_ENABLED};
|
||||||
unless $capabilities{ADDRTYPE};
|
|
||||||
fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
|
|
||||||
if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
|
|
||||||
fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
|
|
||||||
if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};
|
|
||||||
fatal_error 'HIGH_ROUTE_MARKS=Yes requires extended MARK support'
|
|
||||||
if $config{HIGH_ROUTE_MARKS} && ! $capabilities{XCONNMARK};
|
|
||||||
if ( $config{MANGLE_ENABLED} ) {
|
|
||||||
fatal_error 'Traffic Shaping requires mangle support in your kernel and iptables' unless $capabilities{MANGLE_ENABLED};
|
|
||||||
}
|
|
||||||
|
|
||||||
( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
|
( $command, $doing, $done ) = qw/ check Checking Checked / unless $objectfile;
|
||||||
|
|
||||||
|
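Review bot: In the compiler( $ ) hunk the old `fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match' if $config{RFC1918_STRICT} && ! $capabilities{CONNTRACK_MATCH};` has no replacement among the new require_capability calls, so RFC1918_STRICT=Yes is now accepted on a system that cannot build the conntrack match it depends on, unless that check moved somewhere not shown here. Dropping the global requirement does not remove this specific one; add `require_capability( 'CONNTRACK_MATCH' , 'RFC1918_STRICT=Yes' ) if $config{RFC1918_STRICT};` next to the other per-option checks. Separately, the mangle check is now gated on `$config{TC_ENABLED}` where the old block was gated on `$config{MANGLE_ENABLED}`; if MANGLE_ENABLED=Yes alone still emits mangle-table rules, that configuration is no longer checked. Minor: `emit<<'EOF';` in the generate_script_3 hunk is written `emit <<'EOF';` elsewhere in this file. The sub continues outside the hunk.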
@ -47,7 +47,6 @@ a) The Perl-based compiler requires the following capabilities in your
|
|||||||
kernel and iptables.
|
kernel and iptables.
|
||||||
|
|
||||||
- addrtype match (may be relaxed later)
|
- addrtype match (may be relaxed later)
|
||||||
- conntrack match (may be relaxed later)
|
|
||||||
- multiport match (will not be relaxed)
|
- multiport match (will not be relaxed)
|
||||||
|
|
||||||
These capabilities are in current distributions.
|
These capabilities are in current distributions.
|
||||||
|