Finish ipset initial implementation
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5656 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
6f40ceabf1
commit
5f5ece2a31
@ -416,31 +416,6 @@ sub first_chains( $ ) #$1 = interface
|
||||
[ $c . '_fwd', $c . '_in' ];
|
||||
}
|
||||
|
||||
#
|
||||
# Split a source or destination host list but keep [...] together.
|
||||
#
|
||||
sub mysplit( $ ) {
|
||||
my @input = split /,/, $_[0];
|
||||
my @result;
|
||||
|
||||
while ( @input ) {
|
||||
my $element = shift @input;
|
||||
|
||||
if ( $element =~ /\[/ ) {
|
||||
while ( ! ( $element =~ /\]/ ) ) {
|
||||
last unless @input;
|
||||
$element .= ( ',' . shift @input );
|
||||
}
|
||||
|
||||
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
|
||||
}
|
||||
|
||||
push @result, $element;
|
||||
}
|
||||
|
||||
@result;
|
||||
}
|
||||
|
||||
#
|
||||
# Create a new chain and return a reference to it.
|
||||
#
|
||||
@ -832,6 +807,29 @@ sub iprange_match() {
|
||||
$match;
|
||||
}
|
||||
|
||||
#
|
||||
# Get set flags (ipsets).
|
||||
#
|
||||
sub get_set_flags( $$ ) {
|
||||
my ( $setname, $option ) = @_;
|
||||
my $options = $option;
|
||||
|
||||
fatal_error "Your kernel and/or iptables does not include ipset match: $setname" unless $capabilities{IPSET_MATCH};
|
||||
|
||||
if ( $setname =~ /(.*)\[([1-6])\]$/ ) {
|
||||
$setname = $1;
|
||||
my $count = $2;
|
||||
$options .= ",$option" while --$count > 0;
|
||||
} elsif ( $setname =~ /(.+)\[(.*)\]$/ ) {
|
||||
$setname = $1;
|
||||
$options = $2;
|
||||
}
|
||||
|
||||
$setname =~ s/^\+//;
|
||||
|
||||
"--set $setname $options"
|
||||
}
|
||||
|
||||
#
|
||||
# Match a Source. Currently only handles IP addresses and ranges
|
||||
#
|
||||
@ -844,7 +842,9 @@ sub match_source_net( $ ) {
|
||||
iprange_match . "${invert}--src-range $net ";
|
||||
} elsif ( $net =~ /^(!?)~(.*)$/ ) {
|
||||
( $net = $2 ) =~ s/-/:/g;
|
||||
"-m mac --mac-source $1 $net "
|
||||
"-m mac --mac-source $1 $net ";
|
||||
} elsif ( $net =~ /^(!?)\+/ ) {
|
||||
'-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'src'
|
||||
} elsif ( $net =~ /^!/ ) {
|
||||
$net =~ s/!//;
|
||||
"-s ! $net ";
|
||||
@ -863,6 +863,8 @@ sub match_dest_net( $ ) {
|
||||
$net =~ s/!// if my $invert = $1 ? '! ' : '';
|
||||
|
||||
iprange_match . "${invert}--dst-range $net ";
|
||||
} elsif ( $net =~ /^(!?)\+/ ) {
|
||||
'-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'dst'
|
||||
} elsif ( $net =~ /^!/ ) {
|
||||
$net =~ s/!//;
|
||||
"-d ! $net ";
|
||||
@ -1159,7 +1161,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
$oexcl = '';
|
||||
}
|
||||
|
||||
if ( ! $onets ) {
|
||||
unless ( $onets ) {
|
||||
my @oexcl = mysplit $oexcl;
|
||||
if ( @oexcl == 1 ) {
|
||||
$rule .= "-m conntrack --ctorigdst ! $oexcl ";
|
||||
@ -1182,7 +1184,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
$iexcl = '';
|
||||
}
|
||||
|
||||
if ( ! $inets ) {
|
||||
unless ( $inets ) {
|
||||
my @iexcl = mysplit $iexcl;
|
||||
if ( @iexcl == 1 ) {
|
||||
$rule .= match_source_net "!$iexcl ";
|
||||
@ -1204,7 +1206,7 @@ sub expand_rule( $$$$$$$$$$ )
|
||||
$dexcl = '';
|
||||
}
|
||||
|
||||
if ( ! $dnets ) {
|
||||
unless ( $dnets ) {
|
||||
my @dexcl = mysplit $dexcl;
|
||||
if ( @dexcl == 1 ) {
|
||||
$rule .= match_dest_net "!$dexcl ";
|
||||
|
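Review bot: A negated set reference reaches get_set_flags with its leading `!` still attached, and the only prefix stripped is the `+` at `$setname =~ s/^\+//;`, so `!+name` taken through the new `-m set` branch of match_source_net (and the parallel branch in match_dest_net) would emit `--set !+name src` rather than `--set name src`. Changing that line to `$setname =~ s/^!?\+//;` drops both prefixes, and the caller already turns the `!` into the separate `! ` token it prepends. The `(.+)\[(.*)\]$` alternative also accepts any flag text and interpolates it unvalidated into `--set $setname $options`, so a typo such as `[srcc]` is only reported when iptables-restore runs; checking each comma-separated item against `src`/`dst` would surface it at compile time. The `\]$` anchors may also be defeated when expand_rule passes `"!$iexcl "` with its trailing space, which looks like it would fail the bracket parse for a set written with explicit flags. match_source_net and match_dest_net start outside their hunks.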
@ -34,6 +34,7 @@ our @EXPORT = qw(ALLIPv4
|
||||
|
||||
warning_message
|
||||
fatal_error
|
||||
mysplit
|
||||
create_temp_object
|
||||
finalize_object
|
||||
emit
|
||||
@ -97,6 +98,34 @@ sub fatal_error
|
||||
die;
|
||||
}
|
||||
|
||||
#
|
||||
# Split a comma-separated source or destination host list but keep [...] together.
|
||||
#
|
||||
sub mysplit( $ ) {
|
||||
my @input = split /,/, $_[0];
|
||||
|
||||
return @input unless $_[0] =~ /\[/;
|
||||
|
||||
my @result;
|
||||
|
||||
while ( @input ) {
|
||||
my $element = shift @input;
|
||||
|
||||
if ( $element =~ /\[/ ) {
|
||||
while ( ! ( $element =~ /\]/ ) ) {
|
||||
last unless @input;
|
||||
$element .= ( ',' . shift @input );
|
||||
}
|
||||
|
||||
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
|
||||
}
|
||||
|
||||
push @result, $element;
|
||||
}
|
||||
|
||||
@result;
|
||||
}
|
||||
|
||||
sub create_temp_object( $ ) {
|
||||
my $objectfile = $_[0];
|
||||
my $suffix;
|
||||
|
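Review bot: mysplit reads its argument through `$_[0]` three times (the split, the early return and the error message) instead of unpacking it once; `my $list = $_[0];` at the top, with `split /,/, $list` and `($list)` in the message, would match the unpacking style of create_temp_object directly below it. The header comment should also state the failure mode, e.g. `# Dies via fatal_error if a '[' is not closed by a ']' at the end of its element.`, and note that the early `return @input unless $_[0] =~ /\[/;` means lists without brackets are returned without any validation.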
@ -601,8 +601,8 @@ sub compile_firewall( $ ) {
|
||||
unless $capabilities{XMULTIPORT};
|
||||
fatal_error( 'Shorewall ' . VERSION . ' requires Address Type Match Support' )
|
||||
unless $capabilities{ADDRTYPE};
|
||||
fatal_error 'BRIDGING=Yes requires Physdev Match support in your Kernel and iptables'
|
||||
if $config{BRIDGING} && ! $capabilities{PHYSDEV_MATCH};
|
||||
fatal_error 'BRIDGING=Yes is not supported by the ' . VERSION . 'Perl-based compiler';
|
||||
if $config{BRIDGING};
|
||||
fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
|
||||
if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
|
||||
fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
|
||||
|
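Review bot: The new BRIDGING check ends its first line with a semicolon, `... 'Perl-based compiler';`, which leaves the following `if $config{BRIDGING};` as a bare statement and therefore a syntax error, if that semicolon is in the source rather than a rendering artifact. The message also concatenates VERSION directly onto `'Perl-based compiler'` with no separating space, so it would print as `3.9.0Perl-based compiler`. Both are fixed by `fatal_error 'BRIDGING=Yes is not supported by the ' . VERSION . ' Perl-based compiler'` followed by `if $config{BRIDGING};`. compile_firewall starts outside the hunk.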
@ -8,25 +8,36 @@ a) The compiler is small.
|
||||
b) The compiler is very fast.
|
||||
c) The compiler generates a firewall script that uses iptables-restore;
|
||||
so the script is very fast.
|
||||
d) Use of the perl compiler is optional! The old slow clunky
|
||||
Bourne-shell compiler is still there.
|
||||
|
||||
The bad news:
|
||||
|
||||
There are a number of incompatibilities between 3.9.0 and earlier
|
||||
versions.
|
||||
There are a number of incompatibilities between 3.9.0 using the
|
||||
Perl-based compiler and earlier versions.
|
||||
|
||||
a) This version requires the addrtype match capability in your kernel
|
||||
and iptables. This capability is in current distributions.
|
||||
a) This version requires the following capabilities in your kernel
|
||||
and iptables.
|
||||
|
||||
b) The BROADCAST column in the interfaces file is essentailly unused;
|
||||
- addrtype match
|
||||
- conntrack match
|
||||
- extended multiport match
|
||||
|
||||
These capabilities are in current distributions.
|
||||
|
||||
b) BRIDGING=Yes is not supported. The kernel code necessary to
|
||||
support this option was removed in Linux kernel 2.6.20.
|
||||
|
||||
c) The BROADCAST column in the interfaces file is essentailly unused;
|
||||
if you enter anything in this column but '-' or 'detect', you will
|
||||
receive a warning.
|
||||
|
||||
c) Because the compiler is now written in Perl, your compile-time
|
||||
d) Because the compiler is now written in Perl, your compile-time
|
||||
extension scripts for earlier version will no longer work.
|
||||
|
||||
d) The 'refresh' command is now synonamous with 'restart'.
|
||||
e) The 'refresh' command is now synonamous with 'restart'.
|
||||
|
||||
e) Some run-time extension scripts are no longer supported because they
|
||||
f) Some run-time extension scripts are no longer supported because they
|
||||
make no sense (iptables-restore instantiates the new configuration
|
||||
atomically).
|
||||
|
||||
@ -36,8 +47,8 @@ e) Some run-time extension scripts are no longer supported because they
|
||||
refresh
|
||||
refreshed
|
||||
|
||||
f) Currently, 3.9.0 has no support for ipsets. That will change with
|
||||
future releases but one thing is certain -- Shorewall is out of the
|
||||
g) Currently, support for ipsets is untested. That will change with
|
||||
future releases but one thing is certain -- Shorewall is now out of the
|
||||
ipset load/reload business. If the Netfilter ruleset is never cleared,
|
||||
then there is no opportunity for Shorewall to load/reload your
|
||||
ipsets.
|
||||
|