Finish ipset initial implementation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5656 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2007-03-24 15:59:17 +00:00
parent 6f40ceabf1
commit 5f5ece2a31
4 changed files with 83 additions and 41 deletions

View File

@ -416,31 +416,6 @@ sub first_chains( $ ) #$1 = interface
[ $c . '_fwd', $c . '_in' ];
}
#
# Split a source or destination host list but keep [...] together.
#
sub mysplit( $ ) {
my @input = split /,/, $_[0];
my @result;
while ( @input ) {
my $element = shift @input;
if ( $element =~ /\[/ ) {
while ( ! ( $element =~ /\]/ ) ) {
last unless @input;
$element .= ( ',' . shift @input );
}
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
}
push @result, $element;
}
@result;
}
#
# Create a new chain and return a reference to it.
#
@ -832,6 +807,29 @@ sub iprange_match() {
$match;
}
#
# Get set flags (ipsets).
#
sub get_set_flags( $$ ) {
my ( $setname, $option ) = @_;
my $options = $option;
fatal_error "Your kernel and/or iptables does not include ipset match: $setname" unless $capabilities{IPSET_MATCH};
if ( $setname =~ /(.*)\[([1-6])\]$/ ) {
$setname = $1;
my $count = $2;
$options .= ",$option" while --$count > 0;
} elsif ( $setname =~ /(.+)\[(.*)\]$/ ) {
$setname = $1;
$options = $2;
}
$setname =~ s/^\+//;
"--set $setname $options"
}
#
# Match a Source. Currently only handles IP addresses and ranges
#
@ -844,7 +842,9 @@ sub match_source_net( $ ) {
iprange_match . "${invert}--src-range $net ";
} elsif ( $net =~ /^(!?)~(.*)$/ ) {
( $net = $2 ) =~ s/-/:/g;
"-m mac --mac-source $1 $net "
"-m mac --mac-source $1 $net ";
} elsif ( $net =~ /^(!?)\+/ ) {
'-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'src'
} elsif ( $net =~ /^!/ ) {
$net =~ s/!//;
"-s ! $net ";
@ -863,6 +863,8 @@ sub match_dest_net( $ ) {
$net =~ s/!// if my $invert = $1 ? '! ' : '';
iprange_match . "${invert}--dst-range $net ";
} elsif ( $net =~ /^(!?)\+/ ) {
'-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'dst'
} elsif ( $net =~ /^!/ ) {
$net =~ s/!//;
"-d ! $net ";
@ -1159,7 +1161,7 @@ sub expand_rule( $$$$$$$$$$ )
$oexcl = '';
}
if ( ! $onets ) {
unless ( $onets ) {
my @oexcl = mysplit $oexcl;
if ( @oexcl == 1 ) {
$rule .= "-m conntrack --ctorigdst ! $oexcl ";
@ -1182,7 +1184,7 @@ sub expand_rule( $$$$$$$$$$ )
$iexcl = '';
}
if ( ! $inets ) {
unless ( $inets ) {
my @iexcl = mysplit $iexcl;
if ( @iexcl == 1 ) {
$rule .= match_source_net "!$iexcl ";
@ -1204,7 +1206,7 @@ sub expand_rule( $$$$$$$$$$ )
$dexcl = '';
}
if ( ! $dnets ) {
unless ( $dnets ) {
my @dexcl = mysplit $dexcl;
if ( @dexcl == 1 ) {
$rule .= match_dest_net "!$dexcl ";

View File

@ -34,6 +34,7 @@ our @EXPORT = qw(ALLIPv4
warning_message
fatal_error
mysplit
create_temp_object
finalize_object
emit
@ -97,6 +98,34 @@ sub fatal_error
die;
}
#
# Split a comma-separated source or destination host list but keep [...] together.
#
sub mysplit( $ ) {
my @input = split /,/, $_[0];
return @input unless $_[0] =~ /\[/;
my @result;
while ( @input ) {
my $element = shift @input;
if ( $element =~ /\[/ ) {
while ( ! ( $element =~ /\]/ ) ) {
last unless @input;
$element .= ( ',' . shift @input );
}
fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
}
push @result, $element;
}
@result;
}
sub create_temp_object( $ ) {
my $objectfile = $_[0];
my $suffix;

View File

@ -601,8 +601,8 @@ sub compile_firewall( $ ) {
unless $capabilities{XMULTIPORT};
fatal_error( 'Shorewall ' . VERSION . ' requires Address Type Match Support' )
unless $capabilities{ADDRTYPE};
fatal_error 'BRIDGING=Yes requires Physdev Match support in your Kernel and iptables'
if $config{BRIDGING} && ! $capabilities{PHYSDEV_MATCH};
fatal_error 'BRIDGING=Yes is not supported by the ' . VERSION . 'Perl-based compiler';
if $config{BRIDGING};
fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'

View File

@ -8,25 +8,36 @@ a) The compiler is small.
b) The compiler is very fast.
c) The compiler generates a firewall script that uses iptables-restore;
so the script is very fast.
d) Use of the perl compiler is optional! The old slow clunky
Bourne-shell compiler is still there.
The bad news:
There are a number of incompatibilities between 3.9.0 and earlier
versions.
There are a number of incompatibilities between 3.9.0 using the
Perl-based compiler and earlier versions.
a) This version requires the addrtype match capability in your kernel
and iptables. This capability is in current distributions.
a) This version requires the following capabilities in your kernel
and iptables.
b) The BROADCAST column in the interfaces file is essentailly unused;
- addrtype match
- conntrack match
- extended multiport match
These capabilities are in current distributions.
b) BRIDGING=Yes is not supported. The kernel code necessary to
support this option was removed in Linux kernel 2.6.20.
c) The BROADCAST column in the interfaces file is essentailly unused;
if you enter anything in this column but '-' or 'detect', you will
receive a warning.
c) Because the compiler is now written in Perl, your compile-time
d) Because the compiler is now written in Perl, your compile-time
extension scripts for earlier version will no longer work.
d) The 'refresh' command is now synonamous with 'restart'.
e) The 'refresh' command is now synonamous with 'restart'.
e) Some run-time extension scripts are no longer supported because they
f) Some run-time extension scripts are no longer supported because they
make no sense (iptables-restore instantiates the new configuration
atomically).
@ -36,8 +47,8 @@ e) Some run-time extension scripts are no longer supported because they
refresh
refreshed
f) Currently, 3.9.0 has no support for ipsets. That will change with
future releases but one thing is certain -- Shorewall is out of the
g) Currently, support for ipsets is untested. That will change with
future releases but one thing is certain -- Shorewall is now out of the
ipset load/reload business. If the Netfilter ruleset is never cleared,
then there is no opportunity for Shorewall to load/reload your
ipsets.