From 5f5ece2a3188a8c8c23b40fd1fa30860f3c057be Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 24 Mar 2007 15:59:17 +0000
Subject: [PATCH] Finish ipset initial implementation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5656 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 New/Shorewall/Chains.pm | 60 +++++++++++++++++++++--------------------
 New/Shorewall/Common.pm | 29 ++++++++++++++++++++
 New/compiler.pl | 4 +--
 New/releasenotes.txt | 31 ++++++++++++++-------
 4 files changed, 83 insertions(+), 41 deletions(-)

diff --git a/New/Shorewall/Chains.pm b/New/Shorewall/Chains.pm
index 361e2f75e..c3c4b0917 100644
--- a/New/Shorewall/Chains.pm
+++ b/New/Shorewall/Chains.pm
@@ -416,31 +416,6 @@ sub first_chains( $ ) #$1 = interface
 [ $c . '_fwd', $c . '_in' ];
 }
 
-#
-# Split a source or destination host list but keep [...] together.
-#
-sub mysplit( $ ) {
- my @input = split /,/, $_[0];
- my @result;
-
- while ( @input ) {
- my $element = shift @input;
-
- if ( $element =~ /\[/ ) {
- while ( ! ( $element =~ /\]/ ) ) {
- last unless @input;
- $element .= ( ',' . shift @input );
- }
-
- fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
- }
-
- push @result, $element;
- }
-
- @result;
-}
-
 #
 # Create a new chain and return a reference to it.
 #
@@ -832,6 +807,29 @@ sub iprange_match() {
 $match;
 }
 
+#
+# Get set flags (ipsets).
+#
+sub get_set_flags( $$ ) {
+ my ( $setname, $option ) = @_;
+ my $options = $option;
+
+ fatal_error "Your kernel and/or iptables does not include ipset match: $setname" unless $capabilities{IPSET_MATCH};
+
+ if ( $setname =~ /(.*)\[([1-6])\]$/ ) {
+ $setname = $1;
+ my $count = $2;
+ $options .= ",$option" while --$count > 0;
+ } elsif ( $setname =~ /(.+)\[(.*)\]$/ ) {
+ $setname = $1;
+ $options = $2;
+ }
+
+ $setname =~ s/^\+//;
+
+ "--set $setname $options"
+}
+
 #
 # Match a Source. Currently only handles IP addresses and ranges
 #
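Review bot: `$setname =~ s/^\+//;` in get_set_flags strips only a leading `+`, yet both callers added in this commit (match_source_net in the +842 hunk and match_dest_net in the +863 hunk) pass `$net` through untouched after matching `/^(!?)\+/`, so a negated entry such as `!+myset` arrives here with the `!` still attached and the emitted option becomes `--set !+myset src`; `$setname =~ s/^!?\+//;` fixes it at the one place both callers share. The returned `"--set $setname $options"` also lacks the trailing space that every other branch of match_source_net/match_dest_net ends with, and since expand_rule accumulates fragments into `$rule` with `.=`, whatever follows would run into the option string unless something outside these hunks adds a separator — `"--set $setname $options "` keeps the convention. The set name and the bracketed option list come from the rules file and are interpolated verbatim into the generated iptables command with no check on their contents (the second branch accepts anything inside `[...]`); a `fatal_error` unless the name contains no whitespace and each comma-separated option is `src` or `dst` would report a malformed entry at compile time rather than leaving the failure to iptables-restore.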
@@ -844,7 +842,9 @@ sub match_source_net( $ ) {
 iprange_match . "${invert}--src-range $net ";
 } elsif ( $net =~ /^(!?)~(.*)$/ ) {
 ( $net = $2 ) =~ s/-/:/g;
- "-m mac --mac-source $1 $net "
+ "-m mac --mac-source $1 $net ";
+ } elsif ( $net =~ /^(!?)\+/ ) {
+ '-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'src'
 } elsif ( $net =~ /^!/ ) {
 $net =~ s/!//;
 "-s ! $net ";
@@ -863,6 +863,8 @@ sub match_dest_net( $ ) {
 $net =~ s/!// if my $invert = $1 ? '! ' : '';
 iprange_match . "${invert}--dst-range $net ";
+ } elsif ( $net =~ /^(!?)\+/ ) {
+ '-m set ' . ( $1 ? '! ' : '' ) . get_set_flags $net, 'dst'
 } elsif ( $net =~ /^!/ ) {
 $net =~ s/!//;
 "-d ! $net ";
@@ -1159,7 +1161,7 @@ sub expand_rule( $$$$$$$$$$ )
 $oexcl = '';
 }
 
- if ( ! $onets ) {
+ unless ( $onets ) {
 my @oexcl = mysplit $oexcl;
 if ( @oexcl == 1 ) {
 $rule .= "-m conntrack --ctorigdst ! $oexcl ";
@@ -1182,7 +1184,7 @@ sub expand_rule( $$$$$$$$$$ )
 $iexcl = '';
 }
 
- if ( ! $inets ) {
+ unless ( $inets ) {
 my @iexcl = mysplit $iexcl;
 if ( @iexcl == 1 ) {
 $rule .= match_source_net "!$iexcl ";
@@ -1204,7 +1206,7 @@ sub expand_rule( $$$$$$$$$$ )
 $dexcl = '';
 }
 
- if ( ! $dnets ) {
+ unless ( $dnets ) {
 my @dexcl = mysplit $dexcl;
 if ( @dexcl == 1 ) {
 $rule .= match_dest_net "!$dexcl ";
diff --git a/New/Shorewall/Common.pm b/New/Shorewall/Common.pm
index 97fe0a970..75c2ce026 100644
--- a/New/Shorewall/Common.pm
+++ b/New/Shorewall/Common.pm
@@ -34,6 +34,7 @@ our @EXPORT = qw(ALLIPv4
 warning_message
 fatal_error
+ mysplit
 create_temp_object
 finalize_object
 emit
@@ -97,6 +98,34 @@ sub fatal_error
 die;
 }
 
+#
+# Split a comma-separated source or destination host list but keep [...] together.
+#
+sub mysplit( $ ) {
+ my @input = split /,/, $_[0];
+
+ return @input unless $_[0] =~ /\[/;
+
+ my @result;
+
+ while ( @input ) {
+ my $element = shift @input;
+
+ if ( $element =~ /\[/ ) {
+ while ( ! ( $element =~ /\]/ ) ) {
+ last unless @input;
+ $element .= ( ',' . shift @input );
+ }
+
+ fatal_error "Invalid Host List ($_[0])" unless substr( $element, -1, 1 ) eq ']';
+ }
+
+ push @result, $element;
+ }
+
+ @result;
+}
+
 sub create_temp_object( $ ) {
 my $objectfile = $_[0];
 my $suffix;
diff --git a/New/compiler.pl b/New/compiler.pl
index 6bba398f6..1d60d18b4 100755
--- a/New/compiler.pl
+++ b/New/compiler.pl
@@ -601,8 +601,8 @@ sub compile_firewall( $ ) {
 unless $capabilities{XMULTIPORT};
 fatal_error( 'Shorewall ' . VERSION . ' requires Address Type Match Support' )
 unless $capabilities{ADDRTYPE};
- fatal_error 'BRIDGING=Yes requires Physdev Match support in your Kernel and iptables'
- if $config{BRIDGING} && ! $capabilities{PHYSDEV_MATCH};
+ fatal_error 'BRIDGING=Yes is not supported by the ' . VERSION . 'Perl-based compiler';
+ if $config{BRIDGING};
 fatal_error 'MACLIST_TTL requires the Recent Match capability which is not present in your Kernel and/or iptables'
 if $config{MACLIST_TTL} && ! $capabilities{RECENT_MATCH};
 fatal_error 'RFC1918_STRICT=Yes requires Connection Tracking match'
diff --git a/New/releasenotes.txt b/New/releasenotes.txt
index ce59549c5..f8561c378 100644
--- a/New/releasenotes.txt
+++ b/New/releasenotes.txt
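Review bot: In the New/compiler.pl hunk, the new `fatal_error 'BRIDGING=Yes is not supported by the ' . VERSION . 'Perl-based compiler';` is terminated before its condition, so the `if $config{BRIDGING};` on the following line is left as a bare `if` and the file no longer compiles; had it parsed, the fatal_error would have fired for every configuration, not just BRIDGING=Yes. The message is also missing the space before `Perl-based`, so it would print as `<version>Perl-based compiler`. Replace the two added lines with `fatal_error 'BRIDGING=Yes is not supported by the ' . VERSION . ' Perl-based compiler'` and `if $config{BRIDGING};`. compile_firewall begins and ends outside the hunk.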
@@ -8,25 +8,36 @@ a) The compiler is small. b) The compiler is very fast. c) The compiler generates a firewall script that uses iptables-restore; so the script is very fast. +d) Use of the perl compiler is optional! The old slow clunky + Bourne-shell compiler is still there. The bad news: -There are a number of incompatibilities between 3.9.0 and earlier -versions. +There are a number of incompatibilities between 3.9.0 using the +Perl-based compiler and earlier versions. -a) This version requires the addrtype match capability in your kernel - and iptables. This capability is in current distributions. +a) This version requires the following capabilities in your kernel + and iptables. -b) The BROADCAST column in the interfaces file is essentailly unused; + - addrtype match + - conntrack match + - extended multiport match + + These capabilities are in current distributions. + +b) BRIDGING=Yes is not supported. The kernel code necessary to + support this option was removed in Linux kernel 2.6.20. + +c) The BROADCAST column in the interfaces file is essentailly unused; if you enter anything in this column but '-' or 'detect', you will receive a warning. -c) Because the compiler is now written in Perl, your compile-time +d) Because the compiler is now written in Perl, your compile-time extension scripts for earlier version will no longer work. -d) The 'refresh' command is now synonamous with 'restart'. +e) The 'refresh' command is now synonamous with 'restart'. -e) Some run-time extension scripts are no longer supported because they +f) Some run-time extension scripts are no longer supported because they make no sense (iptables-restore instantiates the new configuration atomically). 
@@ -36,8 +47,8 @@ e) Some run-time extension scripts are no longer supported because they refresh refreshed -f) Currently, 3.9.0 has no support for ipsets. That will change with - future releases but one thing is certain -- Shorewall is out of the +g) Currently, support for ipsets is untested. That will change with + future releases but one thing is certain -- Shorewall is now out of the ipset load/reload business. If the Netfilter ruleset is never cleared, then there is no opportunity for Shorewall to load/reload your ipsets.