Allow incrementing an nfacct object when an ipset matches.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
610bdf1aac
commit
6c2679ce75
@ -649,6 +649,7 @@ our %opttype = ( rule => CONTROL,
|
||||
targetopts => TARGET,
|
||||
|
||||
nfacct => LAST,
|
||||
set => LAST,
|
||||
);
|
||||
|
||||
our %aliases = ( protocol => 'p',
|
||||
@ -5430,8 +5431,15 @@ sub match_source_net( $;$\$ ) {
|
||||
return do_mac $net;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?)\+(6_)?[a-zA-Z][-\w]*(\[.*\])?/ ) {
|
||||
return join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
|
||||
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
|
||||
my $result = join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'src' ) );
|
||||
if ( $3 ) {
|
||||
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
|
||||
my @objects = split_list $3, 'nfacct';
|
||||
$result .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects;
|
||||
}
|
||||
|
||||
return $result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
||||
@ -5441,8 +5449,13 @@ sub match_source_net( $;$\$ ) {
|
||||
fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
||||
|
||||
for $net ( @sets ) {
|
||||
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
|
||||
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
|
||||
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
|
||||
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'src' ) );
|
||||
if ( $3 ) {
|
||||
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
|
||||
my @objects = split_list $3, 'nfacct';
|
||||
$result .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects;
|
||||
}
|
||||
}
|
||||
|
||||
return $result;
|
||||
@ -5503,8 +5516,15 @@ sub imatch_source_net( $;$\$ ) {
|
||||
return do_imac $net;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?)\+(6_)?[a-zA-Z][-\w]*(\[.*\])?/ ) {
|
||||
return ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ) );
|
||||
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
|
||||
my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) );
|
||||
if ( $3 ) {
|
||||
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
|
||||
my @objects = split_list $3, 'nfacct';
|
||||
push( @result, ( nfacct => "--nfacct-name $_" ) ), $nfobjects{$_} = 1 for @objects;
|
||||
}
|
||||
|
||||
return @result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
||||
@ -5514,11 +5534,16 @@ sub imatch_source_net( $;$\$ ) {
|
||||
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
||||
|
||||
for $net ( @sets ) {
|
||||
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
|
||||
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ) );
|
||||
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
|
||||
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) );
|
||||
if ( $3 ) {
|
||||
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
|
||||
my @objects = split_list $3, 'nfacct';
|
||||
push( @result, ( nfacct => "--nfacct-name $_" ) ), $nfobjects{$_} = 1 for @objects;
|
||||
}
|
||||
}
|
||||
|
||||
return \@result;
|
||||
return @result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?)\^([A-Z\d]{2})$/ || $net =~ /^(!?)\^\[([A-Z,\d]+)\]$/) {
|
||||
@ -5572,8 +5597,15 @@ sub match_dest_net( $;$ ) {
|
||||
return iprange_match . "${invert}--dst-range $net ";
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?)\+(6_)?[a-zA-Z][-\w]*(\[.*\])?$/ ) {
|
||||
return join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
|
||||
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
|
||||
my $result = join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) );
|
||||
if ( $3 ) {
|
||||
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
|
||||
my @objects = split_list $3, 'nfacct';
|
||||
$result .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects;
|
||||
}
|
||||
|
||||
return $result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
||||
@ -5583,8 +5615,14 @@ sub match_dest_net( $;$ ) {
|
||||
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
||||
|
||||
for $net ( @sets ) {
|
||||
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
|
||||
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
|
||||
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
|
||||
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) );
|
||||
}
|
||||
|
||||
if ( $3 ) {
|
||||
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
|
||||
my @objects = split_list $3, 'nfacct';
|
||||
$result .= "-m nfacct --nfacct-name $_ ", $nfobjects{$_} = 1 for @objects;
|
||||
}
|
||||
|
||||
return $result;
|
||||
@ -5639,8 +5677,15 @@ sub imatch_dest_net( $;$ ) {
|
||||
return ( iprange => "${invert}--dst-range $net" );
|
||||
}
|
||||
|
||||
if ( $net =~ /^(!?)\+(6_)?[a-zA-Z][-\w]*(\[.*\])?$/ ) {
|
||||
return ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ) );
|
||||
if ( $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/ ) {
|
||||
my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) );
|
||||
if ( $3 ) {
|
||||
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
|
||||
my @objects = split_list $3, 'nfacct';
|
||||
push( @result, ( nfacct => "--nfacct-name $_" ) ), $nfobjects{$_} = 1 for @objects;
|
||||
}
|
||||
|
||||
return @result;
|
||||
}
|
||||
|
||||
if ( $net =~ /^\+\[(.+)\]$/ ) {
|
||||
@ -5650,8 +5695,13 @@ sub imatch_dest_net( $;$ ) {
|
||||
fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
||||
|
||||
for $net ( @sets ) {
|
||||
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
|
||||
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ) );
|
||||
fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(?:\+?)((?:6_)?[a-zA-Z][-\w]*(?:\[.*\])?)(?:\((.+)\))?$/;
|
||||
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) );
|
||||
if ( $3 ) {
|
||||
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
|
||||
my @objects = split_list $3, 'nfacct';
|
||||
push( @result, ( nfacct => "--nfacct-name $_" ) ), $nfobjects{$_} = 1 for @objects;
|
||||
}
|
||||
}
|
||||
|
||||
return \@result;
|
||||
|
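Review bot: In the match_dest_net multi-set hunk the new `if ( $3 ) { ... }` block is placed after the `}` that closes `for $net ( @sets )`, whereas in match_source_net, imatch_source_net and imatch_dest_net the identical block sits inside the loop; because Perl's capture variables are scoped to the enclosing block, `$3` after the loop no longer holds the per-set `(?:\((.+)\))?` capture, so object lists given on sets inside a `+[...]` list appear to be silently dropped (or at best attached only once) in the DEST case. Move that block up inside the loop, directly after `$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) );`, matching the other three functions. Separately, the single-set patterns replace the previously mandatory `\+` with `(?:\+?)`, so a bare token such as `localhost` that used to fall through to the later address handling would now be classified as an ipset name; unless that is intended, keep `\+` required in the non-list form. The names returned by `split_list $3, 'nfacct'` are also interpolated into `--nfacct-name` with no syntax check, so a guard like `fatal_error "Invalid nfacct object name ($_)" unless /^[-\w]+$/;` inside the `for @objects` would keep a malformed name out of the generated ruleset. All four functions begin and end outside the hunks shown.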
@ -312,6 +312,14 @@
|
||||
<replaceable>object</replaceable> could be specified.
|
||||
Beginning with Shorewall 4.5.16, an arbitrary number of
|
||||
objects may be given.</para>
|
||||
|
||||
<caution>
|
||||
<para>If you specify ipset names in the SOURCE or
|
||||
DESTINATION columns, you should not use NFACCT in the ACTION
|
||||
column. You should rather use COUNT and specify the nfacct
|
||||
object(s) together with the ipset. See <ulink
|
||||
url="shorewall-ipsets.html">shorewall-ipsets</ulink>(5).</para>
|
||||
</caution>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -62,7 +62,7 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>In a DEST column, the following paris are equivalent:</para>
|
||||
<para>In a DEST column, the following pairs are equivalent:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
@ -77,6 +77,20 @@
|
||||
|
||||
<para>For information about set lists and exclusion, see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.16, you can increment one or more
|
||||
nfacct objects each time a packet matches an ipset. You do that by listing
|
||||
the objects separated by commas within parentheses.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>+myset[src](myobject)</member>
|
||||
</simplelist>
|
||||
|
||||
<para>In that example, when the source address of a packet matches the
|
||||
<emphasis role="bold">myset</emphasis> ipset, the <emphasis
|
||||
role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
@ -254,6 +254,14 @@
|
||||
<replaceable>object</replaceable> could be specified.
|
||||
Beginning with Shorewall 4.5.16, an arbitrary number of
|
||||
objects may be given.</para>
|
||||
|
||||
<caution>
|
||||
<para>If you specify ipset names in the SOURCE or
|
||||
DESTINATION columns, you should not use NFACCT in the ACTION
|
||||
column. You should rather use COUNT and specify the nfacct
|
||||
object(s) together with the ipset. See <ulink
|
||||
url="shorewall-ipsets.html">shorewall6-ipsets</ulink>(5).</para>
|
||||
</caution>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -77,6 +77,20 @@
|
||||
|
||||
<para>For information about set lists and exclusion, see <ulink
|
||||
url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
|
||||
|
||||
<para>Beginning with Shorewall 4.5.16, you can increment one or more
|
||||
nfacct objects each time a packet matches an ipset. You do that by listing
|
||||
the objects separated by commas within parentheses.</para>
|
||||
|
||||
<para>Example:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>+myset[src](myobject)</member>
|
||||
</simplelist>
|
||||
|
||||
<para>In that example, when the source address of a packet matches the
|
||||
<emphasis role="bold">myset</emphasis> ipset, the <emphasis
|
||||
role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
@ -116,10 +130,11 @@
|
||||
|
||||
<para>shorewall6(8), shorewall6-actions(5), shorewall6-blacklist(5),
|
||||
shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
|
||||
shorewall6-rtrules(5), shorewall6-routestopped(5),
|
||||
shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
|
||||
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
||||
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
||||
shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
|
||||
shorewall6-providers(5), shorewall6-rtrules(5),
|
||||
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
||||
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
|
||||
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
|
||||
shorewall6-zones(5)</para>
|
||||
</refsect1>
|
||||
</refentry>
|
||||
|