More capability tests
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5738 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
3d06e0682b
commit
70682ad40d
@ -504,24 +504,24 @@ sub process_actions3 () {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
if ( $level ) {
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
|
||||
log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type MULTICAST';
|
||||
}
|
||||
|
||||
add_rule $chainref, '-m pkttype --pkt-type broadcast -j DROP';
|
||||
add_rule $chainref, '-m pkttype --pkt-type multicast -j DROP';
|
||||
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
|
||||
add_rule $chainref, '-m addrtype --dst-type MULTICAST -j DROP';
|
||||
}
|
||||
|
||||
sub allowBcast( $$$ ) {
|
||||
my ($chainref, $level, $tag) = @_;
|
||||
|
||||
if ( $level ) {
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type broadcast';
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m pkttype --pkt-type multicast';
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
|
||||
log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type MULTICAST';
|
||||
}
|
||||
|
||||
add_rule $chainref, '-m pkttype --pkt-type broadcast -j ACCEPT';
|
||||
add_rule $chainref, '-m pkttype --pkt-type multicast -j ACCEPT';
|
||||
add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
|
||||
add_rule $chainref, '-m addrtype --dst-type MULTICAST -j ACCEPT';
|
||||
}
|
||||
|
||||
sub dropNotSyn ( $$$ ) {
|
||||
@ -577,6 +577,8 @@ sub process_actions3 () {
|
||||
my $set = $tag[0];
|
||||
my $count = $tag[1] + 1;
|
||||
|
||||
require_capability( 'RECENT_MATCH' , 'Limit rules' );
|
||||
|
||||
add_rule $chainref, "-m recent --name $set --set";
|
||||
|
||||
if ( $level ) {
|
||||
|
@ -666,7 +666,7 @@ sub do_proto( $$$ )
|
||||
$output .= "-p icmp --icmp-type $ports " if $ports;
|
||||
fatal_error 'SOURCE PORT(S) not permitted with ICMP' if $sports;
|
||||
} elsif ( $proto =~ /^(ipp2p(:(tcp|udp|all)))?$/i ) {
|
||||
fatal_error 'PROTO = ipp2p requires IPP2P match support in your kernel/iptables' unless $capabilities{IPP2P};
|
||||
require_capability( 'IPP2P' , 'PROTO = ipp2p' );
|
||||
$proto = $2 ? $3 : 'tcp';
|
||||
$ports = 'ipp2p' unless $ports;
|
||||
$output .= "-p $proto -m ipp2p --$ports ";
|
||||
@ -800,6 +800,7 @@ sub do_tos( $ ) {
|
||||
sub iprange_match() {
|
||||
my $match = '';
|
||||
|
||||
require_capability( 'IPRANGE_MATCH' , 'Address Ranges' );
|
||||
unless ( $iprangematch ) {
|
||||
$match = '-m iprange ';
|
||||
$iprangematch = 1;
|
||||
@ -845,6 +846,7 @@ sub match_source_net( $ ) {
|
||||
( $net = $2 ) =~ s/-/:/g;
|
||||
"-m mac --mac-source $1 $net ";
|
||||
} elsif ( $net =~ /^(!?)\+/ ) {
|
||||
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' );
|
||||
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
|
||||
} elsif ( $net =~ /^!/ ) {
|
||||
$net =~ s/!//;
|
||||
@ -865,6 +867,7 @@ sub match_dest_net( $ ) {
|
||||
|
||||
iprange_match . "${invert}--dst-range $net ";
|
||||
} elsif ( $net =~ /^(!?)\+/ ) {
|
||||
require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall configuration files' );
|
||||
join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
|
||||
} elsif ( $net =~ /^!/ ) {
|
||||
$net =~ s/!//;
|
||||
|
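Review bot: In the match_source_net and match_dest_net hunks (`@ -845,6 +846,7` and `@ -865,6 +867,7`), the new `require_capability( 'IPSET_MATCH' , ... )` call is inserted between the `$net =~ /^(!?)\+/` match and the `join( '', '-m set ', $1 ? '! ' : '', ... )` line that still reads `$1`. Perl restores the caller's capture variables when a sub returns, so this is not a defect today, but a capture consumed across an intervening call reads as fragile and will not survive someone later inlining or changing that helper; capture it first, e.g. `my $negate = $1 ? '! ' : '';` directly after the `elsif`, then `join( '', '-m set ', $negate, get_set_flags( $net, 'src' ) );` (and `'dst'` in the second hunk). A name other than `$invert` is chosen because match_dest_net already uses `${invert}` in the `--dst-range` branch above, and a `my $invert` inside the elsif would shadow it. Both enclosing subs start before and continue past their hunks, so the declaration site of the existing `$invert` is not visible here.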