Revert "Add capabilities to ?IF conditionals"

This reverts commit 0d71c590e4.
Tom Eastep 2012-03-19 07:20:31 -07:00
parent 5bfd2cc2c9
commit 72e6330ff4
6 changed files with 747 additions and 766 deletions


@ -2209,81 +2209,81 @@ report_capabilities() {
if [ $VERBOSITY -gt 1 ]; then if [ $VERBOSITY -gt 1 ]; then
echo "$g_product has detected the following iptables/netfilter capabilities:" echo "$g_product has detected the following iptables/netfilter capabilities:"
report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED report_capability "NAT" $NAT_ENABLED
report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED report_capability "Packet Mangling" $MANGLE_ENABLED
report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT report_capability "Multi-port Match" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH report_capability "Connection Tracking Match" $CONNTRACK_MATCH
if [ -n "$CONNTRACK_MATCH" ]; then if [ -n "$CONNTRACK_MATCH" ]; then
report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
fi fi
report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE report_capability "Packet Type Match" $USEPKTTYPE
report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH report_capability "Policy Match" $POLICY_MATCH
report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH report_capability "Physdev Match" $PHYSDEV_MATCH
report_capability "Physdev-is-bridged Support (PHYSDEV_MATCH)" $PHYSDEV_BRIDGE report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH report_capability "Packet length Match" $LENGTH_MATCH
report_capability "IP range Match (IPRANGE_MATCH)" $IPRANGE_MATCH report_capability "IP range Match" $IPRANGE_MATCH
report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH report_capability "Recent Match" $RECENT_MATCH
report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH report_capability "Owner Match" $OWNER_MATCH
if [ -n "$IPSET_MATCH" ]; then if [ -n "$IPSET_MATCH" ]; then
report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH report_capability "Ipset Match" $IPSET_MATCH
[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
fi fi
report_capability "CONNMARK Target (CONNMARK)" $CONNMARK report_capability "CONNMARK Target" $CONNMARK
[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH report_capability "Connmark Match" $CONNMARK_MATCH
[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH [ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE report_capability "Raw Table" $RAW_TABLE
report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE report_capability "Rawpost Table" $RAWPOST_TABLE
report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH report_capability "IPP2P Match" $IPP2P_MATCH
[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH [ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET report_capability "CLASSIFY Target" $CLASSIFY_TARGET
report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT report_capability "Extended REJECT" $ENHANCED_REJECT
report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE report_capability "Repeat match" $KLUDGEFREE
report_capability "MARK Target (MARK)" $MARK report_capability "MARK Target" $MARK
[ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK [ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
[ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK [ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
report_capability "Comments (COMMENTS)" $COMMENTS report_capability "Comments" $COMMENTS
report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE report_capability "Address Type Match" $ADDRTYPE
report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH report_capability "TCPMSS Match" $TCPMSS_MATCH
report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH report_capability "Hashlimit Match" $HASHLIMIT_MATCH
[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH [ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match" $OLD_HL_MATCH
report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET report_capability "NFQUEUE Target" $NFQUEUE_TARGET
report_capability "Realm Match (RELM_MATCH)" $REALM_MATCH report_capability "Realm Match" $REALM_MATCH
report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH report_capability "Helper Match" $HELPER_MATCH
report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH report_capability "Connlimit Match" $CONNLIMIT_MATCH
report_capability "Time Match (TIME_MATCH)" $TIME_MATCH report_capability "Time Match" $TIME_MATCH
report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET report_capability "Goto Support" $GOTO_TARGET
report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET report_capability "LOGMARK Target" $LOGMARK_TARGET
report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET report_capability "IPMARK Target" $IPMARK_TARGET
report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET report_capability "LOG Target" $LOG_TARGET
report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET report_capability "ULOG Target" $ULOG_TARGET
report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET report_capability "NFLOG Target" $NFLOG_TARGET
report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT report_capability "Persistent SNAT" $PERSISTENT_SNAT
report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER report_capability "FLOW Classifier" $FLOW_FILTER
report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK report_capability "fwmark route mask" $FWMARK_RT_MASK
report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE report_capability "Mark in any table" $MARK_ANYWHERE
report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH report_capability "Header Match" $HEADER_MATCH
report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET report_capability "ACCOUNT Target" $ACCOUNT_TARGET
report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET report_capability "AUDIT Target" $AUDIT_TARGET
report_capability "ipset V5 (IPSET_V5)" $IPSET_V5 report_capability "ipset V5" $IPSET_V5
report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH report_capability "Condition Match" $CONDITION_MATCH
report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH report_capability "Statistic Match" $STATISTIC_MATCH
report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET report_capability "IMQ Target" $IMQ_TARGET
report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH report_capability "DSCP Match" $DSCP_MATCH
report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET report_capability "DSCP Target" $DSCP_TARGET
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S report_capability "iptables -S" $IPTABLES_S
else else
report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S report_capability "ip6tables -S" $IPTABLES_S
fi fi
report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER report_capability "Basic Filter" $BASIC_FILTER
report_capability "CT Target (CT_TARGET)" $CT_TARGET report_capability "CT Target" $CT_TARGET
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
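Review bot: Every capability value in this hunk is passed unquoted (`report_capability "NAT" $NAT_ENABLED` and the lines below it), so an unset capability reaches report_capability as a missing second argument rather than an empty one. If report_capability tests its second parameter with `[ -n "$2" ]` that is harmless, but quoting as `report_capability "NAT" "$NAT_ENABLED"` keeps the argument count stable either way. report_capabilities starts before this hunk and continues after it.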


@ -1470,9 +1470,6 @@ sub do_open_file( $ ) {
open $currentfile, '<', $fname or fatal_error "Unable to open $fname: $!"; open $currentfile, '<', $fname or fatal_error "Unable to open $fname: $!";
$currentlinenumber = 0; $currentlinenumber = 0;
$ifstack = @ifstack; $ifstack = @ifstack;
#
# Must be last
#
$currentfilename = $fname; $currentfilename = $fname;
} }
@ -1527,7 +1524,7 @@ sub close_file() {
} }
# #
# Process an ?IF, ?ELSE, or ?ENDIF. Returns the new $omitting setting. # Process an ?IF, ?ELSE, or ?ENDIF
# #
sub process_conditional($$$) { sub process_conditional($$$) {
my ( $omitting, $keyword, $rest ) = @_; my ( $omitting, $keyword, $rest ) = @_;
@ -1538,23 +1535,18 @@ sub process_conditional($$$) {
fatal_error "Missing IF variable" unless $rest; fatal_error "Missing IF variable" unless $rest;
my $invert = $rest =~ s/^!\s*//; my $invert = $rest =~ s/^!\s*//;
fatal_error "Invalid IF variable ($rest)" unless ( $rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/; fatal_error "Invalid IF variable ($rest)" unless $rest =~ s/^\$// && $rest =~ /^\w+$/;
push @ifstack, [ 'IF', $omitting, $currentlinenumber ]; push @ifstack, [ 'IF', $omitting, $currentlinenumber ];
if ( $rest eq '__IPV4' ) { if ( $rest eq '__IPV6' ) {
$omitting = $family == F_IPV6;
} elsif ( $rest eq '__IPV6' ) {
$omitting = $family == F_IPV4; $omitting = $family == F_IPV4;
} elsif ( $rest eq '__IPV4' ) {
$omitting = $family == F_IPV6;
} else { } else {
my $cap;
($cap = $rest) =~ s/^__//;
$omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} : $omitting = ! ( exists $ENV{$rest} ? $ENV{$rest} :
exists $params{$rest} ? $params{$rest} : exists $params{$rest} ? $params{$rest} :
exists $config{$rest} ? $config{$rest} : exists $config{$rest} ? $config{$rest} : 0 );
exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
} }
$omitting = ! $omitting if $invert; $omitting = ! $omitting if $invert;
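Review bot: On the new side the validation `unless $rest =~ s/^\$// && $rest =~ /^\w+$/` requires a leading `$`, so the `__IPV6` and `__IPV4` comparisons below it are reached only for `?IF $__IPV6` / `?IF $__IPV4`, and neither the header comment nor the docbook hunk in this commit says so; a comment on the `if ( $rest eq '__IPV6' )` line such as `# built-in names: reached as $__IPV6 / $__IPV4 once the leading $ is stripped` would close that gap. The `else` branch consults `%ENV` before `%params` and `%config`, so an environment variable present at compile time wins over a shorewall.conf option of the same name; the documentation states that order, but a one-line comment at the lookup would make the precedence visible to the next maintainer. `/^\w+$/` also accepts a trailing newline; `/\A\w+\z/` is the strict form if `$rest` can arrive unchomped. process_conditional continues past the end of the hunk.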


@ -46,7 +46,7 @@ my $chainref = get_action_chain;
my ( $level, $tag ) = get_action_logging; my ( $level, $tag ) = get_action_logging;
my $target = require_audit ( $action , $audit ); my $target = require_audit ( $action , $audit );
?IF __ADDRTYPE if ( have_capability( 'ADDRTYPE' ) ) {
if ( $level ne '' ) { if ( $level ne '' ) {
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST '; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST '; log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
@ -56,14 +56,14 @@ my $target = require_audit ( $action , $audit );
add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST '; add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST '; add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST '; add_jump $chainref, $target, 0, '-m addrtype --dst-type ANYCAST ';
?ELSE #Begin no Addrtype support } else {
add_commands $chainref, 'for address in $ALL_BCASTS; do'; add_commands $chainref, 'for address in $ALL_BCASTS; do';
incr_cmd_level $chainref; incr_cmd_level $chainref;
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne ''; log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d $address ' if $level ne '';
add_jump $chainref, $target, 0, "-d \$address "; add_jump $chainref, $target, 0, "-d \$address ";
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
?END #No Addrtype support }
log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne ''; log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
add_jump $chainref, $target, 0, '-d 224.0.0.0/4 '; add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
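Review bot: The `log_rule_limit`/`add_jump` pair for `-d 224.0.0.0/4` after the closing `}` runs on both branches, so on the `have_capability( 'ADDRTYPE' )` path it appears to duplicate the `--dst-type MULTICAST` rule emitted above (IPv4 multicast is 224.0.0.0/4); if that is not deliberate, moving the two lines into the `else` branch avoids the redundant rule, and if it is deliberate a comment saying why would help. The branch labels the old side carried are gone on the new side; `} else { # no addrtype support: iterate $ALL_BCASTS at run time` and `} # end addrtype fallback` keep the structure readable. The enclosing action body begins before this hunk.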


@ -50,32 +50,32 @@ if ( $level ne '-' || $audit ne '-' ) {
$target = 'DROP'; $target = 'DROP';
} }
?IF __ADDRTYPE if ( have_capability( 'ADDRTYPE' ) ) {
?IF __IPV4 if ( $family == F_IPV4 ) {
add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ; add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ;
?ELSE } else {
add_ijump $chainref , j => 'RETURN', s => '::'; add_ijump $chainref , j => 'RETURN', s => '::';
?END }
add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ; add_ijump( $chainref, g => $target, addrtype => '--src-type BROADCAST' ) ;
?ELSE # Begin no Addrtype support } else {
?IF __IPV4 if ( $family == F_IPV4 ) {
add_commands $chainref, 'for address in $ALL_BCASTS; do'; add_commands $chainref, 'for address in $ALL_BCASTS; do';
?ELSE } else {
add_commands $chainref, 'for address in $ALL_ACASTS; do'; add_commands $chainref, 'for address in $ALL_ACASTS; do';
?END }
incr_cmd_level $chainref; incr_cmd_level $chainref;
add_ijump( $chainref, g => $target, s => '$address' ); add_ijump( $chainref, g => $target, s => '$address' );
decr_cmd_level $chainref; decr_cmd_level $chainref;
add_commands $chainref, 'done'; add_commands $chainref, 'done';
?END # No Addrtype support }
?IF __IPV4 if ( $family == F_IPV4 ) {
add_ijump( $chainref, g => $target, s => '224.0.0.0/4' ); add_ijump( $chainref, g => $target, s => '224.0.0.0/4' );
?ELSE } else {
add_ijump( $chainref, g => $target, s => IPv6_MULTICAST ); add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
?END }
END PERL; END PERL;
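Review bot: `add_ijump $chainref , j => 'RETURN', s => '0.0.0.0'; ;` on the IPv4 branch carries a stray empty statement, and the hunk mixes bare `add_ijump $chainref , ...` with the parenthesised `add_ijump( $chainref, ... )` used on the other lines; `add_ijump( $chainref, j => 'RETURN', s => '0.0.0.0' );` matches the rest. The nested `if ( have_capability( 'ADDRTYPE' ) )` / `if ( $family == F_IPV4 )` blocks lost the `# Begin no Addrtype support` and `# No Addrtype support` markers the old side had; a comment on the outer `} else {` and its closing `}` is worth keeping because the two brace levels are easy to confuse. The embedded Perl block begins before this hunk and ends at `END PERL;` on its last line.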



@ -1485,18 +1485,9 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
pre-defined ones, it is searched for in the compiler's environmental pre-defined ones, it is searched for in the compiler's environmental
variables, in variables set in <filename>/etc/shorewall/params</filename>, variables, in variables set in <filename>/etc/shorewall/params</filename>,
and in options set in <filename>/etc/shorewall/shorewall.conf</filename> and in options set in <filename>/etc/shorewall/shorewall.conf</filename>
in that order. If the <replaceable>variable</replaceable> is still not in that order. If it is not found in any of those places, the
found and it begins with '__', then those leading characters are stripped
off and the result is searched for in the defined
<firstterm>capabilities</firstterm>. The current set of capabilities may
be obtained by the command <command>shorewall show capabilities</command>
(the capability names are in parentheses).</para>
<para>If it is not found in any of those places, the
<replaceable>variable</replaceable> is assumed to have a value of 0 <replaceable>variable</replaceable> is assumed to have a value of 0
(false).</para> (false). If "!" is present, the result of the test is inverted.</para>
<para>If "!" is present, the result value is inverted.</para>
<para>The setting in <filename>/etc/shorewall/params</filename> by be <para>The setting in <filename>/etc/shorewall/params</filename> by be
overridden at runtime, provided the setting in overridden at runtime, provided the setting in