Support ipset lists in the tcfilters file.
- Also document the fact that ipset match options are not available in the tcfilters file. Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
1d4a87a0d0
commit
7ddc65133e
@ -2191,11 +2191,32 @@ sub process_tc_filter1( $$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
# Handle an ipset name in the SOURCE or DEST columns of a filter
|
# Handle an ipset name in the SOURCE or DEST columns of a filter
|
||||||
#
|
#
|
||||||
|
sub handle_ematch( $$ );
|
||||||
|
|
||||||
sub handle_ematch( $$ ) {
|
sub handle_ematch( $$ ) {
|
||||||
my ( $setname, $option ) = @_;
|
my ( $setname, $option ) = @_;
|
||||||
|
|
||||||
my $options = $option;
|
my $options = $option;
|
||||||
|
|
||||||
|
if ( $setname =~ /^\+\[(.+)\]$/ ) {
|
||||||
|
my @sets = split_host_list( $1, 1, 1 );
|
||||||
|
|
||||||
|
fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
|
||||||
|
|
||||||
|
my $result = @sets > 1 ? "\\(\\\n" : '';
|
||||||
|
my $sets = 0;
|
||||||
|
|
||||||
|
for $setname ( @sets ) {
|
||||||
|
$result .= ' or' if $sets++;
|
||||||
|
$result .= "\\\n " if @sets > 1;
|
||||||
|
$result .= handle_ematch( $setname, $option );
|
||||||
|
}
|
||||||
|
|
||||||
|
$result .= "\\\n \\)" if @sets > 1;
|
||||||
|
|
||||||
|
return $result;
|
||||||
|
}
|
||||||
|
|
||||||
require_capability 'BASIC_EMATCH', 'IPSets', '';
|
require_capability 'BASIC_EMATCH', 'IPSets', '';
|
||||||
|
|
||||||
if ( $setname =~ /^(.*)\[([1-6])\]$/ ) {
|
if ( $setname =~ /^(.*)\[([1-6])\]$/ ) {
|
||||||
|
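Review bot: The `fatal_error "Multiple ipset matches require the Repeat Match capability ..."` check in the new `+[...]` branch fires for every bracketed list, including one that names only a single set, because it is not conditioned on the element count; `fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" if @sets > 1 && ! $globals{KLUDGEFREE};` limits it to the case the message describes. The message also refers to iptables, while the string assembled here is a tc ematch expression (`\( ... or ... \)`), so it is worth confirming that KLUDGEFREE is really the capability that gates an `or` ematch in tc and, if it is not, dropping or rewording the check. `for $setname ( @sets )` reuses the subroutine's own parameter as the loop variable; `for my $set ( @sets )` with `$result .= handle_ematch( $set, $option );` keeps the outer `$setname` readable, and a comment such as `# Forward declaration: handle_ematch recurses on each element of a +[...] list` next to `sub handle_ematch( $$ );` would explain why the prototype precedes the definition. handle_ematch's body continues past the end of the hunk.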
@ -99,8 +99,14 @@
|
|||||||
role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
|
role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
|
<para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
|
||||||
any) can be immediately be followed by a list of match options. Available
|
any) can be immediately be followed by a list of match options.</para>
|
||||||
options are:</para>
|
|
||||||
|
<important>
|
||||||
|
<para>These additional match options are not available in <ulink
|
||||||
|
url="shorewall-tcfilters.html">shorewall-tcfilters(5)</ulink>.</para>
|
||||||
|
</important>
|
||||||
|
|
||||||
|
<para>Available options are:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|
@ -98,8 +98,14 @@
|
|||||||
role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
|
role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
|
||||||
|
|
||||||
<para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
|
<para>Beginning with Shorewall 4.6.0, an ipset name (and src/dst list, if
|
||||||
any) can be immediately be followed by a list of match options. Available
|
any) can be immediately be followed by a list of match options.</para>
|
||||||
options are:</para>
|
|
||||||
|
<important>
|
||||||
|
<para>These additional match options are not available in <ulink
|
||||||
|
url="shorewall6-tcfilters.html">shorewall6-tcfilters(5)</ulink>.</para>
|
||||||
|
</important>
|
||||||
|
|
||||||
|
<para>Available options are:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
|