Add Enhanced Multi-port match capability
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
fd2fcc996f
commit
8442477224
@ -2134,6 +2134,7 @@ determine_capabilities() {
|
||||
OLD_CONNTRACK_MATCH=
|
||||
MULTIPORT=
|
||||
XMULTIPORT=
|
||||
EMULTIPORT=
|
||||
POLICY_MATCH=
|
||||
PHYSDEV_MATCH=
|
||||
PHYSDEV_BRIDGE=
|
||||
@ -2278,7 +2279,8 @@ determine_capabilities() {
|
||||
qt $g_tool -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
|
||||
fi
|
||||
|
||||
qt $g_tool -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||
qt $g_tool -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
|
||||
qt $g_tool -A $chain -p sctp -m multiport --dports 21,22 -j ACCEPT && EMULTIPORT=Yes
|
||||
qt $g_tool -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
|
||||
|
||||
if qt $g_tool -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
|
||||
@ -2535,7 +2537,8 @@ report_capabilities_unsorted() {
|
||||
report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
|
||||
report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
|
||||
report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
|
||||
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
|
||||
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
|
||||
[ -n "$EMULTIPORT" ] && report_capability "Enhanced Multi-port Match (EMULIPORT)" $EMULTIPORT
|
||||
report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
|
||||
if [ -n "$CONNTRACK_MATCH" ]; then
|
||||
report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
|
||||
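Review bot: The new report line labels the capability `EMULIPORT` (the T is dropped, so the label no longer matches the variable name) and gates on `$EMULTIPORT` itself, which means the capability is silently omitted from the report rather than shown as unavailable whenever the probe fails. The sibling XMULTIPORT line gates on `$MULTIPORT` instead, which presumably is what lets an absent extended capability still appear in the capabilities output; the same pattern fits here since EMULTIPORT is likewise a refinement of MULTIPORT. Suggested line: `[ -n "$MULTIPORT" ] && report_capability "Enhanced Multi-port Match (EMULTIPORT)" $EMULTIPORT`. The unchanged XMULIPORT label on the previous line carries the same kind of typo, but that is history rather than part of this change. report_capabilities_unsorted() starts and ends outside the hunk.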
@ -2656,6 +2659,7 @@ report_capabilities_unsorted1() {
|
||||
report_capability1 MANGLE_ENABLED
|
||||
report_capability1 MULTIPORT
|
||||
report_capability1 XMULTIPORT
|
||||
report_capability1 EMULTIPORT
|
||||
report_capability1 CONNTRACK_MATCH
|
||||
report_capability1 NEW_CONNTRACK_MATCH
|
||||
report_capability1 OLD_CONNTRACK_MATCH
|
||||
|
@ -4162,16 +4162,15 @@ sub do_proto( $$$;$ )
|
||||
PROTO:
|
||||
{
|
||||
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
|
||||
my $multiport = 0;
|
||||
my $multiport = ( $proto == UDPLITE );
|
||||
my $srcndst = 0;
|
||||
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
|
||||
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
||||
if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 );
|
||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||
|
||||
if ( port_count ( $ports ) > 15 ) {
|
||||
if ( $restricted ) {
|
||||
@ -4190,7 +4189,11 @@ sub do_proto( $$$;$ )
|
||||
$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
|
||||
}
|
||||
} else {
|
||||
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
|
||||
$multiport ||= ( $sports =~ tr/,/,/ ) > 0 ;;
|
||||
}
|
||||
|
||||
if ( $multiport && $proto != TCP && $proto != UDP ) {
|
||||
require_capability( 'EMULTIPORT', 'Protocol ' . ( $pname || $proto ), 's' );
|
||||
}
|
||||
|
||||
if ( $sports ne '' ) {
|
||||
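Review bot: The new `$multiport ||= ( $sports =~ tr/,/,/ ) > 0 ;;` line ends with a doubled semicolon and, if this else branch belongs to the `if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 )` test in the previous hunk as the braces suggest, it is a no-op: the branch is only entered when `$multiport` is already false and neither port column contains a comma, so the assignment can never switch it on. The do_iproto counterpart in the later hunk writes the same statement with a single `;`; at minimum drop the stray one here, and consider deleting the assignment if the branch condition is indeed the only way in. The new `require_capability( 'EMULTIPORT', 'Protocol ' . ( $pname || $proto ), 's' )` also cannot be reached for SCTP with a port list, because the unchanged `fatal_error "Multiple ports not supported with SCTP"` in the previous hunk fires first — so a capability probed with `-p sctp` in practice only gates DCCP and UDPLITE here, which deserves a comment such as `# EMULTIPORT: multiport on non-TCP/UDP protocols; SCTP port lists are still rejected above`. `$pname` is not visible in the hunk, and do_proto starts and ends outside it.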
@ -4356,16 +4359,15 @@ sub do_iproto( $$$ )
|
||||
PROTO:
|
||||
{
|
||||
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
|
||||
my $multiport = 0;
|
||||
my $multiport = ( $proto == UDPLITE );
|
||||
my $srcndst = 0;
|
||||
|
||||
if ( $ports ne '' ) {
|
||||
$invert = $ports =~ s/^!// ? '! ' : '';
|
||||
$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
|
||||
|
||||
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
|
||||
if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
|
||||
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
|
||||
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
|
||||
|
||||
if ( port_count ( $ports ) > 15 ) {
|
||||
if ( $restricted ) {
|
||||
@ -4389,7 +4391,7 @@ sub do_iproto( $$$ )
|
||||
}
|
||||
}
|
||||
} else {
|
||||
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
|
||||
$multiport ||= ( ( $sports =~ tr/,/,/ ) > 0 );
|
||||
}
|
||||
|
||||
if ( $sports ne '' ) {
|
||||
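Review bot: do_iproto receives the `$multiport ||= ...` change but, within this hunk, no counterpart to the `require_capability( 'EMULTIPORT', ... )` guard that do_proto gains after its else block — the following `if ( $sports ne '' ) {` line is unchanged context. Unless the check was added somewhere outside the hunk, a DCCP or UDPLITE rule with a port list compiled through do_iproto would bypass the capability test and presumably fail only when iptables loads the generated rule, instead of at compile time as in do_proto. Suggested addition between the closing brace and `if ( $sports ne '' ) {`: `require_capability( 'EMULTIPORT', 'Protocol ' . ( $pname || $proto ), 's' ) if $multiport && $proto != TCP && $proto != UDP;`, assuming `$pname` is in scope in do_iproto as it is in do_proto. do_iproto starts and ends outside the hunk.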
|
@ -286,6 +286,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
MANGLE_ENABLED => 'Packet Mangling',
|
||||
MULTIPORT => 'Multi-port Match' ,
|
||||
XMULTIPORT => 'Extended Multi-port Match',
|
||||
EMULTIPORT => 'Enhanced Multi-port Match',
|
||||
CONNTRACK_MATCH => 'Connection Tracking Match',
|
||||
OLD_CONNTRACK_MATCH =>
|
||||
'Old conntrack match syntax',
|
||||
@ -358,6 +359,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
||||
CHECKSUM_TARGET => 'Checksum Target',
|
||||
ARPTABLESJF => 'Arptables JF',
|
||||
MASQUERADE_TGT => 'MASQUERADE Target',
|
||||
|
||||
AMANDA_HELPER => 'Amanda Helper',
|
||||
FTP_HELPER => 'FTP Helper',
|
||||
FTP0_HELPER => 'FTP-0 Helper',
|
||||
@ -835,6 +837,7 @@ sub initialize( $;$$) {
|
||||
MANGLE_ENABLED => undef,
|
||||
MULTIPORT => undef,
|
||||
XMULTIPORT => undef,
|
||||
EMULTIPORT => undef,
|
||||
CONNTRACK_MATCH => undef,
|
||||
NEW_CONNTRACK_MATCH => undef,
|
||||
OLD_CONNTRACK_MATCH => undef,
|
||||
@ -3629,6 +3632,10 @@ sub Xmultiport() {
|
||||
qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
|
||||
}
|
||||
|
||||
sub Emultiport() {
|
||||
qt1( "$iptables -A $sillyname -p sctp -m multiport --dports 21,22 -j ACCEPT" );
|
||||
}
|
||||
|
||||
sub Policy_Match() {
|
||||
qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
|
||||
}
|
||||
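Review bot: Emultiport() probes with `-p sctp -m multiport --dports 21,22`, yet the capability it sets is consumed in do_proto to gate multiport for every non-TCP/UDP protocol (DCCP and UDPLITE included) while SCTP port lists are still rejected there, so a reader of this sub cannot tell from the probe what a positive result actually enables. Add a comment above the `qt1` call, e.g. `# xt_multiport that accepts protocols other than TCP/UDP; SCTP is only the probe, the result also gates DCCP and UDPLITE`. `$iptables` and `$sillyname` are not visible in the hunk, and the neighbouring Xmultiport() and Policy_Match() subs are equally undocumented, but those are history. Emultiport() is complete within the hunk.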
@ -4062,6 +4069,7 @@ our %detect_capability =
|
||||
DSCP_MATCH => \&Dscp_Match,
|
||||
DSCP_TARGET => \&Dscp_Target,
|
||||
ENHANCED_REJECT => \&Enhanced_Reject,
|
||||
EMULTIPORT => \&Emultiport,
|
||||
EXMARK => \&Exmark,
|
||||
FLOW_FILTER => \&Flow_Filter,
|
||||
FTP_HELPER => \&FTP_Helper,
|
||||
@ -4200,6 +4208,7 @@ sub determine_capabilities() {
|
||||
|
||||
$capabilities{ MULTIPORT } = detect_capability( 'MULTIPORT' );
|
||||
$capabilities{XMULTIPORT} = detect_capability( 'XMULTIPORT' );
|
||||
$capabilities{EMULTIPORT} = detect_capability( 'EMULTIPORT' );
|
||||
$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
|
||||
|
||||
if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {
|
||||
|