holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add Enhanced Multi-port match capability

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-03-10 09:04:47 -07:00
parent fd2fcc996f
commit 8442477224
3 changed files with 25 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Shorewall-core/lib.cli
View File

@ -2134,6 +2134,7 @@ determine_capabilities() {
OLD_CONNTRACK_MATCH= OLD_CONNTRACK_MATCH=
MULTIPORT= MULTIPORT=
XMULTIPORT= XMULTIPORT=
EMULTIPORT=
POLICY_MATCH= POLICY_MATCH=
PHYSDEV_MATCH= PHYSDEV_MATCH=
PHYSDEV_BRIDGE= PHYSDEV_BRIDGE=
@ -2278,7 +2279,8 @@ determine_capabilities() {
qt $g_tool -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes qt $g_tool -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
fi fi
qt $g_tool -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes qt $g_tool -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT && XMULTIPORT=Yes
qt $g_tool -A $chain -p sctp -m multiport --dports 21,22 -j ACCEPT && EMULTIPORT=Yes
qt $g_tool -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes qt $g_tool -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
if qt $g_tool -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then if qt $g_tool -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
@ -2535,7 +2537,8 @@ report_capabilities_unsorted() {
report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
[ -n "$EMULTIPORT" ] && report_capability "Enhanced Multi-port Match (EMULIPORT)" $EMULTIPORT
report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
if [ -n "$CONNTRACK_MATCH" ]; then if [ -n "$CONNTRACK_MATCH" ]; then
report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
@ -2656,6 +2659,7 @@ report_capabilities_unsorted1() {
report_capability1 MANGLE_ENABLED report_capability1 MANGLE_ENABLED
report_capability1 MULTIPORT report_capability1 MULTIPORT
report_capability1 XMULTIPORT report_capability1 XMULTIPORT
report_capability1 EMULTIPORT
report_capability1 CONNTRACK_MATCH report_capability1 CONNTRACK_MATCH
report_capability1 NEW_CONNTRACK_MATCH report_capability1 NEW_CONNTRACK_MATCH
report_capability1 OLD_CONNTRACK_MATCH report_capability1 OLD_CONNTRACK_MATCH

18
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -4162,16 +4162,15 @@ sub do_proto( $$$;$ )
PROTO: PROTO:
{ {
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) { if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
my $multiport = 0; my $multiport = ( $proto == UDPLITE );
my $srcndst = 0; my $srcndst = 0;
if ( $ports ne '' ) { if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : ''; $invert = $ports =~ s/^!// ? '! ' : '';
$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' ); $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 ); fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT',1 );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
if ( port_count ( $ports ) > 15 ) { if ( port_count ( $ports ) > 15 ) {
if ( $restricted ) { if ( $restricted ) {
@ -4190,7 +4189,11 @@ sub do_proto( $$$;$ )
$output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " ); $output .= ( $srcndst ? "-m multiport ${invert}--ports ${ports} " : "${invert}--dport ${ports} " );
} }
} else { } else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE ); $multiport ||= ( $sports =~ tr/,/,/ ) > 0 ;;
}
if ( $multiport && $proto != TCP && $proto != UDP ) {
require_capability( 'EMULTIPORT', 'Protocol ' . ( $pname || $proto ), 's' );
} }
if ( $sports ne '' ) { if ( $sports ne '' ) {
@ -4356,16 +4359,15 @@ sub do_iproto( $$$ )
PROTO: PROTO:
{ {
if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) { if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
my $multiport = 0; my $multiport = ( $proto == UDPLITE );
my $srcndst = 0; my $srcndst = 0;
if ( $ports ne '' ) { if ( $ports ne '' ) {
$invert = $ports =~ s/^!// ? '! ' : ''; $invert = $ports =~ s/^!// ? '! ' : '';
$sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' ); $sports = '', require_capability( 'MULTIPORT', "'=' in the SOURCE PORT(S) column", 's' ) if ( $srcndst = $sports eq '=' );
if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) { if ( $multiport || $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 ); fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' , 1 );
fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
if ( port_count ( $ports ) > 15 ) { if ( port_count ( $ports ) > 15 ) {
if ( $restricted ) { if ( $restricted ) {
@ -4389,7 +4391,7 @@ sub do_iproto( $$$ )
} }
} }
} else { } else {
$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE ); $multiport ||= ( ( $sports =~ tr/,/,/ ) > 0 );
} }
if ( $sports ne '' ) { if ( $sports ne '' ) {

9
Shorewall/Perl/Shorewall/Config.pm
View File

@ -286,6 +286,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
MANGLE_ENABLED => 'Packet Mangling', MANGLE_ENABLED => 'Packet Mangling',
MULTIPORT => 'Multi-port Match' , MULTIPORT => 'Multi-port Match' ,
XMULTIPORT => 'Extended Multi-port Match', XMULTIPORT => 'Extended Multi-port Match',
EMULTIPORT => 'Enhanced Multi-port Match',
CONNTRACK_MATCH => 'Connection Tracking Match', CONNTRACK_MATCH => 'Connection Tracking Match',
OLD_CONNTRACK_MATCH => OLD_CONNTRACK_MATCH =>
'Old conntrack match syntax', 'Old conntrack match syntax',
@ -358,6 +359,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
CHECKSUM_TARGET => 'Checksum Target', CHECKSUM_TARGET => 'Checksum Target',
ARPTABLESJF => 'Arptables JF', ARPTABLESJF => 'Arptables JF',
MASQUERADE_TGT => 'MASQUERADE Target', MASQUERADE_TGT => 'MASQUERADE Target',
AMANDA_HELPER => 'Amanda Helper', AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper', FTP_HELPER => 'FTP Helper',
FTP0_HELPER => 'FTP-0 Helper', FTP0_HELPER => 'FTP-0 Helper',
@ -835,6 +837,7 @@ sub initialize( $;$$) {
MANGLE_ENABLED => undef, MANGLE_ENABLED => undef,
MULTIPORT => undef, MULTIPORT => undef,
XMULTIPORT => undef, XMULTIPORT => undef,
EMULTIPORT => undef,
CONNTRACK_MATCH => undef, CONNTRACK_MATCH => undef,
NEW_CONNTRACK_MATCH => undef, NEW_CONNTRACK_MATCH => undef,
OLD_CONNTRACK_MATCH => undef, OLD_CONNTRACK_MATCH => undef,
@ -3629,6 +3632,10 @@ sub Xmultiport() {
qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" ); qt1( "$iptables -A $sillyname -p tcp -m multiport --dports 21:22 -j ACCEPT" );
} }
sub Emultiport() {
qt1( "$iptables -A $sillyname -p sctp -m multiport --dports 21,22 -j ACCEPT" );
}
sub Policy_Match() { sub Policy_Match() {
qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" ); qt1( "$iptables -A $sillyname -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT" );
} }
@ -4062,6 +4069,7 @@ our %detect_capability =
DSCP_MATCH => \&Dscp_Match, DSCP_MATCH => \&Dscp_Match,
DSCP_TARGET => \&Dscp_Target, DSCP_TARGET => \&Dscp_Target,
ENHANCED_REJECT => \&Enhanced_Reject, ENHANCED_REJECT => \&Enhanced_Reject,
EMULTIPORT => \&Emultiport,
EXMARK => \&Exmark, EXMARK => \&Exmark,
FLOW_FILTER => \&Flow_Filter, FLOW_FILTER => \&Flow_Filter,
FTP_HELPER => \&FTP_Helper, FTP_HELPER => \&FTP_Helper,
@ -4200,6 +4208,7 @@ sub determine_capabilities() {
$capabilities{ MULTIPORT } = detect_capability( 'MULTIPORT' ); $capabilities{ MULTIPORT } = detect_capability( 'MULTIPORT' );
$capabilities{XMULTIPORT} = detect_capability( 'XMULTIPORT' ); $capabilities{XMULTIPORT} = detect_capability( 'XMULTIPORT' );
$capabilities{EMULTIPORT} = detect_capability( 'EMULTIPORT' );
$capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' ); $capabilities{POLICY_MATCH} = detect_capability( 'POLICY_MATCH' );
if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) { if ( $capabilities{PHYSDEV_MATCH} = detect_capability( 'PHYSDEV_MATCH' ) ) {