Add NFacct Match capability

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2012-07-28 08:19:05 -07:00 · 2012-07-28 08:19:05 -07:00 · 87c0f934aa
commit 87c0f934aa
parent 55519bd9ac
2 changed files with 26 additions and 1 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@ -1996,6 +1996,7 @@ determine_capabilities() {
    DSCP_TARGET=
    GEOIP_MATCH=
    RPFILTER_MATCH=
+    NFACCT_MATCH=

    chain=fooX$$

@ -2130,6 +2131,12 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes

+	if qt nfacct add $chain; then
+	    qt $g_tool -t mangle -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
+	    qt $g_tool -t mangle -D $chain -m nfacct --nfacct-name $chain
+	    qt nfacct del $chain
+	fi
+
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain

@ -2322,6 +2329,7 @@ report_capabilities() {
 	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
 	report_capability "Geo IP match" $GEOIP_MATCH
 	report_capability "RPFilter match" $RPFILTER_MATCH
+	report_capability "NFAcct match" $NFACCT_MATCH

 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@ -2414,6 +2422,7 @@ report_capabilities1() {
    report_capability1 DSCP_TARGET
    report_capability1 GEOIP_MATCH
    report_capability1 RPFILTER_MATCH
+    report_capability1 NFACCT_MATCH

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -308,7 +308,8 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 DSCP_MATCH      => 'DSCP Match',
 		 DSCP_TARGET     => 'DSCP Target',
 		 GEOIP_MATCH     => 'GeoIP Match' ,
-		 RPFILTER_MATCH  => 'RPFilter Match', 
+		 RPFILTER_MATCH  => 'RPFilter Match',
+		 NFACCT_MATCH    => 'NFAcct Match',
 		 #
 		 # Constants
 		 #
@ -763,6 +764,7 @@ sub initialize( $;$ ) {
 	       DSCP_TARGET => undef,
 	       GEOIP_MATCH => undef,
 	       RPFILTER_MATCH => undef,
+	       NFACCT_MATCH => undef,
 	       CAPVERSION => undef,
 	       LOG_OPTIONS => 1,
 	       KERNELVERSION => undef,
@ -3216,6 +3218,18 @@ sub RPFilter_Match() {
    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" );
 }

+sub NFAcct_Match() {
+    my $result;
+
+    if ( qt1( "nfacct add $sillyname" ) ) {
+	$result = qt1( "$iptables -A $sillyname -m nfacct --nfacct-name $sillyname" );
+	qt( "iptables -D $sillyname -m nfacct $sillyname" );
+	qt( "nfacct del $sillyname" );
+    }
+
+    $result;
+}
+
 sub GeoIP_Match() {
    qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
 }
@ -3265,6 +3279,7 @@ our %detect_capability =
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
+      NFACCT_MATCH => \&NFAcct_Match,
      NFQUEUE_TARGET => \&Nfqueue_Target,
      OLD_CONNTRACK_MATCH => \&Old_Conntrack_Match,
      OLD_HL_MATCH => \&Old_Hashlimit_Match,
@ -3420,6 +3435,7 @@ sub determine_capabilities() {
 	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
 	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
+	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );

 	qt1( "$iptables -F $sillyname" );
 	qt1( "$iptables -X $sillyname" );