holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add NFacct Match capability

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-07-28 08:19:05 -07:00
parent 55519bd9ac
commit 87c0f934aa
2 changed files with 26 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Shorewall-core/lib.cli
View File

@ -1996,6 +1996,7 @@ determine_capabilities() {
DSCP_TARGET= DSCP_TARGET=
GEOIP_MATCH= GEOIP_MATCH=
RPFILTER_MATCH= RPFILTER_MATCH=
NFACCT_MATCH=
chain=fooX$$ chain=fooX$$
@ -2130,6 +2131,12 @@ determine_capabilities() {
qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
if qt nfacct add $chain; then
qt $g_tool -t mangle -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
qt $g_tool -t mangle -D $chain -m nfacct --nfacct-name $chain
qt nfacct del $chain
fi
qt $g_tool -t mangle -F $chain qt $g_tool -t mangle -F $chain
qt $g_tool -t mangle -X $chain qt $g_tool -t mangle -X $chain
@ -2322,6 +2329,7 @@ report_capabilities() {
report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
report_capability "Geo IP match" $GEOIP_MATCH report_capability "Geo IP match" $GEOIP_MATCH
report_capability "RPFilter match" $RPFILTER_MATCH report_capability "RPFilter match" $RPFILTER_MATCH
report_capability "NFAcct match" $NFACCT_MATCH
if [ $g_family -eq 4 ]; then if [ $g_family -eq 4 ]; then
report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@ -2414,6 +2422,7 @@ report_capabilities1() {
report_capability1 DSCP_TARGET report_capability1 DSCP_TARGET
report_capability1 GEOIP_MATCH report_capability1 GEOIP_MATCH
report_capability1 RPFILTER_MATCH report_capability1 RPFILTER_MATCH
report_capability1 NFACCT_MATCH
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION

18
Shorewall/Perl/Shorewall/Config.pm
View File

@ -308,7 +308,8 @@ my %capdesc = ( NAT_ENABLED => 'NAT',
DSCP_MATCH => 'DSCP Match', DSCP_MATCH => 'DSCP Match',
DSCP_TARGET => 'DSCP Target', DSCP_TARGET => 'DSCP Target',
GEOIP_MATCH => 'GeoIP Match' , GEOIP_MATCH => 'GeoIP Match' ,
RPFILTER_MATCH => 'RPFilter Match', RPFILTER_MATCH => 'RPFilter Match',
NFACCT_MATCH => 'NFAcct Match',
# #
# Constants # Constants
# #
@ -763,6 +764,7 @@ sub initialize( $;$ ) {
DSCP_TARGET => undef, DSCP_TARGET => undef,
GEOIP_MATCH => undef, GEOIP_MATCH => undef,
RPFILTER_MATCH => undef, RPFILTER_MATCH => undef,
NFACCT_MATCH => undef,
CAPVERSION => undef, CAPVERSION => undef,
LOG_OPTIONS => 1, LOG_OPTIONS => 1,
KERNELVERSION => undef, KERNELVERSION => undef,
@ -3216,6 +3218,18 @@ sub RPFilter_Match() {
have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" ); have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" );
} }
sub NFAcct_Match() {
my $result;
if ( qt1( "nfacct add $sillyname" ) ) {
$result = qt1( "$iptables -A $sillyname -m nfacct --nfacct-name $sillyname" );
qt( "iptables -D $sillyname -m nfacct $sillyname" );
qt( "nfacct del $sillyname" );
}
$result;
}
sub GeoIP_Match() { sub GeoIP_Match() {
qt1( "$iptables -A $sillyname -m geoip --src-cc US" ); qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
} }
@ -3265,6 +3279,7 @@ our %detect_capability =
MULTIPORT => \&Multiport, MULTIPORT => \&Multiport,
NAT_ENABLED => \&Nat_Enabled, NAT_ENABLED => \&Nat_Enabled,
NEW_CONNTRACK_MATCH => \&New_Conntrack_Match, NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
NFACCT_MATCH => \&NFAcct_Match,
NFQUEUE_TARGET => \&Nfqueue_Target, NFQUEUE_TARGET => \&Nfqueue_Target,
OLD_CONNTRACK_MATCH => \&Old_Conntrack_Match, OLD_CONNTRACK_MATCH => \&Old_Conntrack_Match,
OLD_HL_MATCH => \&Old_Hashlimit_Match, OLD_HL_MATCH => \&Old_Hashlimit_Match,
@ -3420,6 +3435,7 @@ sub determine_capabilities() {
$capabilities{DSCP_TARGET} = detect_capability( 'DSCP_TARGET' ); $capabilities{DSCP_TARGET} = detect_capability( 'DSCP_TARGET' );
$capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' ); $capabilities{GEOIP_MATCH} = detect_capability( 'GEOIP_MATCH' );
$capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' ); $capabilities{RPFILTER_MATCH} = detect_capability( 'RPFILTER_MATCH' );
$capabilities{NFACCT_MATCH} = detect_capability( 'NFACCT_MATCH' );
qt1( "$iptables -F $sillyname" ); qt1( "$iptables -F $sillyname" );
qt1( "$iptables -X $sillyname" ); qt1( "$iptables -X $sillyname" );