From 8fe0a32fd3309a223e77ccd9ad4f4fbaac1f86ea Mon Sep 17 00:00:00 2001 From: teastep Date: Tue, 4 Oct 2005 18:20:28 +0000 Subject: [PATCH] Add IPP2P UDP support -- Take 2 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2794 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/firewall | 184 ++++++++++++++++++++++++++++----------------- 1 file changed, 115 insertions(+), 69 deletions(-) diff --git a/Shorewall/firewall b/Shorewall/firewall index d399c12a9..fd6e30945 100755 --- a/Shorewall/firewall +++ b/Shorewall/firewall @@ -3143,6 +3143,30 @@ process_tc_rule() mark="${mark%:*}" } + do_ipp2p() + { + case $proto in + ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + [ "x$port" = "x-" ] && port="ipp2p" + r="${r}-p tcp -m ipp2p --${port} " + ;; + ipp2p-udp|IPP2P-UDP) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + [ "x$port" = "x-" ] && port="ipp2p" + r="${r}-p udp -m ipp2p --${port} " + ;; + ipp2p-both|IPP2P-both) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + [ "x$port" = "x-" ] && port="ipp2p" + r="${r}-m ipp2p --${port} " + ;; + *) + fatal_error "Unknown Protocol $proto. Rule: \"$rule\"" + ;; + esac + } + add_a_tc_rule() { r= 
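Review bot: Defining `do_ipp2p` here, and again with different bodies in the process_accounting_rule, add_an_action and process_rule hunks, is fragile because shell functions share one global namespace and the most recently executed definition wins. Each `ipp2p*|IPP2P*)` arm therefore gets the right variant only if its enclosing function has re-run its own definition first; that looks true if these definitions are nested, but the enclosing bodies start outside the hunks. Distinct names (for example `do_ipp2p_tc`, `do_ipp2p_acct`) or one shared top-level helper would remove that ordering dependency. This variant also spells the protocol-independent form `ipp2p-both|IPP2P-both` while the other three use `ipp2p-all`, so `ipp2p-all` reaches `fatal_error "Unknown Protocol $proto..."` here; a comment above the function such as `# Accepts ipp2p, ipp2p-tcp, ipp2p-udp, ipp2p-both; $port names the ipp2p option` would make that visible.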
@@ -3213,20 +3237,8 @@ process_tc_rule() multiport= case $proto in - ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - [ "x$port" = "x-" ] && port="ipp2p" - r="${r}-p tcp -m ipp2p --${port} " - ;; - ipp2p-udp|IPP2P-UDP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - [ "x$port" = "x-" ] && port="ipp2p" - r="${r}-p udp -m ipp2p --${port} " - ;; - ipp2p-both|IPP2P-both) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - [ "x$port" = "x-" ] && port="ipp2p" - r="${r}-m ipp2p --${port} " + ipp2p*|IPP2P*) + do_ipp2p ;; icmp|ICMP|1) r="${r}-p icmp " @@ -3538,6 +3550,28 @@ process_accounting_rule() { rule="$rule -j $jumpchain" } + do_ipp2p() { + case $proto in + ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" + rule="$rule -p tcp -m ipp2p --${port:-ipp2p}" + port= + ;; + ipp2p-udp|IPP2P-udp) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" + rule="$rule -p udp -m ipp2p --${port:-ipp2p}" + port= + ;; + ipp2p-all|IPP2P-all) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" + rule="$rule -m ipp2p --${port:-ipp2p}" + port= + ;; + *) + fatal_error "Unknown Protocol $proto" + ;; + esac + } case $source in *:*) 
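Review bot: The UDP and all-protocol arms of the `do_ipp2p` added to process_accounting_rule accept only `IPP2P-udp` and `IPP2P-all` as upper-case spellings, while the TCP arm of the same function accepts `IPP2P-TCP` and the process_rule variant accepts `IPP2P-UDP` and `IPP2P-ALL`. Because the dispatch arm added later in this patch sends everything matching `ipp2p*|IPP2P*` to this function, an accounting entry written `IPP2P-UDP` ends in `fatal_error "Unknown Protocol $proto"`. The patterns should be `ipp2p-udp|IPP2P-udp|IPP2P-UDP)` and `ipp2p-all|IPP2P-all|IPP2P-ALL)` so that one spelling is accepted in every file.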
@@ -3576,21 +3610,9 @@ process_accounting_rule() { [ -n "$proto" ] && case $proto in -|any|all) ;; - ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" - rule="$rule -p tcp -m ipp2p --${port:-ipp2p}" - port= - ;; - ipp2p-udp|IPP2P-udp) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" - rule="$rule -p udp -m ipp2p --${port:-ipp2p}" - port= - ;; - ipp2p-all|IPP2P-all) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support" - rule="$rule -m ipp2p --${port:-ipp2p}" - port= - ;; + ipp2p*|IPP2P*) + do_ipp2p + ;; *) rule="$rule -p $proto" ;; @@ -3937,6 +3959,36 @@ add_an_action() user= } + do_ipp2p() { + case $proto in + ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + dports="-m ipp2p --${port:-ipp2p}" + port= + proto=tcp + do_ports + ;; + ipp2p-udpIPP2P-udp) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + dports="-m ipp2p --${port:-ipp2p}" + port= + proto=udp + do_ports + ;; + ipp2p-all|IPP2P-all) + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + dports="-m ipp2p --${port:-ipp2p}" + port= + proto=all + ;; + *) + fatal_error "Unknown protocol $proto. Rule: \"$rule\"" + ;; + esac + } + # Set source variables. The 'cli' variable will hold the client match predicate(s). cli= 
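Review bot: The pattern `ipp2p-udpIPP2P-udp)` in the `do_ipp2p` added to add_an_action is missing its `|` separator, so it matches only that literal string. Both `ipp2p-udp` and `IPP2P-udp` fall through to `fatal_error "Unknown protocol $proto. Rule: ..."`, which means UDP IPP2P rules cannot be used in actions. It should read `ipp2p-udp|IPP2P-udp|IPP2P-UDP)`, in line with the process_rule variant. The typo is carried over unchanged from the lines removed in the next hunk. Separately, the `ipp2p-all` arm rejects any non-empty `$port` first, so `${port:-ipp2p}` there always expands to `ipp2p`.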
@@ -4008,25 +4060,8 @@ add_an_action() icmp|ICMP|1) [ -n "$port" ] && dports="--icmp-type $port" ;; - ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - dports="-m ipp2p --${port:-ipp2p}" - port= - proto=tcp - do_ports - ipp2p-udpIPP2P-udp) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - dports="-m ipp2p --${port:-ipp2p}" - port= - proto=udp - do_ports - ipp2p-all|IPP2P-all) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - dports="-m ipp2p --${port:-ipp2p}" - port= - proto=all + ipp2p*|IPP2P*) + do_ipp2p ;; *) [ -n "$port" ] && \ @@ -5266,6 +5301,36 @@ process_rule() # $1 = target state= } + do_ipp2p() { + case $proto in + ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + dports="-m ipp2p --${port:-ipp2p}" + port= + proto=tcp + do_ports + ;; + ipp2p-udp|IPP2P-UDP) + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + dports="-m ipp2p --${port:-ipp2p}" + port= + proto=udp + do_ports + ;; + ipp2p-all|IPP2P-ALL) + [ -n "$port" ] && \ + fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" + [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" + dports="-m ipp2p --${port:-ipp2p}" + port= + proto=all + ;; + *) + fatal_error "Unknown protocol $proto. Rule: \"$rule\"" + ;; + esac + } + # Set source variables. The 'cli' variable will hold the client match predicate(s). cli= 
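Review bot: `dports="-m ipp2p --${port:-ipp2p}"` in the process_rule `do_ipp2p` turns the rule's port column into an iptables option name without checking it. A mistyped or malformed value then surfaces only as an iptables failure while the ruleset is being loaded, rather than as a configuration error naming the rule. A guard before the assignment would fail early, for example `case $port in *[!a-z0-9-]*) fatal_error "Invalid IPP2P option \"$port\". Rule: \"$rule\"" ;; esac`. The same unchecked expansion appears in the add_an_action and process_accounting_rule variants, and as `--${port}` in the process_tc_rule one. How `$port` is parsed lies outside these hunks, so the allowed character set should be confirmed against the option names of the installed ipp2p match.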
@@ -5347,27 +5412,8 @@ process_rule() # $1 = target fatal_error "Port number not allowed with protocol \"all\"; rule: \"$rule\"" proto= ;; - ipp2p|IPP2P|ipp2p-tcp|IPP2P-TCP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - dports="-m ipp2p --${port:-ipp2p}" - port= - proto=tcp - do_ports - ;; - ipp2p-udp|IPP2P-UDP) - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - dports="-m ipp2p --${port:-ipp2p}" - port= - proto=udp - do_ports - ;; - ipp2p-all|IPP2P-ALL) - [ -n "$port" ] && \ - fatal_error "Port number not allowed with protocol \"$proto\"; rule: \"$rule\"" - [ -n "$IPP2P_MATCH" ] || fatal_error "Your kernel and/or iptables does not have IPP2P match support. Rule: \"$rule\"" - dports="-m ipp2p --${port:-ipp2p}" - port= - proto=all + ipp2p*|IPP2P*) + do_ipp2p ;; *) [ -n "$port" ] && \