Detect and require ipset match capability
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2103 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
4a744de512
commit
911746db04
@ -561,6 +561,8 @@ get_set_flags() # $1 = set name and optional [levels], $2 = src or dst
|
|||||||
{
|
{
|
||||||
local temp setname=$1 options=$2
|
local temp setname=$1 options=$2
|
||||||
|
|
||||||
|
[ -n "$IPSET_MATCH" ] || fatal_error "Your kernel and/or iptables does not include ipset match: $1"
|
||||||
|
|
||||||
case $1 in
|
case $1 in
|
||||||
*\[[1-6]\])
|
*\[[1-6]\])
|
||||||
temp=${1#*\[}
|
temp=${1#*\[}
|
||||||
@ -5899,6 +5901,7 @@ determine_capabilities() {
|
|||||||
IPRANGE_MATCH=
|
IPRANGE_MATCH=
|
||||||
RECENT_MATCH=
|
RECENT_MATCH=
|
||||||
OWNER_MATCH=
|
OWNER_MATCH=
|
||||||
|
IPSET_MATCH=
|
||||||
|
|
||||||
qt $IPTABLES -N fooX1234
|
qt $IPTABLES -N fooX1234
|
||||||
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
|
||||||
@ -5910,6 +5913,16 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m recent --update -j ACCEPT && RECENT_MATCH=Yes
|
||||||
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
qt $IPTABLES -A fooX1234 -m owner --cmd-owner foo -j ACCEPT && OWNER_MATCH=Yes
|
||||||
|
|
||||||
|
qt ipset -X fooX1234 # Just in case something went wrong the last time
|
||||||
|
|
||||||
|
if qt ipset -N fooX1234 iphash ; then
|
||||||
|
if qt $IPTABLES -A fooX1234 -m set --set fooX1234 src -j ACCEPT; then
|
||||||
|
qt $IPTABLES -D fooX1234 -m set --set fooX1234 src -j ACCEPT
|
||||||
|
IPSET_MATCH=Yes
|
||||||
|
fi
|
||||||
|
qt ipset -X fooX1234
|
||||||
|
fi
|
||||||
|
|
||||||
if [ -n "$PKTTYPE" ]; then
|
if [ -n "$PKTTYPE" ]; then
|
||||||
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
qt $IPTABLES -A fooX1234 -m pkttype --pkt-type broadcast -j ACCEPT || PKTTYPE=
|
||||||
fi
|
fi
|
||||||
@ -5940,6 +5953,7 @@ report_capabilities() {
|
|||||||
report_capability "IP range Match" $IPRANGE_MATCH
|
report_capability "IP range Match" $IPRANGE_MATCH
|
||||||
report_capability "Recent Match" $RECENT_MATCH
|
report_capability "Recent Match" $RECENT_MATCH
|
||||||
report_capability "Owner Match" $OWNER_MATCH
|
report_capability "Owner Match" $OWNER_MATCH
|
||||||
|
report_capability "Ipset Match" $IPSET_MATCH
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
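Review bot: In the determine_capabilities hunk, the leading `qt ipset -X fooX1234` destroys any pre-existing set of that name, not only a leftover from an aborted probe, and if such a set is in use the silent `-X` failure makes the following `ipset -N` fail too, so IPSET_MATCH is left empty and ipset support is reported as missing even when it works. A probe-set name that cannot collide with a user's configuration, or checking for an existing set before destroying it, would remove both effects. The `-D` before `-X` is required because ipset refuses to destroy a set still referenced by a rule; a comment such as `# Remove the probe rule first: ipset -X fails while a rule still references the set` would make that ordering clear, and since the `-D` is also run under `qt`, a failed deletion currently leaves a stray set behind with no indication. The bodies of determine_capabilities and get_set_flags continue outside their hunks.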
|