holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Remove the USEPKTTYPE capability

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2018-02-16 11:06:24 -08:00
parent bc65d29650
commit 9a83365986
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
4 changed files with 5 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
Shorewall-core/lib.cli
View File

@ -25,7 +25,7 @@
# loaded after this one and replaces some of the functions declared here. # loaded after this one and replaces some of the functions declared here.
# #
SHOREWALL_CAPVERSION=50112 SHOREWALL_CAPVERSION=50200
if [ -z "$g_basedir" ]; then if [ -z "$g_basedir" ]; then
# #
@ -2793,7 +2793,6 @@ determine_capabilities() {
LENGTH_MATCH= LENGTH_MATCH=
CLASSIFY_TARGET= CLASSIFY_TARGET=
ENHANCED_REJECT= ENHANCED_REJECT=
USEPKTTYPE=
KLUDGEFREE= KLUDGEFREE=
MARK= MARK=
XMARK= XMARK=
@ -3140,7 +3139,6 @@ determine_capabilities() {
fi fi
fi fi
qt $g_tool -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes qt $g_tool -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes qt $g_tool -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes qt $g_tool -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
@ -3254,7 +3252,6 @@ report_capabilities_unsorted() {
report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
[ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
fi fi
report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
@ -3371,8 +3368,6 @@ report_capabilities() {
report_capabilities_unsorted | sort report_capabilities_unsorted | sort
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE=
} }
report_capabilities_unsorted1() { report_capabilities_unsorted1() {
@ -3389,7 +3384,6 @@ report_capabilities_unsorted1() {
report_capability1 CONNTRACK_MATCH report_capability1 CONNTRACK_MATCH
report_capability1 NEW_CONNTRACK_MATCH report_capability1 NEW_CONNTRACK_MATCH
report_capability1 OLD_CONNTRACK_MATCH report_capability1 OLD_CONNTRACK_MATCH
report_capability1 USEPKTTYPE
report_capability1 POLICY_MATCH report_capability1 POLICY_MATCH
report_capability1 PHYSDEV_MATCH report_capability1 PHYSDEV_MATCH
report_capability1 PHYSDEV_BRIDGE report_capability1 PHYSDEV_BRIDGE

13
Shorewall/Perl/Shorewall/Config.pm
View File

@ -414,7 +414,6 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
'Old conntrack match syntax', 'Old conntrack match syntax',
NEW_CONNTRACK_MATCH => NEW_CONNTRACK_MATCH =>
'Extended Connection Tracking Match', 'Extended Connection Tracking Match',
USEPKTTYPE => 'Packet Type Match',
POLICY_MATCH => 'Policy Match', POLICY_MATCH => 'Policy Match',
PHYSDEV_MATCH => 'Physdev Match', PHYSDEV_MATCH => 'Physdev Match',
PHYSDEV_BRIDGE => 'Physdev-is-bridged support', PHYSDEV_BRIDGE => 'Physdev-is-bridged support',
@ -498,6 +497,9 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
RESTORE_WAIT_OPTION RESTORE_WAIT_OPTION
=> 'iptables-restore --wait option', => 'iptables-restore --wait option',
NAT_INPUT_CHAIN => 'INPUT chain in NAT table', NAT_INPUT_CHAIN => 'INPUT chain in NAT table',
#
# Helpers
#
AMANDA_HELPER => 'Amanda Helper', AMANDA_HELPER => 'Amanda Helper',
FTP_HELPER => 'FTP Helper', FTP_HELPER => 'FTP Helper',
FTP0_HELPER => 'FTP-0 Helper', FTP0_HELPER => 'FTP-0 Helper',
@ -835,7 +837,7 @@ sub initialize( $;$$$) {
EXPORT => 0, EXPORT => 0,
KLUDGEFREE => '', KLUDGEFREE => '',
VERSION => '5.2.0-Beta1', VERSION => '5.2.0-Beta1',
CAPVERSION => 50112 , CAPVERSION => 50200 ,
BLACKLIST_LOG_TAG => '', BLACKLIST_LOG_TAG => '',
RELATED_LOG_TAG => '', RELATED_LOG_TAG => '',
MACLIST_LOG_TAG => '', MACLIST_LOG_TAG => '',
@ -1049,7 +1051,6 @@ sub initialize( $;$$$) {
CONNTRACK_MATCH => undef, CONNTRACK_MATCH => undef,
NEW_CONNTRACK_MATCH => undef, NEW_CONNTRACK_MATCH => undef,
OLD_CONNTRACK_MATCH => undef, OLD_CONNTRACK_MATCH => undef,
USEPKTTYPE => undef,
POLICY_MATCH => undef, POLICY_MATCH => undef,
PHYSDEV_MATCH => undef, PHYSDEV_MATCH => undef,
PHYSDEV_BRIDGE => undef, PHYSDEV_BRIDGE => undef,
@ -4751,10 +4752,6 @@ sub IPSET_V5() {
$result; $result;
} }
sub Usepkttype() {
qt1( "$iptables $iptablesw -A $sillyname -m pkttype --pkt-type broadcast -j ACCEPT" );
}
sub Addrtype() { sub Addrtype() {
qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" ); qt1( "$iptables $iptablesw -A $sillyname -m addrtype --src-type BROADCAST -j ACCEPT" );
} }
@ -5110,7 +5107,6 @@ our %detect_capability =
TIME_MATCH => \&Time_Match, TIME_MATCH => \&Time_Match,
TPROXY_TARGET => \&Tproxy_Target, TPROXY_TARGET => \&Tproxy_Target,
UDPLITEREDIRECT => \&Udpliteredirect, UDPLITEREDIRECT => \&Udpliteredirect,
USEPKTTYPE => \&Usepkttype,
XCONNMARK_MATCH => \&Xconnmark_Match, XCONNMARK_MATCH => \&Xconnmark_Match,
XCONNMARK => \&Xconnmark, XCONNMARK => \&Xconnmark,
XMARK => \&Xmark, XMARK => \&Xmark,
@ -5221,7 +5217,6 @@ sub determine_capabilities() {
$capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' ); $capabilities{MANGLE_FORWARD} = detect_capability( 'MANGLE_FORWARD' );
$capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' ); $capabilities{RAW_TABLE} = detect_capability( 'RAW_TABLE' );
$capabilities{IPSET_MATCH} = detect_capability( 'IPSET_MATCH' ); $capabilities{IPSET_MATCH} = detect_capability( 'IPSET_MATCH' );
$capabilities{USEPKTTYPE} = detect_capability( 'USEPKTTYPE' );
$capabilities{ADDRTYPE} = detect_capability( 'ADDRTYPE' ); $capabilities{ADDRTYPE} = detect_capability( 'ADDRTYPE' );
$capabilities{TCPMSS_MATCH} = detect_capability( 'TCPMSS_MATCH' ); $capabilities{TCPMSS_MATCH} = detect_capability( 'TCPMSS_MATCH' );
$capabilities{NFQUEUE_TARGET} = detect_capability( 'NFQUEUE_TARGET' ); $capabilities{NFQUEUE_TARGET} = detect_capability( 'NFQUEUE_TARGET' );

1
docs/CompiledPrograms.xml
View File

@ -762,7 +762,6 @@ MANGLE_ENABLED=Yes
MULTIPORT=Yes MULTIPORT=Yes
XMULTIPORT=Yes XMULTIPORT=Yes
CONNTRACK_MATCH=Yes CONNTRACK_MATCH=Yes
USEPKTTYPE=Yes
POLICY_MATCH=Yes POLICY_MATCH=Yes
PHYSDEV_MATCH=Yes PHYSDEV_MATCH=Yes
PHYSDEV_BRIDGE=Yes PHYSDEV_BRIDGE=Yes

1
docs/Shorewall-Lite.xml
View File

@ -709,7 +709,6 @@ MANGLE_ENABLED=Yes
MULTIPORT=Yes MULTIPORT=Yes
XMULTIPORT=Yes XMULTIPORT=Yes
CONNTRACK_MATCH=Yes CONNTRACK_MATCH=Yes
USEPKTTYPE=Yes
POLICY_MATCH=Yes POLICY_MATCH=Yes
PHYSDEV_MATCH=Yes PHYSDEV_MATCH=Yes
PHYSDEV_BRIDGE=Yes PHYSDEV_BRIDGE=Yes