From a419469814da6a7c28752f8b03d83c2e3b7c1d6e Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 29 Jul 2007 21:30:22 +0000
Subject: [PATCH] Detect the lack of state match
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7001 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-common/changelog.txt | 2 ++
 Shorewall-common/releasenotes.txt | 7 +++++++
 Shorewall-perl/Shorewall/Compiler.pm | 12 ++++++++++++
 3 files changed, 21 insertions(+)
diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt
index 79818b515..82de2ec0d 100644
--- a/Shorewall-common/changelog.txt
+++ b/Shorewall-common/changelog.txt
@@ -23,6 +23,8 @@ Changes in 4.0.1
 11) Allow '/min' in RATE/BURST column.
+12) Check for state match
+
 Changes in 4.0.0 Final
 1) Fix lite install.sh manpage problem.
diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt
index b05abdc71..244b566d1 100644
--- a/Shorewall-common/releasenotes.txt
+++ b/Shorewall-common/releasenotes.txt
@@ -114,6 +114,13 @@ Other changes in Shorewall 4.0.1.
 all all REJECT info
 loc net ACCEPT
+4) Recent kernels are apparently hard to configure and we have been
+ seeing a lot of problem reports where the root cause is the lack of
+ state match support in the kernel. This problem is difficult to
+ diagnose when using Shorewall-perl so the generated shell program
+ now checks specifically for this problem and terminates with an
+ error if the capability doesn't exist.
+
 Migration Considerations:
 1) Beginning with Shorewall 4.0.0, there is no single 'shorewall'
diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm
index 4fee33ad4..c73bb7f8b 100644
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@@ -166,6 +166,18 @@ sub generate_script_1() {
 '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' );
+ emit ( '',
+ '#',
+ '# Recent kernels are difficult to configure -- we see state match omitted a lot so we check for it here',
+ '#',
+ '$IPTABLES -N foox1234',
+ '$IPTABLES -A foox1234 -m state --state ESTABLISHED,RELATED -j ACCEPT',
+ 'result=$?',
+ '$IPTABLES -F foox1234',
+ '$IPTABLES -X foox1234',
+ '[ $result = 0 ] || startup_error "Your kernel/iptables do not include state match support. No version of Shorewall will run on this system"',
+ '' );
+
 pop_indent;
 emit "}\n"; # End of initialize()
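Review bot: `result=$?` captures only the exit status of the `-A` line, so when the preceding `$IPTABLES -N foox1234` fails for an unrelated reason (the iptables binary is not usable, or the script is not running with the privileges needed to modify the filter table) the `-A` fails as well and the operator is told their kernel lacks state match support, which misdiagnoses the real problem. Checking the chain creation on its own keeps the diagnostic accurate, e.g. emit `'$IPTABLES -N foox1234 || startup_error "Unable to create a test chain with $IPTABLES"',` in place of the bare `-N` line. The `-F`/`-X` cleanup runs unconditionally, which is right, but a short comment stating that `foox1234` is a throwaway chain created in the live filter table and removed in the same block would help anyone who later greps the generated script for that name. generate_script_1() starts before this hunk and continues past it.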