From a794027f6356ca4d969c7a7b12532cb5e675aa95 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 4 Dec 2011 14:35:53 -0800 Subject: [PATCH] Implement CT capability Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Config.pm | 18 ++- Shorewall/lib.base | 2 +- Shorewall/lib.cli | 216 ++++++++++++----------------- 3 files changed, 104 insertions(+), 132 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 5fea8ef45..4909418e0 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -287,6 +287,7 @@ my %capdesc = ( NAT_ENABLED => 'NAT', CONDITION_MATCH => 'Condition Match', IPTABLES_S => 'iptables -S', BASIC_FILTER => 'Basic Filter', + CT_TARGET => 'CT Target', CAPVERSION => 'Capability Version', KERNELVERSION => 'Kernel Version', ); @@ -451,7 +452,7 @@ sub initialize( $ ) { STATEMATCH => '-m state --state', UNTRACKED => 0, VERSION => "4.4.22.1", - CAPVERSION => 40425 , + CAPVERSION => 40427 , ); # # From shorewall.conf file @@ -672,6 +673,7 @@ sub initialize( $ ) { CONDITION_MATCH => undef, IPTABLES_S => undef, BASIC_FILTER => undef, + CT_TARGET => undef, CAPVERSION => undef, KERNELVERSION => undef, ); @@ -2738,6 +2740,19 @@ sub Iptables_S() { qt1( "$iptables -S INPUT" ) } +sub Ct_Target() { + my $ct_target; + + if ( have_capability 'RAW_TABLE' ) { + qt1( "$iptables -t raw -N $sillyname" ); + $ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" ); + qt1( "$iptables -t raw -F $sillyname" ); + qt1( "$iptables -t raw -X $sillyname" ); + } + + $ct_target; +} + our %detect_capability = ( ACCOUNT_TARGET =>\&Account_Target, AUDIT_TARGET => \&Audit_Target, @@ -2750,6 +2765,7 @@ our %detect_capability = CONNMARK => \&Connmark, CONNMARK_MATCH => \&Connmark_Match, CONNTRACK_MATCH => \&Conntrack_Match, + CT_MATCH => \&Ct_Target, ENHANCED_REJECT => \&Enhanced_Reject, EXMARK => \&Exmark, FLOW_FILTER => \&Flow_Filter, 
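Review bot: Ct_Target carries no comment explaining why it is gated on RAW_TABLE and why it builds a throw-away chain, unlike the one-line probes next to it such as Iptables_S; a header like `# Probe for the CT target by adding a -j CT --notrack rule to a scratch chain in the raw table; undef when there is no raw table to probe in.` would make the intent clear. The sub's value is whatever qt1 returns for the -A call, so it is true only when that rule is accepted, and the scratch chain is flushed and deleted on both outcomes of the probe. Nothing else in the hunk needs changing.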
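Review bot: The new %detect_capability entry is keyed `CT_MATCH` while every other part of this patch (%capdesc, the initial %capabilities entry, lib.cli and the report functions) names the capability `CT_TARGET`, so a lookup of the detector under the name the rest of the code uses will not find Ct_Target. The entry should read `CT_TARGET => \&Ct_Target,` to follow the neighbouring `ACCOUNT_TARGET => \&Account_Target` pattern, where the key is the capability name. This assumes %detect_capability is consulted by capability name, as its other keys suggest; the code that reads it is outside this hunk.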
diff --git a/Shorewall/lib.base b/Shorewall/lib.base index cc422889a..9b073abf3 100644 --- a/Shorewall/lib.base +++ b/Shorewall/lib.base @@ -28,7 +28,7 @@ # SHOREWALL_LIBVERSION=40407 -SHOREWALL_CAPVERSION=40426 +SHOREWALL_CAPVERSION=40427 [ -n "${g_program:=shorewall}" ] [ -n "${VARDIR:=/var/lib/$g_program}" ] diff --git a/Shorewall/lib.cli b/Shorewall/lib.cli index 60a587466..2d3cd6230 100644 --- a/Shorewall/lib.cli +++ b/Shorewall/lib.cli @@ -1762,74 +1762,9 @@ determine_4_capabilities() { exit 1 fi - [ "$IP" = ip -o -z "$IP" ] && IP=$(which ip) - - [ -n "$IP" -a -x "$IP" ] || IP= - - [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc) - - [ -n "$TC" -a -x "$TC" ] || TC= - qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= - CONNTRACK_MATCH= - NEW_CONNTRACK_MATCH= - OLD_CONNTRACK_MATCH= - MULTIPORT= - XMULTIPORT= - POLICY_MATCH= - PHYSDEV_MATCH= - PHYSDEV_BRIDGE= - IPRANGE_MATCH= - RECENT_MATCH= - OWNER_MATCH= - IPSET_MATCH= - OLD_IPSET_MATCH= - IPSET_V5= - CONNMARK= - XCONNMARK= - CONNMARK_MATCH= - XCONNMARK_MATCH= - RAW_TABLE= - RAWPOST_TABLE= - IPP2P_MATCH= - OLD_IPP2P_MATCH= - LENGTH_MATCH= - CLASSIFY_TARGET= - ENHANCED_REJECT= - USEPKTTYPE= - KLUDGEFREE= - MARK= - XMARK= - EXMARK= - TPROXY_TARGET= - MANGLE_FORWARD= - COMMENTS= - ADDRTYPE= - TCPMSS_MATCH= - HASHLIMIT_MATCH= - NFQUEUE_TARGET= - REALM_MATCH= - HELPER_MATCH= - CONNLIMIT_MATCH= - TIME_MATCH= - GOTO_TARGET= - LOGMARK_TARGET= - IPMARK_TARGET= - LOG_TARGET=Yes - ULOG_TARGET= - NFLOG_TARGET= - PERSISTENT_SNAT= - FLOW_FILTER= - FWMARK_RT_MASK= - MARK_ANYWHERE= - HEADER_MATCH= - ACCOUNT_TARGET= - AUDIT_TARGET= - CONDITION_MATCH= - IPTABLES_S= - BASIC_FILTER= chain=fooX$$ 
@@ -1936,6 +1871,14 @@ determine_4_capabilities() { qt $IPTABLES -t raw -L -n && RAW_TABLE=Yes qt $IPTABLES -t rawpost -L -n && RAWPOST_TABLE=Yes + if [ -n "$RAW_TABLE" ]; then + qt $IPTABLES -t raw -N $chain + qt $IPTABLES -t raw -A $chain -j CT --notrack && CT_TARGET=Yes + qt $IPTABLES -t raw -N $chain + qt $IPTABLES -t raw -F $chain + qt $IPTABLES -t raw -X $chain + fi + if qt mywhich ipset; then qt ipset -X $chain # Just in case something went wrong the last time @@ -2008,63 +1951,6 @@ determine_4_capabilities() { } determine_6_capabilities() { - CONNTRACK_MATCH= - NEW_CONNTRACK_MATCH= - OLD_CONNTRACK_MATCH= - MULTIPORT= - XMULTIPORT= - POLICY_MATCH= - PHYSDEV_MATCH= - PHYSDEV_BRIDGE= - IPRANGE_MATCH= - RECENT_MATCH= - OWNER_MATCH= - IPSET_MATCH= - OLD_IPSET_MATCH= - IPSET_V5= - CONNMARK= - XCONNMARK= - CONNMARK_MATCH= - XCONNMARK_MATCH= - RAW_TABLE= - RAWPOST_TABLE= - IPP2P_MATCH= - OLD_IPP2P_MATCH= - LENGTH_MATCH= - CLASSIFY_TARGET= - ENHANCED_REJECT= - USEPKTTYPE= - KLUDGEFREE= - MARK= - XMARK= - EXMARK= - TPROXY_TARGET= - MANGLE_FORWARD= - COMMENTS= - ADDRTYPE= - TCPMSS_MATCH= - HASHLIMIT_MATCH= - NFQUEUE_TARGET= - REALM_MATCH= - HELPER_MATCH= - CONNLIMIT_MATCH= - TIME_MATCH= - GOTO_TARGET= - IPMARK_TARGET= - LOG_TARGET=Yes - ULOG_TARGET= - NFLOG_TARGET= - LOGMARK_TARGET= - FLOW_FILTER= - FWMARK_RT_MASK= - MARK_ANYWHERE= - HEADER_MATCH= - ACCOUNT_TARGET= - AUDIT_TARGET= - IPSET_V5= - CONDITION_MATCH= - IPTABLES_S= - BASIC_FILTER= chain=fooX$$ @@ -2075,14 +1961,6 @@ determine_6_capabilities() { exit 1 fi - [ -n "$IP" ] || IP=$(which ip) - - [ -n "$IP" -a -x "$IP" ] || IP= - - [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc) - - [ -n "$TC" -a -x "$TC" ] || TC= - qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= qt $IP6TABLES -F $chain 
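Review bot: The added block creates the scratch chain twice: the second `qt $IPTABLES -t raw -N $chain` after the `-j CT --notrack` probe looks like a leftover from copying the line, since the chain already exists at that point and the repeated -N can only fail, with qt hiding the error. Dropping that line leaves the intended create / probe / flush / delete sequence, which is also what Ct_Target in Config.pm does. The same duplicated line appears in the IPv6 block added to determine_6_capabilities further down (the `qt $IP6TABLES -t raw -N $chain` repeated after its probe). determine_4_capabilities continues outside this hunk.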
@@ -2180,6 +2058,14 @@ determine_6_capabilities() { qt $IP6TABLES -t raw -L -n && RAW_TABLE=Yes qt $IP6TABLES -t rawpost -L -n && RAWPOST_TABLE=Yes + if [ -n "$RAW_TABLE" ]; then + qt $IP6TABLES -t raw -N $chain + qt $IP6TABLES -t raw -A $chain -j CT --notrack && CT_TARGET=Yes + qt $IP6TABLES -t raw -N $chain + qt $IP6TABLES -t raw -F $chain + qt $IP6TABLES -t raw -X $chain + fi + if qt mywhich ipset; then qt ipset -X $chain # Just in case something went wrong the last time @@ -2247,6 +2133,74 @@ determine_6_capabilities() { } determine_capabilities() { + + [ "$IP" = ip -o -z "$IP" ] && IP=$(which ip) + + [ -n "$IP" -a -x "$IP" ] || IP= + + [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc) + + [ -n "$TC" -a -x "$TC" ] || TC= + + CONNTRACK_MATCH= + NEW_CONNTRACK_MATCH= + OLD_CONNTRACK_MATCH= + MULTIPORT= + XMULTIPORT= + POLICY_MATCH= + PHYSDEV_MATCH= + PHYSDEV_BRIDGE= + IPRANGE_MATCH= + RECENT_MATCH= + OWNER_MATCH= + IPSET_MATCH= + OLD_IPSET_MATCH= + IPSET_V5= + CONNMARK= + XCONNMARK= + CONNMARK_MATCH= + XCONNMARK_MATCH= + RAW_TABLE= + RAWPOST_TABLE= + IPP2P_MATCH= + OLD_IPP2P_MATCH= + LENGTH_MATCH= + CLASSIFY_TARGET= + ENHANCED_REJECT= + USEPKTTYPE= + KLUDGEFREE= + MARK= + XMARK= + EXMARK= + TPROXY_TARGET= + MANGLE_FORWARD= + COMMENTS= + ADDRTYPE= + TCPMSS_MATCH= + HASHLIMIT_MATCH= + NFQUEUE_TARGET= + REALM_MATCH= + HELPER_MATCH= + CONNLIMIT_MATCH= + TIME_MATCH= + GOTO_TARGET= + LOGMARK_TARGET= + IPMARK_TARGET= + LOG_TARGET=Yes + ULOG_TARGET= + NFLOG_TARGET= + PERSISTENT_SNAT= + FLOW_FILTER= + FWMARK_RT_MASK= + MARK_ANYWHERE= + HEADER_MATCH= + ACCOUNT_TARGET= + AUDIT_TARGET= + CONDITION_MATCH= + IPTABLES_S= + BASIC_FILTER= + CT_TARGET= + if [ $g_family -eq 4 ]; then determine_4_capabilities else @@ -2337,6 +2291,7 @@ report_capabilities() { fi report_capability "Basic Filter" $BASIC_FILTER + report_capability "CT Target" $CT_TARGET fi [ -n "$PKTTYPE" ] || USEPKTTYPE= 
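Review bot: The block moved into determine_capabilities has no comment saying that it is now the single place where the helper binaries are located and every capability flag is reset before the family-specific probes run; a line such as `# Locate ip/tc and clear all capability flags once, for both families, before probing.` above the first `[ "$IP" ...` test would document that. Note that determine_6_capabilities previously resolved IP with `[ -n "$IP" ] || IP=$(which ip)` and now inherits the IPv4 form, which also re-resolves a literal `ip`; presumably intended, but worth confirming. If anything calls determine_4_capabilities or determine_6_capabilities directly rather than through determine_capabilities, it would no longer get the flags reset, which cannot be checked from this hunk. The rest of determine_capabilities lies outside the hunk.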
@@ -2412,6 +2367,7 @@ report_capabilities1() { report_capability1 CONDITION_MATCH report_capability1 IPTABLES_S report_capability1 BASIC_FILTER + report_capability1 CT_TARGET echo CAPVERSION=$SHOREWALL_CAPVERSION echo KERNELVERSION=$KERNELVERSION