diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index 1bcfd679d..35fe1a008 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #
 
-SHOREWALL_CAPVERSION=50100
+SHOREWALL_CAPVERSION=50105
 
 if [ -z "$g_basedir" ]; then
 #
@@ -2803,6 +2803,7 @@ determine_capabilities() {
 WAIT_OPTION=
 CPU_FANOUT=
 NETMAP_TARGET=
+ NFLOG_SIZE=
 
 AMANDA_HELPER=
 FTP_HELPER=
@@ -3136,10 +3137,13 @@ determine_capabilities() {
 qt $g_tool -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
 qt $g_tool -A $chain -j LOG || LOG_TARGET=
 qt $g_tool -A $chain -j ULOG && ULOG_TARGET=Yes
- qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
 qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
 qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
 qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
+ if qt $g_tool -A $chain -j NFLOG; then
+ NFLOG_TARGET=Yes
+ qt $g_tool -A $chain -j NFLOG --nflog-size 64 && NFLOG_SIZE=Yes
+ fi
 
 if [ $g_family -eq 4 ]; then
 qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -3305,6 +3309,7 @@ report_capabilities_unsorted() {
 report_capability "CT Target (CT_TARGET)" $CT_TARGET
 report_capability "NFQUEUE CPU Fanout (CPU_FANOUT)" $CPU_FANOUT
 report_capability "NETMAP Target (NETMAP_TARGET)" $NETMAP_TARGET
+ report_capability "--nflog-size support (NFLOG_SIZE)" $NFLOG_SIZE
 
 echo " Kernel Version (KERNELVERSION): $KERNELVERSION"
 echo " Capabilities Version (CAPVERSION): $CAPVERSION"
@@ -3411,6 +3416,7 @@ report_capabilities_unsorted1() {
 report_capability1 WAIT_OPTION
 report_capability1 CPU_FANOUT
 report_capability1 NETMAP_TARGET
+ report_capability1 NFLOG_SIZE
 
 report_capability1 AMANDA_HELPER
 report_capability1 FTP_HELPER
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 4d9eff177..3cbb70577 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
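Review bot: The new `if qt $g_tool -A $chain -j NFLOG; then` block is the only nested probe in this run of flat `qt ... && X=Yes` lines, and nothing says why, so the next maintainer may flatten it back; a one-line comment would record the intent, e.g. `# Probe --nflog-size only when NFLOG itself loads, so a missing target is not reported as a missing option`. Relocating the NFLOG probe below the geoip probe is not required by the change; placing the block where the removed line was would keep the hunk smaller. The `64` is a probe-only value and mirrors the `NFLog_Size` probe in Config.pm, so the two should be kept in step. determine_capabilities continues outside the hunk.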
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -413,6 +413,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
 WAIT_OPTION => 'iptables --wait option',
 CPU_FANOUT => 'NFQUEUE CPU Fanout',
 NETMAP_TARGET => 'NETMAP Target',
+ NFLOG_SIZE => '--nflog-size support',
 
 AMANDA_HELPER => 'Amanda Helper',
 FTP_HELPER => 'FTP Helper',
@@ -751,7 +752,7 @@ sub initialize( $;$$) {
 EXPORT => 0,
 KLUDGEFREE => '',
 VERSION => "5.1.5-RC1",
- CAPVERSION => 50100 ,
+ CAPVERSION => 50105 ,
 BLACKLIST_LOG_TAG => '',
 RELATED_LOG_TAG => '',
 MACLIST_LOG_TAG => '',
@@ -1043,6 +1044,7 @@ sub initialize( $;$$) {
 WAIT_OPTION => undef,
 CPU_FANOUT => undef,
 NETMAP_TARGET => undef,
+ NFLOG_SIZE => undef,
 
 AMANDA_HELPER => undef,
 FTP_HELPER => undef,
@@ -4818,6 +4820,10 @@ sub NFLog_Target() {
 qt1( "$iptables $iptablesw -A $sillyname -j NFLOG" );
 }
 
+sub NFLog_Size() {
+ have_capability( 'NFLOG_TARGET' ) && qt1( "$iptables $iptablesw -A $sillyname -j NFLOG --nflog-size 64" );
+}
+
 sub Logmark_Target() {
 qt1( "$iptables $iptablesw -A $sillyname -j LOGMARK" );
 }
@@ -4993,6 +4999,7 @@ our %detect_capability =
 LOG_TARGET => \&Log_Target,
 ULOG_TARGET => \&Ulog_Target,
 NFLOG_TARGET => \&NFLog_Target,
+ NFLOG_SIZE => \&NFLog_Size,
 MANGLE_ENABLED => \&Mangle_Enabled,
 MANGLE_FORWARD => \&Mangle_Forward,
 MARK => \&Mark,
@@ -5186,6 +5193,7 @@ sub determine_capabilities() {
 $capabilities{TCPMSS_TARGET} = detect_capability( 'TCPMSS_TARGET' );
 $capabilities{CPU_FANOUT} = detect_capability( 'CPU_FANOUT' );
 $capabilities{NETMAP_TARGET} = detect_capability( 'NETMAP_TARGET' );
+ $capabilities{NFLOG_SIZE} = detect_capability( 'NFLOG_SIZE' );
 
 unless ( have_capability 'CT_TARGET' ) {
 $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
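Review bot: `NFLog_Size` returns the false value of `have_capability( 'NFLOG_TARGET' )` rather than a `qt1` result when the target is absent, so the new `$capabilities{NFLOG_SIZE}` line in the later `determine_capabilities` hunk is only correct if NFLOG_TARGET has already been settled at that point or `have_capability` probes on demand; neither is visible in this diff, so the ordering should be confirmed. A short comment above the sub would record the dependency: `# --nflog-size is meaningless without the NFLOG target; yields that capability's false value when it is absent`. The `--nflog-size 64` probe string duplicates the shell probe in lib.cli, so a change to one must be mirrored in the other. The `%detect_capability` table and the body of `determine_capabilities` extend beyond their hunks.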
@@ -6039,6 +6047,12 @@ sub get_configuration( $$$$ ) {
 $have_capabilities = 1;
 }
 
+ if ( have_capability( 'NFLOG_SIZE' ) ) {
+ @suffixes = qw(group size threshold nlgroup cprange qthreshold);
+ } else {
+ @suffixes = qw(group range threshold nlgroup cprange qthreshold);
+ }
+
 get_params( $export );
 
 process_shorewall_conf( $update, $annotate );
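Review bot: The two `@suffixes` lists differ only in their second element, so the branch duplicates five names that now have to be edited in two places; selecting the one option first reads better: `my $size_option = have_capability( 'NFLOG_SIZE' ) ? 'size' : 'range';` followed by `@suffixes = ( 'group', $size_option, qw(threshold nlgroup cprange qthreshold) );`. A comment stating that `size` supersedes `range` on iptables builds that accept `--nflog-size` would also help, because the name chosen here decides which NFLOG option the rest of the compiler emits — presumably the one governing how much of each logged packet reaches the userspace logger, which is worth confirming and recording alongside the check. `@suffixes` is declared outside the hunk and get_configuration starts before it.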