Accurately detect 'flow' availability

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2010-02-10 14:50:26 -08:00 · 2010-02-10 14:50:26 -08:00 · b8c195f570
commit b8c195f570
parent b1c64913b4
4 changed files with 38 additions and 8 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -245,6 +245,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 PERSISTENT_SNAT => 'Persistent SNAT',
 		 OLD_HL_MATCH    => 'Old Hash Limit Match',
 		 TPROXY_TARGET   => 'TPROXY Target',
+		 FLOW_FILTER     => 'Flow Classifier',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@ -283,6 +284,7 @@ our $Product;                 # $product with initial cap.
 our $sillyname;               # Name of temporary filter chains for testing capabilities
 our $sillyname1;
 our $iptables;                # Path to iptables/ip6tables
+our $tc;                      # Path to tc

 use constant { MIN_VERBOSITY => -1,
 	       MAX_VERBOSITY => 2 ,
@ -336,7 +338,7 @@ sub initialize( $ ) {
 		    EXPORT => 0,
 		    UNTRACKED => 0,
 		    VERSION => "4.4.7",
-		    CAPVERSION => 40407 ,
+		    CAPVERSION => 40408 ,
 		  );

    #
@ -2297,6 +2299,10 @@ sub Logmark_Target() {
    qt1( "$iptables -A $sillyname -j LOGMARK" );
 }

+sub Flow_Filter() {
+    $tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
+}
+
 our %detect_capability =
    ( ADDRTYPE => \&Addrtype,
      CLASSIFY_TARGET => \&Classify_Target,
@ -2307,6 +2313,7 @@ our %detect_capability =
      CONNTRACK_MATCH => \&Conntrack_Match,
      ENHANCED_REJECT => \&Enhanced_Reject,
      EXMARK => \&Exmark,
+      FLOW_FILTER => \&Flow_Filter,
      GOTO_TARGET => \&Goto_Target,
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HELPER_MATCH => \&Helper_Match,
@ -2369,9 +2376,8 @@ sub have_capability( $ ) {
 #
 # Determine which optional facilities are supported by iptables/netfilter
 #
-sub determine_capabilities( $ ) {
+sub determine_capabilities() {

-    $iptables   = $_[0];
    my $pid     = $$;

    $capabilities{CAPVERSION} = $globals{CAPVERSION};
@ -2603,7 +2609,7 @@ sub get_capabilities( $ ) {
    my $export = $_[0];

    if ( ! $export && $> == 0 ) { # $> == $EUID
-	my $iptables = $config{$toolNAME};
+	$iptables = $config{$toolNAME};

 	if ( $iptables ) {
 	    fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
@ -2615,12 +2621,18 @@ sub get_capabilities( $ ) {

 	fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;

+	$tc = $config{TC};
+
+	if ( $tc ) {
+	    fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
+	}
+
 	load_kernel_modules;

 	if ( open_file 'capabilities' ) {
 	    read_capabilities;
 	} else {
-	    determine_capabilities $iptables;
+	    determine_capabilities;
 	}
    } else {
 	unless ( open_file 'capabilities' ) {
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -515,7 +515,7 @@ sub process_simple_device() {
    while ( ++$i <= 3 ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
 	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
-	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" unless $type eq '-' || have_capability 'OLD_HL_MATCH';
+	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }

--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@ -30,7 +30,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40407
+SHOREWALL_CAPVERSION=40408

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -784,6 +784,10 @@ determine_capabilities() {
 	exit 1
    fi

+    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
+
+    [ -n "$TC" -a -x "$TC" ] || TC=
+
    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=

@ -830,6 +834,7 @@ determine_capabilities() {
    IPMARK_TARGET=
    LOG_TARGET=Yes
    PERSISTENT_SNAT=
+    FLOW_FILTER=

    chain=fooX$$

@ -968,6 +973,8 @@ determine_capabilities() {
    qt $IPTABLES -F $chain1
    qt $IPTABLES -X $chain1

+    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+
    CAPVERSION=$SHOREWALL_CAPVERSION
    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
@ -1033,6 +1040,7 @@ report_capabilities() {
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "Persistent SNAT" $PERSISTENT_SNAT
 	report_capability "TPROXY Target" $TPROXY_TARGET
+	report_capability "FLOW Classifier" $FLOW_FILTER
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1094,6 +1102,7 @@ report_capabilities1() {
    report_capability1 LOG_TARGET
    report_capability1 PERSISTENT_SNAT
    report_capability1 TPROXY_TARGET
+    report_capability1 FLOW_FILTER
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@ -33,7 +33,7 @@
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40407
+SHOREWALL_CAPVERSION=40408

 [ -n "${VARDIR:=/var/lib/shorewall6}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@ -737,6 +737,7 @@ determine_capabilities() {
    GOTO_TARGET=
    IPMARK_TARGET=
    LOG_TARGET=Yes
+    FLOW_FILTER=

    chain=fooX$$

@ -747,6 +748,10 @@ determine_capabilities() {
 	exit 1
    fi

+    [ -n "$IP" ] || IP=$(which ip)
+
+    [ -n "$IP" -a -x "$IP" ] || IP=
+
    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=

    qt $IP6TABLES -F $chain
@ -875,6 +880,8 @@ determine_capabilities() {
    qt $IP6TABLES -F $chain1
    qt $IP6TABLES -X $chain1

+    [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+
    CAPVERSION=$SHOREWALL_CAPVERSION
    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 }
@ -937,6 +944,7 @@ report_capabilities() {
 	report_capability "IPMARK Target" $IPMARK_TARGET
 	report_capability "LOG Target" $LOG_TARGET
 	report_capability "TPROXY Target" $TPROXY_TARGET
+	report_capability "FLOW Classifier" $FLOW_FILTER
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -995,6 +1003,7 @@ report_capabilities1() {
    report_capability1 IPMARK_TARGET
    report_capability1 LOG_TARGET
    report_capability1 TPROXY_TARGET
+    report_capability1 FLOW_FILTER
    
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION