Accurately detect 'flow' availability

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-02-10 14:50:26 -08:00
parent b1c64913b4
commit b8c195f570
4 changed files with 38 additions and 8 deletions


@ -245,6 +245,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
PERSISTENT_SNAT => 'Persistent SNAT', PERSISTENT_SNAT => 'Persistent SNAT',
OLD_HL_MATCH => 'Old Hash Limit Match', OLD_HL_MATCH => 'Old Hash Limit Match',
TPROXY_TARGET => 'TPROXY Target', TPROXY_TARGET => 'TPROXY Target',
FLOW_FILTER => 'Flow Classifier',
CAPVERSION => 'Capability Version', CAPVERSION => 'Capability Version',
KERNELVERSION => 'Kernel Version', KERNELVERSION => 'Kernel Version',
); );
@ -283,6 +284,7 @@ our $Product; # $product with initial cap.
our $sillyname; # Name of temporary filter chains for testing capabilities our $sillyname; # Name of temporary filter chains for testing capabilities
our $sillyname1; our $sillyname1;
our $iptables; # Path to iptables/ip6tables our $iptables; # Path to iptables/ip6tables
our $tc; # Path to tc
use constant { MIN_VERBOSITY => -1, use constant { MIN_VERBOSITY => -1,
MAX_VERBOSITY => 2 , MAX_VERBOSITY => 2 ,
@ -336,7 +338,7 @@ sub initialize( $ ) {
EXPORT => 0, EXPORT => 0,
UNTRACKED => 0, UNTRACKED => 0,
VERSION => "4.4.7", VERSION => "4.4.7",
CAPVERSION => 40407 , CAPVERSION => 40408 ,
); );
# #
@ -2297,6 +2299,10 @@ sub Logmark_Target() {
qt1( "$iptables -A $sillyname -j LOGMARK" ); qt1( "$iptables -A $sillyname -j LOGMARK" );
} }
sub Flow_Filter() {
$tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
}
our %detect_capability = our %detect_capability =
( ADDRTYPE => \&Addrtype, ( ADDRTYPE => \&Addrtype,
CLASSIFY_TARGET => \&Classify_Target, CLASSIFY_TARGET => \&Classify_Target,
@ -2307,6 +2313,7 @@ our %detect_capability =
CONNTRACK_MATCH => \&Conntrack_Match, CONNTRACK_MATCH => \&Conntrack_Match,
ENHANCED_REJECT => \&Enhanced_Reject, ENHANCED_REJECT => \&Enhanced_Reject,
EXMARK => \&Exmark, EXMARK => \&Exmark,
FLOW_FILTER => \&Flow_Filter,
GOTO_TARGET => \&Goto_Target, GOTO_TARGET => \&Goto_Target,
HASHLIMIT_MATCH => \&Hashlimit_Match, HASHLIMIT_MATCH => \&Hashlimit_Match,
HELPER_MATCH => \&Helper_Match, HELPER_MATCH => \&Helper_Match,
@ -2369,9 +2376,8 @@ sub have_capability( $ ) {
# #
# Determine which optional facilities are supported by iptables/netfilter # Determine which optional facilities are supported by iptables/netfilter
# #
sub determine_capabilities( $ ) { sub determine_capabilities() {
$iptables = $_[0];
my $pid = $$; my $pid = $$;
$capabilities{CAPVERSION} = $globals{CAPVERSION}; $capabilities{CAPVERSION} = $globals{CAPVERSION};
@ -2603,7 +2609,7 @@ sub get_capabilities( $ ) {
my $export = $_[0]; my $export = $_[0];
if ( ! $export && $> == 0 ) { # $> == $EUID if ( ! $export && $> == 0 ) { # $> == $EUID
my $iptables = $config{$toolNAME}; $iptables = $config{$toolNAME};
if ( $iptables ) { if ( $iptables ) {
fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables; fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
@ -2615,12 +2621,18 @@ sub get_capabilities( $ ) {
fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore; fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
$tc = $config{TC};
if ( $tc ) {
fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
}
load_kernel_modules; load_kernel_modules;
if ( open_file 'capabilities' ) { if ( open_file 'capabilities' ) {
read_capabilities; read_capabilities;
} else { } else {
determine_capabilities $iptables; determine_capabilities;
} }
} else { } else {
unless ( open_file 'capabilities' ) { unless ( open_file 'capabilities' ) {
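Review bot: The new Flow_Filter sub probes with `$tc filter add flow add help`, while both shell libraries in this same commit probe with `$TC filter add flow help`; the two detectors feed the same FLOW_FILTER flag under the same CAPVERSION, so they should run the same command, e.g. `$tc && system( "$tc filter add flow help 2>&1 | grep -q ^Usage" ) == 0;`. The `$tc` path is interpolated unquoted into a shell command string, so a TC= value containing whitespace or shell metacharacters would be split by the shell; the `-x $tc` check added in get_capabilities does not rule that out, though the same pattern is already used for `$iptables` via qt1, so this is existing style rather than a regression. The sub has no comment; a one-liner such as `# Does tc recognise the 'flow' classifier? True when its usage text is printed.` would match the other capability probes. determine_capabilities and get_capabilities both continue outside their hunks.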


@ -515,7 +515,7 @@ sub process_simple_device() {
while ( ++$i <= 3 ) { while ( ++$i <= 3 ) {
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10"; emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i"; emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" unless $type eq '-' || have_capability 'OLD_HL_MATCH'; emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
emit ''; emit '';
} }
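Review bot: The rewritten emit condition silently drops the flow filter when FLOW_FILTER is absent even though the user configured a hash key (`$type ne '-'`); before this change the filter was emitted whenever OLD_HL_MATCH was absent, so an installation that used to get a flow classifier can lose it with no message. A capabilities file produced under the previous CAPVERSION also lacks FLOW_FILTER; whether read_capabilities rejects a stale CAPVERSION is not visible in this commit. Suggest reporting the dropped case, e.g. `warning_message "Flow classifier not available - 'flow hash keys $type' ignored" if $type ne '-' && ! have_capability 'FLOW_FILTER';` (assuming the module's warning helper is in scope alongside fatal_error). process_simple_device starts and ends outside the hunk.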


@ -30,7 +30,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40407 SHOREWALL_CAPVERSION=40408
[ -n "${VARDIR:=/var/lib/shorewall}" ] [ -n "${VARDIR:=/var/lib/shorewall}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall}" ] [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
@ -784,6 +784,10 @@ determine_capabilities() {
exit 1 exit 1
fi fi
[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
[ -n "$TC" -a -x "$TC" ] || TC=
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED= qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
@ -830,6 +834,7 @@ determine_capabilities() {
IPMARK_TARGET= IPMARK_TARGET=
LOG_TARGET=Yes LOG_TARGET=Yes
PERSISTENT_SNAT= PERSISTENT_SNAT=
FLOW_FILTER=
chain=fooX$$ chain=fooX$$
@ -968,6 +973,8 @@ determine_capabilities() {
qt $IPTABLES -F $chain1 qt $IPTABLES -F $chain1
qt $IPTABLES -X $chain1 qt $IPTABLES -X $chain1
[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
CAPVERSION=$SHOREWALL_CAPVERSION CAPVERSION=$SHOREWALL_CAPVERSION
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
} }
@ -1033,6 +1040,7 @@ report_capabilities() {
report_capability "LOG Target" $LOG_TARGET report_capability "LOG Target" $LOG_TARGET
report_capability "Persistent SNAT" $PERSISTENT_SNAT report_capability "Persistent SNAT" $PERSISTENT_SNAT
report_capability "TPROXY Target" $TPROXY_TARGET report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier" $FLOW_FILTER
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -1094,6 +1102,7 @@ report_capabilities1() {
report_capability1 LOG_TARGET report_capability1 LOG_TARGET
report_capability1 PERSISTENT_SNAT report_capability1 PERSISTENT_SNAT
report_capability1 TPROXY_TARGET report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION
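Review bot: In the determine_capabilities hunk, `[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)` relies on the XSI `-o` operator and an unquoted command substitution, and the probe line `[ -n "$TC" ] && $TC filter add flow help ...` leaves `$TC` unquoted, so a TC value containing spaces is word-split before execution. Suggest `case "$TC" in tc|'') TC=$(which tc 2>/dev/null) ;; esac`, `[ -x "$TC" ] || TC=`, and `[ -n "$TC" ] && "$TC" filter add flow help 2>&1 | grep -q '^Usage' && FLOW_FILTER=Yes`. Note also that a non-executable TC is cleared silently, after which FLOW_FILTER stays empty and the compiler omits the flow classifier; a short diagnostic when TC is cleared would make that easier to trace. determine_capabilities continues outside these hunks.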


@ -33,7 +33,7 @@
# #
SHOREWALL_LIBVERSION=40407 SHOREWALL_LIBVERSION=40407
SHOREWALL_CAPVERSION=40407 SHOREWALL_CAPVERSION=40408
[ -n "${VARDIR:=/var/lib/shorewall6}" ] [ -n "${VARDIR:=/var/lib/shorewall6}" ]
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ] [ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
@ -737,6 +737,7 @@ determine_capabilities() {
GOTO_TARGET= GOTO_TARGET=
IPMARK_TARGET= IPMARK_TARGET=
LOG_TARGET=Yes LOG_TARGET=Yes
FLOW_FILTER=
chain=fooX$$ chain=fooX$$
@ -747,6 +748,10 @@ determine_capabilities() {
exit 1 exit 1
fi fi
[ -n "$IP" ] || IP=$(which ip)
[ -n "$IP" -a -x "$IP" ] || IP=
qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED= qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
qt $IP6TABLES -F $chain qt $IP6TABLES -F $chain
@ -875,6 +880,8 @@ determine_capabilities() {
qt $IP6TABLES -F $chain1 qt $IP6TABLES -F $chain1
qt $IP6TABLES -X $chain1 qt $IP6TABLES -X $chain1
[ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
CAPVERSION=$SHOREWALL_CAPVERSION CAPVERSION=$SHOREWALL_CAPVERSION
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g')) KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
} }
@ -937,6 +944,7 @@ report_capabilities() {
report_capability "IPMARK Target" $IPMARK_TARGET report_capability "IPMARK Target" $IPMARK_TARGET
report_capability "LOG Target" $LOG_TARGET report_capability "LOG Target" $LOG_TARGET
report_capability "TPROXY Target" $TPROXY_TARGET report_capability "TPROXY Target" $TPROXY_TARGET
report_capability "FLOW Classifier" $FLOW_FILTER
fi fi
[ -n "$PKTTYPE" ] || USEPKTTYPE= [ -n "$PKTTYPE" ] || USEPKTTYPE=
@ -995,6 +1003,7 @@ report_capabilities1() {
report_capability1 IPMARK_TARGET report_capability1 IPMARK_TARGET
report_capability1 LOG_TARGET report_capability1 LOG_TARGET
report_capability1 TPROXY_TARGET report_capability1 TPROXY_TARGET
report_capability1 FLOW_FILTER
echo CAPVERSION=$SHOREWALL_CAPVERSION echo CAPVERSION=$SHOREWALL_CAPVERSION
echo KERNELVERSION=$KERNELVERSION echo KERNELVERSION=$KERNELVERSION
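Review bot: The IPv6 library probes the flow classifier with `$IP filter add flow help`, but `flow` is a tc filter and the `ip` utility has no `filter` object, so its error output cannot match `^Usage` and FLOW_FILTER is never set on shorewall6 hosts; the IPv4 library in this same commit uses `$TC` for the identical probe. Suggest mirroring that hunk: `[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)`, `[ -n "$TC" -a -x "$TC" ] || TC=`, and `[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes`. The same quoting concerns apply here as in the IPv4 version (unquoted `$TC`, XSI `-o`), so `"$TC"` and `'^Usage'` are preferable. determine_capabilities continues outside these hunks.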