Accurately detect 'flow' availability
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
b1c64913b4
commit
b8c195f570
@ -245,6 +245,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
|
|||||||
PERSISTENT_SNAT => 'Persistent SNAT',
|
PERSISTENT_SNAT => 'Persistent SNAT',
|
||||||
OLD_HL_MATCH => 'Old Hash Limit Match',
|
OLD_HL_MATCH => 'Old Hash Limit Match',
|
||||||
TPROXY_TARGET => 'TPROXY Target',
|
TPROXY_TARGET => 'TPROXY Target',
|
||||||
|
FLOW_FILTER => 'Flow Classifier',
|
||||||
CAPVERSION => 'Capability Version',
|
CAPVERSION => 'Capability Version',
|
||||||
KERNELVERSION => 'Kernel Version',
|
KERNELVERSION => 'Kernel Version',
|
||||||
);
|
);
|
||||||
@ -283,6 +284,7 @@ our $Product; # $product with initial cap.
|
|||||||
our $sillyname; # Name of temporary filter chains for testing capabilities
|
our $sillyname; # Name of temporary filter chains for testing capabilities
|
||||||
our $sillyname1;
|
our $sillyname1;
|
||||||
our $iptables; # Path to iptables/ip6tables
|
our $iptables; # Path to iptables/ip6tables
|
||||||
|
our $tc; # Path to tc
|
||||||
|
|
||||||
use constant { MIN_VERBOSITY => -1,
|
use constant { MIN_VERBOSITY => -1,
|
||||||
MAX_VERBOSITY => 2 ,
|
MAX_VERBOSITY => 2 ,
|
||||||
@ -336,7 +338,7 @@ sub initialize( $ ) {
|
|||||||
EXPORT => 0,
|
EXPORT => 0,
|
||||||
UNTRACKED => 0,
|
UNTRACKED => 0,
|
||||||
VERSION => "4.4.7",
|
VERSION => "4.4.7",
|
||||||
CAPVERSION => 40407 ,
|
CAPVERSION => 40408 ,
|
||||||
);
|
);
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -2297,6 +2299,10 @@ sub Logmark_Target() {
|
|||||||
qt1( "$iptables -A $sillyname -j LOGMARK" );
|
qt1( "$iptables -A $sillyname -j LOGMARK" );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub Flow_Filter() {
|
||||||
|
$tc && system( "$tc filter add flow add help 2>&1 | grep -q ^Usage" ) == 0;
|
||||||
|
}
|
||||||
|
|
||||||
our %detect_capability =
|
our %detect_capability =
|
||||||
( ADDRTYPE => \&Addrtype,
|
( ADDRTYPE => \&Addrtype,
|
||||||
CLASSIFY_TARGET => \&Classify_Target,
|
CLASSIFY_TARGET => \&Classify_Target,
|
||||||
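Review bot: The probe command in `Flow_Filter` is `$tc filter add flow add help`, while the shell libraries in this same commit run `$TC filter add flow help` — the second `add` appears only in the Perl version, so unless it is intentional the two implementations may disagree about whether the classifier is available, and the probe string should be identical in all three places. The sub also relies on its last expression as an implicit result; `return $tc && system( "$tc filter add flow help 2>&1 | grep -q ^Usage" ) == 0;` makes the contract explicit (since `==` binds tighter than `&&`, the comparison already applies to `system` alone, so the precedence is correct as written). `$tc` is interpolated unquoted into a shell pipeline, so a TC path containing whitespace would be word-split; the `-x` check performed in get_capabilities does not protect against that.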
@ -2307,6 +2313,7 @@ our %detect_capability =
|
|||||||
CONNTRACK_MATCH => \&Conntrack_Match,
|
CONNTRACK_MATCH => \&Conntrack_Match,
|
||||||
ENHANCED_REJECT => \&Enhanced_Reject,
|
ENHANCED_REJECT => \&Enhanced_Reject,
|
||||||
EXMARK => \&Exmark,
|
EXMARK => \&Exmark,
|
||||||
|
FLOW_FILTER => \&Flow_Filter,
|
||||||
GOTO_TARGET => \&Goto_Target,
|
GOTO_TARGET => \&Goto_Target,
|
||||||
HASHLIMIT_MATCH => \&Hashlimit_Match,
|
HASHLIMIT_MATCH => \&Hashlimit_Match,
|
||||||
HELPER_MATCH => \&Helper_Match,
|
HELPER_MATCH => \&Helper_Match,
|
||||||
@ -2369,9 +2376,8 @@ sub have_capability( $ ) {
|
|||||||
#
|
#
|
||||||
# Determine which optional facilities are supported by iptables/netfilter
|
# Determine which optional facilities are supported by iptables/netfilter
|
||||||
#
|
#
|
||||||
sub determine_capabilities( $ ) {
|
sub determine_capabilities() {
|
||||||
|
|
||||||
$iptables = $_[0];
|
|
||||||
my $pid = $$;
|
my $pid = $$;
|
||||||
|
|
||||||
$capabilities{CAPVERSION} = $globals{CAPVERSION};
|
$capabilities{CAPVERSION} = $globals{CAPVERSION};
|
||||||
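Review bot: The header comment above `determine_capabilities` should say that the sub now reads the package globals `$iptables` and `$tc` instead of taking the iptables path as its argument, because a caller that has not set them would probe with an empty command; in this commit only the root, non-export branch of get_capabilities assigns them. A suitable line is `# Requires $iptables (and, for FLOW_FILTER, $tc) to have been set by the caller; see get_capabilities.` The prototype change to `()` means any remaining call that still passes an argument is rejected at compile time, which is the right failure mode for this refactor. The body of determine_capabilities continues beyond this hunk.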
@ -2603,7 +2609,7 @@ sub get_capabilities( $ ) {
|
|||||||
my $export = $_[0];
|
my $export = $_[0];
|
||||||
|
|
||||||
if ( ! $export && $> == 0 ) { # $> == $EUID
|
if ( ! $export && $> == 0 ) { # $> == $EUID
|
||||||
my $iptables = $config{$toolNAME};
|
$iptables = $config{$toolNAME};
|
||||||
|
|
||||||
if ( $iptables ) {
|
if ( $iptables ) {
|
||||||
fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
|
fatal_error "$toolNAME=$iptables does not exist or is not executable" unless -x $iptables;
|
||||||
@ -2615,12 +2621,18 @@ sub get_capabilities( $ ) {
|
|||||||
|
|
||||||
fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
|
fatal_error "$iptables_restore does not exist or is not executable" unless -x $iptables_restore;
|
||||||
|
|
||||||
|
$tc = $config{TC};
|
||||||
|
|
||||||
|
if ( $tc ) {
|
||||||
|
fatal_error "TC=$tc does not exist or is not executable" unless -x $tc;
|
||||||
|
}
|
||||||
|
|
||||||
load_kernel_modules;
|
load_kernel_modules;
|
||||||
|
|
||||||
if ( open_file 'capabilities' ) {
|
if ( open_file 'capabilities' ) {
|
||||||
read_capabilities;
|
read_capabilities;
|
||||||
} else {
|
} else {
|
||||||
determine_capabilities $iptables;
|
determine_capabilities;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
unless ( open_file 'capabilities' ) {
|
unless ( open_file 'capabilities' ) {
|
||||||
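Review bot: The added `-x $tc` check only succeeds for a path; if `TC` can be configured as a bare command name (the shell library in this commit accepts `TC=tc` and resolves it with `which`), the Perl compiler would abort with `TC=tc does not exist or is not executable` while the shell side proceeds. If the config layer does not already absolutize this setting, either resolve it the same way here or document that the Perl compiler requires TC to be an absolute path. `$tc` is also assigned only inside the root, non-export branch, so in the other branches Flow_Filter reports the classifier as unavailable without any diagnostic — presumably intended, but worth a one-line comment at the assignment such as `# Only probed when running as root; FLOW_FILTER is otherwise reported absent`. get_capabilities continues outside this hunk.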
|
@ -515,7 +515,7 @@ sub process_simple_device() {
|
|||||||
while ( ++$i <= 3 ) {
|
while ( ++$i <= 3 ) {
|
||||||
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
|
||||||
emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
|
emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
|
||||||
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" unless $type eq '-' || have_capability 'OLD_HL_MATCH';
|
emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
|
||||||
emit '';
|
emit '';
|
||||||
}
|
}
|
||||||
|
|
||||||
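Review bot: When `$type` is configured but `FLOW_FILTER` is not available, the `flow hash` filter line is now silently dropped, so the user's configured hashing keys have no effect and no diagnostic is produced; now that the capability is detected precisely, this is the place to report it, by testing `have_capability 'FLOW_FILTER'` once before the loop and emitting a warning (or `fatal_error`, if a missing classifier should count as a configuration error) when `$type ne '-'`. Re-evaluating `have_capability` on each of the three loop passes is harmless, but the hoisted form also reads more clearly. process_simple_device starts and ends outside this hunk.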
|
@ -30,7 +30,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40407
|
SHOREWALL_LIBVERSION=40407
|
||||||
SHOREWALL_CAPVERSION=40407
|
SHOREWALL_CAPVERSION=40408
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
|
||||||
@ -784,6 +784,10 @@ determine_capabilities() {
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
|
||||||
|
|
||||||
|
[ -n "$TC" -a -x "$TC" ] || TC=
|
||||||
|
|
||||||
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
qt $IPTABLES -t nat -L -n && NAT_ENABLED=Yes || NAT_ENABLED=
|
||||||
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||||
|
|
||||||
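Review bot: `TC=$(which tc)` resolves the binary through whatever `PATH` the library inherits; in code that runs as root this lookup is only as trustworthy as that environment, so it should be reached only after the calling script has pinned `PATH`, if it does not already do so, and `which` is not a POSIX utility — `command -v tc` is the portable equivalent. The `-a`/`-o` binary operators inside `[ ]` are marked obsolescent by POSIX; `[ "$TC" = tc ] || [ -z "$TC" ]` and `[ -n "$TC" ] && [ -x "$TC" ] || TC=` behave the same without them. The `IP` detection added to the shorewall6 library further down has the same two issues.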
@ -830,6 +834,7 @@ determine_capabilities() {
|
|||||||
IPMARK_TARGET=
|
IPMARK_TARGET=
|
||||||
LOG_TARGET=Yes
|
LOG_TARGET=Yes
|
||||||
PERSISTENT_SNAT=
|
PERSISTENT_SNAT=
|
||||||
|
FLOW_FILTER=
|
||||||
|
|
||||||
chain=fooX$$
|
chain=fooX$$
|
||||||
|
|
||||||
@ -968,6 +973,8 @@ determine_capabilities() {
|
|||||||
qt $IPTABLES -F $chain1
|
qt $IPTABLES -F $chain1
|
||||||
qt $IPTABLES -X $chain1
|
qt $IPTABLES -X $chain1
|
||||||
|
|
||||||
|
[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
|
||||||
|
|
||||||
CAPVERSION=$SHOREWALL_CAPVERSION
|
CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
|
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
|
||||||
}
|
}
|
||||||
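Review bot: `$TC` is expanded unquoted in the added probe, so a path containing whitespace is word-split before the pipeline runs, and `^Usage` is passed to grep unquoted, which works in POSIX shells but leaves the pattern's interpretation to the shell rather than to grep. `[ -n "$TC" ] && "$TC" filter add flow help 2>&1 | grep -q '^Usage' && FLOW_FILTER=Yes` handles both. The shorewall6 probe in a later hunk follows the same pattern.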
@ -1033,6 +1040,7 @@ report_capabilities() {
|
|||||||
report_capability "LOG Target" $LOG_TARGET
|
report_capability "LOG Target" $LOG_TARGET
|
||||||
report_capability "Persistent SNAT" $PERSISTENT_SNAT
|
report_capability "Persistent SNAT" $PERSISTENT_SNAT
|
||||||
report_capability "TPROXY Target" $TPROXY_TARGET
|
report_capability "TPROXY Target" $TPROXY_TARGET
|
||||||
|
report_capability "FLOW Classifier" $FLOW_FILTER
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
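Review bot: The report label added here is `"FLOW Classifier"`, whereas the Perl `%capdesc` entry in this commit reads `'Flow Classifier'`, so the capabilities report will differ in case depending on which implementation produced it; pick one spelling and use it in both. The shorewall6 report_capabilities hunk below uses the same `"FLOW Classifier"` string.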
@ -1094,6 +1102,7 @@ report_capabilities1() {
|
|||||||
report_capability1 LOG_TARGET
|
report_capability1 LOG_TARGET
|
||||||
report_capability1 PERSISTENT_SNAT
|
report_capability1 PERSISTENT_SNAT
|
||||||
report_capability1 TPROXY_TARGET
|
report_capability1 TPROXY_TARGET
|
||||||
|
report_capability1 FLOW_FILTER
|
||||||
|
|
||||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
echo KERNELVERSION=$KERNELVERSION
|
echo KERNELVERSION=$KERNELVERSION
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
SHOREWALL_LIBVERSION=40407
|
SHOREWALL_LIBVERSION=40407
|
||||||
SHOREWALL_CAPVERSION=40407
|
SHOREWALL_CAPVERSION=40408
|
||||||
|
|
||||||
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
[ -n "${VARDIR:=/var/lib/shorewall6}" ]
|
||||||
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
[ -n "${SHAREDIR:=/usr/share/shorewall6}" ]
|
||||||
@ -737,6 +737,7 @@ determine_capabilities() {
|
|||||||
GOTO_TARGET=
|
GOTO_TARGET=
|
||||||
IPMARK_TARGET=
|
IPMARK_TARGET=
|
||||||
LOG_TARGET=Yes
|
LOG_TARGET=Yes
|
||||||
|
FLOW_FILTER=
|
||||||
|
|
||||||
chain=fooX$$
|
chain=fooX$$
|
||||||
|
|
||||||
@ -747,6 +748,10 @@ determine_capabilities() {
|
|||||||
exit 1
|
exit 1
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
[ -n "$IP" ] || IP=$(which ip)
|
||||||
|
|
||||||
|
[ -n "$IP" -a -x "$IP" ] || IP=
|
||||||
|
|
||||||
qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
|
||||||
|
|
||||||
qt $IP6TABLES -F $chain
|
qt $IP6TABLES -F $chain
|
||||||
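Review bot: The shorewall6 library resolves `$IP` (the `ip` binary) here and the probe in the next hunk runs `$IP filter add flow help`, but `flow` is a tc classifier and the IPv4 library in this commit probes it with `$TC filter add flow help`; as far as I know `ip` has no `filter` object, so its error output will not begin with `Usage` and `FLOW_FILTER` would never be set on the IPv6 side even when the classifier is present. This looks like a copy-and-paste slip for `TC`; the detection and the probe should use `TC` as the IPv4 library does: `[ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)`, `[ -n "$TC" -a -x "$TC" ] || TC=`, and `[ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes`. determine_capabilities continues outside this hunk.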
@ -875,6 +880,8 @@ determine_capabilities() {
|
|||||||
qt $IP6TABLES -F $chain1
|
qt $IP6TABLES -F $chain1
|
||||||
qt $IP6TABLES -X $chain1
|
qt $IP6TABLES -X $chain1
|
||||||
|
|
||||||
|
[ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
|
||||||
|
|
||||||
CAPVERSION=$SHOREWALL_CAPVERSION
|
CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
|
KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
|
||||||
}
|
}
|
||||||
@ -937,6 +944,7 @@ report_capabilities() {
|
|||||||
report_capability "IPMARK Target" $IPMARK_TARGET
|
report_capability "IPMARK Target" $IPMARK_TARGET
|
||||||
report_capability "LOG Target" $LOG_TARGET
|
report_capability "LOG Target" $LOG_TARGET
|
||||||
report_capability "TPROXY Target" $TPROXY_TARGET
|
report_capability "TPROXY Target" $TPROXY_TARGET
|
||||||
|
report_capability "FLOW Classifier" $FLOW_FILTER
|
||||||
fi
|
fi
|
||||||
|
|
||||||
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
[ -n "$PKTTYPE" ] || USEPKTTYPE=
|
||||||
@ -995,6 +1003,7 @@ report_capabilities1() {
|
|||||||
report_capability1 IPMARK_TARGET
|
report_capability1 IPMARK_TARGET
|
||||||
report_capability1 LOG_TARGET
|
report_capability1 LOG_TARGET
|
||||||
report_capability1 TPROXY_TARGET
|
report_capability1 TPROXY_TARGET
|
||||||
|
report_capability1 FLOW_FILTER
|
||||||
|
|
||||||
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
echo CAPVERSION=$SHOREWALL_CAPVERSION
|
||||||
echo KERNELVERSION=$KERNELVERSION
|
echo KERNELVERSION=$KERNELVERSION
|
||||||
|