|
|
@@ -57,10 +57,14 @@ const (
|
|
|
)
|
|
|
|
|
|
type IPTables struct {
|
|
|
- path string
|
|
|
- proto Protocol
|
|
|
- hasCheck bool
|
|
|
- hasWait bool
|
|
|
+ path string
|
|
|
+ proto Protocol
|
|
|
+ hasCheck bool
|
|
|
+ hasWait bool
|
|
|
+ hasRandomFully bool
|
|
|
+ v1 int
|
|
|
+ v2 int
|
|
|
+ v3 int
|
|
|
}
|
|
|
|
|
|
// New creates a new IPTables.
|
|
|
@@ -76,15 +80,22 @@ func NewWithProtocol(proto Protocol) (*IPTables, error) {
|
|
|
if err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
- checkPresent, waitPresent, err := getIptablesCommandSupport(path)
|
|
|
+ vstring, err := getIptablesVersionString(path)
|
|
|
+ v1, v2, v3, err := extractIptablesVersion(vstring)
|
|
|
+
|
|
|
+ checkPresent, waitPresent, randomFullyPresent, err := getIptablesCommandSupport(v1, v2, v3)
|
|
|
if err != nil {
|
|
|
return nil, fmt.Errorf("error checking iptables version: %v", err)
|
|
|
}
|
|
|
ipt := IPTables{
|
|
|
- path: path,
|
|
|
- proto: proto,
|
|
|
- hasCheck: checkPresent,
|
|
|
- hasWait: waitPresent,
|
|
|
+ path: path,
|
|
|
+ proto: proto,
|
|
|
+ hasCheck: checkPresent,
|
|
|
+ hasWait: waitPresent,
|
|
|
+ hasRandomFully: randomFullyPresent,
|
|
|
+ v1: v1,
|
|
|
+ v2: v2,
|
|
|
+ v3: v3,
|
|
|
}
|
|
|
return &ipt, nil
|
|
|
}
|
|
|
@@ -301,6 +312,16 @@ func (ipt *IPTables) ChangePolicy(table, chain, target string) error {
|
|
|
return ipt.run("-t", table, "-P", chain, target)
|
|
|
}
|
|
|
|
|
|
+// Check if the underlying iptables command supports the --random-fully flag
|
|
|
+func (ipt *IPTables) HasRandomFully() bool {
|
|
|
+ return ipt.hasRandomFully
|
|
|
+}
|
|
|
+
|
|
|
+// Return version components of the underlying iptables command
|
|
|
+func (ipt *IPTables) GetIptablesVersion() (int, int, int) {
|
|
|
+ return ipt.v1, ipt.v2, ipt.v3
|
|
|
+}
|
|
|
+
|
|
|
// run runs an iptables command with the given arguments, ignoring
|
|
|
// any stdout output
|
|
|
func (ipt *IPTables) run(args ...string) error {
|
|
|
@@ -355,18 +376,9 @@ func getIptablesCommand(proto Protocol) string {
|
|
|
}
|
|
|
|
|
|
// Checks if iptables has the "-C" and "--wait" flag
|
|
|
-func getIptablesCommandSupport(path string) (bool, bool, error) {
|
|
|
- vstring, err := getIptablesVersionString(path)
|
|
|
- if err != nil {
|
|
|
- return false, false, err
|
|
|
- }
|
|
|
-
|
|
|
- v1, v2, v3, err := extractIptablesVersion(vstring)
|
|
|
- if err != nil {
|
|
|
- return false, false, err
|
|
|
- }
|
|
|
+func getIptablesCommandSupport(v1 int, v2 int, v3 int) (bool, bool, bool, error) {
|
|
|
|
|
|
- return iptablesHasCheckCommand(v1, v2, v3), iptablesHasWaitCommand(v1, v2, v3), nil
|
|
|
+ return iptablesHasCheckCommand(v1, v2, v3), iptablesHasWaitCommand(v1, v2, v3), iptablesHasRandomFully(v1, v2, v3), nil
|
|
|
}
|
|
|
|
|
|
// getIptablesVersion returns the first three components of the iptables version.
|
|
|
@@ -436,6 +448,20 @@ func iptablesHasWaitCommand(v1 int, v2 int, v3 int) bool {
|
|
|
return false
|
|
|
}
|
|
|
|
|
|
+// Checks if an iptables version is after 1.6.2, when --random-fully was added
|
|
|
+func iptablesHasRandomFully(v1 int, v2 int, v3 int) bool {
|
|
|
+ if v1 > 1 {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if v1 == 1 && v2 > 6 {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if v1 == 1 && v2 == 6 && v3 >= 2 {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ return false
|
|
|
+}
|
|
|
+
|
|
|
// Checks if a rule specification exists for a table
|
|
|
func (ipt *IPTables) existsForOldIptables(table, chain string, rulespec []string) (bool, error) {
|
|
|
rs := strings.Join(append([]string{"-A", chain}, rulespec...), " ")
|
Casey Callendrello