|
@@ -57,10 +57,11 @@ const (
|
|
|
)
|
|
|
|
|
|
type IPTables struct {
|
|
|
- path string
|
|
|
- proto Protocol
|
|
|
- hasCheck bool
|
|
|
- hasWait bool
|
|
|
+ path string
|
|
|
+ proto Protocol
|
|
|
+ hasCheck bool
|
|
|
+ hasWait bool
|
|
|
+ hasRandomFully bool
|
|
|
}
|
|
|
|
|
|
// New creates a new IPTables.
|
|
@@ -76,15 +77,16 @@ func NewWithProtocol(proto Protocol) (*IPTables, error) {
|
|
|
if err != nil {
|
|
|
return nil, err
|
|
|
}
|
|
|
- checkPresent, waitPresent, err := getIptablesCommandSupport(path)
|
|
|
+ checkPresent, waitPresent, randomFullyPresent, err := getIptablesCommandSupport(path)
|
|
|
if err != nil {
|
|
|
return nil, fmt.Errorf("error checking iptables version: %v", err)
|
|
|
}
|
|
|
ipt := IPTables{
|
|
|
- path: path,
|
|
|
- proto: proto,
|
|
|
- hasCheck: checkPresent,
|
|
|
- hasWait: waitPresent,
|
|
|
+ path: path,
|
|
|
+ proto: proto,
|
|
|
+ hasCheck: checkPresent,
|
|
|
+ hasWait: waitPresent,
|
|
|
+ hasRandomFully: randomFullyPresent,
|
|
|
}
|
|
|
return &ipt, nil
|
|
|
}
|
|
@@ -355,18 +357,18 @@ func getIptablesCommand(proto Protocol) string {
|
|
|
}
|
|
|
|
|
|
// Checks if iptables has the "-C" and "--wait" flag
|
|
|
-func getIptablesCommandSupport(path string) (bool, bool, error) {
|
|
|
+func getIptablesCommandSupport(path string) (bool, bool, bool, error) {
|
|
|
vstring, err := getIptablesVersionString(path)
|
|
|
if err != nil {
|
|
|
- return false, false, err
|
|
|
+ return false, false, false, err
|
|
|
}
|
|
|
|
|
|
v1, v2, v3, err := extractIptablesVersion(vstring)
|
|
|
if err != nil {
|
|
|
- return false, false, err
|
|
|
+ return false, false, false, err
|
|
|
}
|
|
|
|
|
|
- return iptablesHasCheckCommand(v1, v2, v3), iptablesHasWaitCommand(v1, v2, v3), nil
|
|
|
+ return iptablesHasCheckCommand(v1, v2, v3), iptablesHasWaitCommand(v1, v2, v3), iptablesHasRandomFully(v1, v2, v3), nil
|
|
|
}
|
|
|
|
|
|
// getIptablesVersion returns the first three components of the iptables version.
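Review bot: The comment above getIptablesCommandSupport is now stale — it still says the function checks for the "-C" and "--wait" flags, while the new signature also reports --random-fully support; change it to `// Checks if iptables has the "-C", "--wait" and "--random-fully" flags`. Three positional bools in the return are easy to transpose at the call site in NewWithProtocol (the second hunk), where they are assigned to hasCheck, hasWait and hasRandomFully by position only; named results such as `func getIptablesCommandSupport(path string) (hasCheck, hasWait, hasRandomFully bool, err error)` would make the order self-documenting without changing callers. The version-string probe is a capability heuristic rather than a direct feature test, so a version that reports 1.6.2+ but was built without the flag would still be treated as supporting it; that caveat predates this change but is worth a sentence in the comment.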
|
|
@@ -436,6 +438,20 @@ func iptablesHasWaitCommand(v1 int, v2 int, v3 int) bool {
|
|
|
return false
|
|
|
}
|
|
|
|
|
|
+// Checks if an iptables version is after 1.6.2, when --random-fully was added
|
|
|
+func iptablesHasRandomFully(v1 int, v2 int, v3 int) bool {
|
|
|
+ if v1 > 1 {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if v1 == 1 && v2 > 6 {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ if v1 == 1 && v2 == 6 && v3 >= 2 {
|
|
|
+ return true
|
|
|
+ }
|
|
|
+ return false
|
|
|
+}
|
|
|
+
|
|
|
// Checks if a rule specification exists for a table
|
|
|
func (ipt *IPTables) existsForOldIptables(table, chain string, rulespec []string) (bool, error) {
|
|
|
rs := strings.Join(append([]string{"-A", chain}, rulespec...), " ")
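Review bot: The comment on iptablesHasRandomFully says the version must be "after 1.6.2", but the final condition `v3 >= 2` accepts 1.6.2 itself, so the comment should read `// Checks if an iptables version is 1.6.2 or later, when --random-fully was added`. The three cascading ifs can be written as one expression that reads like the version comparison it is: `return v1 > 1 || (v1 == 1 && (v2 > 6 || (v2 == 6 && v3 >= 2)))`. Nothing in the hunks shown reads the new hasRandomFully field, so presumably a later hunk or file consumes it; if not, the detection is dead weight. existsForOldIptables at the tail of this hunk continues outside it.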
|