On 10/4/10 11:36 AM, Mr Dash Four wrote:
> 
>> 1)  Multiple source or destination ipset matches can be generated by
>>     enclosing the ipset list in [...].
>>
>>     Example (/etc/shorewall/rules):
>>
>>         ACCEPT $FW net:+[dest-ip-map,dest-port-map]
>>   
> Converting the 'old' format from "$FW:!+dest-port[dst] net:+dest-net" to 
> "$FW   net:+[dest-net,!dest-port]" gives me ERROR: Invalid DEST
> Converting the 'old' format from "$FW:+dest-port[dst] net:!+dest-net" to 
> "$FW   net:+[!dest-net,dest-port]" gives me ERROR: Missing ']' (+[)
> Converting the 'old' format from "$FW:!+dest-port[dst] net:!+dest-net" 
> to "$FW   net:!+[dest-net,dest-port]" gives me ERROR: An ipset name 
> (+[dest-net,dest-port]) is not allowed in this context

Short description: Exclusion in setlists doesn't work.

Attached is a patch against /usr/share/shorewall/Shorewall/Chains.pm.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm 
b/Shorewall/Perl/Shorewall/Chains.pm
index 308b645..7af1ce2 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3564,21 +3564,46 @@ sub expand_rule( $$$$$$$$$$;$ )
     # Determine if there is Source Exclusion
     #
     if ( $inets ) {
-       fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || 
$inets =~ /.*!.*!/;
+       if ( $inets =~ /^(!?)(\+\[(.*)\])$/ ) {
+           if ( $1 ) {
+               $inets = '';
+               $iexcl = $3;
 
-       if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) {
-           $inets = $1;
-           $iexcl = $2;
+               my @iexcl = mysplit $iexcl;
+
+               for ( @iexcl ) {
+                   fatal_error "Expected ipset name ($_)" unless 
/^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+                   /^\+/ || s/^/+/;
+               }
+               
+               $iexcl = join ',', @iexcl;
+           } else {
+               $inets = $2;
+               $iexcl = '';
+           }
        } else {
-           $iexcl = '';
-       }
+           my @inets = mysplit $inets;
 
-       unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
-           my @iexcl = mysplit $iexcl;
-           if ( @iexcl == 1 ) {
-               $rule .= match_source_net "!$iexcl" , $restriction;
+           shift @inets;
+
+           for ( @inets ) {
+               fatal_error "Invalid SOURCE ($inets)" if /^!/;
+           }
+
+           if ( $inets =~ /^([^!]+)?!([^!]+)$/ ) {
+               $inets = $1;
+               $iexcl = $2;
+           } else {
                $iexcl = '';
-               $trivialiexcl = 1;
+           }
+
+           unless ( $inets || ( $iiface && $restriction & POSTROUTE_RESTRICT ) 
) {
+               my @iexcl = mysplit $iexcl;
+               if ( @iexcl == 1 ) {
+                   $rule .= match_source_net "!$iexcl" , $restriction;
+                   $iexcl = '';
+                   $trivialiexcl = 1;
+               }
            }
 
        }
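Review bot: The SOURCE branch drops the old `fatal_error "Invalid SOURCE" if $inets =~ /^([^!]+)?,!([^!]+)$/ || $inets =~ /.*!.*!/;` guard while the DEST hunk keeps its counterpart, so a source such as `a!b!c` is no longer rejected: the loop after `shift @inets` only catches a leading `!` on list members, the `/^([^!]+)?!([^!]+)$/` match then fails, `$iexcl` becomes `''` and the unparsed `$inets` flows on into the rule. Re-insert that line just before the `if ( $inets =~ /^([^!]+)?!([^!]+)$/ )` test so the two branches stay consistent. The ipset-name check `/^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/` in the `!+[...]` branch also has no end anchor, so trailing text after a name or its `[...]` suffix passes validation and is handed to the generated iptables match; adding `$` (or `\z`) closes that. expand_rule starts and ends outside this hunk.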
@@ -3590,21 +3615,48 @@ sub expand_rule( $$$$$$$$$$;$ )
     # Determine if there is Destination Exclusion
     #
     if ( $dnets ) {
-       fatal_error "Invalid DEST" if  $dnets =~ /^([^!]+)?,!([^!]+)$/ || 
$dnets =~ /.*!.*!/;
+       if ( $dnets =~ /^(!?)(\+\[(.*)\])$/ ) {
+           if ( $1 ) {
+               $dnets = '';
+               $dexcl = $3;
+
+               my @dexcl = mysplit $dexcl;
 
-       if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) {
-           $dnets = $1;
-           $dexcl = $2;
+               for ( @dexcl ) {
+                   fatal_error "Expected ipset name ($_)" unless 
/^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+                   /^\+/ || s/^/+/;
+               }
+
+               $dexcl = join ',', @dexcl;
+           } else {
+               $dnets = $2;
+               $dexcl = '';
+           }
        } else {
-           $dexcl = '';
-       }
+           my @dnets = mysplit $dnets;
 
-       unless ( $dnets ) {
-           my @dexcl = mysplit $dexcl;
-           if ( @dexcl == 1 ) {
-               $rule .= match_dest_net "!$dexcl";
+           shift @dnets;
+
+           for ( @dnets ) {
+               fatal_error "Invalid DEST ($dnets)" if /^!/;
+           }
+
+           fatal_error "Invalid DEST" if  $dnets =~ /^([^!]+)?,!([^!]+)$/ || 
$dnets =~ /.*!.*!/;
+
+           if ( $dnets =~ /^([^!]+)?!([^!]+)$/ ) {
+               $dnets = $1;
+               $dexcl = $2;
+           } else {
                $dexcl = '';
-               $trivialdexcl = 1;
+           }
+
+           unless ( $dnets || $dexcl =~ /!/ ) {
+               my @dexcl = mysplit $dexcl;
+               if ( @dexcl == 1 ) {
+                   $rule .= match_dest_net "!$dexcl";
+                   $dexcl = '';
+                   $trivialdexcl = 1;
+               }
            }
        }
     } else {
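Review bot: The ipset-name check `/^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/` matches only a prefix, so a member like `dest-net[dst]extra` or `dest-net]` is accepted and the unvalidated remainder ends up in the generated iptables match; anchoring it as `/^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?$/` rejects these. The new `|| $dexcl =~ /!/` condition on the trivial-exclusion test appears unreachable: in this else branch `$dexcl` is either `''` or the `([^!]+)` capture, neither of which can contain `!`, so if it is meant to guard the `!+[...]` case it needs to sit outside this else. Since the same validation loop is duplicated for SOURCE and DEST, factoring it into one helper would make it harder for the two paths to drift apart again, as the missing "Invalid SOURCE" check in the previous hunk shows. expand_rule starts and ends outside this hunk.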

Attachment: signature.asc
Description: OpenPGP digital signature

