On Fri, 2011-09-23 at 22:44 +0100, Steven Jan Springl wrote:
> T
> 'shorewall show capabilities' indicates that condition match is available.
>
> If I create a capabilities, shorewall allows a condition name to be
> specified.
>
> If the capabilities file does not exist, specifying a condition name produces
> the following message:
>
> ERROR: A non-empty CONDITION column requires Condition Match in your kernel
> and iptables : /etc/shorewallT6/rules (line 16)
>
> ----------------------------------------------------------------------------------------------------------------------------
>
> The rules manual page indicates that inversion may be used in the condition
> column.
>
> Specifying !telnet in the condition column produces the following message:
>
> ERROR: Invalid condition name (!telnet) : /etc/shorewallT6/rules (line 16)
>
Steven,

Here's a patch for the first problem. I'm sending you the Chains.pm module by private mail. I've renamed the CONDITION column to SWITCH and a patch to fix the second problem won't apply to your version.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 3252751..c3bfabf 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -2674,7 +2674,7 @@ sub Account_Target() {
}
sub Condition_Match() {
- qt1( "$iptables -m condition --condition foo" );
+ qt1( "$iptables -A $sillyname -m condition --condition foo" );
}
sub Audit_Target() {
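Review bot: The new probe in Condition_Match() appends a rule to $sillyname, so the capability result now depends on that chain already existing when the function runs and on the chain being flushed and deleted afterwards; neither is visible in this hunk. Please confirm the caller creates $sillyname before this probe and removes it after, otherwise the test rule with condition name "foo" is left in the running ruleset. A one-line comment saying that the old command failed because it carried no -A (so the capability was never detected) would also help the next reader see why the chain argument is required.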
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index fee53ca..cc4a94b 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2087,8 +2087,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$rule = join( '',
do_proto( $proto, $ports, $sports ),
do_ratelimit( $ratelimit, 'ACCEPT' ),
- do_user $user ,
- do_test( $mark , $globals{TC_MASK} ) );
+ do_user $user,
+ do_test( $mark , $globals{TC_MASK} ),
+ do_condition( $condition )
+ );
$loglevel = '';
$dest = $server;
$action = 'ACCEPT';
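Review bot: In the join list, "do_user $user," is still called without parentheses while do_proto, do_ratelimit, do_test and the new do_condition all use them. Unless do_user is declared with a single-scalar prototype, Perl parses it as a list operator and passes do_test(...) and do_condition(...) to it as extra arguments instead of joining their results into $rule. Writing do_user( $user ), removes that dependence and matches the surrounding calls. Since this hunk only touches the branch that sets $dest = $server and $action = 'ACCEPT', it is also worth checking that the other rule-building paths in process_rule1 apply do_condition( $condition ), so the condition is not honoured on one path and ignored on another.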
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
