On 1/8/13 7:32 PM, "Mr Dash Four" <[email protected]> wrote:
>Tom Eastep wrote:
>> On 01/06/2013 10:39 AM, Mr Dash Four wrote:
>>>>> 1. ADD(setname:flags) (same with DEL) does not work with sets
>>>>> containing the "-" character (such sets are accepted by shorewall
>>>>> anywhere else):
>>>>>
>>>>> rules
>>>>> ~~~~~
>>>>> ADD(+mickey-mouse:dst,dst) $FW net
>>>>>
>>>>> Gives me "ERROR: Expected ipset name (mickey-mouse)".
>>>>>
>>>> Hmmm - That rule compiles error-free for me; git shows that bug was
>>>> corrected in a commit on October 2 of last year.
>>>>
>>> The patch I am attaching is how I fixed this particular issue when
>>> compiling shorewall.
>>>
>>>> Agreed. Change will be in Beta 4.
>>>>
>>> Thanks.
>>
>> My patch is backward-compatible so existing rules that include '+' will
>> not be rejected.
>As I indicated in my previous response to you, the reason for attaching
>the patch was to show you how I fixed that particular bug, which, let's
>not forget, "was corrected in a commit on October 2 of last year", despite
>that rule compiling "error-free", apparently.
Your patch had nothing to do with dashes in ipset names. It rather removed
the requirement for the ipset name to be preceded by '+'. But it would
break every existing configuration that actually included a '+', which is
what I was pointing out.
>
>>>>> The above, though, gives me " ERROR: TARGET must be specified".
>>>>> "Joining" the lines in IELOG using "\" did not have any effect (still
>>>>> gives me an error).
>>>>>
>>>> If you code action.IELOG as follows, it works:
>>>>
>>> Damn, I tried every other conceivable (random) combination. Will test
>>> this later tonight. Out of interest though, if I use the alternative
>>> syntax in its entirety (with curly braces) would that still work?
>>
>> It should, yes.
>Nada. This is what I've tried:
>
>action.IELOG
>~~~~~~~~~~~~
>?IF $1
> AUDIT($1) \
> ?IF $5
> ; switch:@chain_$5
I haven't tried to reproduce this in detail, but "@chain_" expands to
nothing. You want "@{chain}_" there (which is behavior similar to the
shell with which you have considerable familiarity).
> ?ELSE
>
> ?ENDIF
>?ENDIF
>?IF $2
> LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)
>?ENDIF
>?IF $3
> NFLOG(1,0,1)
>?ENDIF
>?IF $4
> NFLOG($4,0,1)
>?ENDIF
>?IF $6
> $6
>?ENDIF
>
>
>rules
>~~~~~
>IELOG(accept,yep,yep,2,mamas,DROP) $FW net
>
>as a result, I get "ERROR: Invalid column/value pair (switch:)". In
>addition, I found yet another bug:
>
>action.IELOG
>~~~~~~~~~~~~
>#{ \
>?IF $1
> AUDIT($1) \
> ?IF $5
> ; switch:@chain_$5
> ?ELSE
>
> ?ENDIF
>?ENDIF
>#}
>?IF $2
> LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)
>?ENDIF
>?IF $3
> NFLOG(1,0,1)
>?ENDIF
>?IF $4
> NFLOG($4,0,1)
>?ENDIF
>?IF $6
> $6
>?ENDIF
>
>Passes without an error and closer inspection reveals that the AUDIT
>?IF/?ENDIF block has been completely ignored, which, I assume, is a
>result of shorewall taking into account the slash (\) in the comment line
>above.
Yes -- Shorewall processes compiler directives before looking for
comments. Your example is so contrived that I see no reason to change the
code.
>I can't get the alternative syntax to get it to work either.
-Tom
You do not need a parachute to skydive. You only need a parachute to
skydive twice.
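A small model of the expansion behaviour Tom describes above (an added example, not code from Shorewall or from either poster); it assumes positional parameters are substituted before @-variables, that a bare @name takes the longest run of word characters as in the shell, and that @chain holds the assumed chain name "IELOG":

```python
import re

# Constructed, simplified model of expansion in an action file line:
# $1..$9 parameters are substituted first, then @name / @{name} variables.
# Assumption: the ordering and the chain value "IELOG" are illustrative,
# not taken from Shorewall's source.

PARAM_RE = re.compile(r"\$(\d)")
VAR_RE = re.compile(r"@\{(\w+)\}|@(\w+)")

def expand(line, params, variables):
    """Expand $N parameters, then @variables.

    Like the shell, '@chain_' names the variable 'chain_' (longest word run),
    not 'chain' followed by a literal '_'. Undefined variables expand to ''.
    """
    def sub_param(m):
        idx = int(m.group(1)) - 1
        return params[idx] if 0 <= idx < len(params) else ""
    line = PARAM_RE.sub(sub_param, line)

    def sub_var(m):
        name = m.group(1) or m.group(2)
        return variables.get(name, "")
    return VAR_RE.sub(sub_var, line)

# Parameters from the rules line on the page: IELOG(accept,yep,yep,2,mamas,DROP)
PARAMS = ["accept", "yep", "yep", "2", "mamas", "DROP"]
VARS = {"chain": "IELOG"}  # assumed value of @chain

def broken():
    # '@chain_$5' -> '@chain_mamas' -> undefined variable -> empty: 'switch:'
    return expand("; switch:@chain_$5", PARAMS, VARS)

def fixed():
    # '@{chain}_$5' -> 'IELOG_mamas': the braces delimit the variable name
    return expand("; switch:@{chain}_$5", PARAMS, VARS)

if __name__ == "__main__":
    print(repr(broken()))  # '; switch:'
    print(repr(fixed()))   # '; switch:IELOG_mamas'
```

The empty value in the first case is what produces an "Invalid column/value pair (switch:)" style complaint, since nothing follows the colon after expansion.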
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel