On 04/18/2013 01:40 PM, Dash Four wrote:
> 
> On a completely unrelated note to this discussion, I've just found a 
> bug which, I think, is quite major:
> 
> accounting
> ~~~~~~~~~~
> SECTION INPUT
> NFACCT(test) - +test-set
> 
> produces
> 
> -A accountin -m nfacct --nfacct-name test -m set --match-set test src
> 
> The above rule will *not* work as expected, simply because the nfacct 
> match always returns true (i.e. always "matches") and since we all know 
> that iptables matches are evaluated from left to right, packets/bytes 
> will *always* be counted regardless since the set match follows after 
> that nfacct match.
> 
> The right thing to do is to have the nfacct match *last* regardless of 
> what else is specified.


Patch attached.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index eec1cb5..63172d1 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -610,7 +610,8 @@ use constant { UNIQUE      => 1,
 	       EXCLUSIVE   => 4,
 	       MATCH       => 8,
 	       CONTROL     => 16,
-	       COMPLEX     => 32
+	       COMPLEX     => 32,
+	       LAST        => 64,
 	   };
 
 our %opttype = ( rule          => CONTROL,
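Review bot: `LAST => 64` is added to a list of power-of-two flag constants but is used as an exclusive type rather than a bit combined with MATCH, so any code that tests `$opttype{$_} == MATCH` will no longer see a LAST-typed option as a match at all. A one-line comment next to `LAST        => 64,` saying that it marks matches which must be emitted after every other match (so the kernel only reaches them once the rest of the rule has matched) would record that intent for the next reader.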
@@ -646,6 +647,8 @@ our %opttype = ( rule          => CONTROL,
 		 jump          => TARGET,
 		 target        => TARGET,
 		 targetopts    => TARGET,
+
+		 nfacct        => LAST,
 	       );
 
 our %aliases = ( protocol        => 'p',
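Review bot: since `nfacct` does not appear elsewhere in these hunks, check that it is not already keyed in `%opttype` (for example as MATCH) further up or down the hash; Perl silently keeps the later of two duplicate keys in a hash initializer, so a stale entry would make the new `nfacct        => LAST,` either win or lose depending on position with no warning. The blank line separating the entry from the TARGET group reads as an afterthought; a short comment such as "matches that must come last" would group it more clearly.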
@@ -1014,6 +1017,10 @@ sub format_rule( $$;$ ) {
 	$rule .= format_option( $_, pop_match( $ruleref, $_ ) );
     }
 
+    for ( grep( ( $opttype{$_} || 0 ) == LAST , @{$ruleref->{matches}} ) ) {
+	$rule .= format_option( $_, pop_match( $ruleref, $_ ) );
+    }    
+
     if ( $ruleref->{target} ) {
 	$rule .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );
 	$rule .= join( '', ' ', $ruleref->{targetopts} ) if $ruleref->{targetopts};
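Review bot: the new `for ( grep( ( $opttype{$_} || 0 ) == LAST , ...` loop assumes the preceding loop at `$rule .= format_option( $_, pop_match( $ruleref, $_ ) );` leaves LAST-typed entries in `@{$ruleref->{matches}}`; if that earlier loop walks every match rather than only MATCH-typed ones, nfacct is emitted twice, once in its original position and once here, and `pop_match` is called a second time for the same name. Also confirm that nothing between this loop and the `-$ruleref->{jump}` emission appends further `-m` matches, otherwise nfacct still is not the last match evaluated. Minor: the closing `}` of the new loop carries trailing whitespace.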

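The ordering problem Dash Four describes, and the effect of the patch's LAST-typed reordering, shown as an added example. This is a small Python model written for this page, not Shorewall code and not the netfilter rule walker; it mimics the two properties that matter (matches are evaluated left to right and stop at the first failure; the nfacct match counts and then always succeeds) and reorders matches the way the patch does. The packet list, the set membership and the `MATCH`/`LAST` option table are constructed for the example.

```python
"""Model of iptables left-to-right match evaluation with an nfacct counter.

Constructed example: not Shorewall's Perl, not the kernel. It only
reproduces short-circuit evaluation and the always-true nfacct match.
"""
from dataclasses import dataclass

# Constructed sample traffic: source address and packet length.
PACKETS = [
    {"src": "10.0.0.1", "len": 100},
    {"src": "10.0.0.2", "len": 200},
    {"src": "192.168.1.1", "len": 300},
    {"src": "10.0.0.1", "len": 400},
]
# Constructed ipset "test": the two 10.0.0.x hosts are members.
IPSETS = {"test": {"10.0.0.1", "10.0.0.2"}}

# Option types as in the patch: LAST-typed matches are emitted after the rest.
MATCH, LAST = 8, 64
OPTTYPE = {"set": MATCH, "nfacct": LAST}


@dataclass
class NfacctCounter:
    packets: int = 0
    bytes: int = 0


def nfacct_match(counters, name):
    """Like -m nfacct: count the packet, then always match."""
    def match(pkt):
        c = counters.setdefault(name, NfacctCounter())
        c.packets += 1
        c.bytes += pkt["len"]
        return True
    return match


def set_match(setname, key="src"):
    """Like -m set --match-set <name> src: match only set members."""
    members = IPSETS.get(setname, set())
    return lambda pkt: pkt[key] in members


def evaluate_rule(matches, pkt):
    """Left to right; the first failing match ends evaluation of the rule."""
    for m in matches:
        if not m(pkt):
            return False
    return True


def order_matches(options):
    """The patch's rule: everything not typed LAST first, LAST-typed last."""
    regular = [o for o in options if OPTTYPE.get(o[0], 0) != LAST]
    last = [o for o in options if OPTTYPE.get(o[0], 0) == LAST]
    return regular + last


def format_rule(chain, options):
    """Render the rule in iptables syntax with LAST-typed matches at the end."""
    parts = [f"-A {chain}"]
    for name, arg in order_matches(options):
        if name == "nfacct":
            parts.append(f"-m nfacct --nfacct-name {arg}")
        elif name == "set":
            parts.append(f"-m set --match-set {arg} src")
    return " ".join(parts)


def build_matches(options, counters):
    built = []
    for name, arg in options:
        if name == "nfacct":
            built.append(nfacct_match(counters, arg))
        elif name == "set":
            built.append(set_match(arg))
        else:
            raise ValueError(f"unknown match {name}")
    return built


def count(options, reorder):
    """Return (rule hits, packets counted by nfacct, bytes counted by nfacct)."""
    counters = {}
    opts = order_matches(options) if reorder else list(options)
    matches = build_matches(opts, counters)
    hits = sum(evaluate_rule(matches, p) for p in PACKETS)
    acct = counters.get("test", NfacctCounter())
    return hits, acct.packets, acct.bytes


# The rule from the report: NFACCT(test) followed by +test-set.
RULE = [("nfacct", "test"), ("set", "test")]

if __name__ == "__main__":
    print("as generated before the patch:", count(RULE, reorder=False))
    print("with nfacct moved last:       ", count(RULE, reorder=True))
    print(format_rule("accounting", RULE))
```

With the matches in the order the report shows, the rule still only "hits" for the three packets from set members, but the counter has already seen all four packets and all 1000 bytes by the time the set match rejects the outsider; with nfacct moved last, the counter only advances for packets that passed every preceding match.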
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
