On 04/26/2013 08:52 AM, Steven Jan Springl wrote:
> Tom
> 
> Accounting file entry:
> 
> INLINE  - eth1  eth0  tcp  99  ; -m length --length 255
> 
> Generates iptables rule:
> 
> -A accounting -p 6 --dport 99 -m length --length 255-i eth1 -o eth0
> 
> Which produces error message:
> 
> iptables-restore v1.4.18: length: Argument to "--length" has unexpected 
> characters near "-i".
> 
> Note, I have applied NFACCTNAMES.patch from Beta 6.

Attached is a patch that corrects this issue. It also centralizes
validation of nfacct names.

I would appreciate it if all who are testing nfacct would apply this patch.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index 7327e0f..8c14df9 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -235,15 +235,12 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
 	    $target = '';
 	    for ( my @objects = split_nfacct_list $1 ) {
-	       if ( $_ =~ /^([\w%&@~]+)(!)?$/ ) {
-		   if ( $2 ) {
-		       $prerule .= "-m nfacct --nfacct-name $1 ";
-		   } else {
-		       $rule .= "-m nfacct --nfacct-name $1 ";
-		   }
-	       } else {
-		   fatal_error "Invalid nfacct object name ($_)";
-	       }
+		validate_nfobject( $_, 1 );
+		if ( s/!$// ) {
+		    $prerule .= "-m nfacct --nfacct-name $_ ";
+		} else {
+		    $rule .= "-m nfacct --nfacct-name $_ ";
+		}
 	    }
 	} elsif ( $action eq 'INLINE' ) {
 	    $rule .= get_inline_matches;
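Review bot: `validate_nfobject( $_, 1 )` is called before the trailing `!` is stripped on the following line, and the helper (Chains.pm hunk at `@@ -780`) registers with `$nfobjects{$_} = 1` rather than `$nfobjects{$name}`, so an object written as `foo!` is recorded as `foo!` in `%nfobjects` while the emitted rule uses `foo`; the registration also only works because every caller happens to pass `$_`. In the helper, strip the suffix before registering and key on the parameter, e.g. `( my $object = $name ) =~ s/!\z//;` followed by `$nfobjects{$object} = 1;`, so this loop can keep its `s/!$//` for choosing between `$prerule` and `$rule`. process_accounting_rule1 begins before this hunk.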
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b4be0db..165bb6b 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -248,6 +248,7 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
+				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
 				       preview_netfilter_load
@@ -780,6 +781,17 @@ sub record_nfobject( $ ) {
     $nfobjects{$value[-1]} = 1;
 }
 
+#
+# Validate and register an nfacct object name
+#
+
+sub validate_nfobject( $;$ ) {
+    my ( $name, $allowbang ) = @_;
+
+    fatal_error "Invalid nfacct object name ($name)" unless $name =~ /^[-\w%&@~]+(!)?$/ && ( $allowbang || ! $1 );
+    $nfobjects{$_} = 1;
+}
+
 # # Next a helper for setting an individual option
 #
 sub set_rule_option( $$$ ) {
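Review bot: The character class `[-\w%&@~]` in validate_nfobject admits `-`, which none of the inline checks this helper replaces (`/^[\w%&@~]+$/` in the match_source_net, imatch_source_net, match_dest_net and imatch_dest_net hunks below, and the Accounting.pm hunk) allowed, so names such as `web-in` now pass in those paths; if the widening is intended it deserves a sentence in the commit description. The anchor `$` also accepts a trailing newline, which `\z` would not: `/^[-\w%&@~]+(!)?\z/`. The header comment does not say what the optional second argument does; I would extend it to `# Validate and register an nfacct object name. A true second argument permits a trailing '!' (the caller decides what it means).`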
@@ -5440,9 +5452,8 @@ sub match_source_net( $;$\$ ) {
 	if ( $3 ) {
 	    require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 	    for ( my @objects = split_list $3, 'nfacct' ) {
-		fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		validate_nfobject( $_ );
 		$result .= "-m nfacct --nfacct-name $_ ";
-		$nfobjects{$_} = 1;
 	    }
 	}
 
@@ -5461,9 +5472,8 @@ sub match_source_net( $;$\$ ) {
 	    if ( $3 ) {
 		require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 		for ( my @objects = split_list $3, 'nfacct' ) {
-		    fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		    validate_nfobject( $_ );
 		    $result .= "-m nfacct --nfacct-name $_ ";
-		    $nfobjects{$_} = 1;
 		}
 	    }
 	}
@@ -5531,9 +5541,8 @@ sub imatch_source_net( $;$\$ ) {
 	if ( $3 ) {
 	    require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 	    for ( my @objects = split_list $3, 'nfacct' ) {
-		fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		validate_nfobject( $_ );
 		push( @result, ( nfacct => "--nfacct-name $_" ) );
-		$nfobjects{$_} = 1;
 	    }
 	}
 
@@ -5552,9 +5561,8 @@ sub imatch_source_net( $;$\$ ) {
 	    if ( $3 ) {
 		require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 		for ( my @objects = split_list $3, 'nfacct' ) {
-		    fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		    validate_nfobject( $_ );
 		    push( @result, ( nfacct => "--nfacct-name $_" ) );
-		    $nfobjects{$_} = 1;
 		}
 	    }
 	}
@@ -5618,9 +5626,8 @@ sub match_dest_net( $;$ ) {
 	if ( $3 ) {
 	    require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 	    for ( my @objects = split_list $3, 'nfacct' ) {
-		fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		validate_nfobject( $_ );
 		$result .= "-m nfacct --nfacct-name $_ ";
-		$nfobjects{$_} = 1;
 	    }
 	}
 
@@ -5641,9 +5648,8 @@ sub match_dest_net( $;$ ) {
 	if ( $3 ) {
 	    require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 	    for ( my @objects = split_list $3, 'nfacct' ) {
-		fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		validate_nfobject( $_ );
 		$result .= "-m nfacct --nfacct-name $_ ";
-		$nfobjects{$_} = 1;
 	    }
 	}
 
@@ -5704,9 +5710,8 @@ sub imatch_dest_net( $;$ ) {
 	if ( $3 ) {
 	    require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 	    for ( my @objects = split_list $3, 'nfacct' ) {
-		fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		validate_nfobject( $_ );
 		push( @result, ( nfacct => "--nfacct-name $_" ) );
-		$nfobjects{$_} = 1;
 	    }
 	}
 
@@ -5725,9 +5730,8 @@ sub imatch_dest_net( $;$ ) {
 	    if ( $3 ) {
 		require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 		for ( my @objects = split_list $3, 'nfacct' ) {
-		    fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		    validate_nfobject( $_ );
 		    push( @result, ( nfacct => "--nfacct-name $_" ) );
-		    $nfobjects{$_} = 1;
 		}
 	    }
 	}
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index c4e0736..6a26546 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -2853,7 +2853,7 @@ sub embedded_perl( $ ) {
 # Return inline matches
 #
 sub get_inline_matches() {
-    $inline_matches;
+    "$inline_matches ";
 }
 
 #
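Review bot: get_inline_matches now returns a trailing space unconditionally, so when no inline matches were recorded a caller receives `" "` instead of `""`; any caller outside this patch that tests the result for truth or emptiness would behave differently, which I cannot verify from the hunk. Since both updated callers rely on the space, the contract should be stated in the comment above the sub, e.g. `# Return inline matches, always followed by a single space so callers can append further matches directly.`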
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index c0ffaae..8c902fe 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2097,14 +2097,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
     if ( $basictarget eq 'INLINE' ) {
 	my $inline_matches = get_inline_matches;
 
-	if ( $inline_matches =~ /^(.*\s+)-j\s+(.+)$/ ) {
+	if ( $inline_matches =~ /^(.*\s+)-j\s+(.+) $/ ) {
 	    $raw_matches .= $1;
 	    $action = $2;
 	    my ( $target ) = split ' ', $action;
 	    fatal_error "Unknown jump target ($action)" unless $targets{$target};
 	    fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne '';
 	} else {
-	    $raw_matches .= "$inline_matches ";
+	    $raw_matches .= $inline_matches;
 
 	    if ( $param eq '' ) {
 		$action = $loglevel ? 'LOG' : '';
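Review bot: The `else` branch now appends `$inline_matches` without adding a space, and the `-j` regex ends in a literal space before `$`; both silently depend on get_inline_matches (Config.pm hunk) returning its value with a trailing space, and nothing at this call site says so. A one-line comment after the assignment would make the coupling visible, e.g. `# get_inline_matches() returns its value with a trailing space; the regex and the append below rely on it.` process_rule starts and ends outside this hunk.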

Attachment: signature.asc
Description: OpenPGP digital signature
