Tom Eastep wrote:
RC 2 is now available for testing.
This version corrects a problem with INLINE handling in the accounting
and tcrules files as well as centralizing the validation and
registration of nfacct object names.
I am enclosing another minor (cosmetic) patch - see attached. I also
have a question:
Let's assume that I have the following:
actions
~~~~~~~
# declare FLOG as a regular (non-inline) action; its body is in action.FLOG
FLOG
action.FLOG
~~~~~~~~~~~
# $1: non-empty enables the LOG rule, $2: chain name, $3: disposition,
# $4: optional action to run afterwards
?IF $1
?SET @chain $2 ? $2 : " "
?SET @disposition $3 ? $3 : " "
LOG:info(tcp_options,ip_options,macdecode,tcp_sequence,uid)
?END IF
?IF $4
$4
?END IF
rules
~~~~~
SECTION NEW
# FLOG invoked from the fw->net chain; the caller's @chain is passed as $2
FLOG(log,@chain,ACCEPT,ACCEPT) $FW net:+dmz-net
With the above setup, FLOG is not inline and shorewall creates a new
chain (called FLOG) and then executes everything there. So far, so good.
However, the "@chain" variable, which I passed as a parameter to FLOG, is
*not*, as I expected, set to "fw2net", but assumes a value of "FLOG"
(the chain in which FLOG executes). It is obvious that shorewall does
not differentiate between the "@chain" passed as a parameter to a
specific action in "rules", "blrules" and the like, and the "@chain"
parameter value inside that action. The two are very different. I
presume the exact same thing exists with @disposition as well.
Is it possible to get shorewall to recognise the "@chain" variable to
assume a value of the chain in which the statement occurs ("fw2net" in
the above case), instead of assuming the value of the chain in which the
actual action executes?
I know there are currently 2 workarounds to this: either use an inline
"wrapper" action, which calls FLOG, or hardcode the chain value and
then call FLOG (i.e. "FLOG(log,fw2net,ACCEPT,ACCEPT) $FW net"), but I
don't like either of these.
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -64,6 +64,7 @@
get_action_disposition
set_action_param
get_inline_matches
+ get_nfacct_match
have_capability
require_capability
@@ -2857,6 +2858,13 @@
}
#
+# Return nfacct match
+#
+sub get_nfacct_match( $ ) {
+ "-m nfacct --nfacct-name @_ ";
+}
+
+#
# Push/pop acton params
#
sub push_action_params( $$$$$$ ) {
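Review bot: in the new `get_nfacct_match( $ )` the body interpolates `@_` even though the prototype declares exactly one scalar; `"-m nfacct --nfacct-name $_[0] "` states the intent directly and cannot silently space-join several names if the prototype is later relaxed. The helper also emits the name without validating it, so every caller has to keep its `validate_nfobject` call ahead of the match (all four call sites in this patch do); a one-line comment above the sub stating that precondition would keep a future caller from dropping it.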
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -237,9 +237,9 @@
for ( my @objects = split_nfacct_list $1 ) {
validate_nfobject( $_, 1 );
if ( s/!$// ) {
- $prerule .= "-m nfacct --nfacct-name $_ ";
+ $prerule .= get_nfacct_match( $_ );
} else {
- $rule .= "-m nfacct --nfacct-name $_ ";
+ $rule .= get_nfacct_match( $_ );
}
}
} elsif ( $action eq 'INLINE' ) {
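Review bot: the ordering in this loop deserves a comment: `validate_nfobject( $_, 1 )` runs before `s/!$//` strips the trailing `!`, so the validator sees the suffixed name while `get_nfacct_match( $_ )` receives the stripped one. If the second argument (1) is what tells validate_nfobject to accept the suffix, say so in a comment next to the call; otherwise the validation belongs after the strip. The substitution itself is behaviour-preserving, since the helper returns exactly the literal it replaces.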
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -5453,7 +5453,7 @@
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)",
's';
for ( my @objects = split_list $3, 'nfacct' ) {
validate_nfobject( $_ );
- $result .= "-m nfacct --nfacct-name $_ ";
+ $result .= get_nfacct_match( $_ );
}
}
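Review bot: the split/validate/emit loop in this hunk is repeated verbatim in the hunks at -5473, -5627 and -5649, each time preceded by the same `require_capability 'NFACCT_MATCH'` line. Consider folding the whole sequence into one helper, for example `$result .= nfacct_matches( $3 );` (name hypothetical), so that a later change to the validation or to the match string is made once rather than four times.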
@@ -5473,7 +5473,7 @@
require_capability 'NFACCT_MATCH', "An nfacct object list
($3)", 's';
for ( my @objects = split_list $3, 'nfacct' ) {
validate_nfobject( $_ );
- $result .= "-m nfacct --nfacct-name $_ ";
+ $result .= get_nfacct_match( $_ );
}
}
}
@@ -5627,7 +5627,7 @@
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)",
's';
for ( my @objects = split_list $3, 'nfacct' ) {
validate_nfobject( $_ );
- $result .= "-m nfacct --nfacct-name $_ ";
+ $result .= get_nfacct_match( $_ );
}
}
@@ -5649,7 +5649,7 @@
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)",
's';
for ( my @objects = split_list $3, 'nfacct' ) {
validate_nfobject( $_ );
- $result .= "-m nfacct --nfacct-name $_ ";
+ $result .= get_nfacct_match( $_ );
}
}
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel