Re: [Shorewall-users] SECMARK and CONNSECMARK support in Shorewall

Sun, 05 Sep 2010 10:54:44 -0700 

On 9/5/10 10:17 AM, Mr Dash Four wrote:
> 
>> Beginning with Shorewall 4.4.0, ipset names cannot contain "-".
>>   
> My previous (and working) version was 4.4.11.1 and it contained those
> same names including "-"!
> 

Here's a patch that allows '-'.

-Tom

-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Chains.pm 
b/Shorewall/Perl/Shorewall/Chains.pm
index 2d7ae72..4a6df26 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2523,7 +2523,7 @@ sub match_source_net( $;$ ) {
     } elsif ( $net =~ /^!?~/ ) {
        fatal_error "MAC address cannot be used in this context" if 
$restriction >= OUTPUT_RESTRICT;
        mac_match $net;
-    } elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?/ ) {
+    } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?/ ) {
        require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall 
configuration files' , '' );
        join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
     } elsif ( $net =~ s/^!// ) {
@@ -2547,7 +2547,7 @@ sub match_dest_net( $ ) {
        $net =~ s/!// if my $invert = $1 ? '! ' : '';
        validate_range $addr1, $addr2;
        iprange_match . "${invert}--dst-range $net ";
-    } elsif ( $net =~ /^(!?)\+[a-zA-Z]\w*(\[.*\])?$/ ) {
+    } elsif ( $net =~ /^(!?)\+[a-zA-Z][-\w]*(\[.*\])?$/ ) {
        require_capability( 'IPSET_MATCH' , 'ipset names in Shorewall 
configuration files' , '');
        join( '', '-m set ', $1 ? '! ' : '',  get_set_flags( $net, 'dst' ) );
     } elsif ( $net =~ /^!/ ) {

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
This SF.net Dev2Dev email is sponsored by:

Show off your parallel programming skills.
Enter the Intel(R) Threading Challenge 2010.
http://p.sf.net/sfu/intel-thread-sfd
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to