-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On 10/22/2016 02:35 PM, Steven Jan Springl wrote:
> Tom
>
> The attached config. produces the following messages:
>
> Compiling /etc/shorewall92/mangle...
>
> Use of uninitialized value in bitwise and (&) at
> /usr/share/shorewall/Shorewall/Rules.pm line 4826, <$currentfile>
> line 6.
>
> Use of uninitialized value in concatenation (.) or string at
> /usr/share/shorewall/Shorewall/Rules.pm line 4826, <$currentfile>
> line 6.
>
With the attached patch, the compiler correctly flags the presence of
an output interface in a PREROUTING rule.
Thanks, Steven.
- -Tom
- --
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org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=t/sk
-----END PGP SIGNATURE-----
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 947ac30..85ed160 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2747,11 +2747,13 @@ sub accounting_chainrefs() {
grep $_->{accounting} , values %$filter_table;
}
-sub ensure_mangle_chain($) {
- my $chain = $_[0];
+sub ensure_mangle_chain($;$$) {
+ my ( $chain, $number, $restriction ) = @_;
my $chainref = ensure_chain 'mangle', $chain;
- $chainref->{referenced} = 1;
+ $chainref->{referenced} = 1;
+ $chainref->{chainnumber} = $number if $number;
+ $chainref->{restriction} = $restriction if $restriction;
$chainref;
}
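Review bot: The two new optional arguments of ensure_mangle_chain are undocumented, and the `if $number` / `if $restriction` guards test truth rather than definedness, so a constant whose value is 0 would be silently dropped. The consumer added in Rules.pm checks `defined $chainref->{restriction}`, so `$chainref->{restriction} = $restriction if defined $restriction;` would keep the two sides consistent. Also add a comment above the sub, for example `# $number and $restriction are optional; when omitted the chain's existing values are left untouched`.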
@@ -7722,7 +7724,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
$onets = ALLIP unless $onets;
fatal_error "SOURCE interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && ( $inets ne ALLIP || $iexcl || $trivialiexcl);
- fatal_error "DEST interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && ( $dnets ne ALLIP || $dexcl || $trivialdexcl);
+ fatal_error "DEST interface may not be specfied in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface;
my $done;
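Review bot: The new fatal_error text misspells "specified" as `specfied`, and this string is what users see when the compiler rejects a rule. It should read `fatal_error "DEST interface may not be specified in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface;`. The body of expand_rule starts and ends outside this hunk.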
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index ceb8571..0070bdf 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -4102,7 +4102,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
my $match = "-m statistic --mode nth --every $marks --packet $packet ";
expand_rule( $chainref,
- $restrictions{$chain} | $restriction,
+ $restriction,
$prerule ,
$match .
do_user( $user ) .
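Review bot: This expand_rule call now passes `$restriction` alone, and nothing visible in this hunk merges the chain's stored restriction into it the way the later hunk does before its own expand_rule call. If this path can run before that merge, the PREROUTING/POSTROUTING interface checks in expand_rule would be skipped and an invalid rule could compile without an error. Either confirm the merge always happens first, or pass the chain's value explicitly here, e.g. `$restriction | ( $chainref->{restriction} || 0 ),`. The enclosing code starts and ends outside the hunk.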
@@ -4835,6 +4835,7 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
fatal_error 'A USER/GROUP may only be specified when the SOURCE is $FW' unless $user eq '-';
}
}
+
} else {
$resolve_chain->();
fatal_error "$cmd rules are not allowed in the $chainlabels{$chain} chain" unless $commandref->{allowedchains} & $chain;
@@ -4845,8 +4846,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
$chainref = ensure_chain( 'mangle', $chainnames{$chain} );
}
+ $restriction |= $chainref->{restriction} if defined $chainref->{restriction};
+
if ( ( my $result = expand_rule( $chainref ,
- ( $restrictions{$chain} || 0 ) | $restriction,
+ $restriction,
$prerule,
do_proto( $proto, $ports, $sports) . $matches .
do_user( $user ) .
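Review bot: The restriction now comes only from `$chainref->{restriction}`, which the visible code sets only in ensure_mangle_chain; the context line just above obtains the chain with plain `ensure_chain( 'mangle', $chainnames{$chain} )`. A chain first created on that path has no restriction key, whereas the removed `( $restrictions{$chain} || 0 )` supplied a value from the chain designator regardless. If such chains can exist (for instance when setup_tc did not register them), keeping the table as a fallback preserves the check: `$restriction |= $chainref->{restriction} // $restrictions{$chain} // 0;`. The surrounding function is not fully visible here, so this needs confirming against the callers.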
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index f87d7f7..28ae169 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -2276,13 +2276,13 @@ sub setup_tc( $ ) {
$convert = $_[0];
if ( $config{MANGLE_ENABLED} ) {
- ensure_mangle_chain 'tcpre';
- ensure_mangle_chain 'tcout';
+ ensure_mangle_chain( 'tcpre', PREROUTING, PREROUTE_RESTRICT );
+ ensure_mangle_chain( 'tcout', OUTPUT , OUTPUT_RESTRICT );
if ( have_capability( 'MANGLE_FORWARD' ) ) {
- ensure_mangle_chain 'tcfor';
- ensure_mangle_chain 'tcpost';
- ensure_mangle_chain 'tcin';
+ ensure_mangle_chain( 'tcfor', FORWARD );
+ ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
+ ensure_mangle_chain( 'tcin', INPUT , INPUT_RESTRICT );
}
my @mark_part;
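Review bot: `tcfor` is the only chain registered here without a restriction argument, and nothing says whether that is deliberate. A short comment on that line, such as `# FORWARD allows both input and output interfaces, so no restriction`, would stop a later reader from "fixing" the asymmetry. setup_tc continues past the end of this hunk.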