Re: [Shorewall-devel] Shorewall 4.4.17 RC 1

Mon, 07 Feb 2011 17:13:11 -0800 

On 2/7/11 4:53 PM, Tom Eastep wrote:
> On 2/7/11 3:02 PM, Steven Jan Springl wrote:

>> The following accounting rule:
>>
>> ACCOUNT(net2lan,192.168.0.0/24)  -  eth0:~01-01-01-01-01-01  eth1
>>
>> produces the following error messages:
>>
>> iptables: Invalid argument. Run `dmesg' for more information.
>>
>> ERROR: Command "/usr/local/sbin/iptables -A accounting -i eth0 -o eth1 
>> --match 
>> mac --mac-source 01:01:01:01:01:01 -j ACCOUNT --addr 192.168.0.0/24 --tname 
>> net2lan" Failed
>>
>> dmesg produces the following message:
>>
>> [25368.580699] x_tables: ip_tables: mac match: used from hooks 
>> INPUT/FORWARD/OUTPUT, but only valid from PREROUTING/INPUT/FORWARD
>>

I've decided to take a big stick to this one. Patch attached.

Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Accounting.pm 
b/Shorewall/Perl/Shorewall/Accounting.pm
index 23ec1bf..8075c37 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -149,7 +149,11 @@ sub process_accounting_rule( ) {
 
     my $restriction = NO_RESTRICT;
 
-    $source = ALLIP if $source eq 'any' || $source eq 'all';
+    if ( $source eq 'any' || $source eq 'all' ) {
+       $source = ALLIP;
+    } else {
+       fatal_error "MAC addresses are not allowed in the accounting file" if 
$source =~ /~/;
+    }
 
     if ( have_bridges ) {
        my $fw = firewall_zone;

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
Pinpoint memory and threading errors before they happen.
Find and fix more than 250 security defects in the development cycle.
Locate bottlenecks in serial and parallel code that limit performance.
http://p.sf.net/sfu/intel-dev2devfeb
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel

Reply via email to