On 2/9/11 12:54 PM, Steven Jan Springl wrote:
>
> When the following accounting rules are specified:
>
> test -
> test test
>
> A shorewall debug restart produces the following error messages:
>
> iptables: Too many levels of symbolic links.
> ERROR: Command "/usr/local/sbin/iptables -A test -j test" Failed
>

This was non-trivial to fix in the general case where the loop involves
an indefinite number of chains. Patch attached.

Thanks, Steven

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Accounting.pm
b/Shorewall/Perl/Shorewall/Accounting.pm
index 8075c37..110f247 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -46,9 +46,9 @@ our %tables;
# Called by the compiler to [re-]initialize this module's state
#
sub initialize() {
- our $jumpchainref;
- $jumpchainref = undef;
- %tables = ();
+ our $jumpchainref = undef;
+ %tables = ();
+ our %accountingjumps = ();
}
#
@@ -56,7 +56,8 @@ sub initialize() {
#
sub process_accounting_rule( ) {
- our $jumpchainref;
+ our $jumpchainref = 0;
+ our %accountingjumps;
my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user,
$mark, $ipsec, $headers ) = split_line1 1, 11, 'Accounting File';
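Review bot: `our $jumpchainref = 0;` at the top of process_accounting_rule uses 0 as the "no jump" value, while initialize() in the previous hunk sets the same variable to undef. Both are false, so the `if $jumpchainref` guard added further down works either way, but the variable is dereferenced as a hash reference (`$jumpchainref->{name}`) when set, and undef is the conventional empty value for that. Suggest `our $jumpchainref = undef;` here as well, with a one-line comment that the reset is per rule so that a jump target left over from an earlier accounting rule cannot end up in the edge recorded for this one.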
@@ -208,6 +209,8 @@ sub process_accounting_rule( ) {
$rule .= do_ipsec( $dir , $ipsec );
}
+ $accountingjumps{$jumpchainref->{name}}{$chain} = 1 if $jumpchainref;
+
fatal_error "$chain is not an accounting chain" unless
$chainref->{accounting};
$restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;
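Review bot: The `%accountingjumps` assignment has no comment saying which way the edge points, and the loop check added to setup_accounting() depends on it. As written, the outer key is the jump target (`$jumpchainref->{name}`) and the inner key is the chain that holds the rule (`$chain`), so each entry is the set of chains that jump into the target; please document that next to the assignment. The edge is also recorded before the `fatal_error "$chain is not an accounting chain"` check that follows it; moving the assignment below that check would keep validation ahead of bookkeeping.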
@@ -259,6 +262,8 @@ sub process_accounting_rule( ) {
sub setup_accounting() {
+ our %accountingjumps;
+
if ( my $fn = open_file 'accounting' ) {
first_entry "$doing $fn...";
@@ -300,6 +305,30 @@ sub setup_accounting() {
for ( accounting_chainrefs ) {
warning_message "Accounting chain $_->{name} has no references"
unless keys %{$_->{references}};
}
+
+ if ( my $chainswithjumps = keys %accountingjumps ) {
+ my $progress = 1;
+
+ while ( $chainswithjumps && $progress ) {
+ $progress = 0;
+ for my $chain1 ( keys %accountingjumps ) {
+ if ( keys %{$accountingjumps{$chain1}} ) {
+ for my $chain2 ( keys %{$accountingjumps{$chain1}} ) {
+ delete $accountingjumps{$chain1}{$chain2},
$progress = 1 unless $accountingjumps{$chain2};
+ }
+ } else {
+ delete $accountingjumps{$chain1};
+ $chainswithjumps--;
+ $progress = 1;
+ }
+ }
+ }
+
+ if ( $chainswithjumps ) {
+ my @chainswithjumps = keys %accountingjumps;
+ fatal_error "Jump loop involving the following chains:
@chainswithjumps";
+ }
+ }
}
}
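Review bot: The pruning loop removes a chain only when its set of incoming jumps becomes empty, so a chain that is not on any loop but is jumped to from a chain that is on one never gets removed and still ends up in `@chainswithjumps`. With A and B jumping to each other and B also jumping to C, the "Jump loop involving the following chains" message would list C as well. Either reword the message (for example "chains in or reached from a jump loop") or reduce the list to the chains actually on the cycle before calling fatal_error. Separately, `delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};` relies on the comma operator under a statement modifier; an explicit `unless ( ... ) { ... }` block would be easier to read, and a short comment that `keys` returns a snapshot list would make it obvious that deleting during the iteration is safe.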
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
