On 2/13/11 12:36 PM, Steven Jan Springl wrote: > Accounting rules: > > SECTION INPUT > test > SECTION FORWARD > ACCOUNT(net2lan,192.168.0.0/24) test eth0 eth1 > > produce the following error messages: > > iptables v1.4.10: Can't use -o with INPUT > > ERROR: Command "/usr/local/sbin/iptables -A INPUT -i eth0 -o eth1 -j > ACCOUNT --addr 192.168.0.0/24 --tname new2lan" Failed > > --------------------------------------------------------------------------------------------------------- > > Similarly accounting rules: > > SECTION OUTPUT > test > SECTION FORWARD > ACCOUNT(net2lan,192.168.0.0/24) test eth0 eth1 > > produce the following error messages: > > iptables v1.4.10: Can't use -i with OUTPUT > > ERROR: Command "/usr/local/sbin/iptables -A OUTPUT -i eth0 -o eth1 -j > ACCOUNT --addr 192.168.0.0/24 --tname new2lan" Failed
The attached patch corrects both issues. Thanks, Steven! -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Accounting.pm
b/Shorewall/Perl/Shorewall/Accounting.pm
index 852918d..51f79df 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -147,7 +147,7 @@ sub process_accounting_rule( ) {
sub jump_to_chain( $ ) {
my $jumpchain = $_[0];
fatal_error "Jumps to the $jumpchain chain are not allowed" if
reserved_chain_name( $jumpchain );
- $jumpchainref = ensure_accounting_chain( $jumpchain, 0, $restriction );
+ $jumpchainref = ensure_accounting_chain( $jumpchain, 0,
$defaultrestriction );
check_chain( $jumpchainref );
$disposition = $jumpchain;
$jumpchain;
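Review bot: The reason for passing `$defaultrestriction` instead of `$restriction` to ensure_accounting_chain is not stated, and it matters because the ensure_accounting_chain change in this same patch now ORs its third argument into an existing target chain's `{restriction}`, so passing the current rule's restriction would have been recorded against the jump target itself. A comment on the call would stop a later reader from "simplifying" it back, e.g. `# Pass the section default, not this rule's restriction, so the jump target is not widened by the rule that refers to it`. Both variables are declared outside the hunk, and jump_to_chain's closing brace lies beyond it as well.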
@@ -273,13 +273,15 @@ sub process_accounting_rule( ) {
$dir = $chainref->{ipsec};
fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not
allowed" unless $dir;
$rule .= do_ipsec( $dir , $ipsec );
+ } elsif ( $asection ) {
+ $restriction |= $chainref->{restriction};
}
if ( $jumpchainref ) {
if ( $asection ) {
fatal_error "Chain $chain jumps to itself" if $chainref eq
$jumpchainref;
my $jumprestrict = $jumpchainref->{restriction} || $restriction;
- fatal_error "Chain $jumpchainref->{name} contains rules that are
incompatible with the $sectionname section" if $restriction && $jumprestrict ne
$restriction;
+ fatal_error "Chain $jumpchainref->{name} contains rules that are
incompatible with the $sectionname section" if $jumprestrict && $jumprestrict
ne $restriction;
}
$accountingjumps{$jumpchainref->{name}}{$chain} = 1;
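Review bot: The replaced fatal_error line compares `$jumprestrict` with `$restriction` using the string operator `ne`, although both values are built as bitmasks with `|=` (the new `elsif` in this hunk and the ensure_accounting_chain line elsewhere in the patch); `if $jumprestrict && $jumprestrict != $restriction;` states the intent and matches the arithmetic used to build the values. The new `elsif ( $asection )` branch also deserves a line saying why the chain's accumulated restriction is folded into the rule, presumably so the jump check below sees the same value, e.g. `# In a section, fold in the restriction this chain has accumulated from earlier rules`. If `$chainref->{restriction}` can still be undef for a newly created chain, the `|=` will emit an uninitialized-value warning under `use warnings`; that cannot be confirmed from this hunk. The enclosing process_accounting_rule body continues outside the hunk.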
diff --git a/Shorewall/Perl/Shorewall/Chains.pm
b/Shorewall/Perl/Shorewall/Chains.pm
index 35f024b..a7b0efa 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -1327,6 +1327,7 @@ sub ensure_accounting_chain( $$$ )
if ( $chainref ) {
fatal_error "Non-accounting chain ($chain) used in an accounting rule"
unless $chainref->{accounting};
+ $chainref->{restriction} |= $restriction;
} else {
fatal_error "Chain name ($chain) too long" if length $chain > 29;
fatal_error "Invalid Chain name ($chain)" unless $chain =~ /^[-\w]+$/;
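Review bot: The added `$chainref->{restriction} |= $restriction;` turns the existing-chain branch from a lookup into a mutation of that chain, and nothing in the hunk documents that callers now depend on it (jump_to_chain in this same patch changes the value it passes for exactly that reason). A comment such as `# Widen an existing chain's restriction with the caller's; it accumulates across every rule that references the chain` would make the side effect explicit. The sub's signature and the else branch that creates a new chain lie outside the hunk, so whether `{restriction}` is initialised there is not visible here; if `$restriction` can arrive undef, the `|=` will warn and should be guarded with `if defined $restriction`.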
@@ -3686,7 +3687,14 @@ sub expand_rule( $$$$$$$$$$;$ )
$rule .= '-s $source ';
} else {
- fatal_error "Source Interface ($iiface) not allowed when the SOURCE
is the firewall" if $restriction & OUTPUT_RESTRICT;
+ if ( $restriction & OUTPUT_RESTRICT ) {
+ if ( $chainref->{accounting} ) {
+ fatal_error "Source Interface ($iiface) not allowed in the
$chainref->{name} chain";
+ } else {
+ fatal_error "Source Interface ($iiface) not allowed when
the SOURCE is the firewall";
+ }
+ }
+
$chainref->{restriction} |= $restriction;
$rule .= match_source_dev( $iiface );
}
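Review bot: The new OUTPUT_RESTRICT block in expand_rule calls fatal_error in two branches that differ only in their message, and the DESTIFACE_DISALLOW block in the next hunk repeats the same shape; choosing the message with a ternary and calling fatal_error once keeps each check compact and puts the two messages side by side where they are easy to compare. The same rewrite applies to the second hunk with its two "Destination Interface" messages. expand_rule begins and ends outside the hunk.
```perl
if ( $restriction & OUTPUT_RESTRICT ) {
    fatal_error( $chainref->{accounting}
                 ? "Source Interface ($iiface) not allowed in the $chainref->{name} chain"
                 : "Source Interface ($iiface) not allowed when the SOURCE is the firewall" );
}
# … unchanged: restriction update and match_source_dev call …
```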
@@ -3773,7 +3781,13 @@ sub expand_rule( $$$$$$$$$$;$ )
} else {
fatal_error "Bridge Port ($diface) not allowed in OUTPUT or
POSTROUTING rules" if ( $restriction & ( POSTROUTE_RESTRICT + OUTPUT_RESTRICT )
) && port_to_bridge( $diface );
fatal_error "Destination Interface ($diface) not allowed when the
destination zone is the firewall" if $restriction & INPUT_RESTRICT;
- fatal_error "Destination Interface ($diface) not allowed in the
mangle OUTPUT chain" if $restriction & DESTIFACE_DISALLOW;
+ if ( $restriction & DESTIFACE_DISALLOW ) {
+ if ( $chainref->{accounting} ) {
+ fatal_error "Destination Interface ($diface) not allowed in
the $chainref->{name} chain";
+ } else {
+ fatal_error "Destination Interface ($diface) not allowed in
the mangle OUTPUT chain";
+ }
+ }
if ( $iiface ) {
my $bridge = port_to_bridge( $diface );
