On 2/13/11 3:56 PM, Steven Jan Springl wrote:

> When the accounting file contains:
> 
> SECTION INPUT
> test
> test2  test
> SECTION OUTPUT
> test  test2
> 
> The following error messages are produced:
> 
> iptables v1.4.10: Couldn't load target 
> `test2':/usr/local/libexec/xtables/libipt_test2.so: cannot open shared object 
> file: No such file or directory
> 
> ERROR: Command "/usr/local/sbin/iptables -A INPUT -j test2" Failed
> 
> -------------------------------------------------------------------------------------------------------
> 
> When the accounting file contains:
> 
> SECTION INPUT
> test
> test2  test
> SECTION OUTPUT
> test  test2
> SECTION FORWARD
> ACCOUNT(net2lan,192.168.0.0/24)  test
> 
> The following error messages are produced:
> 
> iptables: Too many levels of symbolic links.
> ERROR: Command "/usr/local/sbin/iptables -A test -j test" Failed

You're right -- my removal of loop detection for sectioned accounting
rules was the result of a brain cramp.

I've restored that logic in the attached patch.

Thanks, Steven

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Accounting.pm 
b/Shorewall/Perl/Shorewall/Accounting.pm
index 51f79df..3aa7a0b 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -279,7 +279,6 @@ sub process_accounting_rule( ) {
 
     if ( $jumpchainref ) {
        if ( $asection ) { 
-           fatal_error "Chain $chain jumps to itself" if $chainref eq 
$jumpchainref;
            my $jumprestrict = $jumpchainref->{restriction} || $restriction;
            fatal_error "Chain $jumpchainref->{name} contains rules that are 
incompatible with the $sectionname section" if $jumprestrict && $jumprestrict 
ne $restriction;
        }
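Review bot: Dropping the `Chain $chain jumps to itself` check from the `if ( $asection )` branch leaves a sectioned self-jump (the `-A test -j test` case in the report) to be caught only by the %accountingjumps pass in setup_accounting. Nothing in this hunk shows the jump being recorded in %accountingjumps on the sectioned path, so please confirm that it is. If it is, the user now gets the generic "Jump loop involving the following chains" message instead of the specific one. Keeping the one-line check here would preserve the clearer diagnostic at no cost.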
@@ -396,29 +395,29 @@ sub setup_accounting() {
                for ( accounting_chainrefs ) {
                    warning_message "Accounting chain $_->{name} has no 
references" unless keys %{$_->{references}};
                }
+           }
+
+           if ( my $chainswithjumps = keys %accountingjumps ) {
+               my $progress = 1;
 
-               if ( my $chainswithjumps = keys %accountingjumps ) {
-                   my $progress = 1;
-
-                   while ( $chainswithjumps && $progress ) {
-                       $progress = 0;
-                       for my $chain1 (  keys %accountingjumps ) {
-                           if ( keys %{$accountingjumps{$chain1}} ) {
-                               for my $chain2 ( keys 
%{$accountingjumps{$chain1}} ) {
-                                   delete $accountingjumps{$chain1}{$chain2}, 
$progress = 1 unless $accountingjumps{$chain2};
-                               }
-                           } else {
-                               delete $accountingjumps{$chain1};
-                               $chainswithjumps--;
-                               $progress = 1;
+               while ( $chainswithjumps && $progress ) {
+                   $progress = 0;
+                   for my $chain1 (  keys %accountingjumps ) {
+                       if ( keys %{$accountingjumps{$chain1}} ) {
+                           for my $chain2 ( keys %{$accountingjumps{$chain1}} 
) {
+                               delete $accountingjumps{$chain1}{$chain2}, 
$progress = 1 unless $accountingjumps{$chain2};
                            }
+                       } else {
+                           delete $accountingjumps{$chain1};
+                           $chainswithjumps--;
+                           $progress = 1;
                        }
                    }
+               }
 
-                   if ( $chainswithjumps ) {
-                       my @chainswithjumps = keys %accountingjumps;
-                       fatal_error "Jump loop involving the following chains: 
@chainswithjumps";
-                   }
+               if ( $chainswithjumps ) {
+                   my @chainswithjumps = keys %accountingjumps;
+                   fatal_error "Jump loop involving the following chains: 
@chainswithjumps";
                }
            }
        }
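Review bot: The final `fatal_error "Jump loop involving the following chains: @chainswithjumps"` prints every key still left in %accountingjumps, in hash order. That set includes chains that only jump into a loop as well as the loop members, and the order can differ between runs. Using `sort keys %accountingjumps` would make the message stable. Separately, `delete $accountingjumps{$chain1}{$chain2}, $progress = 1 unless $accountingjumps{$chain2};` relies on the comma operator under a statement modifier; a short `unless ( ... ) { ... }` block would be easier to read now that this code is being re-indented anyway.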

_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
