On 2/18/11 3:52 PM, Steven Jan Springl wrote:
> When the accounting file contains:
>
> SECTION INPUT
> COUNT - - - - - - root
>
> The following messages are produced:
>
> iptables: Invalid argument. Run `dmesg' for more information.
>
> ERROR: Command "/usr/local/sbin/iptables -A accountin -m owner --uid-owner
> root" Failed
>
> dmesg produces:
>
> ip_tables: owner match: used from hooks INPUT, but only valid from
> OUTPUT/POSTROUTING
>

Steven,

The attached should correct this problem as well as the one with a MAC address.

Thanks Steve,
-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Accounting.pm
b/Shorewall/Perl/Shorewall/Accounting.pm
index d7e501a..f1e2f02 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -159,6 +159,10 @@ sub process_accounting_rule( ) {
$ports = '' if $ports eq 'any' || $ports eq 'all';
$sports = '' if $sports eq 'any' || $sports eq 'all';
+ if ( $asection ) {
+ fatal_error "USER/GROUP may only be specified in the OUTPUT section"
unless $user eq '-' || $asection == OUTPUT;
+ }
+
my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) .
do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
my $rule2 = 0;
my $jump = 0;
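Review bot: the new USER/GROUP check is wrapped in "if ( $asection )", so it is skipped whenever no section is in effect, while the second hunk treats "! $asection" as a case that must be rejected. If an unsectioned accounting file can place rules in a chain reached from INPUT, do_user() will still emit the owner match that the kernel refused in the report; either apply the check in that case too or add a comment saying why the unsectioned case is safe. The outer if and the trailing unless can also be folded into a single condition, which reads more clearly. Separately, the continuation line "unless $user eq '-' || $asection == OUTPUT;" carries no leading "+", so the patch looks line-wrapped in transit and may not apply as posted.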
@@ -209,6 +213,8 @@ sub process_accounting_rule( ) {
if ( $source eq 'any' || $source eq 'all' ) {
$source = ALLIP;
+ } else {
+ fatal_error "MAC addresses only allowed in the INPUT and FORWARD
sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
}
if ( have_bridges && ! $asection ) {
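Review bot: the MAC test in the new else branch rejects only "$asection == OUTPUT || ! $asection", while its message says MAC addresses are allowed only in the INPUT and FORWARD sections. Testing positively for those two sections would keep the condition and the message in agreement if any other section value exists. The pattern /~/ also matches a tilde anywhere in $source; anchoring it where the MAC prefix is expected would avoid a misleading error on other input. The string literal is split across two lines in the posted patch ("...INPUT and FORWARD" / "sections"), which would put a newline into the message or stop the hunk from applying; it needs rejoining before commit.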
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
