On 2/19/11 6:45 AM, Steven Jan Springl wrote:
> When the accounting file contains:
>
> COUNT - - - - - - - 0/
>
> The following error messages are produced:
>
> iptables v1.4.10: mark: Bad value for "--mark" option: "0/"
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -m mark --mark 0/"
> Failed
>
> -----------------------------------------------------------------------------------------------------------
>
> When the accounting file contains:
>
> COUNT - - - - - - - :C
>
> The following error messages are produced:
>
> iptables v1.4.10: connmark: Bad value for "--mark" option: "/0xffff"
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -m
> connmark --mark /0xffff" Failed
>
> -----------------------------------------------------------------------------------------------------------
>
> When the accounting file contains:
>
> COUNT - - - - - - - !
>
> The following error messages are produced:
>
> iptables v1.4.10: mark: Bad value for "--mark" option: "/0xffff"
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -m
> mark ! --mark /0xffff" Failed
>
> -----------------------------------------------------------------------------------------------------------
>
> When the accounting file contains:
>
> COUNT - - - - - - - !:C
>
> The following error messages are produced:
>
> iptables v1.4.10: connmark: Bad value for "--mark" option: "/0xffff"
>
> ERROR: Command "/usr/local/sbin/iptables -A accounting -m
> connmark ! --mark /0xffff" Failed
>
These issues are not restricted to the accounting file -- the same
parser is used for the MARK column in all files containing that column.

At any rate, the attached patch tightens the editing of that column.

Thanks Steven!

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Chains.pm
b/Shorewall/Perl/Shorewall/Chains.pm
index 6aa8090..70dba4c 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2394,8 +2394,15 @@ sub verify_small_mark( $ ) {
}
sub validate_mark( $ ) {
- for ( split '/', $_[0] ) {
- verify_mark $_;
+ my $mark = shift;
+ fatal_error "Missing MARK" unless defined $mark && $mark ne '';
+
+ if ( $mark =~ '/' ) {
+ my @marks = split '/', $mark;
+ fatal_error "Invalid MARK ($mark)" unless @marks == 2;
+ verify_mark $_ for @marks;
+ } else {
+ verify_mark $mark;
}
}
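Review bot: In validate_mark, `my @marks = split '/', $mark;` is called without a limit, and Perl's split then discards trailing empty fields, so a value such as "1/2/" still yields exactly two elements and passes the `@marks == 2` check with its stray trailing slash. A leading slash ("/0xffff", the string seen in three of the reported errors) keeps its empty first field, so rejecting it depends entirely on how verify_mark treats an empty string, which this hunk does not show. Consider `split '/', $mark, -1` followed by a fatal_error when any component is empty, so both cases are rejected here with the "Invalid MARK ($mark)" message. Minor style point: `$mark =~ '/'` uses a string as the pattern; `$mark =~ m{/}` or `index( $mark, '/' ) >= 0` states the intent more clearly.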
