On 12/05/2012 05:34 PM, Mr Dash Four wrote:

I'll be able to do a bit of testing after Tuesday.
This is what I was able to find out so far:

1.

action.my_log
~~~~~~~~~~~~~
$1

rules
~~~~~
my_log(LOG:info(uid,tcp_options,ip_options,macdecode,tcp_sequence)):debug(uid,tcp_options,ip_options,macdecode,tcp_sequence)
 $FW net

gets me "ERROR: Invalid ACTION (LOG:info(uid)"

Patch PARAM.patch attached.


2.

action.my_log78901234567890
~~~~~~~~~~~~~~~~~~~~~~~~~~~
$1

3.

action.C_ACTION (inline)
~~~~~~~~~~~~~~~~~~~~~~~~
$1

rules
~~~~~
C_ACTION(dropBcast) $FW net
dropBcast $FW net


generates:

[...]
-A fw2net -j dropBcast -m comment --comment "C_ACTION"
-A fw2net -j dropBcast
[...]

Two issues here: 1. the above 2 statements are essentially the same, bar the 
(auto-generated) comment (OPTIMIZE is set at 31); and 2. It would be nice if I could 
disable the auto-generated comment by shorewall (new option in "actions"?) and 
verify that OPTIMIZE works to remove the duplicate statements in inline actions (that 
optimisation seems to work for normal actions).


Number 1 will have to wait for 4.5.11.

For number 2, have you tried simply placing an empty COMMENT line as the first line of C_ACTION?

4.

rules
~~~~~
my_log78901234567890(LOG:debug):info $FW net

gets me (note the extra space after "678") WARNING: Log Prefix shortened to 
"Shorewall:my_log789012345678 "
and then generates a rule containing (again, note the extra space) ... --log-prefix 
"Shorewall:my_log789012345678 "


The space is there to separate the tag from the following 'IN=' in the log message; without it, the log message reads ...Shorewall:my_log7890123456789IN=eth0....

5.

rules
~~~~~
circ1(NonSyn) $FW net

gets me "ERROR: Invalid Action (NonSyn) in inline action" (circ1 is indeed 
inlined) - isn't that supposed to be (silently) ignored?

Looks like there is no target named 'nonSyn' (note that the standard shorewall action is 'NotSyn').


rules
~~~~~
circ1(RST) $FW net

gives no error, but the following rule is produced:
-A fw2net -p 6 --tcp-flags RST RST, -j DROP -m comment --comment "circ1"

Is the comma after the second "RST" supposed to be there?

Obviously not. COMMA.patch attached.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 9b261a4..add549e 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1660,8 +1660,8 @@ sub split_list( $$;$ ) {
     split /,/, $list;
 }
 
-sub split_list1( $$ ) {
-    my ($list, $type ) = @_;
+sub split_list1( $$;$ ) {
+    my ($list, $type, $keepparens ) = @_;
 
     fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;
 
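Review bot: the new optional third argument in `sub split_list1( $$;$ )` / `my ($list, $type, $keepparens ) = @_;` has no accompanying comment, and nothing in the hunk states what a true `$keepparens` means for callers. Add a one-line header comment above the sub saying that when the flag is set the parentheses around a comma-separated sub-list are retained in the returned element instead of being stripped; the `;` in the prototype keeps the existing two-argument callers working unchanged.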
@@ -1674,17 +1674,17 @@ sub split_list1( $$ ) {
 
 	if ( ( $count = tr/(/(/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" if $element || $count > 1;
-	    s/\(//;
+	    s/\(// unless $keepparens;
 	    if ( ( $count = tr/)/)/ ) > 0 ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
-		s/\)//;
+		s/\)// unless $keepparens;
 		push @list2 , $_;
 	    } else {
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
-	    s/\)//;
+	    s/\)// unless $keepparens;
 	    push @list2, join ',', $element, $_;
 	    $element = '';
 	} elsif ( $element ) {
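Review bot: the three `s/\(// unless $keepparens;` / `s/\)// unless $keepparens;` edits only change what is returned, not what is validated: the `fatal_error "Invalid $type list ($list)" if $element || $count > 1;` and `... if $count > 1;` checks still run, so a parameter list with nested parentheses (more than one `(` in a single comma-separated element) is still rejected even with `$keepparens` set. That is consistent with the existing one-level design, but it is worth a comment next to the flag so the next reader does not expect arbitrary nesting, and the `join ',', $element, $_` branch should get a test case confirming the rejoined element comes back as `a(b,c)` with both parens intact.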
@@ -2510,7 +2510,7 @@ sub embedded_perl( $ ) {
 # Push/pop action params
 #
 sub push_action_params( $$$$ ) {
-    my @params = ( undef , split /,/, $_[1] );
+    my @params = ( undef , split_list1( $_[1], 'parameter', 1 ) );
     my %oldparams = %actparms;
 
     %actparms = ();
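Review bot: replacing `split /,/, $_[1]` with `split_list1( $_[1], 'parameter', 1 )` in `push_action_params` tightens validation as a side effect: `split_list1` begins with `fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;`, so a parameter string with a leading, trailing or doubled comma that the bare `split` used to accept silently (Perl's `split` also drops trailing empty fields) now aborts compilation with "Invalid parameter list". That is probably the desired behaviour, but it is a user-visible change for existing action invocations and should be called out in the changelog and release notes for the version this lands in.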
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 8f7f3d2..086434f 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1999,7 +1999,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	return $generated;
 
     } elsif ( $actiontype & ( ACTION | INLINE ) ) {
-	split_list $param, 'Action parameter';
+	split_list1 $param, 'Action parameter';
     } elsif ( $actiontype & NFQ ) {
 	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
 	my $paramval = $param eq '' ? 0 : numeric_value( $param );
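Review bot: `split_list1 $param, 'Action parameter';` is called in void context, so its return value is discarded and the call exists only for the `fatal_error` it may raise; a short comment such as `# validate the parameter list` would make that intent clear. Switching from `split_list` to `split_list1` is what allows a parenthesized sub-list like the `LOG:info(uid,tcp_options,...)` case from item 1 of the thread to pass validation here, since `split_list1` understands one level of parentheses; note that the parentheses are still stripped by this call because the third argument is not passed, which is fine given the result is unused.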
diff --git a/Shorewall/action.RST b/Shorewall/action.RST
index 37aee7e..0f7641e 100644
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -47,7 +47,7 @@ my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 
 log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
 
 allow_optimize( $chainref );
 
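Review bot: the stray comma in `'-p 6 --tcp-flags RST RST, '` produced an iptables match `--tcp-flags RST RST,` (as shown in the `-A fw2net` rule earlier in the thread), and the corrected `add_jump` line now matches the `'-p 6 --tcp-flags RST RST '` string already used by the `log_rule_limit` call two lines above it. Since the same match string is now spelled out twice in this file, consider hoisting it into a single `my $match = '-p 6 --tcp-flags RST RST ';` used by both calls so the logging rule and the jump rule cannot drift apart again.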
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel