On 04/21/2013 07:37 PM, Dash Four wrote:
>
> Tom Eastep wrote:
>> On 4/21/13 7:14 PM, "Dash Four" <[email protected]> wrote:
>>
>>>> OK, the main thing I've found so far is that shorewall does not touch
>>>> the order of statements after ";" this time (compared to "rules"), so
>>>> if I specify "INLINE ; -m nfacct --nfacct-name test -p 6 -m set
>>>> --match-set test src --dport 1234" that passes as-is (that, obviously,
>>>> won't pass iptables, but I am pleased that the order is preserved in
>>>> whatever I throw after ";").
>>>>
>>> No issues to report, except one or two suggestions:
>>>
>>> 1. It would be nice if you could extend the nfacct syntax for ipsets to
>>> specify more than one nfacct object, separated by commas - in the way
>>> NFACCT(...) syntax currently is. For example: "+dmz-net(dmz,dmz_in)".
>>>
>>
>> Isn't that already there?
>>
> Nope, I am getting an error if I try that... "NFACCT(all,all_in) -
> +dmz-net(dmz,dmz_in)" gives me "ERROR: Invalid ipset name
> (+dmz-net(dmz)". Specifying "+dmz-net(dmz_in)" is OK.

Patch attached.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b99e6c1..64974c2 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -6056,6 +6056,33 @@ sub split_host_list( $$;$ ) {
@result = @input;
}
+ if ( $input =~ /\(/ ) {
+ @input = @result;
+ @result = ();
+
+ while ( @input ) {
+ my $element = shift @input;
+
+ if ( $element =~ /\(/ ) {
+ while ( $element =~ tr/(/(/ > $element =~ tr/)/)/ ) {
+ fatal_error "Missing ')' ($element)" unless @input;
+ $element .= ( ',' . shift @input );
+ }
+
+ unless ( $loose ) {
+ fatal_error "Invalid host list ($input)" if $exclude && $element =~ /!/;
+ $exclude ||= $element =~ /^!/ || $element =~ /\)!/;
+ }
+
+ fatal_error "Mismatched (...) ($element)" unless $element =~ tr/(/(/ == $element =~ tr/)/)/;
+ } else {
+ $exclude ||= $element =~ /!/ unless $loose;
+ }
+
+ push @result, $element;
+ }
+ }
+
unless ( $deferresolve ) {
my @result1;
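Review bot: A stray ')' is only rejected for elements that also contain '(': the "Mismatched (...)" check sits inside the `if ( $element =~ /\(/ )` branch, and the whole block is skipped unless `$input` contains '(', so an element such as `dmz)` passes through this code unchanged. Consider comparing the two tr counts for every element (move the check below the if/else and widen the outer guard to match either parenthesis). Separately, the else branch updates `$exclude` but never raises "Invalid host list" when `$exclude` is already set and the element contains '!', unlike the parenthesised branch; if that case is already rejected earlier in split_host_list, a short comment saying so would make the asymmetry clear.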
_______________________________________________ Shorewall-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-devel
