On 04/25/2013 08:30 AM, Dash Four wrote: > > Dash Four wrote: >> The only thing I could suggest is what you've already done - altering >> the email, but as I already pointed out above - I am not really that >> bothered if I am shown to be "the author" or not. > I hope it is not too late to request one minor correction, as far as > nfacct object name matching is concerned (that will affect all NFACCT > statements): Currently shorewall only matches/accepts a "word" character > (i.e. [a-zA-Z_0-9]), but I would like to use other characters, like "%", > "&", "@" and "~" (the latter two being particularly important as this is > how I split my traffic into "sub-classes"). Would that be possible?
Please give the attached patch a try. It also corrects a problem where not all nfacct objects were created by the generated script. Thanks, -Tom -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm
index 2025b1c..3197bd0 100644
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -231,19 +231,19 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
}
} elsif ( $action =~ /^NFLOG/ ) {
$target = validate_level $action;
- } elsif ( $action =~ /^NFACCT\(([\w,!]+)\)$/ ) {
+ } elsif ( $action =~ /^NFACCT\((.+)\)$/ ) {
require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
$target = '';
my @objects = split_nfacct_list $1;
for ( @objects ) {
- if ( $_ =~ /^([\w]+)(!)?$/ ) {
+ if ( $_ =~ /^([\w%&@~]+)(!)?$/ ) {
if ( $2 ) {
$prerule .= "-m nfacct --nfacct-name $1 ";
} else {
$rule .= "-m nfacct --nfacct-name $1 ";
}
} else {
- accounting_error;
+ fatal_error "Invalid nfacct object name ($_)";
}
}
} elsif ( $action eq 'INLINE' ) {
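Review bot: Both new patterns, at the `elsif` and at the inner `if`, anchor with `$`, which also matches before a trailing newline, so an object name ending in a newline passes validation and is emitted into the rule text; `\z` is the strict end anchor: `} elsif ( $action =~ /^NFACCT\((.+)\)\z/ ) {` and `if ( $_ =~ /^([\w%&@~]+)(!)?\z/ ) {`. Separately, the widened class now admits `&` and `~`, and the accepted name is interpolated verbatim into `-m nfacct --nfacct-name $1 `; if that rule text reaches a shell unquoted in the generated script, `&` is a control operator and a leading `~` is subject to tilde expansion, so it is worth confirming how the rule is quoted on output. The Chains.pm hunks in this patch record each accepted name in `%nfobjects`, while this loop does not; unless `split_nfacct_list` does that itself, objects named only in an NFACCT action may still be missing from the generated script. process_accounting_rule1 starts and ends outside the hunk.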
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 6c16377..b4be0db 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -5439,8 +5439,11 @@ sub match_source_net( $;$\$ ) {
my $result = join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'src' ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
- my @objects = split_list $3, 'nfacct';
- $result .= "-m nfacct --nfacct-name $_ " for @objects;
+ for ( my @objects = split_list $3, 'nfacct' ) {
+ fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+ $result .= "-m nfacct --nfacct-name $_ ";
+ $nfobjects{$_} = 1;
+ }
}
return $result;
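Review bot: `for ( my @objects = split_list $3, 'nfacct' ) {` declares an array that is never read again and only serves to supply the loop list, so `for ( split_list $3, 'nfacct' ) {` says the same thing; the same shape is repeated in the other seven Chains.pm hunks (the second match_source_net hunk and those of imatch_source_net, match_dest_net and imatch_dest_net). The validation anchors with `$`, which also matches before a trailing newline, so `fatal_error "Invalid nfacct object name ($_)" unless /\A[\w%&@~]+\z/;` is the strict form. A successful match inside the loop also resets `$1`–`$3`, so if the enclosing code reads `$3` after this block (not visible here), it now sees undef where the original one-liner left it intact. match_source_net starts and ends outside the hunk.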
@@ -5457,8 +5460,11 @@ sub match_source_net( $;$\$ ) {
$result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'src' ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
- my @objects = split_list $3, 'nfacct';
- $result .= "-m nfacct --nfacct-name $_ " for @objects;
+ for ( my @objects = split_list $3, 'nfacct' ) {
+ fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+ $result .= "-m nfacct --nfacct-name $_ ";
+ $nfobjects{$_} = 1;
+ }
}
}
@@ -5524,8 +5530,11 @@ sub imatch_source_net( $;$\$ ) {
my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
- my @objects = split_list $3, 'nfacct';
- push( @result, ( nfacct => "--nfacct-name $_" ) ), $nfobjects{$_} = 1 for @objects;
+ for ( my @objects = split_list $3, 'nfacct' ) {
+ fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+ push( @result, ( nfacct => "--nfacct-name $_" ) );
+ $nfobjects{$_} = 1;
+ }
}
return @result;
@@ -5542,8 +5551,11 @@ sub imatch_source_net( $;$\$ ) {
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'src' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
- my @objects = split_list $3, 'nfacct';
- push( @result, ( nfacct => "--nfacct-name $_" ) ), $nfobjects{$_} = 1 for @objects;
+ for ( my @objects = split_list $3, 'nfacct' ) {
+ fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+ push( @result, ( nfacct => "--nfacct-name $_" ) );
+ $nfobjects{$_} = 1;
+ }
}
}
@@ -5605,8 +5617,11 @@ sub match_dest_net( $;$ ) {
my $result = join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
- my @objects = split_list $3, 'nfacct';
- $result .= "-m nfacct --nfacct-name $_ " for @objects;
+ for ( my @objects = split_list $3, 'nfacct' ) {
+ fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+ $result .= "-m nfacct --nfacct-name $_ ";
+ $nfobjects{$_} = 1;
+ }
}
return $result;
@@ -5625,8 +5640,11 @@ sub match_dest_net( $;$ ) {
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
- my @objects = split_list $3, 'nfacct';
- $result .= "-m nfacct --nfacct-name $_ " for @objects;
+ for ( my @objects = split_list $3, 'nfacct' ) {
+ fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+ $result .= "-m nfacct --nfacct-name $_ ";
+ $nfobjects{$_} = 1;
+ }
}
return $result;
@@ -5685,8 +5703,11 @@ sub imatch_dest_net( $;$ ) {
my @result = ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
- my @objects = split_list $3, 'nfacct';
- push( @result, ( nfacct => "--nfacct-name $_" ) ), $nfobjects{$_} = 1 for @objects;
+ for ( my @objects = split_list $3, 'nfacct' ) {
+ fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+ push( @result, ( nfacct => "--nfacct-name $_" ) );
+ $nfobjects{$_} = 1;
+ }
}
return @result;
@@ -5703,8 +5724,11 @@ sub imatch_dest_net( $;$ ) {
push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $2, 'dst' ) ) );
if ( $3 ) {
require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
- my @objects = split_list $3, 'nfacct';
- push( @result, ( nfacct => "--nfacct-name $_" ) ), $nfobjects{$_} = 1 for @objects;
+ for ( my @objects = split_list $3, 'nfacct' ) {
+ fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+ push( @result, ( nfacct => "--nfacct-name $_" ) );
+ $nfobjects{$_} = 1;
+ }
}
}
