On 05/22/2013 07:34 AM, Tom Eastep wrote: > On 05/17/2013 04:28 PM, Dash Four wrote: >> >>> accounting >>> ~~~~~~~~~~ >>> NFACCT(acc1,acc2) net2fw +test1 !+test2[src] >>> >>> produces >>> >>> -A net2fw -m set --match-set test1 src -m nfacct --nfacct-name acc1 -m >>> nfacct --nfacct-name acc2 -m set ! --match-set test2 src >>> >>> which is wrong. >> The alternative syntax of "NFACCT(acc1,acc2) net2fw +[test1,!test2]", >> which should be the same as the above statement, works and produces what >> is expected. > > Patch attached.
And here is a second patch to apply on top of the first. It ensures that the source and dest matches are emitted in the proper order. -- Tom Eastep \ When I die, I want to go like my Grandfather who Shoreline, \ died peacefully in his sleep. Not screaming like Washington, USA \ all of the passengers in his car http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 7d16c7a..0313b47 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -6876,10 +6876,12 @@ sub handle_original_dest( $$$ ) {
#
# Handles non-trivial exclusion. Updates the passed rule and returns ( $rule, $done )
#
-sub handle_exclusion( $$$$$$$$$$$$$$$$$$$ ) {
+sub handle_exclusion( $$$$$$$$$$$$$$$$$$$$$ ) {
my ( $disposition,
$table,
$prerule,
+ $sprerule,
+ $dprerule,
$rule,
$restriction,
$inets,
@@ -6961,7 +6963,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$$ ) {
for my $dnet ( split_host_list( $dnets, $config{DEFER_DNS_RESOLUTION} ) ) {
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
- add_expanded_jump( $chainref, $echainref, 0, join( '', $prerule, $source_match, match_dest_net( $dnet, $restriction ), $onet, $rule ) );
+ add_expanded_jump( $chainref, $echainref, 0, join( '', $prerule, $source_match, $sprerule, match_dest_net( $dnet, $restriction ), $dprerule, $onet, $rule ) );
}
conditional_rule_end( $chainref ) if $cond;
@@ -7109,13 +7111,15 @@ sub expand_rule( $$$$$$$$$$$;$ )
#
# Determine if there is Source Exclusion
#
+ my ( $sprerule, $dprerule ) = ( '', '' );
+
if ( $inets ) {
( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );
unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
my @iexcl = split_host_list( $iexcl, $deferdns, 1 );
if ( @iexcl == 1 ) {
- $prerule .= match_source_net "!$iexcl" , $restriction;
+ $sprerule = match_source_net "!$iexcl" , $restriction;
$iexcl = '';
$trivialiexcl = 1;
}
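Review bot: Moving the single-host exclusion match out of `$prerule` into `$sprerule`/`$dprerule` means every rule-emission path that previously received the `!` match for free through `$prerule` must now splice the new variables in explicitly; the patch does this for the join in handle_exclusion (second hunk) and for the `$matches` join in the last hunk, but any other place in expand_rule that still builds a rule from `$prerule` alone — the function continues outside these hunks, so this cannot be confirmed here — would now silently drop the exclusion and match more traffic than the rule author wrote, with nothing failing at compile time. A grep of expand_rule and handle_exclusion for remaining uses of `$prerule` before merging would settle it. A short comment at the new declaration would also keep the invariant visible to the next maintainer: `# Trivial (single-host) source/dest exclusions are kept apart from $prerule so they land right after the -s/-d match they negate; any rule assembled from $prerule must also include $sprerule and $dprerule.` The same comment applies to the dest branch in the fourth hunk.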
@@ -7130,7 +7134,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
unless ( $dnets || $dexcl =~ /^\+\[/ ) {
my @dexcl = split_host_list( $dexcl, $deferdns, 1 );
if ( @dexcl == 1 ) {
- $prerule .= match_dest_net "!$dexcl", $restriction;
+ $dprerule = match_dest_net "!$dexcl", $restriction;
$dexcl = '';
$trivialdexcl = 1;
}
@@ -7153,6 +7157,8 @@ sub expand_rule( $$$$$$$$$$$;$ )
( $rule, $done ) = handle_exclusion( $disposition,
$table,
$prerule,
+ $sprerule,
+ $dprerule,
$rule,
$restriction,
$inets,
@@ -7190,7 +7196,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
for my $dnet ( split_host_list( $dnets, $deferdns ) ) {
$source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
my $dest_match = match_dest_net( $dnet, $restriction );
- my $matches = join( '', $source_match, $dest_match, $onet, $rule );
+ my $matches = join( '', $source_match, $sprerule, $dest_match, $dprerule, $onet, $rule );
my $cond3 = conditional_rule( $chainref, $dnet );
signature.asc
Description: OpenPGP digital signature
