From 03610181fd23f7c76951f6aa1bbf0cecf4deaaa4 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 29 Dec 2011 07:47:57 -0800
Subject: [PATCH] Disallow :P in CLASSIFY rules and complain if :F is used when the SOURCE or DEST is $FW.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index df7c7e17f..6bf0cc20b 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -210,7 +210,8 @@ sub process_tc_rule( ) {
     fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
-    my $chain = $globals{MARKING_CHAIN};
+    my $chain = $globals{MARKING_CHAIN};
+    my $classid = 0;
     if ( $remainder ) {
         if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
@@ -220,21 +221,26 @@ sub process_tc_rule( ) {
                 unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
                          $designator =~ /^([0-9a-fA-F]+)$/ &&
                          ( $chain = $designator{$remainder} ) );
-            $mark = join( ':', $mark, $designator );
+            $mark = join( ':', $mark, $designator );
+            $classid = 1;
         }
     }
     my $target = 'MARK --set-mark';
     my $tcsref;
     my $connmark = 0;
-    my $classid = 0;
     my $device = '';
     my $fw = firewall_zone;
     my $list;
     if ( $source ) {
         if ( $source eq $fw ) {
-            $chain = 'tcout';
+            if ( $classid ) {
+                fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
+            } else {
+                $chain = 'tcout';
+            }
+            $source = '';
         } else {
             $chain = 'tcout' if $source =~ s/^($fw)://;
@@ -243,6 +249,7 @@ sub process_tc_rule( ) {
     if ( $dest ) {
         if ( $dest eq $fw ) {
+            fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classify;
             $chain = 'tcin';
             $dest = '';
         } else {
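Review bot: In the `$source eq $fw` branch of the second hunk, when `$classid` is set and the designator chain is anything other than `tcfor`, the new code clears `$source` but leaves `$chain` on whatever `$designator{$remainder}` selected, so the rule presumably loses every trace of its $FW SOURCE restriction and matches in that chain regardless of origin — the removed line always forced `tcout` here. Either reject that combination the same way the `:F` case is rejected, or keep forcing `$chain = 'tcout'` when `$source` is the firewall; if the designator table makes only `tcfor` reachable at this point, a one-line comment saying so would prevent the next reader from asking the same question. Note also that `$source = '';` is new for the non-classid path as well, so the plain `tcout` case now behaves differently from before the commit. process_tc_rule begins and ends outside this hunk.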
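Review bot: The guard added in the third hunk, `fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classify;`, and the one added in the last hunk, `fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';`, emit the same message under two different conditions. If `$classify` is true whenever control reaches the later `unless ( $classid )` block, the second check can never fire because this one already dies as soon as `$dest eq $fw`; if it is not, the two conditions disagree about which rules count as CLASSIFY rules and one of the errors is wrong. Keep a single check, or add a comment next to each stating the case it covers that the other does not. `$classify` is assigned outside the hunk, so this is inferred from the hunk text alone.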
@@ -267,8 +274,9 @@ sub process_tc_rule( ) {
         require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;
     } else {
-        unless ( $remainder ) {
+        unless ( $classid ) {
             fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+            fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
             $chain = 'tcpost';
             $mark = $originalmark;
         }
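Review bot: The commit subject says `:P` is disallowed in CLASSIFY rules, but nothing in this hunk or the earlier ones tests for the chain that the `:P` designator selects; the only designator-specific rejections visible are `tcfor` when SOURCE is $FW and `tcin` when DEST is $FW. If the `:P` rejection lives elsewhere in the file, the commit message should point to it; otherwise a check of the same shape as the `tcin` line, keyed on whatever chain `$designator{P}` maps to, belongs in this `else` branch next to the `tcpost` default. The `unless ( $remainder )` to `unless ( $classid )` change reads as equivalent given that a bad designator already dies before `$classid = 1`, so a short comment explaining why the flag is preferred over `$remainder` would help. The enclosing `if`/`else` and process_tc_rule itself start and end outside the hunk.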