Centralize the validation of nfacct object names.

- Also correct a missing ' ' from the output generated by INLINE freeform input. Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-06-26 20:51:27 +02:00 · 2013-04-26 09:09:08 -07:00 · 2013-04-26 09:09:08 -07:00 · 20d38e8b52
commit 20d38e8b52
parent b57fd9f2a9
4 changed files with 29 additions and 28 deletions
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@ -235,14 +235,11 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
 	    $target = '';
 	    for ( my @objects = split_nfacct_list $1 ) {
-	       if ( $_ =~ /^([\w%&@~]+)(!)?$/ ) {
+		validate_nfobject( $_, 1 );
-		   if ( $2 ) {
+		if ( s/!$// ) {
-		       $prerule .= "-m nfacct --nfacct-name $1 ";
+		    $prerule .= "-m nfacct --nfacct-name $_ ";
 		} else {
-		       $rule .= "-m nfacct --nfacct-name $1 ";
+		    $rule .= "-m nfacct --nfacct-name $_ ";
 		   }
 	       } else {
 		   fatal_error "Invalid nfacct object name ($_)";
 		}
 	    }
 	} elsif ( $action eq 'INLINE' ) {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -248,6 +248,7 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
 				       validate_nfobject
 				       create_nfobjects
 				       create_netfilter_load
 				       preview_netfilter_load
@ -780,6 +781,17 @@ sub record_nfobject( $ ) {
    $nfobjects{$value[-1]} = 1;
 }
 #
 # Validate and register an nfacct object name
 #
 sub validate_nfobject( $;$ ) {
    my ( $name, $allowbang ) = @_;
    fatal_error "Invalid nfacct object name ($name)" unless $name =~ /^[-\w%&@~]+(!)?$/ && ( $allowbang || ! $1 );
    $nfobjects{$_} = 1;
 }
 # # Next a helper for setting an individual option
 #
 sub set_rule_option( $$$ ) {
@ -5440,9 +5452,8 @@ sub match_source_net( $;$\$ ) {
 	if ( $3 ) {
 	    require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 	    for ( my @objects = split_list $3, 'nfacct' ) {
-		fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		validate_nfobject( $_ );
 		$result .= "-m nfacct --nfacct-name $_ ";
 		$nfobjects{$_} = 1;
 	    }
 	}
@ -5461,9 +5472,8 @@ sub match_source_net( $;$\$ ) {
 	    if ( $3 ) {
 		require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 		for ( my @objects = split_list $3, 'nfacct' ) {
-		    fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		    validate_nfobject( $_ );
 		    $result .= "-m nfacct --nfacct-name $_ ";
 		    $nfobjects{$_} = 1;
 		}
 	    }
 	}
@ -5531,9 +5541,8 @@ sub imatch_source_net( $;$\$ ) {
 	if ( $3 ) {
 	    require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 	    for ( my @objects = split_list $3, 'nfacct' ) {
-		fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		validate_nfobject( $_ );
 		push( @result, ( nfacct => "--nfacct-name $_" ) );
 		$nfobjects{$_} = 1;
 	    }
 	}
@ -5552,9 +5561,8 @@ sub imatch_source_net( $;$\$ ) {
 	    if ( $3 ) {
 		require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 		for ( my @objects = split_list $3, 'nfacct' ) {
-		    fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		    validate_nfobject( $_ );
 		    push( @result, ( nfacct => "--nfacct-name $_" ) );
 		    $nfobjects{$_} = 1;
 		}
 	    }
 	}
@ -5618,9 +5626,8 @@ sub match_dest_net( $;$ ) {
 	if ( $3 ) {
 	    require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 	    for ( my @objects = split_list $3, 'nfacct' ) {
-		fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		validate_nfobject( $_ );
 		$result .= "-m nfacct --nfacct-name $_ ";
 		$nfobjects{$_} = 1;
 	    }
 	}
@ -5641,9 +5648,8 @@ sub match_dest_net( $;$ ) {
 	if ( $3 ) {
 	    require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 	    for ( my @objects = split_list $3, 'nfacct' ) {
-		fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		validate_nfobject( $_ );
 		$result .= "-m nfacct --nfacct-name $_ ";
 		$nfobjects{$_} = 1;
 	    }
 	}
@ -5704,9 +5710,8 @@ sub imatch_dest_net( $;$ ) {
 	if ( $3 ) {
 	    require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 	    for ( my @objects = split_list $3, 'nfacct' ) {
-		fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		validate_nfobject( $_ );
 		push( @result, ( nfacct => "--nfacct-name $_" ) );
 		$nfobjects{$_} = 1;
 	    }
 	}
@ -5725,9 +5730,8 @@ sub imatch_dest_net( $;$ ) {
 	    if ( $3 ) {
 		require_capability 'NFACCT_MATCH', "An nfacct object list ($3)", 's';
 		for ( my @objects = split_list $3, 'nfacct' ) {
-		    fatal_error "Invalid nfacct object name ($_)" unless /^[\w%&@~]+$/;
+		    validate_nfobject( $_ );
 		    push( @result, ( nfacct => "--nfacct-name $_" ) );
 		    $nfobjects{$_} = 1;
 		}
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -2853,7 +2853,7 @@ sub embedded_perl( $ ) {
 # Return inline matches
 #
 sub get_inline_matches() {
-    $inline_matches;
+    "$inline_matches ";
 }
 #
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2097,14 +2097,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
    if ( $basictarget eq 'INLINE' ) {
 	my $inline_matches = get_inline_matches;
-	if ( $inline_matches =~ /^(.*\s+)-j\s+(.+)$/ ) {
+	if ( $inline_matches =~ /^(.*\s+)-j\s+(.+) $/ ) {
 	    $raw_matches .= $1;
 	    $action = $2;
 	    my ( $target ) = split ' ', $action;
 	    fatal_error "Unknown jump target ($action)" unless $targets{$target};
 	    fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne '';
 	} else {
-	    $raw_matches .= "$inline_matches ";
+	    $raw_matches .= $inline_matches;
 	    if ( $param eq '' ) {
 		$action = $loglevel ? 'LOG' : '';