diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index 30bd34363..c06b1ce06 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -243,7 +243,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) { } } } elsif ( $action eq 'INLINE' ) { - $rule .= get_inline_matches; + $rule .= get_inline_matches(1); } else { ( $action, my $cmd ) = split /:/, $action; diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 2ffb66278..0206f9100 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -80,6 +80,10 @@ our @EXPORT = ( qw( add_interface_options state_match state_imatch + split_action + get_target_param + get_inline_matches + handle_inline STANDARD NATRULE 
@@ -8397,4 +8401,71 @@ sub initialize_switches() { } } +# +# Return ( action, level[:tag] ) from passed full action +# +sub split_action ( $ ) { + my $action = $_[0]; + + my @list = split_list2( $action, 'ACTION' ); + + fatal_error "Invalid ACTION ($action)" if @list > 3; + + ( shift @list, join( ':', @list ) ); +} + +# +# Get inline matches and conditionally verify the absense of -j +# +sub get_inline_matches( $ ) { + if ( $_[0] ) { + fetch_inline_matches; + } else { + my $inline_matches = fetch_inline_matches; + + fatal_error "-j is only allowed when the ACTION is INLINE with no parameter" if $inline_matches =~ /\s-j\s/; + + $inline_matches; + } +} + +# +# Split the passed target into the basic target and parameter (previously duplicated in this file) +# +sub get_target_param( $ ) { + my ( $target, $param ) = split '/', $_[0]; + + unless ( defined $param ) { + ( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/; + } + + ( $target, $param ); +} + +sub handle_inline( $$$$ ) { + my ( $action, $basictarget, $param, $loglevel ) = @_; + my $inline_matches = get_inline_matches(1); + my $raw_matches = ''; + + if ( $inline_matches =~ /^(.*\s+)?-j\s+(.+) $/ ) { + $raw_matches .= $1 if supplied $1; + $action = $2; + my ( $target ) = split ' ', $action; + fatal_error "Unknown jump target ($action)" unless $targets{$target} || $target eq 'MARK'; + fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne ''; + } else { + $raw_matches .= $inline_matches; + + if ( $param eq '' ) { + $action = $loglevel ? 'LOG' : ''; + } else { + ( $action, $loglevel ) = split_action $param; + ( $basictarget, $param ) = get_target_param $action; + $param = '' unless defined $param; + } + } + + return ( $action, $basictarget, $param, $loglevel, $raw_matches ); +} + 1; diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index adc87b50c..5e09e4b19 100644 --- a/Shorewall/Perl/Shorewall/Config.pm 
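Review bot: The `-j` guard in `get_inline_matches` is narrower than the rule it enforces. `/\s-j\s/` needs whitespace before `-j`, so a free-form area that begins with `-j` is caught only if `fetch_inline_matches` returns it with a leading space (not visible here), and the long form `--jump` is not tested at all. The callers that pass `0` in Nat.pm, Rules.pm and Tc.pm appear to rely on this check as their only validation of the free-form text. I would widen it to `if $inline_matches =~ /(?:^|\s)(?:-j|--jump)\s/;`, adding `-g|--goto` if a goto should be rejected as well. The header comment should also say that a true argument skips the check, and it misspells "absence".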
+++ b/Shorewall/Perl/Shorewall/Config.pm @@ -70,7 +70,7 @@ our @EXPORT = qw( get_action_disposition set_action_disposition set_action_param - get_inline_matches + fetch_inline_matches set_inline_matches set_comment @@ -3071,7 +3071,7 @@ sub embedded_perl( $ ) { # # Return inline matches # -sub get_inline_matches() { +sub fetch_inline_matches() { "$inline_matches "; } @@ -5197,7 +5197,8 @@ sub convert_to_directives() { # writeable regular file # my $result = system << "EOF"; - perl -pi.bak -e '/^\\s*FORMAT\\s*/ && s/FORMAT/?FORMAT/; + perl -pi.bak -e '/^\\s*FORMAT\\s+/ && s/FORMAT/?FORMAT/; + /^\\s*SECTION\\s+/ && s/SECTION/?SECTION/; if ( /^\\s*COMMENT\\s+/ ) { s/COMMENT/?COMMENT/; } elsif ( /^\\s*COMMENT\\s*\$/ ) { diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm index 3b5d70790..2c85d3d0d 100644 --- a/Shorewall/Perl/Shorewall/Nat.pm +++ b/Shorewall/Perl/Shorewall/Nat.pm @@ -77,9 +77,9 @@ sub process_one_masq1( $$$$$$$$$$ ) # if ( $interfacelist =~ /^INLINE\((.+)\)$/ ) { $interfacelist = $1; - $inlinematches = get_inline_matches; + $inlinematches = get_inline_matches(0); } elsif ( $config{INLINE_MATCHES} ) { - $inlinematches = get_inline_matches; + $inlinematches = get_inline_matches(0); } # # Parse the remaining part of the INTERFACE column diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 1444e9e58..39bcb56cd 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
@@ -299,19 +299,6 @@ sub new_rules_chain( $ ) { ############################################################################### # Functions moved from the former Policy Module ############################################################################### -# -# Split the passed target into the basic target and parameter (previously duplicated in this file) -# -sub get_target_param( $ ) { - my ( $target, $param ) = split '/', $_[0]; - - unless ( defined $param ) { - ( $target, $param ) = ( $1, $2 ) if $target =~ /^(.*?)[(](.*)[)]$/; - } - - ( $target, $param ); -} - # # Convert a chain into a policy chain. # @@ -1104,19 +1091,6 @@ sub finish_section ( $ ) { ################################################################################ # Functions moved from the Actions module in 4.4.16 ################################################################################ -# -# Return ( action, level[:tag] ) from passed full action -# -sub split_action ( $ ) { - my $action = $_[0]; - - my @list = split_list2( $action, 'ACTION' ); - - fatal_error "Invalid ACTION ($action)" if @list > 3; - - ( shift @list, join( ':', @list ) ); -} - # # Create a normalized action name from the passed pieces. # @@ -2179,7 +2153,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { my ( $basictarget, $param ) = get_target_param $action; my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0; my $actiontype; - my $inaction = ''; # Set to true when we are process rules in an action file + my $inaction = ''; # Set to true when we are processing rules in an action file my $inchain = ''; # Set to true when a chain reference is passed. my $normalized_target; my $normalized_action; 
@@ -2194,27 +2168,9 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { $param = '' unless defined $param; if ( $basictarget eq 'INLINE' ) { - my $inline_matches = get_inline_matches; - - if ( $inline_matches =~ /^(.*\s+)?-j\s+(.+) $/ ) { - $raw_matches .= $1 if supplied $1; - $action = $2; - my ( $target ) = split ' ', $action; - fatal_error "Unknown jump target ($action)" unless $targets{$target} || $target eq 'MARK'; - fatal_error "INLINE may not have a parameter when '-j' is specified in the free-form area" if $param ne ''; - } else { - $raw_matches .= $inline_matches; - - if ( $param eq '' ) { - $action = $loglevel ? 'LOG' : ''; - } else { - ( $action, $loglevel ) = split_action $param; - ( $basictarget, $param ) = get_target_param $action; - $param = '' unless defined $param; - } - } + ( $action, $basictarget, $param, $loglevel, $raw_matches ) = handle_inline( $action, $basictarget, $param, $loglevel ); } elsif ( $config{INLINE_MATCHES} ) { - $raw_matches = get_inline_matches; + $raw_matches = get_inline_matches(0); } # # Determine the validity of the action diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm index 4c07ddf52..99db00408 100644 --- a/Shorewall/Perl/Shorewall/Tc.pm +++ b/Shorewall/Perl/Shorewall/Tc.pm @@ -321,9 +321,9 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { if ( $originalmark =~ /^INLINE\((.+)\)(:.*)?$/ ) { $originalmark = $1; $originalmark .= $2 if $2; - $raw = get_inline_matches; + $raw = get_inline_matches(0); } elsif ( $config{INLINE_MATCHES} ) { - $raw = get_inline_matches; + $raw = get_inline_matches(0); } my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 ); @@ -565,7 +565,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) { INLINE => sub() { assert ( $cmd eq 'INLINE' ); - $matches = get_inline_matches; + $matches = get_inline_matches(1); if ( $matches =~ /^(.*\s+)-j\s+(.+)$/ ) { $matches = $1;
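Review bot: The call to `handle_inline` assigns `$raw_matches`, where the removed code appended to it (`$raw_matches .= $1` and `$raw_matches .= $inline_matches`), because the helper starts from its own `my $raw_matches = ''`. If `$raw_matches` can already hold text when `process_rule` reaches this branch (its initialisation is outside the hunk), that text is now discarded. Either confirm it is always empty here and say so in a comment, or keep the append by taking the fifth return value into a temporary and doing `$raw_matches .= $inline_raw;`.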
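Review bot: In the `INLINE` handler of `process_tc_rule1`, `get_inline_matches(1)` skips the `-j` check, so the local pattern `/^(.*\s+)-j\s+(.+)$/` is the only parser of the jump. It differs from the one in the new `handle_inline` (`/^(.*\s+)?-j\s+(.+) $/`): the leading group is mandatory, and the trailing space appended by `fetch_inline_matches` ends up inside `$2`. A free-form area consisting only of `-j TARGET` therefore appears not to be recognised as a jump here. Since this commit centralises inline handling in Chains.pm, consider sharing one pattern between the two sites. The handler continues past the end of the hunk.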