Correct handling of SWITCH column

- Handle exclusion - Correctly detect CONDITION_MATCH at compile time - Include condition match in the filter part of a NAT rule Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-25 17:13:11 +01:00 · 2011-09-23 15:01:40 -07:00 · 2011-09-23 15:01:40 -07:00 · 40bc6df07a
commit 40bc6df07a
parent 12bfc14c5f
3 changed files with 8 additions and 4 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -3745,10 +3745,12 @@ sub do_condition( $ ) {

    return '' if $condition eq '-';

+    my $invert = $condition =~ s/^!// ? '! ' : '';
+
    require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
    fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/;

-    "-m condition --condition $condition "
+    "-m condition ${invert}--condition $condition "
 }

 #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -2674,7 +2674,7 @@ sub Account_Target() {
 }

 sub Condition_Match() {
-    qt1( "$iptables -m condition --condition foo" );
+    qt1( "$iptables -A $sillyname -m condition --condition foo" );
 }

 sub Audit_Target() {
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2087,8 +2087,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    $rule = join( '',
 			  do_proto( $proto, $ports, $sports ),
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
-			  do_user $user ,
-			  do_test( $mark , $globals{TC_MASK} ) );
+			  do_user $user,
+			  do_test( $mark , $globals{TC_MASK} ),
+			  do_condition( $condition )
+			);
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';