From 42f75f7ba22a66ed480a5297f3f1d5292627cdf0 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 25 Apr 2015 12:56:36 -0700
Subject: [PATCH] Correct SetEvent and ResetEvent
Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Rules.pm | 45 ++++++++++++++++++++++---------
Shorewall/action.ResetEvent | 4 +--
Shorewall/action.SetEvent | 4 +--
3 files changed, 36 insertions(+), 17 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index a45aeb78e..9ab41cdd5 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -712,7 +712,7 @@ sub process_policies() # # Policy Rule application # -sub process_inline ($$$$$$$$$$$$$$$$$$$$$); +sub process_inline ($$$$$$$$$$$$$$$$$$$$$$); sub add_policy_rules( $$$$$ ) { my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;
@@ -737,6 +737,7 @@ sub add_policy_rules( $$$$$ ) { process_inline( $action, #Inline $chainref, #Chain '', #Matches + '', #Matches1 $loglevel, #Log Level and Tag $default, #Target $param || '', #Param
@@ -1622,7 +1623,7 @@ my %builtinops = ( 'dropBcast' => \&dropBcast, 'Limit' => \&Limit, ); -sub process_rule ( $$$$$$$$$$$$$$$$$$$ ); +sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ); # # Populate an action invocation chain. As new action tuples are encountered,
@@ -1686,6 +1687,7 @@ sub process_action($$) { } process_rule( $chainref, + '', '', $nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ), '',
@@ -1874,6 +1876,7 @@ sub process_reject_action() { process_inline( $action, #Inline $rejectref, #Chain '', #Matches + '', #Matches1 '', #Log Level and Tag $action, #Target '', #Param
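Review bot: In the process_action hunk the new `''` is inserted directly above an existing `''` in the `process_rule(` call and neither line carries a label, so a reader cannot tell which one is the matches argument and which is the new matches1. The process_inline calls in add_policy_rules and process_reject_action label theirs (`'', #Matches` / `'', #Matches1`); the same two comments on this call would keep the next positional insertion from landing one slot off. The `process_rule( undef, '', '', ...` call in the process_raw_rule hunk further down has the same gap. With prototypes made of twenty or more `$`, a misplaced argument still passes the argument-count check, so these labels are the only guard visible in the hunks.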
@@ -1902,8 +1905,8 @@ sub process_reject_action() { # # Expand a macro rule from the rules file # -sub process_macro ($$$$$$$$$$$$$$$$$$$$) { - my ($macro, $chainref, $matches, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_; +sub process_macro ($$$$$$$$$$$$$$$$$$$$$) { + my ($macro, $chainref, $matches, $matches1, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_; my $generated = 0;
@@ -2002,7 +2005,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) { $generated |= process_rule( $chainref, - $matches, + $matches, + $matches1, $mtarget, $param, $msource,
@@ -2035,8 +2039,8 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$) { # # Expand an inline action rule from the rules file # -sub process_inline ($$$$$$$$$$$$$$$$$$$$$) { - my ($inline, $chainref, $matches, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_; +sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) { + my ($inline, $chainref, $matches, $matches1, $loglevel, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_; my $generated = 0;
@@ -2126,7 +2130,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$) { $generated |= process_rule( $chainref, - $matches, + $matches, + $matches1, $mtarget, $param, $msource,
@@ -2179,9 +2184,10 @@ sub verify_audit($;$$) { # reference is also passed when rules are being generated during processing of a macro used as a default action. # -sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { +sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) { my ( $chainref, #reference to Action Chain if we are being called from process_action(); undef otherwise $rule, #Matches + $matches1, #Matches after the ones generated by the columns $target, $current_param, $source,
@@ -2246,6 +2252,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { my $generated = process_macro( $basictarget, $chainref, $rule . $raw_matches, + $matches1, $target, $current_param, $source,
@@ -2649,6 +2656,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { my $generated = process_inline( $basictarget, $chainref, $rule . $raw_matches, + $matches1, $loglevel, $target, $current_param,
@@ -2703,7 +2711,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { do_headers( $headers ) , do_condition( $condition , $chain ) , do_helper( $helper ) , - $raw_matches , + $matches1 . $raw_matches , ); } else { $rule .= join( '',
@@ -2715,7 +2723,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) { do_time( $time ) , do_headers( $headers ) , do_condition( $condition , $chain ) , - $raw_matches , + $matches1 . $raw_matches , ); }
@@ -2960,8 +2968,8 @@ sub merge_target( $$ ) { # # May be called by Perl code in action bodies (regular and inline) to generate a rule. # -sub perl_action_helper($$;$) { - my ( $target, $matches, $isstatematch ) = @_; +sub perl_action_helper($$;$$) { + my ( $target, $matches, $isstatematch , $matches1 ) = @_; my $action = $actparms{action}; my $chainref = $actparms{0}; my $result;
@@ -2970,6 +2978,12 @@ sub perl_action_helper($$;$) { $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/; + if ( $matches1 ) { + $matches1 .= ' ' unless $matches1 =~ /^(?:.+\s)?$/; + } else { + $matches1 = ''; + } + set_inline_matches( $target =~ /^INLINE(?::.*)?$/ ? $matches : '' ); if ( $isstatematch ) {
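Review bot: In both `join` branches of process_rule the new text is `$matches1 . $raw_matches ,`, so whatever `$raw_matches` holds is emitted after the match passed in as matches1. For the callers this commit targets, matches1 is a `-m recent ... --set` or `--remove` match, which updates the recent list at the moment it is evaluated, so any match text that follows it is tested only after that update has already happened. Where `$raw_matches` is filled is outside these hunks and it may always be empty for SetEvent and ResetEvent; if a state-changing match is meant to run last, the order would be `$raw_matches . $matches1 ,` (assuming `$raw_matches` carries its own trailing space). Either way a comment on that line stating the intended order would help, since event lists usually gate later rules.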
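Review bot: The header comment above perl_action_helper still says only that it may be called from action bodies to generate a rule, while the signature now takes a fourth optional argument that can be reached only by also supplying `$isstatematch`. Because this is the entry point that action bodies call, the comment should list the arguments, for example `# Arguments: target, matches emitted ahead of the column matches, state-match flag, matches emitted after the column matches`. In the block added by the following hunk, `if ( $matches1 )` tests truthiness where `if ( defined $matches1 && length $matches1 )` states what is meant, and the trailing-space regex is now written out twice. The function body continues past both hunks.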
@@ -2993,6 +3007,7 @@ sub perl_action_helper($$;$) { if ( my $ref = $inlines{$action} ) { $result = &process_rule( $chainref, $matches, + $matches1, merge_target( $ref, $target ), '', # CurrentParam @columns );
@@ -3001,6 +3016,7 @@ sub perl_action_helper($$;$) { $result = process_rule( $chainref, $matches, + $matches1, merge_target( $actions{$action}, $target ), '', # Current Param '-', # Source
@@ -3052,6 +3068,7 @@ sub perl_action_tcp_helper($$) { if ( my $ref = $inlines{$action} ) { $result = &process_rule( $chainref, $proto, + '', merge_target( $ref, $target ), '', @columns[0,1],
@@ -3061,6 +3078,7 @@ sub perl_action_tcp_helper($$) { } else { $result = process_rule( $chainref, $proto, + '', merge_target( $actions{$action}, $target ), '', # Current Param '-', # Source
@@ -3254,6 +3272,7 @@ sub process_raw_rule ( ) { for my $proto ( @protos ) { for my $user ( @users ) { if ( process_rule( undef, + '', '', $target, '',
diff --git a/Shorewall/action.ResetEvent b/Shorewall/action.ResetEvent
index d983cfdde..95b908d83 100644
--- a/Shorewall/action.ResetEvent
+++ b/Shorewall/action.ResetEvent
@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition; set_action_name_to_caller; if ( $destination eq 'dst' ) { - perl_action_helper( $action, "-m recent --name $event --remove --rdest" ); + perl_action_helper( $action, '', '', "-m recent --name $event --remove --rdest" ); } else { - perl_action_helper( $action, "-m recent --name $event --remove --rsource" ); + perl_action_helper( $action, '', '', "-m recent --name $event --remove --rsource" ); } 1;
diff --git a/Shorewall/action.SetEvent b/Shorewall/action.SetEvent
index 24a073927..46d6862a0 100644
--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
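Review bot: Both calls in action.ResetEvent now read `perl_action_helper( $action, '', '', "..." )`, and nothing at the call site says that the first `''` is the leading match string and the second is the state-match flag. A one-line comment above the `if`, such as `# args: target, matches, isstatematch, matches1 (emitted after the column matches)`, would make that clear; the same applies to the two calls in action.SetEvent. `$event` is interpolated straight into the rule text, and its validation is not visible in this hunk, so it is worth confirming above the hunk that it is restricted to a plain event name before it reaches this string. The two branches differ only in `--rdest` versus `--rsource` and could share one call with the flag chosen from `$destination`.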
@@ -41,9 +41,9 @@ set_action_disposition( $disposition) if supplied $disposition; set_action_name_to_caller; if ( $destination eq 'dst' ) { - perl_action_helper( $action, "-m recent --name $event --set --rdest" ); + perl_action_helper( $action, '', '', "-m recent --name $event --set --rdest" ); } else { - perl_action_helper( $action, "-m recent --name $event --set --rsource" ); + perl_action_helper( $action, '', '', "-m recent --name $event --set --rsource" ); } 1;