From 49050e61de2fdd3a8681dd8ec9746ee3014cc2b4 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 6 Jun 2012 10:50:16 -0700
Subject: [PATCH] Fix multiple iprange matches without kludgefree.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b124f6d24..6f533ad7b 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -747,6 +747,7 @@ sub set_rule_option( $$$ ) {
 push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
 } else {
+ assert( ! reftype $value );
 $ruleref->{$option} = join(' ', $value1, $value ) unless $value1 eq $value;
 }
 } elsif ( $opttype == EXCLUSIVE ) {
@@ -1194,12 +1195,16 @@ sub push_matches {
 while ( @_ ) {
 my ( $option, $value ) = ( shift, shift );
- assert( defined $value );
+ assert( defined $value && ! reftype $value );
 if ( exists $ruleref->{$option} ) {
 my $curvalue = $ruleref->{$option};
- $ruleref->{$option} = [ $curvalue ] unless reftype $curvalue;
- push @{$ruleref->{$option}}, reftype $value ? @$value : $value;
+ if ( $globals{KLUDGEFREE} ) {
+ $ruleref->{$option} = [ $curvalue ] unless reftype $curvalue;
+ push @{$ruleref->{$option}}, reftype $value ? @$value : $value;
+ } else {
+ $ruleref->{$option} = join( '', $curvalue, $value );
+ }
 } else {
 $ruleref->{$option} = $value;
 $dont_optimize ||= $option =~ /^[piosd]$/ && $value =~ /^!/;
@@ -4799,7 +4804,8 @@ sub imatch_source_net( $;$\$ ) {
 ( $family == F_IPV6 && $net =~ /^(!?)(.*:.*)-(.*:.*)$/ ) ) {
 my ($addr1, $addr2) = ( $2, $3 );
 $net =~ s/!// if my $invert = $1 ? '! ' : '';
- fatal_error "Address Ranges require the Multiple Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};
+ validate_range $addr1, $addr2;
+ require_capability( 'IPRANGE_MATCH' , 'Address Ranges' , '' );
 return ( iprange => "${invert}--src-range $net" );
 }
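Review bot: In the new non-KLUDGEFREE branch of push_matches the existing and new values are joined with an empty separator, `join( '', $curvalue, $value )`, while set_rule_option in the first hunk uses `join(' ', $value1, $value )`. The iprange value built in the last hunk carries no trailing blank, so a second range match on the same rule would run straight into the first and produce a malformed rule, unless callers pad the values themselves (not visible here); I would write `$ruleref->{$option} = join( ' ', $curvalue, $value );`. That branch also stringifies `$curvalue` if it is ever an array reference, which the hunk does not rule out. Separately, now that the assert rejects reference values, the `reftype $value ? @$value : $value` ternary in the KLUDGEFREE branch can only take its scalar arm and could be reduced to `$value`. The body of push_matches starts and ends outside the hunk.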
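Review bot: Only the source-side helper imatch_source_net gains `validate_range $addr1, $addr2;` and the `IPRANGE_MATCH` capability check, and the diffstat (10 insertions, 4 deletions) is fully accounted for by the three hunks shown. If a destination-side counterpart still carries the old `unless $globals{KLUDGEFREE}` fatal_error, or has no `validate_range` call, destination ranges would stay rejected or unvalidated on the same configurations; that function is not visible here and should be checked. A short comment above the new lines would also help, for example `# KLUDGEFREE is no longer required: push_matches() merges repeated iprange values into one match`. The enclosing sub begins and ends outside the hunk.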