Improve NFQUEUE handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@7705 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-11 16:18:13 +01:00 · 2007-11-20 20:47:19 +00:00 · 2007-11-20 20:47:19 +00:00 · 4cd8450ce8
commit 4cd8450ce8
parent a83fbadf98
4 changed files with 16 additions and 13 deletions
--- a/Shorewall-perl/Shorewall/Actions.pm
+++ b/Shorewall-perl/Shorewall/Actions.pm
@ -548,9 +548,15 @@ sub process_action( $$$$$$$$$$ ) {

    my ( $action , $level ) = split_action $target;

+    if ( $action eq 'REJECT' ) {
+	$action = 'reject';
+    } elsif ( $action eq 'CONTINUE' ) {
+	$action = 'RETURN';
+    } elsif ( $action =~ /^NFQUEUE/ ) {
 	( $action, my $param ) = get_target_param $action;
-
 	$param = 1 unless defined $param;
+	$action = "NFQUEUE --queue-num $param";
+    }

    expand_rule ( $chainref ,
 		  NO_RESTRICT ,
@ -558,7 +564,7 @@ sub process_action( $$$$$$$$$$ ) {
 		  $source ,
 		  $dest ,
 		  '', #Original Dest
-		  '-j ' . ($action eq 'REJECT' ? 'reject' : $action eq 'CONTINUE' ? 'RETURN' : $action eq 'NFQUEUE' ? "NFQUEUE --queue-num $param" : $action),
+		  "-j $action" ,
 		  $level ,
 		  $action ,
 		  '' );
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -1409,6 +1409,8 @@ sub log_rule_limit( $$$$$$$$ ) {
 	$tag = '' unless defined $tag;
    }

+    $disposition =~ s/\s+.*//;
+
    if ( $globals{LOGRULENUMBERS} ) {
 	$prefix = (sprintf $config{LOGFORMAT} , $chain , $chainref->{log}++, $disposition ) . $tag;
    } else {
--- a/Shorewall-perl/Shorewall/Policy.pm
+++ b/Shorewall-perl/Shorewall/Policy.pm
@ -256,7 +256,7 @@ sub validate_policy()
 	    require_capability( 'NFQUEUE_TARGET', 'An NFQUEUE Policy', 's' ); 
 	    $queue = numeric_value( $queue );
 	    fatal_error "Invalid NFQUEUE queue number ($queue)" if $queue > 65535;
-	    $policy = "$policy/$queue";
+	    $policy = "NFQUEUE --queue-num $queue";
 	} elsif ( $policy eq 'NONE' ) {
 	    fatal_error "NONE policy not allowed with \"all\""
 		if $clientwild || $serverwild;
@ -347,12 +347,7 @@ sub policy_rules( $$$$$ ) {
 	add_rule $chainref, "-j $default" if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
-	if ( $target eq 'REJECT' ) {
-	    $target = 'reject';
-	} elsif ( $target =~ /^NFQUEUE/ ) {
-	    my $queue = ( split( '/', $target) )[1] || 0;
-	    $target = "NFQUEUE --queue-num $queue";
-	}
+	$target = 'reject' if $target eq 'REJECT';

 	add_rule( $chainref , "-j $target" ) unless $target eq 'CONTINUE';
    }
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@ -943,7 +943,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' ); 
 	$param = $param eq '' ? 0 : numeric_value( $param );
 	fatal_error "Invalid value ($param) for NFQUEUE queue number" if $param > 65535;
-	$action = "NFQUEUE/$param";
+	$action = "NFQUEUE --queue-num $param";
    } else {
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@ -1236,7 +1236,7 @@ sub process_rule1 ( $$$$$$$$$$$ ) {
 		     $source ,
 		     $dest ,
 		     $origdest ,
-		     $actiontype & NFQ ? "-j NFQUEUE --queue-num $param " : "-j $action " ,
+		     "-j $action " ,
 		     $loglevel ,
 		     $action ,
 		     '' );