Shorewall 4.5.16 Beta 6

Tom Eastep wrote:
> On 4/22/13 5:07 PM, "Dash Four" <mr.dash.four@googlemail.com> wrote:
>
>
>> Anyway, I've just implemented individual "!" in the NFACCT statement by
>> hacking your Accounting.pm - I can attach a small patch for
>> review/inclusion if you are interested, but be aware that it does change
>> the syntax slightly in a sense that "!" needs to be specified for each
>> object within NFACCT() - "NFACCT(...)!" is no longer allowed.
>>
>
> Sure -- send it along.
>
Attached - the above caveat applies though.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Accounting.pm

@@ -138,6 +138,14 @@ sub process_section ($) {
     $asection = $newsect;
 }
 
+sub split_nfacct_list( $$;$ ) {
+    my ($list, $type, $origlist ) = @_;
+
+    fatal_error( "Invalid $type list (" . ( $origlist ? $origlist : $list ) . ')' ) if $list =~ /^,|,$|,,$/;
+
+    split /,/, $list;
+}
+
 #
 # Accounting
 #
@@ -223,14 +231,20 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
-	} elsif ( $action =~ /^NFACCT\(([\w,]+)\)(!)?$/ ) {
+	} elsif ( $action =~ /^NFACCT\(([\w,!]+)\)$/ ) {
 	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
 	    $target = '';
-	    my @objects = split_list $1, 'nfacct';
+	    my @objects = split_nfacct_list $1, 'nfacct';
+	    for ( @objects ) {
+	       if ( $_ =~ /^([\w]+)(!)?$/ ) {
 	    if ( $2 ) {
-		$prerule .= "-m nfacct --nfacct-name $_ " for @objects;
+		   $prerule .= "-m nfacct --nfacct-name $1 ";
 	    } else {
-		$rule .= "-m nfacct --nfacct-name $_ " for @objects;
+		   $rule .= "-m nfacct --nfacct-name $1 ";
+		 }
+	       } else {
+		accounting_error;
+	       }
 	    }
 	} elsif ( $action eq 'INLINE' ) {
 	    $rule .= get_inline_matches;