From 739013f248f3fed91f442442a13d2683a55830c4 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 22 Apr 2013 07:56:56 -0700 Subject: [PATCH] Handle nfacct object lists in parens following an ipset name. Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 31 ++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b99e6c1e2..9f37703ac 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -6016,8 +6016,8 @@ sub addnatjump( $$;@ ) {
 }
 #
-# Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
-# where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]. The second argument ($deferresolve)
+# Split a comma-separated source or destination host list but keep [...] and (...) together. Used for spliting address lists
+# where an element of the list might be +ipset[flag,...](obj) or +[ipset[flag,...](obj),...]. The second argument ($deferresolve)
 # should be 'true' when the passed input list may include exclusion.
 #
 sub split_host_list( $$;$ ) {
@@ -6056,6 +6056,33 @@ sub split_host_list( $$;$ ) {
 @result = @input;
 }
+ if ( $input =~ /\(/ ) {
+ @input = @result;
+ @result = ();
+ while ( @input ) {
+ my $element = shift @input;
+ if ( $element =~ /\(/ ) {
+ while ( $element =~ tr/(/(/ > $element =~ tr/)/)/ ) {
+ fatal_error "Missing ')' ($element)" unless @input;
+ $element .= ( ',' . shift @input );
+ }
+ unless ( $loose ) {
+ fatal_error "Invalid host list ($input)" if $exclude && $element =~ /!/;
+ $exclude ||= $element =~ /^!/ || $element =~ /\)!/;
+ }
+ fatal_error "Mismatched (...) ($element)" unless $element =~ tr/(/(/ == $element =~ tr/)/)/;
+ } else {
+ $exclude ||= $element =~ /!/ unless $loose;
+ }
+ push @result, $element;
+ }
+ }
+
 unless ( $deferresolve ) {
 my @result1;
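Review bot: The new `(...)` pass inherits whatever `$exclude` the earlier `[...]` pass left behind instead of recomputing it, so an element that holds both brackets and parentheses and starts with `!` (a form this hunk's own `$element =~ /^!/` test anticipates) would, if the bracket pass outside this hunk applies the same test, already have set `$exclude` and then be rejected by `fatal_error "Invalid host list ($input)" if $exclude && $element =~ /!/` although it is the only exclusion in the list. Since this pass re-walks every already-joined element and its `else` branch re-applies `$exclude ||= $element =~ /!/` to plain and bracket-only elements, resetting the flag at the top of the pass, `$exclude = 0;` next to `@result = ();`, recomputes it consistently while still rejecting a second excluding element. As in the bracket pass, `Mismatched (...)` only compares counts, so an element like `a)b(` passes, and nothing here requires the `(` to follow an ipset name, so presumably later validation must reject `1.2.3.4(obj)` — worth confirming. `split_host_list` begins before and ends after this hunk.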