diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 0d6f6f6a5..63e2a5fbd 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -4624,14 +4624,20 @@ sub do_probability( $ ) {
 #
 # Generate a -m condition match
 #
-sub do_condition( $ ) {
-    my $condition = shift;
+sub do_condition( $$ ) {
+    my ( $condition, $chain ) = @_;
 
     return '' if $condition eq '-';
 
     my $invert = $condition =~ s/^!// ? '! ' : '';
 
     require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
+
+    if ( $condition =~ /@/ ) {
+        $chain =~ s/[^\w-]//g;
+        $condition =~ s/@/$chain/g;
+    }
+
     fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;
 
     "-m condition ${invert}--condition $condition "
diff --git a/Shorewall/Perl/Shorewall/Nat.pm b/Shorewall/Perl/Shorewall/Nat.pm
index 0401b6a8c..edb557cd9 100644
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -123,7 +123,7 @@ sub process_one_masq( )
     #
     # Handle Protocol, Ports and Condition
     #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
     #
     # Handle Mark
     #
@@ -158,6 +158,8 @@ sub process_one_masq( )
 
     my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
 
+    $baserule .= do_condition( $condition , $chainref->{name} );
+
     my $detectaddress = 0;
     my $exceptionrule = '';
     my $randomize = '';
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index d129a5d1d..32f13a86b 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
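Review bot: The `fatal_error` that follows the new `if ( $condition =~ /@/ )` block reports the already-expanded switch name, so when a chain name pushes the result past the 30-character limit, or leaves a leading digit or `-` after `s/[^\w-]//g`, the user is shown a name they never typed; saving the input first, `my $switch = $condition;` before the substitution and `fatal_error "Invalid switch name ($switch -> $condition)"`, keeps the cause visible. The stripping also means two chain names that differ only in characters outside `[\w-]` map to the same switch, so one switch would control rules in both chains — if that is acceptable it deserves a comment, otherwise the name should be rejected rather than silently shortened. The header comment `# Generate a -m condition match` should state the new contract: `# '@' in the switch name is replaced by the (sanitized) name of the chain the rule is added to`. do_condition's closing brace lies outside the hunk.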
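Review bot: The comment `# Handle Protocol, Ports and Condition` above the changed `$baserule .=` line is now stale, because the do_condition call moves to the second hunk after `ensure_chain`; it should read `# Handle Protocol and Ports`. The new call site in the second hunk deserves a line explaining the ordering, e.g. `# Appended after ensure_chain() because '@' in the SWITCH column expands to the chain name`. If `$baserule` is consumed anywhere between the two hunks (not visible here), that consumer no longer sees the condition match. process_one_masq continues outside both hunks.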
@@ -74,7 +74,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
     my $target = $action;
     my $exception_rule = '';
 
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
 
     if ( $action eq 'NOTRACK' ) {
         #
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 1e5ecb642..8ac717069 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2142,7 +2142,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
                         do_connlimit( $connlimit ),
                         do_time( $time ) ,
                         do_headers( $headers ) ,
-                        do_condition( $condition ) ,
+                        do_condition( $condition , $chain ) ,
                       );
     } elsif ( $section eq 'RELATED' ) {
         $rule = join( '',
@@ -2153,7 +2153,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
                         do_connlimit( $connlimit ),
                         do_time( $time ) ,
                         do_headers( $headers ) ,
-                        do_condition( $condition ) ,
+                        do_condition( $condition , $chain ) ,
                         do_helper( $helper ) ,
                       );
     } else {
@@ -2165,7 +2165,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
                         do_connlimit( $connlimit ),
                         do_time( $time ) ,
                         do_headers( $headers ) ,
-                        do_condition( $condition ) ,
+                        do_condition( $condition , $chain ) ,
                       );
     }
 
@@ -2235,7 +2235,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
                         do_ratelimit( $ratelimit, 'ACCEPT' ),
                         do_user $user,
                         do_test( $mark , $globals{TC_MASK} ),
-                        do_condition( $condition )
+                        do_condition( $condition , $chain )
                       );
     $loglevel = '';
     $action = 'ACCEPT';
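Review bot: The new argument in the `my $rule = ...` line is written `$switch , $chainref->{name}` while `do_proto( $proto, $ports, $sports )` on the same line uses `arg, arg`; `do_condition( $switch, $chainref->{name} )` keeps one style, and the same spacing appears in the four Rules.pm hunks (`$condition , $chain`). `$chainref` is not declared within the hunk, so this assumes it is already in scope in process_conntrack_rule at that point. process_conntrack_rule continues outside the hunk.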
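Review bot: None of the four Rules.pm call sites (hunks at 2142, 2153, 2165 and 2235) say why the chain is now passed, and here it is the bare `$chain` rather than a `$chainref->{name}` as in Nat.pm and Raw.pm, so a reader must already know that do_condition expands `@`; a comment at the first call, `# '@' in the SWITCH column expands to the name in $chain`, would carry that. Because `$chain` is assigned outside the hunks, I cannot confirm from here that it already names the chain the rule lands in at each of these points; process_rule1 starts and ends outside them.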