Replace '@' by the chain name in SWITCH columns.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-12-18 20:30:43 +01:00 · 2012-11-26 13:28:23 -08:00 · 2012-11-26 13:28:23 -08:00 · 78ba8bac50
commit 78ba8bac50
parent bf75b2b919
4 changed files with 16 additions and 8 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -4624,14 +4624,20 @@ sub do_probability( $ ) {
 #
 # Generate a -m condition match
 #
-sub do_condition( $ ) {
-    my $condition = shift;
+sub do_condition( $$ ) {
+    my ( $condition, $chain ) = @_;

    return '' if $condition eq '-';

    my $invert = $condition =~ s/^!// ? '! ' : '';

    require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
+
+    if ( $condition =~ /@/ ) {
+	$chain     =~ s/[^\w-]//g;
+	$condition =~ s/@/$chain/g;
+    }
+
    fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;

    "-m condition ${invert}--condition $condition "
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@ -123,7 +123,7 @@ sub process_one_masq( )
    #
    # Handle Protocol, Ports and Condition
    #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
    #
    # Handle Mark
    #
@ -158,6 +158,8 @@ sub process_one_masq( )

 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);

+	$baserule .= do_condition( $condition , $chainref->{name} );
+
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@ -74,7 +74,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

    my $target = $action;
    my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );

    if ( $action eq 'NOTRACK' ) {
 	#
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -2142,7 +2142,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
-		      do_condition( $condition ) ,
+		      do_condition( $condition , $chain ) ,
 		    );
    } elsif ( $section eq 'RELATED' ) {
 	$rule = join( '',
@ -2153,7 +2153,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
-		      do_condition( $condition ) ,
+		      do_condition( $condition , $chain ) ,
 		      do_helper( $helper ) ,
 		    );
    } else {
@ -2165,7 +2165,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
-		      do_condition( $condition ) ,
+		      do_condition( $condition , $chain ) ,
 		    );
    }

@ -2235,7 +2235,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
 			  do_user $user,
 			  do_test( $mark , $globals{TC_MASK} ),
-			  do_condition( $condition )
+			  do_condition( $condition , $chain )
 			);
 	    $loglevel = '';
 	    $action   = 'ACCEPT';