More comprehensive fix for duplicate / -[piosd] /

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-05-01 09:29:12 -07:00
parent 8547b735f7
commit 8fb003476d
2 changed files with 30 additions and 8 deletions


@ -645,6 +645,8 @@ sub add_jump( $$$;$$$ ) {
my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j'; my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';
$fromref->{dont_optimize} = 1 if $predicate =~ /! -[piosd] /;
if ( defined $index ) { if ( defined $index ) {
assert( ! $expandports ); assert( ! $expandports );
insert_rule1( $fromref, $index, join( '', $predicate, "-$param $to" )); insert_rule1( $fromref, $index, join( '', $predicate, "-$param $to" ));
@ -1429,6 +1431,14 @@ sub replace_references1( $$$ ) {
my $table = $chainref->{table}; my $table = $chainref->{table};
my $count = 0; my $count = 0;
my $name = $chainref->{name}; my $name = $chainref->{name};
#
# The caller has ensured that $matches does not contain /! -[piosd] /
#
my $hasp = $matches =~ / -p /;
my $hasi = $matches =~ / -i /;
my $haso = $matches =~ / -o /;
my $hass = $matches =~ / -s /;
my $hasd = $matches =~ / -d /;
$name =~ s/\+/\\+/; $name =~ s/\+/\\+/;
# #
@ -1447,9 +1457,14 @@ sub replace_references1( $$$ ) {
for ( @{$fromref->{rules}} ) { for ( @{$fromref->{rules}} ) {
if ( defined && /^-A $fromname .*-[jg] $name\b/ ) { if ( defined && /^-A $fromname .*-[jg] $name\b/ ) {
# #
# Prevent multiple '-p' matches # Prevent multiple '-p', '-i', '-o', '-s' and '-d' matches
# #
s/ -p [^ ]+ / / if / -p / && $matches =~ / -p /; s/( !)? -p [^ ]+ / / if $hasp;
s/( !)? -i [^ ]+ / / if $hasi;
s/( !)? -o [^ ]+ / / if $haso;
s/( !)? -s [^ ]+ / / if $hass;
s/( !)? -d [^ ]+ / / if $hasd;
s/\s+-([jg]) $name(\b)/$matches -$1 ${target}$2/; s/\s+-([jg]) $name(\b)/$matches -$1 ${target}$2/;
add_reference( $fromref, $chain_table{$table}{$target} ); add_reference( $fromref, $chain_table{$table}{$target} );
$count++; $count++;
@ -1470,9 +1485,14 @@ sub replace_references1( $$$ ) {
for ( @{$fromref->{rules}} ) { for ( @{$fromref->{rules}} ) {
if ( defined && /^-A $fromname .*-[jg] $name\b/ ) { if ( defined && /^-A $fromname .*-[jg] $name\b/ ) {
# #
# Prevent multiple '-p' matches # Prevent multiple '-p', '-i', '-o', '-s' and '-d' matches
# #
s/ -p [^ ]+ / / if / -p / && $matches =~ / -p /; s/( !)? -p [^ ]+ / / if $hasp;
s/( !)? -i [^ ]+ / / if $hasi;
s/( !)? -o [^ ]+ / / if $haso;
s/( !)? -s [^ ]+ / / if $hass;
s/( !)? -d [^ ]+ / / if $hasd;
s/\s+-[jg] $name(\b)/$matches -j ${target}$1/; s/\s+-[jg] $name(\b)/$matches -j ${target}$1/;
$count++; $count++;
} }
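Review bot: The five substitutions in the third hunk (`s/( !)? -p [^ ]+ / / if $hasp;` through the `-d` line, repeated in the fourth hunk) strip a negated match from the referencing rule and let the positive match carried in $matches take its place, which can widen the rule rather than narrow it: `! -p udp` combined with a chain whose $matches holds `-p udp` matches nothing, but after the rewrite the rule is plain `-p udp`. The guard added in the first hunk only marks the chain whose own predicate is negated as dont_optimize, and the new header comment only vouches for $matches, so nothing checks the rule being rewritten. Unless the generator can never emit a negated -p/-i/-o/-s/-d on the referencing side (not visible from the hunk), the safer form is to test `/ ! -[piosd] /` on `$_` before the substitutions and abandon the replacement for that chain instead of discarding the `!`. replace_references1 starts and ends outside the hunk, so the right bail-out path is not visible here.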


@ -229,11 +229,13 @@ I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
#ZONE INTERFACE BROADCAST OPTIONS #ZONE INTERFACE BROADCAST OPTIONS
vpn TUN+ - tun+ vpn TUN+ - tun+
/etc/shorewall/netmap: /etc/shorewall/masq:
#TYPE NET1 INTEFACE NET2 #INTERFACE SOURCE ADDRESS PROTO PORT
SNAT 1.2.3.0/24 TUN0 3.4.5.0/24 tun0 192.168.1.0/24
DNAT 3.4.5.0/24 TUN0 1.2.3.0/24
Use of tunN in the nat and netmap files also produced invalid
iptables-restore input.
4.4.8.4 4.4.8.4