diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index d625fe263..2ce12af60 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -1764,9 +1764,9 @@ sub process_host( ) {
 } else {
 fatal_error "Invalid HOST(S) column contents: $hosts";
 }
- } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/ ||
- $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
- $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/ ||
+ } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/ ||
+ $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
+ $hosts =~ /^([\w.@%-]+\+?):(\[.+\](?:\/\d+)?)$/ ||
 $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 $interface = $1;
 $hosts = $2;
@@ -1776,10 +1776,20 @@ sub process_host( ) {
 fatal_error "Invalid HOST(S) column contents: $hosts"
 }
- if ( $hosts =~ /^!?\+/ ) {
- $zoneref->{complex} = 1;
- fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
- fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
+ unless ( $hosts eq 'dynamic' ) {
+ my @hosts = split_list1( $hosts , 'host' );
+
+ for ( @hosts ) {
+ if ( $_ =~ /^!?\+/ ) {
+ $zoneref->{complex} = 1;
+ fatal_error "ipset name qualification is disallowed in this file" if /[\[\]]/;
+ fatal_error "Invalid ipset name ($hosts)" unless /^!?\+[a-zA-Z][-\w]*$/;
+ } else {
+ $_ = validate_net( $_, 1 );
+ }
+ }
+
+ $hosts = join( ',', @hosts );
 }
 if ( $type & BPORT ) {
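Review bot: The new third alternative is only tried when the bare-bracket pattern before it fails, so a value such as `eth0:[2001:db8::1]/64,[2001:db8::2]` (constructed example), which ends in `]`, is still captured by `\[(.*)\]` with only the outermost brackets stripped. The list handling this commit adds further down in process_host then appears to receive the fragments `2001:db8::1]/64` and `[2001:db8::2`, and whether those are rejected cleanly depends on split_list1 and validate_net, which are outside the hunk. A comment above the alternation such as `# a list must not end in a bare [addr]: the pattern above strips only the outermost brackets`, plus a regression test for that input, would pin the behaviour. The ipset form `(!?\+.*)` is also dropped from this branch, so it is worth confirming that `iface:+set` is still matched by a branch not shown here.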
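Review bot: Inside the new loop the message `Invalid ipset name ($hosts)` still interpolates the whole comma-separated list, so a bad entry in a long list is reported without saying which element failed; `fatal_error "Invalid ipset name ($_)" unless /^!?\+[a-zA-Z][-\w]*$/;` names the offender. The loop also rewrites `@hosts` through the implicit `$_` alias across the call to validate_net; `for my $host ( @hosts )` keeps the in-place update and does not rely on callees leaving `$_` alone. The accepted name presumably ends up in generated rules, so anchoring the check with `\z` instead of `$` would also refuse a trailing newline, though a value split from a config line probably never carries one. process_host begins and ends outside this hunk.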