Make log action inheritence work

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1505 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-02-25 22:20:49 +01:00 · 2004-07-29 16:41:40 +00:00 · 2004-07-29 16:41:40 +00:00 · 9ef51b3ae7
commit 9ef51b3ae7
parent 97ae6f3f5d
1 changed files with 29 additions and 16 deletions
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -2786,6 +2786,8 @@ createlogactionchain() # $1 = Action Name, $2 = Log Level [: Log Tag ]
    eval ${action}_chains=\"\$${action}_chains $level $CHAIN\"
    echo "   *** Action $1:$2 is $CHAIN ***"
 }
 #
@ -2819,6 +2821,13 @@ find_logactionchain() # $1 = Action, including log level and tag if any
 {
    local fullaction=$1 action=${1%%:*} level= chains=
    case $action in 
 	ACCEPT|DROP|REJECT|LOG|QUEUE|CONTINUE)
 	    echo $fullaction
 	    return
 	    ;;
    esac
    case $fullaction in
 	*:*)
 	    level=${fullaction#*:}
@ -3056,12 +3065,13 @@ process_actions2() {
 	changed=
 	for xaction in $USEDACTIONS; do
-	    eval required=\"\$requiredby_${xaction#*:}\"
+	    eval required=\"\$requiredby_${xaction%%:*}\"
 	    for action in $required; do
-		if ! list_search $action $USEDACTIONS; then
+		action1=$(evaluate_levels $xaction $action)
-		    USEDACTIONS="$USEDACTIONS $action"
+		if ! list_search $action1 $USEDACTIONS; then
-		    createactionchain $action
+		    USEDACTIONS="$USEDACTIONS $action1"
 		    createactionchain $action1
 		    changed=Yes
 		fi
 	    done
@ -3070,15 +3080,15 @@ process_actions2() {
    #
    # Now process the relevant action files -- they were already stripped in process_actions1() above.
    #
-    for xaction in $USEDACTIONS; do
+    for xaction1 in $USEDACTIONS; do
-	xchain=$(find_logactionchain $xaction)
+	xchain=$(find_logactionchain $xaction1)
-        set -- $(split $xaction)
+        set -- $(split $xaction1)
 	xlevel=$2
 	xtag=$3
-	case ${xaction%%:*} in
+	case ${xaction1%%:*} in
 	    dropBcast)
 		if [ "$COMMAND" != check ]; then
 		    if [ -n "$PKTTYPE" ]; then
@ -3095,9 +3105,9 @@ process_actions2() {
 			run_iptables -A dropBcast -m pkttype --pkt-type broadcast -j DROP
 			run_iptables -A dropBcast -m pkttype --pkt-type multicast -j DROP
 		    else
 			drop_broadcasts
 		    fi
 		else
 		    drop_broadcasts
 		fi
 		;;
@ -3106,7 +3116,7 @@ process_actions2() {
 		if [ "$COMMAND" != check ]; then
 		    [ -n "$xlevel" ] && \
-			log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -p tcp ! -- syn
+			log_rule_limit ${xlevel%\!} $xchain dropBcast $2 "" "$xtag" -p tcp ! --syn
 		    run_iptables -A $xchain -p tcp ! --syn -j DROP
 		fi
@ -3115,14 +3125,14 @@ process_actions2() {
 	    dropNotSyn)
 		if [ "$COMMAND" != check ]; then
 		    [ -n "$xlevel" ] && \
-			log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -p tcp ! -- syn
+			log_rule_limit ${xlevel%\!} $xchain dropNotSyn $2 "" "$xtag" -p tcp ! --syn
 		    run_iptables -A dropNotSyn -p tcp ! --syn -j DROP
 		fi
 		;;
 	    rejNotSyn)
 		if [ "$COMMAND" != check ]; then
 		    [ -n "$xlevel" ] && \
-			log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -p tcp ! -- syn
+			log_rule_limit ${xlevel%\!} $xchain rejNotSyn $2 "" "$xtag" -p tcp ! --syn
 		    run_iptables -A rejectNotSyn -p tcp ! --syn -j REJECT --reject-with tcp-reset
 		fi
 		;;
@ -3134,13 +3144,16 @@ process_actions2() {
 		fi
 		;;
 	    *)
-		f=action.${xaction%%:*}
+		f=action.${xaction1%%:*}
 		fn=$(find_file $f)
 		xaction=$(find_logactionchain $xaction1)
 		echo "Processing $fn..."
 		while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
-		    xtarget=$(evaluate_levels $xaction $xtarget)
+		    xtarget=$(evaluate_levels $xaction1 $xtarget)
-		    xaction=$(find_logactionchain $xaction)
+		    xtarget=$(find_logactionchain $xtarget)
 		    do_it
 		done < $TMP_DIR/$f
 		;;