Stop Accounting rule violations

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8418 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-17 11:51:20 +01:00 · 2008-04-11 01:01:12 +00:00 · 2008-04-11 01:01:12 +00:00 · adf068c510
commit adf068c510
parent b46bcd39a1
2 changed files with 23 additions and 1 deletions
--- a/Shorewall-perl/Shorewall/Accounting.pm
+++ b/Shorewall-perl/Shorewall/Accounting.pm
@ -69,6 +69,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {
    sub check_for_builtin( $ ) {
 	my $chainref = shift;
 	fatal_error "A builtin Chain ($chainref->{name}) may not appear in the accounting file" if $chainref->{builtin};
+	fatal_error "A Shorewall-generated chain ($chainref->{name})  may not appear in the accounting file" if $chainref->{policy};
    }

    sub accounting_error() {
@ -77,7 +78,7 @@ sub process_accounting_rule( $$$$$$$$$ ) {

    sub jump_to_chain( $ ) {
 	my $jumpchain = $_[0];
-	$jumpchainref = ensure_chain( 'filter', $jumpchain );
+	$jumpchainref = ensure_accounting_chain( $jumpchain );
 	check_for_builtin( $jumpchainref );
 	$disposition = $jumpchain;
 	"-j $jumpchain";
--- a/Shorewall-perl/Shorewall/Chains.pm
+++ b/Shorewall-perl/Shorewall/Chains.pm
@ -101,6 +101,7 @@ our %EXPORT_TAGS = (
 				       ecn_chain
 				       first_chains
 				       ensure_chain
+				       ensure_accounting_chain
 				       ensure_mangle_chain
 				       ensure_nat_chain
 				       new_standard_chain
@ -161,6 +162,7 @@ our $VERSION = 4.1.5;
 #                                               referenced   => undef|1 -- If 1, will be written to the iptables-restore-input.
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
 #                                               manual       => undef|1 -- If 1, a manual chain.
+#                                               accounting   => undef|1 -- If 1, an accounting chain
 #                                               log          => <logging rule number for use when LOGRULENUMBERS>
 #                                               policy       => <policy>
 #                                               policychain  => <name of policy chain> -- self-reference if this is a policy chain
@ -854,6 +856,25 @@ sub ensure_filter_chain( $$ )
    $chainref;
 }

+#
+# Create an accounting chain if necessary. 
+#
+sub ensure_accounting_chain( $  )
+{
+    my ($chain) = @_;
+
+    my $chainref = $filter_table->{$chain};
+
+    if ( $chainref ) {
+	fatal_error "Non-accounting chain ($chain) used in accounting rule"  if ! $chainref->{accounting};
+    } else {
+	$chainref = new_chain 'filter' , $chain unless $chainref;
+	$chainref->{accounting} = 1;
+    }
+
+    $chainref;
+}
+
 sub ensure_mangle_chain($) {
    my $chain = $_[0];