From d13c794a7dec44725fae7ecb04ddd99c604558a1 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 27 Jul 2007 22:34:53 +0000 Subject: [PATCH] Fix builtin action logging git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6975 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/releasenotes.txt | 15 ++++++++++----- Shorewall-perl/Shorewall/Actions.pm | 18 ++++++++++-------- 2 files changed, 20 insertions(+), 13 deletions(-) diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 4ad12a5b8..6884c8cff 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -73,11 +73,10 @@ Problems corrected in 4.0.1. 4.0.0. Previously, Shorewall was not started automatically at reboot after an upgrade using the RPM. -9) Shorewall-perl now detects dead policy file entries that result - when an entry is masked by an earlier entry. Example: - - all all REJECT info - loc net ACCEPT +9) Shorewall-perl was generating invalid iptables-restore input when a + log level was specified with the dropBcast and allowBcast builtin + actions and when a log level followed by '!' was used with any + builtin actions. Other changes in Shorewall 4.0.1. @@ -106,6 +105,12 @@ Other changes in Shorewall 4.0.1. capability has been relaxed. This allows Shorewall 4.0.1 to be used on releases like RHEL4 that con's support that capability. +3) Shorewall-perl now detects dead policy file entries that result + when an entry is masked by an earlier entry. Example: + + all all REJECT info + loc net ACCEPT + Migration Considerations: 1) Beginning with Shorewall 4.0.0, there is no single 'shorewall' diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm index d323bbb6b..be1483a5b 100644 --- a/Shorewall-perl/Shorewall/Actions.pm +++ b/Shorewall-perl/Shorewall/Actions.pm 
@@ -658,20 +658,20 @@ sub process_actions3 () {
 if ( $capabilities{ADDRTYPE} ) {
 if ( $level ne '' ) {
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4';
+ log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+ log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 }
 add_rule $chainref, '-m addrtype --dst-type BROADCAST -j DROP';
 } else {
 add_command $chainref, 'for address in $ALL_BCASTS; do';
 push_cmd_mode $chainref;
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address' if $level ne '';
+ log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d $address ' if $level ne '';
 add_rule $chainref, '-d $address -j DROP';
 pop_cmd_mode $chainref;
 add_command $chainref, 'done';
- log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4' if $level ne '';
+ log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 }
 add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
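Review bot: The fix encodes a separator contract in string literals — every rule fragment handed to `log_rule_limit` must now end in a space (the four changed lines here and the four matching lines in the allowBcast hunk at @@ -682), while the `add_rule` fragments beside them must not. Presumably `log_rule_limit` appends the LOG target text directly after the fragment; if so, the more robust fix is to have `log_rule_limit` (or whatever it calls) insert that space itself, so a caller that forgets the trailing space cannot regenerate the invalid iptables-restore input this commit corrects, and a check on the emitted rule text (a single space before `-j`) would catch a regression. Failing that, a comment on the first changed line should record the rule, `# trailing space: log_rule_limit appends the LOG target directly after this fragment`. The dropBcast and allowBcast blocks otherwise differ only in the action name and the target, which suggests one helper taking the target as a parameter. The enclosing sub starts and ends outside the hunk.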
@@ -682,20 +682,20 @@ sub process_actions3 () {
 if ( $capabilities{ADDRTYPE} ) {
 if ( $level ne '' ) {
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST';
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4';
+ log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
+ log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ';
 }
 add_rule $chainref, '-m addrtype --dst-type BROADCAST -j ACCEPT';
 } else {
 add_command $chainref, 'for address in $ALL_BCASTS; do';
 push_cmd_mode $chainref;
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address' if $level ne '';
+ log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d $address ' if $level ne '';
 add_rule $chainref, '-d $address -j ACCEPT';
 pop_cmd_mode $chainref;
 add_command $chainref, 'done';
- log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4' if $level ne '';
+ log_rule_limit $level, $chainref, 'allowBcast' , 'ACCEPT', '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 }
 add_rule $chainref, '-d 224.0.0.0/4 -j ACCEPT';
 }
@@ -792,6 +792,8 @@ sub process_actions3 () {
 $level = '' unless defined $level;
 $tag = '' unless defined $tag;
+ $level =~ s/!$//;
+
 if ( $targets{$action} & BUILTIN ) {
 $level = '' if $level =~ /none!?/;
 $builtinops{$action}->($chainref, $level, $tag);
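Review bot: The new `$level =~ s/!$//;` sits before the `BUILTIN` test, so the '!' suffix is discarded for every action that reaches this point, not only for the builtin actions the release notes describe; if the non-builtin path (handled past the end of this hunk) gave the suffix a meaning, that meaning is now dropped silently. If the strip is meant for builtins only, move it inside the branch and anchor it at the true end of the string: `$level =~ s/!\z//;`. Once the suffix is gone, the existing `$level = '' if $level =~ /none!?/;` no longer needs the `!?`, and its unanchored match would also clear any level that merely contains `none`; `$level = '' if $level eq 'none';` states the intent exactly. The enclosing sub continues outside the hunk.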