Avoid recent problems by not padding $target in process_tc_rule()
parent
d9ced1051a
commit
e93a7fe9df
@ -278,7 +278,7 @@ sub process_tc_rule( ) {
|
|||||||
|
|
||||||
require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
|
require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
|
||||||
|
|
||||||
$target = "$tccmd->{target} ";
|
$target = $tccmd->{target};
|
||||||
my $marktype = $tccmd->{mark};
|
my $marktype = $tccmd->{mark};
|
||||||
|
|
||||||
if ( $marktype == NOMARK ) {
|
if ( $marktype == NOMARK ) {
|
||||||
@ -287,21 +287,17 @@ sub process_tc_rule( ) {
|
|||||||
$mark =~ s/^[|&]//;
|
$mark =~ s/^[|&]//;
|
||||||
}
|
}
|
||||||
|
|
||||||
if ( $target eq 'sticky ' ) {
|
if ( $target eq 'sticky' ) {
|
||||||
if ( $chain eq 'tcout' ) {
|
if ( $chain eq 'tcout' ) {
|
||||||
$target = 'sticko';
|
$target = 'sticko';
|
||||||
} else {
|
} else {
|
||||||
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
|
fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
|
||||||
}
|
}
|
||||||
|
|
||||||
my $chain1 = $target;
|
ensure_mangle_chain($target);
|
||||||
|
|
||||||
$chain1 =~ s/ +$//;
|
|
||||||
|
|
||||||
ensure_mangle_chain($chain1);
|
|
||||||
|
|
||||||
$sticky++;
|
$sticky++;
|
||||||
} elsif ( $target eq 'IPMARK ' ) {
|
} elsif ( $target eq 'IPMARK' ) {
|
||||||
my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
|
my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
|
||||||
|
|
||||||
require_capability 'IPMARK_TARGET', 'IPMARK', 's';
|
require_capability 'IPMARK_TARGET', 'IPMARK', 's';
|
||||||
@ -338,7 +334,7 @@ sub process_tc_rule( ) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
|
$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
|
||||||
} elsif ( $target eq 'TPROXY ' ) {
|
} elsif ( $target eq 'TPROXY' ) {
|
||||||
require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
|
require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
|
||||||
|
|
||||||
fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
|
fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
|
||||||
@ -404,8 +400,6 @@ sub process_tc_rule( ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
$target =~ s/ +$// if $mark eq '';
|
|
||||||
|
|
||||||
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
|
if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
|
||||||
$restrictions{$chain} ,
|
$restrictions{$chain} ,
|
||||||
do_proto( $proto, $ports, $sports) .
|
do_proto( $proto, $ports, $sports) .
|
||||||
@ -1527,7 +1521,7 @@ sub setup_tc() {
|
|||||||
mark => HIGHMARK ,
|
mark => HIGHMARK ,
|
||||||
mask => '' } ,
|
mask => '' } ,
|
||||||
{ match => sub ( $ ) { $_[0] =~ '&.*' },
|
{ match => sub ( $ ) { $_[0] =~ '&.*' },
|
||||||
target => 'MARK --and-mark ' ,
|
target => 'MARK --and-mark' ,
|
||||||
mark => HIGHMARK ,
|
mark => HIGHMARK ,
|
||||||
mask => '' ,
|
mask => '' ,
|
||||||
connmark => 0
|
connmark => 0
|
||||||
|
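Review bot: In the `@ -404,8 +400,6 @` hunk the trailing-space strip `$target =~ s/ +$// if $mark eq '';` is removed together with the padding, so the blank between the target and its mark value must now be supplied where the two are joined. That join is in the `expand_rule(...)` argument list, which continues outside the visible lines, so it cannot be confirmed from this page. If it still concatenates `$target` and `$mark` directly, the generated mangle rule would carry a fused token such as `--and-mark0x...`, so please check that it uses an explicit separator only when `$mark ne ''`. The exact `eq 'sticky'`, `eq 'IPMARK'` and `eq 'TPROXY'` tests also now assume that no entry of the `setup_tc()` command table has a trailing blank. Only the `'MARK --and-mark'` entry is visible as changed, so a short comment above the assignment would record the invariant, e.g. `# $target is never padded; the separator is added where $mark is appended`.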