Make max zone name length dependent on LOGFORMAT

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4627 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -4,6 +4,8 @@ Changes in 3.3.3
 
 2)  Add logical AND and OR support for tcrules.
 
+3)  Make the maximum zone name length dependent on LOGFORMAT.
+
 Changes in 3.3.1
 
 1)  Load the proxyarp lib when 'proxyarp' option is specified.

Shorewall/lib.config

@@ -271,7 +271,7 @@ determine_zones()
 	    list_search $parent $ZONES || startup_error "Parent zone not defined: $parent"
 	done
 
-	[ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone"
+	[ ${#zone} -gt $MAXZONENAMELENGTH ] && startup_error "Zone name longer than $MAXZONENAMELENGTH characters: $zone"
 
 	case "$zone" in
 	    [0-9*])
@@ -1899,20 +1899,25 @@ do_initialize() {
     if [ -n "$LOGFORMAT" ]; then
 	if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
 	    LOGRULENUMBERS=Yes
-	    temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null)
+	    temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null)
 	    if [ $? -ne 0 ]; then
 		fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
 	    fi
 	else
-	    temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null)
+	    temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null)
 	    if [ $? -ne 0 ]; then
 		fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
 	    fi
 	fi
 
 	[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
+
+	MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) ))
+	MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*}
+	echo "Maximum Zone Name Length = $MAXZONENAMELENGTH"
     else
 	LOGFORMAT="Shorewall:%s:%s:"
+	MAXZONENAMELENGTH=5
     fi
 
     ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)

Shorewall/releasenotes.txt

@@ -48,6 +48,23 @@ Other changes in 3.3.2
     #MARK   SOURCE
     |4	    192.168.1.1
 
+2)  Previously, zone names were restricted to five characters in
+    length. That length derives from the --log-prefix in Netfilter log
+    messages which must be 29 bytes or less in length. With the
+    standard Shorewall LOGFORMAT, 11 characters are left for the
+    chain name; since many chain names are of the form
+    <zone1>2<zone2>, we have a maximum zone name length of 5.
+
+    Beginning with this release, the maximum length of a zone name is
+    dependent on the LOGFORMAT (the maximum length may never be less
+    than 5 but it may be greater than 5). For example, setting
+    LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.
+
+    As part of this change, /sbin/shorewall[-lite] no longer uses the
+    LOGFORMAT to select Shorewall messages from log files. Instead, it
+    uses the regular expression /IN=.* OUT=/ which will match any
+    netfilter-generated log message.
+
 Migration Considerations:
 
 1)  Shorewall supports the notion of "default actions". A default
@@ -228,3 +245,27 @@ New Features:
 	# THE FOLLOWING POLICY MUST BE LAST
 	#
 	all		all		REJECT:MyReject	info
+
+4)  For users whose kernel and iptables have Extended MARK Target
+    support, it is now possible to logically AND or OR a value into the
+    current packet mark by preceding the mark value (and optional mask)
+    with an ampersand ("&") or vertical bar ("|") respectively.
+
+    Example: To logically OR the value 4 into the mark value for
+    packets from 192.168.1.1:
+
+    #MARK   SOURCE
+    |4	    192.168.1.1
+
+5)  Previously, zone names were restricted to five characters in
+    length. That length derives from the --log-prefix in Netfilter log
+    messages which must be 29 bytes or less in length. With the
+    standard Shorewall LOGFORMAT, that leaves 11 characters for the
+    chain name; given that many chain names are of the form
+    <zone1>2<zone2>, that gives a maximum zone name length of 11.
+
+    Beginning with this release, the maximum length of a zone name is
+    dependent on the LOGFORMAT (the maximum length may never be less
+    than 5 but it may be greater than 5). For example, setting
+    LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.
+