Make max zone name length dependent on LOGFORMAT

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4627 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-10-04 22:40:34 +00:00
parent 0369562e37
commit f6ecff2693
3 changed files with 51 additions and 3 deletions


@ -4,6 +4,8 @@ Changes in 3.3.3
2) Add logical AND and OR support for tcrules. 2) Add logical AND and OR support for tcrules.
3) Make the maximum zone name length dependent on LOGFORMAT.
Changes in 3.3.1 Changes in 3.3.1
1) Load the proxyarp lib when 'proxyarp' option is specified. 1) Load the proxyarp lib when 'proxyarp' option is specified.


@ -271,7 +271,7 @@ determine_zones()
list_search $parent $ZONES || startup_error "Parent zone not defined: $parent" list_search $parent $ZONES || startup_error "Parent zone not defined: $parent"
done done
[ ${#zone} -gt 5 ] && startup_error "Zone name longer than 5 characters: $zone" [ ${#zone} -gt $MAXZONENAMELENGTH ] && startup_error "Zone name longer than $MAXZONENAMELENGTH characters: $zone"
case "$zone" in case "$zone" in
[0-9*]) [0-9*])
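Review bot: the changed comparison `[ ${#zone} -gt $MAXZONENAMELENGTH ]` in determine_zones() relies on do_initialize() (the next hunk) having already assigned MAXZONENAMELENGTH; if the variable is unset or empty when determine_zones() runs, the shell evaluates `[ N -gt ]` and emits a test syntax error instead of the intended startup_error. Writing the comparison as `[ ${#zone} -gt ${MAXZONENAMELENGTH:-5} ]` keeps the pre-existing 5-character limit as the fail-safe default regardless of call order.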
@ -1899,20 +1899,25 @@ do_initialize() {
if [ -n "$LOGFORMAT" ]; then if [ -n "$LOGFORMAT" ]; then
if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then if [ -n "$(echo $LOGFORMAT | grep '%d')" ]; then
LOGRULENUMBERS=Yes LOGRULENUMBERS=Yes
temp=$(printf "$LOGFORMAT" fooxx 1 barxx 2> /dev/null) temp=$(printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT 2> /dev/null)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi fi
else else
temp=$(printf "$LOGFORMAT" fooxx barxx 2> /dev/null) temp=$(printf "$LOGFORMAT" fooxx2barxx ACCEPT 2> /dev/null)
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\"" fatal_error "Invalid LOGFORMAT string: \"$LOGFORMAT\""
fi fi
fi fi
[ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\"" [ ${#temp} -le 29 ] || fatal_error "LOGFORMAT string is longer than 29 characters: \"$LOGFORMAT\""
MAXZONENAMELENGTH=$(( 5 + ( ( 29 - ${#temp}) / 2) ))
MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*}
echo "Maximum Zone Name Length = $MAXZONENAMELENGTH"
else else
LOGFORMAT="Shorewall:%s:%s:" LOGFORMAT="Shorewall:%s:%s:"
MAXZONENAMELENGTH=5
fi fi
ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED) ADMINISABSENTMINDED=$(added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED)
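Review bot: the new MAXZONENAMELENGTH derivation sizes the prefix from `printf "$LOGFORMAT" fooxx2barxx 1 ACCEPT`, so it assumes a one-digit rule number and a six-character disposition; a real prefix carrying a multi-digit rule number or a longer disposition name can exceed the 29-byte limit that the preceding `[ ${#temp} -le 29 ]` check is there to enforce, so the sample arguments should be the longest values that can actually appear (or the computed maximum should be documented as a best case). Two smaller points in the same hunk: `MAXZONENAMELENGTH=${MAXZONENAMELENGTH%.*}` is a no-op because `$(( ))` only produces integers, and the unconditional `echo "Maximum Zone Name Length = $MAXZONENAMELENGTH"` reads as leftover debugging output that will now print on every compile; drop it or route it through the script's verbosity-controlled progress messages.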


@ -48,6 +48,23 @@ Other changes in 3.3.2
#MARK SOURCE #MARK SOURCE
|4 192.168.1.1 |4 192.168.1.1
2) Previously, zone names were restricted to five characters in
length. That length derives from the --log-prefix in Netfilter log
messages which must be 29 bytes or less in length. With the
standard Shorewall LOGFORMAT, 11 characters are left for the
chain name; since many chain names are of the form
<zone1>2<zone2>, we have a maximum zone name length of 5.
Beginning with this release, the maximum length of a zone name is
dependent on the LOGFORMAT (the maximum length may never be less
than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.
As part of this change, /sbin/shorewall[-lite] no longer uses the
LOGFORMAT to select Shorewall messages from log files. Instead, it
uses the regular expression /IN=.* OUT=/ which will match any
netfilter-generated log message.
Migration Considerations: Migration Considerations:
1) Shorewall supports the notion of "default actions". A default 1) Shorewall supports the notion of "default actions". A default
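Review bot: the paragraph beginning "As part of this change, /sbin/shorewall[-lite] no longer uses the LOGFORMAT" documents a change to a file that is not among the three files in this commit, so the release note is ahead of the code; either include that change here or commit the note together with it. It is also worth stating explicitly that the replacement pattern /IN=.* OUT=/ will select every netfilter LOG line in the file, including lines produced by rules Shorewall did not generate, since users who relied on LOGFORMAT to filter their own rules out will see different output.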
@ -228,3 +245,27 @@ New Features:
# THE FOLLOWING POLICY MUST BE LAST # THE FOLLOWING POLICY MUST BE LAST
# #
all all REJECT:MyReject info all all REJECT:MyReject info
4) For users whose kernel and iptables have Extended MARK Target
support, it is now possible to logically AND or OR a value into the
current packet mark by preceding the mark value (and optional mask)
with an ampersand ("&") or vertical bar ("|") respectively.
Example: To logically OR the value 4 into the mark value for
packets from 192.168.1.1:
#MARK SOURCE
|4 192.168.1.1
5) Previously, zone names were restricted to five characters in
length. That length derives from the --log-prefix in Netfilter log
messages which must be 29 bytes or less in length. With the
standard Shorewall LOGFORMAT, that leaves 11 characters for the
chain name; given that many chain names are of the form
<zone1>2<zone2>, that gives a maximum zone name length of 11.
Beginning with this release, the maximum length of a zone name is
dependent on the LOGFORMAT (the maximum length may never be less
than 5 but it may be greater than 5). For example, setting
LOGFORMAT="FW:%s:%s:" will allow zone names of up to 8 characters.
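Review bot: the sentence "that gives a maximum zone name length of 11" contradicts the arithmetic that precedes it (11 characters shared between two zone names and the joining "2" leaves 5 per zone) and the statement two lines later that the maximum may never be less than 5; the copy of this paragraph added under "Other changes in 3.3.2" in the earlier hunk correctly says 5, and the compiler change in this commit defaults to 5. Change 11 to 5 here so the two copies agree.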