diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 8cc1d91d2..c3d9d0f15 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -6242,7 +6242,7 @@ sub log_rule_limit( $$$$$$$$ ) { if ( $tag =~ /^,/ ) { ( $disposition = $tag ) =~ s/,//; } elsif ( $tag =~ /,/ ) { - ( $chain, $disposition ) = split ',', $tag; + ( $chain, $disposition ) = split ',', $tag, 2; } else { $chain = $tag; } @@ -6336,7 +6336,7 @@ sub log_irule_limit( $$$$$$$@ ) { if ( $tag =~ /^,/ ) { ( $disposition = $tag ) =~ s/,//; } elsif ( $tag =~ /,/ ) { - ( $chain, $disposition ) = split ',', $tag; + ( $chain, $disposition ) = split ',', $tag, 2; } else { $chain = $tag; } diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index dce4c555a..5a69b33a3 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -2477,13 +2477,21 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) { $actiontype |= HELPER; } elsif ( $actiontype & SET ) { my %xlate = ( ADD => 'add-set' , DEL => 'del-set' ); + my ( $setname, $flags, $timeout, $rest ) = split ':', $param, 4; - my ( $setname, $flags, $rest ) = split ':', $param, 3; fatal_error "Invalid ADD/DEL parameter ($param)" if $rest; $setname =~ s/^\+//; fatal_error "Expected ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*$/; - fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/; + fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/; + $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags ); + + if ( supplied $timeout ) { + fatal_error "A timeout may only be supplied in an ADD rule" unless $basictarget eq 'ADD'; + fatal_error "Invalid Timeout ($timeout)" unless $timeout && $timeout =~ /^\d+$/; + + $action .= " --timeout $timeout"; + } } } # 
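Review bot: The new split limit of 2 on `( $chain, $disposition ) = split ',', $tag, 2;` carries no explanation at the line, and the identical change is made in log_irule_limit in the next hunk; a short comment would stop a later reader from "simplifying" it back, e.g. `# limit 2: any further commas stay in $disposition rather than being dropped`. The leading-comma branch above already keeps the remainder intact via `s/,//`, so the two branches now agree, which is presumably the intent. The tag-parsing block is duplicated verbatim between log_rule_limit and log_irule_limit, so a small shared helper would remove the need to patch both places next time; both functions continue outside the hunk.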
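Review bot: The timeout validation `fatal_error "Invalid Timeout ($timeout)" unless $timeout && $timeout =~ /^\d+$/;` rejects a value of 0 through the truth test before the regex is consulted, so `ADD(set:dst:0)` fails with a message that calls a well-formed number invalid; if a zero timeout is deliberately disallowed the message should say so, otherwise the truth test can go, since `supplied $timeout` has already established the value is present. The `$` anchor also admits a trailing newline, and `$timeout` is interpolated straight into the generated `$action`; `unless $timeout =~ /\A\d+\z/` closes that, though a newline is unlikely to survive rule-file parsing. The flags check line appears as a delete/add pair that differs only in whitespace, which is noise in the diff. process_rule continues outside the hunk.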
diff --git a/Shorewall/manpages/shorewall-rules.xml b/Shorewall/manpages/shorewall-rules.xml index d001acd1c..91cff1f48 100644 --- a/Shorewall/manpages/shorewall-rules.xml +++ b/Shorewall/manpages/shorewall-rules.xml @@ -241,7 +241,7 @@ ADD(ipset:flags) + role="bold">ADD(ipset:flags[:timeout]) Added in Shorewall 4.4.12. Causes addresses and/or port @@ -256,6 +256,12 @@ role="bold">dst respectively (see the -A command in ipset (8)). + Beginning with Shorewall 5.0.3, an optional + timeout can be specified. This is + the number of seconds that the new entry in the ipset is to + remain valid and overrides any timeout specified when the + ipset was created. + ADD is non-terminating. Even if a packet matches the rule, it is passed on to the next rule. diff --git a/Shorewall6/manpages/shorewall6-rules.xml b/Shorewall6/manpages/shorewall6-rules.xml index 5d8b0a72b..85f750616 100644 --- a/Shorewall6/manpages/shorewall6-rules.xml +++ b/Shorewall6/manpages/shorewall6-rules.xml @@ -229,6 +229,12 @@ role="bold">dst respectively (see the -A command in ipset (8)). + Beginning with Shorewall 5.0.3, an optional + timeout can be specified. This is + the number of seconds that the new entry in the ipset is to + remain valid and overrides any timeout specified when the + ipset was created. + ADD is non-terminating. Even if a packet matches the rule, it is passed on to the next rule.