From 68c7782e7d3540cdeae9c8ce474ca654a42a032a Mon Sep 17 00:00:00 2001 From: Dash Four Date: Tue, 23 Apr 2013 02:27:57 +0100 Subject: [PATCH] Shorewall 4.5.16 Beta 6 Tom Eastep wrote: > On 4/22/13 5:07 PM, "Dash Four" wrote: > > >> Anyway, I've just implemented individual "!" in the NFACCT statement by >> hacking your Accounting.pm - I can attach a small patch for >> review/inclusion if you are interested, but be aware that it does change >> the syntax slightly in a sense that "!" needs to be specified for each >> object within NFACCT() - "NFACCT(...)!" is no longer allowed. >> > > Sure -- send it along. > Attached - the above caveat applies though. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Accounting.pm | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Accounting.pm b/Shorewall/Perl/Shorewall/Accounting.pm index fe9203eed..6e6d2d178 100644 --- a/Shorewall/Perl/Shorewall/Accounting.pm +++ b/Shorewall/Perl/Shorewall/Accounting.pm @@ -138,6 +138,14 @@ sub process_section ($) { $asection = $newsect; } +sub split_nfacct_list( $$;$ ) { + my ($list, $type, $origlist ) = @_; + + fatal_error( "Invalid $type list (" . ( $origlist ? $origlist : $list ) . ')' ) if $list =~ /^,|,$|,,$/; + + split /,/, $list; +} + # # Accounting # 
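Review bot: The third alternative of `/^,|,$|,,$/` in split_nfacct_list is redundant, because any list ending in `,,` already matches `,$`; as a result an empty element in the middle of the list (`a,,b`) is not rejected here. It looks as if `,,` was meant to be unanchored, and `if $list =~ /^,|,$|,,/;` would restore that. As written, the empty element is only caught later by the per-object match in process_accounting_rule1 (second hunk), which calls `accounting_error` rather than producing the "Invalid nfacct list" message that names the offending list.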
@@ -223,14 +231,20 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) { } } elsif ( $action =~ /^NFLOG/ ) { $target = validate_level $action; - } elsif ( $action =~ /^NFACCT\(([\w,]+)\)(!)?$/ ) { + } elsif ( $action =~ /^NFACCT\(([\w,!]+)\)$/ ) { require_capability 'NFACCT_MATCH', 'The NFACCT action', 's'; $target = ''; - my @objects = split_list $1, 'nfacct'; + my @objects = split_nfacct_list $1, 'nfacct'; + for ( @objects ) { + if ( $_ =~ /^([\w]+)(!)?$/ ) { if ( $2 ) { - $prerule .= "-m nfacct --nfacct-name $_ " for @objects; + $prerule .= "-m nfacct --nfacct-name $1 "; } else { - $rule .= "-m nfacct --nfacct-name $_ " for @objects; + $rule .= "-m nfacct --nfacct-name $1 "; + } + } else { + accounting_error; + } } } elsif ( $action eq 'INLINE' ) { $rule .= get_inline_matches;
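Review bot: The per-object match `/^([\w]+)(!)?$/` is the only validation each name gets before it is interpolated unquoted into the `-m nfacct --nfacct-name` text, and that deserves a comment so a later edit does not loosen it, e.g. `# \w+ only: the object name is pasted into the rule text as-is` above the inner `if`. The outer pattern now admits `!` anywhere in the list, so inputs such as `a!b` or `!a` reach the `else` branch, where `accounting_error` does not say which object was bad; `fatal_error "Invalid NFACCT object ($_)";` would be more helpful there. The old `NFACCT(...)!` form no longer matches this branch at all and presumably falls through to the later `elsif` tests. The enclosing sub continues outside the hunk, so what that input ends up hitting is not visible here.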