From 8ccd1ab52bfed9599fed05762c2f18370b539bfe Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 18 Jan 2013 12:09:54 -0800
Subject: [PATCH] Handle exclusion correctly when DEFER_DNS_RESOLUTION=No

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 35 +++++++++++-------
 Shorewall/Perl/Shorewall/Rules.pm  | 58 +++++++++++++++---------------
 2 files changed, 52 insertions(+), 41 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 6a3ecc6ba..c14328cf3 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3716,6 +3716,8 @@ sub source_exclusion( $$ ) {
     reftype $target ? $chainref : $chainref->{name};
 }
 
+sub split_host_list( $;$ );
+
 sub source_iexclusion( $$$$$;@ ) {
     my $chainref = shift;
     my $jump = shift;
@@ -5009,8 +5011,6 @@ sub load_isocodes() {
     $isocodes{substr(basename($_),0,2)} = 1 for @codes;
 }
 
-sub split_host_list( $;$ );
-
 #
 # Match a Source.
 #
@@ -5607,19 +5607,30 @@ sub split_host_list( $;$ ) {
     unless ( $config{DEFER_DNS_RESOLUTION} ) {
         my @result1;
 
-        for ( @result ) {
-            if ( m|[-\+\[~/^&]| ) {
-                push @result1, $_;
-            } elsif ( /^.+\..+\./ ) {
-                /^(!)?(.*)$/;
-                if ( valid_address( $2 ) ) {
-                    push @result1, $_;
+        for my $element ( @result ) {
+            my @list = split '!', $element, 3;
+
+            fatal_error "Invalid host list ($input)" if @list > 2;
+
+            my @pair;
+
+            for ( @list ) {
+                unless ( supplied $_ ) {
+                    push @pair, '';
+                } elsif ( m|[-\+\[~/^&]| ) {
+                    push @pair, $_;
+                } elsif ( /^.+\..+\./ ) {
+                    if ( valid_address( $_ ) ) {
+                        push @pair, $_
+                    } else {
+                        push @pair, resolve_dnsname( $2 );
+                    }
                 } else {
-                    push @result1, resolve_dnsname( $_ );
+                    push @pair, $_;
                 }
-            } else {
-                push @result1, $_;
             }
+
+            push @result1 , supplied $pair[1] ? join( '!', @pair ) : $pair[0] ;
         }
 
         return @result1;
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index e8df13852..ab5dd8369 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
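Review bot: `push @pair, resolve_dnsname( $2 );` in the new inner loop of split_host_list passes a stale capture: the old code populated `$2` with `/^(!)?(.*)$/` to strip the leading `!`, but that match is gone and the preceding `/^.+\..+\./` has no capture groups, so `$2` is undef and the name never reaches resolve_dnsname(). Because the `!` is now split off before the loop, the element itself is the name to resolve: `push @pair, resolve_dnsname( $_ );`. The sibling branch `push @pair, $_` also lacks its terminating semicolon. How `supplied $pair[1] ? join( '!', @pair ) : $pair[0]` parses depends on `supplied` having a `( $ )` prototype — without one the whole ternary becomes its argument list — so that is worth confirming against its definition, which like `$input` and the rest of split_host_list lies outside this hunk.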
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2028,34 +2028,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
     # We can now dispense with the postfix character
     #
     fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
-    #
-    # Handle actions
-    #
-    if ( $actiontype & ACTION ) {
-        #
-        # Create the action:level:tag:param tuple.
-        #
-        $normalized_target = normalize_action( $basictarget, $loglevel, $param );
-
-        fatal_error( "Action $basictarget invoked Recursively (" . join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
-
-        if ( my $ref = use_action( $normalized_target ) ) {
-            #
-            # First reference to this tuple
-            #
-            process_action( $ref );
-            #
-            # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
-            #
-            # - Refresh $actiontype
-            # - Create the associated nat and/or table chain if appropriate.
-            #
-            ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
-            ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
-        }
-
-        $action = $basictarget; # Remove params, if any, from $action.
-    } else {
+
+    unless ( $actiontype & ( ACTION | INLINE) ) {
         #
         # Catch empty parameter list
         #
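Review bot: Relocating the ACTION block also relocates the `$actiontype = $targets{$basictarget}` refresh that picks up the NATRULE and HELPER bits after process_action(), so any test of those bits in the code the block is moved past (old lines 2036–2273, outside this view) now runs against the unrefreshed value; worth confirming nothing there depends on it. Style: `( ACTION | INLINE)` drops the closing space used for every other parenthesised expression in the function, `unless ( $actiontype & ( ACTION | INLINE ) ) {`. The body of the new unless block continues outside the hunk, and the re-added block appears in the hunk at @@ -2299 below.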
@@ -2299,8 +2273,34 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
             }
         }
     }
+    #
+    # Handle actions
+    #
+    if ( $actiontype & ACTION ) {
+        #
+        # Create the action:level:tag:param tuple.
+        #
+        $normalized_target = normalize_action( $basictarget, $loglevel, $param );
 
-    if ( $actiontype & INLINE ) {
+        fatal_error( "Action $basictarget invoked Recursively (" . join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};
+
+        if ( my $ref = use_action( $normalized_target ) ) {
+            #
+            # First reference to this tuple
+            #
+            process_action( $ref );
+            #
+            # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
+            #
+            # - Refresh $actiontype
+            # - Create the associated nat and/or table chain if appropriate.
+            #
+            ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
+            ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
+        }
+
+        $action = $basictarget; # Remove params, if any, from $action.
+    } elsif ( $actiontype & INLINE ) {
         #
         # process_inline() will call process_rule1() recursively for each rule in the macro body
         #
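Review bot: The re-added comment above the ensure_chain() calls still reads "one of it's dependents"; since the block is being rewritten here anyway, `# Processing the action may determine that the action or one of its dependents does NAT or HELPER, so:` is the moment to fix it. The three closing braces at the top of the hunk belong to blocks that open outside it, and the INLINE branch introduced by `} elsif ( $actiontype & INLINE ) {` also continues past the last hunk line.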