From b4c812b6761f872658cf384b9e6eabc904b0f9a2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 5 Aug 2012 08:09:17 -0700 Subject: [PATCH] Correct helper parsing in the Raw module. - Require (...) around multiple ctevents - Detect invalid options Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Raw.pm | 14 ++++++++------ Shorewall/manpages/shorewall-conntrack.xml | 5 ++++- Shorewall6/manpages/shorewall6-conntrack.xml | 5 ++++- 3 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm
index 1713690ec..4a11c1a7c 100644
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -87,24 +87,26 @@ sub process_notrack_rule( $$$$$$$ ) { $action = "CT --helper $args"; $exception_rule = do_proto( $proto, '-', '-' ); - for my $mod ( split ',', $modifiers ) { + for my $mod ( split_list1( $modifiers, 'ctevents' ) ) { fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/; - $mod = $1; - $args = $2; + $mod = $1; + my $val = $2; if ( $mod eq 'ctevents' ) { - for ( split ',', $args ) { + for ( split_list( $val, 'ctevents' ) ) { fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_}; } - $action .= " --ctevents $args"; + $action .= " --ctevents $val"; } elsif ( $mod eq 'expevents' ) { - fatal_error "Invalid expevent argument ($args)" unless $args eq 'new'; + fatal_error "Invalid expevent argument ($val)" unless $val eq 'new'; $action .= ' --expevents new'; } else { fatal_error "Invalid helper option ($mod)"; } } + } else { + fatal_error "Invalid CT option ($option)"; } } }
diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml
index 022acfebb..33289134e 100644
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
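Review bot: The type label handed to split_list1 on the first added line is `'ctevents'`, although the list being split there is the comma-separated list of helper modifiers (`ctevents=…`, `expevents=…`), so a malformed modifier list would presumably be reported as an invalid ctevents list rather than an invalid helper option list; `for my $mod ( split_list1( $modifiers, 'helper option' ) ) {` keeps the message honest, while the inner `split_list( $val, 'ctevents' )` is labelled correctly. Every event in $val is checked against %valid_ctevent before $val is interpolated into the `CT` rule text, so only whitelisted event names can reach the generated rule; that relies on split_list (or split_list1) stripping the parentheses the manpage now requires around multiple events, which cannot be confirmed from this hunk. The option regex `/^(\w+)=(.+)$/` still accepts a trailing newline via `$`; `\z` would be stricter, although the value has already been split on commas by that point. The enclosing process_notrack_rule starts before the hunk and continues after it.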
@@ -199,7 +199,10 @@ role="bold">helper, mark (this is connection mark, not packet mark), natseqinfo, - and secmark. + and secmark. If more than + one event is listed, the + event list must be enclosed in + parentheses (e.g., ctevents=(new,related)).
diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml
index a3cb5c4d5..a1eab9dd5 100644
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -102,7 +102,10 @@ role="bold">helper, mark (this is connection mark, not packet mark), natseqinfo, - and secmark. + and secmark. If more than + one event is listed, the + event list must be enclosed in + parentheses (e.g., ctevents=(new,related)).