Allow inline matches in the conntrack file.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2019-01-07 17:47:05 -08:00 · 2019-01-07 17:47:05 -08:00 · cf330afbd9
commit cf330afbd9
parent 49731da807
2 changed files with 16 additions and 7 deletions
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009-2018 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009-2019 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@ -70,6 +70,13 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

    my $zone;
    my $restriction = PREROUTE_RESTRICT;
+    my $raw_matches = get_inline_matches(0);
+    my $prerule = '';
+
+    if ( $raw_matches =~ /s*+/ ) {
+	$prerule = $raw_matches;
+	$raw_matches = '';
+    }

    if ( $chainref ) {
 	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
@ -206,10 +213,11 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

    expand_rule( $chainref ,
 		 $restriction ,
-		 '',
+		 $prerule,
 		 do_proto( $proto, $ports, $sports ) . 
 		 do_user ( $user ) . 
-		 do_condition( $switch , $chainref->{name} ),
+		 do_condition( $switch , $chainref->{name} ) .
+		 $raw_matches ,
 		 $source ,
 		 $dest ,
 		 '' ,
@ -316,7 +324,7 @@ sub setup_conntrack($) {
 				     { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 } );
 		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line2( 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, undef, undef, 1 );
 		}

 		$empty = 0;
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2017</year>
+      <year>2001-2019</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -56,7 +56,7 @@
    Shorewall</ulink> is required reading for being able to use this article
    effectively. For information about setting up your first Shorewall-based
    firewall, see the <ulink url="GettingStarted.html">Quickstart
-    Guides</ulink>.</para>
+    Guides</ulink>.in</para>
  </section>

  <section id="Files">
@ -852,7 +852,8 @@ INLINE               net              $FW ;; -m recent --rcheck 10 --hitcount 5
          column=value specifications. In Shorewall 5.0.0 and later, inline
          matches are allowed in mangle, masq and rules following two adjacent
          semicolons (";;"). If alternate input is present, the adjacent
-          semicolons should follow that input.</para>
+          semicolons should follow that input. In Shorewall 5.2.2, this
+          support was extended to the conntrack file.</para>

          <caution>
            <para>INLINE_MATCHES=Yes is deprecated and will no longer be