Tom Eastep
dd3c0daa08 Handle inline matches correctly in the mangle file
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-29 13:33:47 -07:00
Tom Eastep
4fddfcfba0 More complete fix for inline matches
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2016-03-29 13:15:01 -07:00
Tom Eastep
382ab380a2 Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code 2016-03-29 07:36:49 -07:00
Tuomo Soini
2342c7cd9c Perl/Shorewall/Chains.pm: Fix warning with older perl 2016-03-29 09:58:33 +03:00
Roberto C. Sánchez
899a317c95 Fix typos 2016-03-26 22:25:30 -04:00
8 changed files with 26 additions and 21 deletions


@@ -8627,12 +8627,12 @@ sub preview_netfilter_load() {
print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' ); print( '[ -n "$g_docker" ] && echo ":DOCKER - [0:0]" >&3' );
print "\n"; print "\n";
} elsif ( $name eq 'DOCKER-ISOLATION' ) { } elsif ( $name eq 'DOCKER-ISOLATION' ) {
enter_cmd_mode1 unless $mode = CMD_MODE; enter_cmd_mode1 unless $mode == CMD_MODE;
print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' ); print( '[ -n "$g_dockernetwork" ] && echo ":DOCKER-ISOLATION - [0:0]" >&3' );
print "\n"; print "\n";
enter_cat_mode1; enter_cat_mode1;
} else { } else {
enter_cmd_mode1 unless $mode = CMD_MODE; enter_cmd_mode1 unless $mode == CMD_MODE;
print( ":$name - [0:0]\n" ); print( ":$name - [0:0]\n" );
} }
} else { } else {
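Review bot: The corrected guard `enter_cmd_mode1 unless $mode == CMD_MODE;` is now repeated verbatim in both the DOCKER-ISOLATION branch and the final else branch, and the original `$mode = CMD_MODE` assignment went unnoticed precisely because a copied one-liner is easy to get wrong: the assignment is always true, so `unless` silently skipped the call. If enter_cmd_mode1 does not already test the current mode itself, consider moving the `$mode == CMD_MODE` check inside it so every call site becomes an unconditional `enter_cmd_mode1;` and cannot regress into the assignment form. enter_cmd_mode1's definition is not visible here, and preview_netfilter_load begins and ends outside the hunk, so this is a suggestion to check against the helper.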


@@ -1798,6 +1798,7 @@ sub process_action(\$\$$) {
my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS; my ( $action, $level, $tag, undef, $param ) = split /:/, $wholeaction, ACTION_TUPLE_ELEMENTS;
my $type = $targets{$action}; my $type = $targets{$action};
my $actionref = $actions{$action}; my $actionref = $actions{$action};
my $matches = fetch_inline_matches;
if ( $type & BUILTIN ) { if ( $type & BUILTIN ) {
$level = '' if $level =~ /none!?/; $level = '' if $level =~ /none!?/;
@@ -1910,6 +1911,7 @@ sub process_action(\$\$$) {
$dscp , $dscp ,
$state, $state,
$time ); $time );
set_inline_matches( $matches );
} }
} else { } else {
my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper ); my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
@@ -1961,6 +1963,8 @@ sub process_action(\$\$$) {
$condition, $condition,
$helper, $helper,
0 ); 0 );
set_inline_matches( $matches );
} }
} }
@@ -2199,6 +2203,7 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
my $macrofile = $macros{$macro}; my $macrofile = $macros{$macro};
my $save_matches = fetch_inline_matches;
progress_message "..Expanding Macro $macrofile..."; progress_message "..Expanding Macro $macrofile...";
@@ -2306,13 +2311,11 @@ sub process_macro ($$$$$$$$$$$$$$$$$$$$$) {
); );
progress_message " Rule \"$currentline\" $done"; progress_message " Rule \"$currentline\" $done";
set_inline_matches( $save_matches );
} }
pop_open; pop_open;
#
# Clear the inline matches if we are the lowest level macro/inline invocation
#
set_inline_matches( '' ) if $macro_nest_level == 1;
progress_message "..End Macro $macrofile"; progress_message "..End Macro $macrofile";
@@ -2341,6 +2344,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
my $inlinefile = $actionref->{file}; my $inlinefile = $actionref->{file};
my $options = $actionref->{options}; my $options = $actionref->{options};
my $nolog = $options & NOLOG_OPT; my $nolog = $options & NOLOG_OPT;
my $save_matches = fetch_inline_matches;
setup_audit_action( $inline ) if $options & AUDIT_OPT; setup_audit_action( $inline ) if $options & AUDIT_OPT;
@@ -2448,6 +2452,8 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
); );
progress_message " Rule \"$currentline\" $done"; progress_message " Rule \"$currentline\" $done";
set_inline_matches( $save_matches );
} }
pop_comment( $save_comment ); pop_comment( $save_comment );
@@ -2457,10 +2463,6 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$$$) {
progress_message "..End inline action $inlinefile"; progress_message "..End inline action $inlinefile";
pop_action_params( $oldparms ); pop_action_params( $oldparms );
#
# Clear the inline matches if we are the lowest level macro/inline invocation
#
set_inline_matches( '' ) if $macro_nest_level == 1;
return $generated; return $generated;
} }
@@ -3791,6 +3793,7 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
$chainref->{name} ); $chainref->{name} );
my $inlinefile = $actions{$inline}{file}; my $inlinefile = $actions{$inline}{file};
my $matches = fetch_inline_matches;
progress_message "..Expanding inline action $inlinefile..."; progress_message "..Expanding inline action $inlinefile...";
@@ -3885,6 +3888,8 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
} }
progress_message " Rule \"$currentline\" $done"; progress_message " Rule \"$currentline\" $done";
set_inline_matches( $matches );
} }
pop_comment( $save_comment ); pop_comment( $save_comment );
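Review bot: The saved inline-match value is named `$matches` in process_action and process_mangle_inline but `$save_matches` in process_macro and process_inline, although all four hunks implement the same fetch-before / set-after pattern around a nested rule; using one name (`$save_matches`) in all four would make the pattern recognisable at a glance. The hunks that delete the `set_inline_matches( '' ) if $macro_nest_level == 1;` blocks in process_macro and process_inline remove the only visible point that reset the matches for the next top-level rule, and nothing in the diff shows where that reset now happens, so a comment at the first fetch in each sub would help, e.g. `# Save the caller's inline matches: the nested rule consumes and overwrites them, so restore after each generated rule.` If a fatal error inside one of the loops unwinds past the restore, that is presumably harmless because compilation stops, but it is worth confirming. process_action, process_macro, process_inline and process_mangle_inline all begin and end outside their hunks.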


@@ -390,7 +390,7 @@ DIVERTHA - - tcp</programlisting>
<para>Allows you to place your own ip[6]tables matches at the <para>Allows you to place your own ip[6]tables matches at the
end of the line following a semicolon (";"). If an end of the line following a semicolon (";"). If an
<replaceable>action</replaceable> is specified, the compiler <replaceable>action</replaceable> is specified, the compiler
procedes as if that <replaceable>action</replaceable> had been proceeds as if that <replaceable>action</replaceable> had been
specified in this column. If no action is specified, then you specified in this column. If no action is specified, then you
may include your own jump ("-j may include your own jump ("-j
<replaceable>target</replaceable> <replaceable>target</replaceable>


@@ -1441,7 +1441,7 @@
<para>When <option>s:</option> or <option>d:</option> is specified, <para>When <option>s:</option> or <option>d:</option> is specified,
the rate applies per source IP address or per destination IP address the rate applies per source IP address or per destination IP address
respectively. The <replaceable>name</replaceable>s may be chosen by respectively. The <replaceable>name</replaceable>s may be chosen by
the user and specifiy a hash table to be used to count matching the user and specify a hash table to be used to count matching
connections. If not given, the name <emphasis connections. If not given, the name <emphasis
role="bold">shorewallN</emphasis> (where N is a unique integer) is role="bold">shorewallN</emphasis> (where N is a unique integer) is
assumed. Where more than one rule or POLICY specifies the same name, assumed. Where more than one rule or POLICY specifies the same name,


@@ -998,7 +998,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
iptables text in a rule. You may simply preface that text with a iptables text in a rule. You may simply preface that text with a
pair of semicolons (";;"). If alternate input is also specified in pair of semicolons (";;"). If alternate input is also specified in
the rule, it should appear before the semicolons and may be the rule, it should appear before the semicolons and may be
seperated from normal column input by a single semicolon.</para> separated from normal column input by a single semicolon.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@@ -401,7 +401,7 @@ DIVERTHA - - tcp</programlisting>
<para>Allows you to place your own ip[6]tables matches at the <para>Allows you to place your own ip[6]tables matches at the
end of the line following a semicolon (";"). If an end of the line following a semicolon (";"). If an
<replaceable>action</replaceable> is specified, the compiler <replaceable>action</replaceable> is specified, the compiler
procedes as if that <replaceable>action</replaceable> had been proceeds as if that <replaceable>action</replaceable> had been
specified in this column. If no action is specified, then you specified in this column. If no action is specified, then you
may include your own jump ("-j may include your own jump ("-j
<replaceable>target</replaceable> <replaceable>target</replaceable>


@@ -1306,7 +1306,7 @@
<para>When <option>s:</option> or <option>d:</option> is specified, <para>When <option>s:</option> or <option>d:</option> is specified,
the rate applies per source IP address or per destination IP address the rate applies per source IP address or per destination IP address
respectively. The <replaceable>name</replaceable>s may be chosen by respectively. The <replaceable>name</replaceable>s may be chosen by
the user and specifiy a hash table to be used to count matching the user and specify a hash table to be used to count matching
connections. If not given, the name <emphasis connections. If not given, the name <emphasis
role="bold">shorewallN</emphasis> (where N is a unique integer) is role="bold">shorewallN</emphasis> (where N is a unique integer) is
assumed. Where more than one rule or POLICY specifies the same name, assumed. Where more than one rule or POLICY specifies the same name,


@@ -846,7 +846,7 @@ net all DROP info</programlisting>then the chain name is 'net-all'
iptables text in a rule. You may simply preface that text with a iptables text in a rule. You may simply preface that text with a
pair of semicolons (";;"). If alternate input is also specified in pair of semicolons (";;"). If alternate input is also specified in
the rule, it should appear before the semicolons and may be the rule, it should appear before the semicolons and may be
seperated from normal column input by a single semicolon.</para> separated from normal column input by a single semicolon.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>