author | Gaurav <gaurav.sinha@vyatta.com> | 2012-02-29 13:44:55 -0800 |
---|---|---|
committer | Gaurav <gaurav.sinha@vyatta.com> | 2012-02-29 13:44:55 -0800 |
commit | 0e828626b8c8fcbfcbffe105ef61aca3b9818e0d (patch) | |
tree | d2271205145d873933cfe36217b4fc381e925995 | |
parent | 2ddf45aff7672525f66bbf2e642b85cbca25b0a3 (diff) | |
download | vyatta-cfg-firewall-0e828626b8c8fcbfcbffe105ef61aca3b9818e0d.tar.gz vyatta-cfg-firewall-0e828626b8c8fcbfcbffe105ef61aca3b9818e0d.zip |
fixing 7047
-rwxr-xr-x | lib/Vyatta/IpTables/Rule.pm | 6 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-firewall.pl | 22 |
2 files changed, 26 insertions, 2 deletions
diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index d3c11e0..72bd536 100755
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -300,8 +300,12 @@ sub get_log_prefix {
 # want to include "[$chain-$rule_num-$action] " but that would require
 # 1 29 1 4 1 1 11 = 39
 # so truncate the chain name so that it'll all fit.
- $chain = substr($chain, 0, 19) if length($chain) > 19;
 my $action_char = uc(substr($action, 0, 1));
+ if ( length($chain) > 19 ) {
+ $chain = substr($chain, 0, 19);
+ printf STDERR 'Firewall config warning: '
+ . "rule $rule_num logging prefix will be truncated to [$chain-$rule_num-$action_char]\n";
+ }
 my $log_prefix = "[$chain-$rule_num-$action_char] ";
 return $log_prefix;
 }
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index ae9f723..b5a2a9b 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -375,6 +375,13 @@ sub update_rules {
 . "Rule set name \"$name\" already used in \"$ctree\"\n");
 exit 1;
 }
+ #check for prefix length, iptables permits 29 as --log-prefix
+ if (($policy_log) and (length ($name) > 17)) {
+ my $action_char = uc(substr($policy, 0, 1));
+ my $chain_tr = substr($name, 0, 17);
+ printf STDERR 'Firewall config warning: '
+ . "default logging prefix will be truncated to \"[$chain_tr-default-$action_char]\" \n";
+ }
 setup_chain($table, "$name", $iptables_cmd, $policy, $policy_log);
 add_refcnt($fw_tree_file, "$tree $name");
 $policy_set = 1; 
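Review bot: The new `printf STDERR` in get_log_prefix hands a string with `$chain`, `$rule_num` and `$action_char` already interpolated to printf as its format argument, so a rule-set name containing `%` is parsed as a conversion directive instead of being printed literally, garbling the warning and triggering a missing-argument or invalid-conversion warning under `use warnings`. No formatting is needed here, so the call should be `print STDERR 'Firewall config warning: ' . "rule $rule_num logging prefix will be truncated to [$chain-$rule_num-$action_char]\n";`. The two update_rules hunks in scripts/firewall/vyatta-firewall.pl use `printf` with an interpolated `$chain_tr` the same way and should switch to `print` as well. Since get_log_prefix builds the prefix for each rule, this warning is presumably emitted once per rule of an over-long rule set on every rebuild rather than once per rule set; if that is intended, a comment such as `# NOTE: warns per rule, not once per rule set` would make it explicit.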
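Review bot: The seven-line warning block added before `setup_chain` is pasted again verbatim in the `@@ -395` hunk below, and both copies hard-code the 17-character limit that set_default_policy derives from the 29-character iptables limit, so the three places can drift apart silently. A small file-level helper called from both branches keeps the threshold and the message text in one place; update_rules itself begins and ends outside this hunk. Minor style on the same lines: `length ($name)` has a space before the paren, and `(($policy_log) and (...))` wraps each operand in redundant parentheses.
```perl
    # … unchanged: duplicate rule-set name check …
    #check for prefix length, iptables permits 29 as --log-prefix
    warn_default_prefix_truncation($name, $policy) if $policy_log;
    setup_chain($table, "$name", $iptables_cmd, $policy, $policy_log);
    # … unchanged: add_refcnt, $policy_set …

# File-level helper (outside update_rules): warn that the default-action log
# prefix "[<name>-default-<A>]" will be cut to fit iptables' 29-char --log-prefix
# (12 fixed characters leave 17 for the rule-set name).
sub warn_default_prefix_truncation {
    my ($name, $policy) = @_;
    return if length($name) <= 17;
    my $action_char = uc(substr($policy, 0, 1));
    my $chain_tr    = substr($name, 0, 17);
    print STDERR 'Firewall config warning: '
        . "default logging prefix will be truncated to \"[$chain_tr-default-$action_char]\" \n";
    return;
}
```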
@@ -395,6 +402,13 @@ sub update_rules {
 goto end_of_rules;
 } elsif ($nodes{$name} eq 'changed') {
 log_msg "$tree $name = changed";
+ #check for prefix length, iptables permits 29 as --log-prefix
+ if (($policy_log) and (length ($name) > 17)) {
+ my $action_char = uc(substr($policy, 0, 1));
+ my $chain_tr = substr($name, 0, 17);
+ printf STDERR 'Firewall config warning: '
+ . "default logging prefix will be truncated to \"[$chain_tr-default-$action_char]\" \n";
+ }
 # handle the rules below.
 }
@@ -754,7 +768,13 @@ sub set_default_policy {
 my $comment = "-m comment --comment \"$chain-$max_rule default-action $policy\"";
 if ($log) {
 my $action_char = uc(substr($policy, 0, 1));
- my $ltarget = "LOG --log-prefix \"[$chain-default-$action_char]\" ";
+ my $chain_tr = $chain;
+ if (length ("[$chain-default-$action_char]") > 29 ) {
+ # [ -default-a/r/d] 12 chars are always used here; iptables limits log-prefix to 29 chars
+ # truncate $chain and form the ltarget with truncated chain
+ $chain_tr = substr($chain, 0, 17);
+ }
+ my $ltarget = "LOG --log-prefix \"[$chain_tr-default-$action_char]\" ";
 run_cmd("$iptables_cmd -t $table -A $chain $comment -j $ltarget", 1);
 }
 run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1); |
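Review bot: Truncating `$chain` to 17 characters means two rule sets whose names share their first 17 characters end up with an identical `[...-default-X]` prefix, so kernel log lines can no longer be attributed to a single rule set; the new comment should say so, e.g. `# names sharing their first 17 chars collide in the log prefix`, and the warning that update_rules prints could mention it as well. By the comment's own count of 12 fixed characters, the `> 29` test is the same as `length($chain) > 17`, and that 17 is repeated in both update_rules warnings; a named constant, e.g. `use constant MAX_LOG_PREFIX => 29;` with the 17 derived from it, would keep the truncation and the warnings in step. set_default_policy begins outside this hunk.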