From 0e828626b8c8fcbfcbffe105ef61aca3b9818e0d Mon Sep 17 00:00:00 2001
From: Gaurav
Date: Wed, 29 Feb 2012 13:44:55 -0800
Subject: fixing 7047

---
 lib/Vyatta/IpTables/Rule.pm         |  6 +++++-
 scripts/firewall/vyatta-firewall.pl | 22 +++++++++++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/lib/Vyatta/IpTables/Rule.pm b/lib/Vyatta/IpTables/Rule.pm
index d3c11e0..72bd536 100755
--- a/lib/Vyatta/IpTables/Rule.pm
+++ b/lib/Vyatta/IpTables/Rule.pm
@@ -300,8 +300,12 @@ sub get_log_prefix {
   # want to include "[$chain-$rule_num-$action] " but that would require
   # 1 29 1 4 1 1 11 = 39
   # so truncate the chain name so that it'll all fit.
-  $chain = substr($chain, 0, 19) if length($chain) > 19;
   my $action_char = uc(substr($action, 0, 1));
+  if ( length($chain) > 19 ) {
+    $chain = substr($chain, 0, 19);
+    printf STDERR 'Firewall config warning: '
+      . "rule $rule_num logging prefix will be truncated to [$chain-$rule_num-$action_char]\n";
+  }
   my $log_prefix = "[$chain-$rule_num-$action_char] ";
   return $log_prefix;
 }
diff --git a/scripts/firewall/vyatta-firewall.pl b/scripts/firewall/vyatta-firewall.pl
index ae9f723..b5a2a9b 100755
--- a/scripts/firewall/vyatta-firewall.pl
+++ b/scripts/firewall/vyatta-firewall.pl
@@ -375,6 +375,13 @@ sub update_rules {
            . "Rule set name \"$name\" already used in \"$ctree\"\n");
       exit 1;
     }
+    #check for prefix length, iptables permits 29 as --log-prefix
+    if (($policy_log) and (length ($name) > 17)) {
+      my $action_char = uc(substr($policy, 0, 1));
+      my $chain_tr = substr($name, 0, 17);
+      printf STDERR 'Firewall config warning: '
+        . "default logging prefix will be truncated to \"[$chain_tr-default-$action_char]\" \n";
+    }
     setup_chain($table, "$name", $iptables_cmd, $policy, $policy_log);
     add_refcnt($fw_tree_file, "$tree $name");
     $policy_set = 1;
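Review bot: The new warning in get_log_prefix passes the user-controlled chain name into `printf` as part of the format string (`printf STDERR 'Firewall config warning: ' . "rule $rule_num ... [$chain-$rule_num-$action_char]\n"`), so a rule-set name containing `%` is parsed as a conversion specifier — Perl's sprintf honours `%s`, `%n` and friends — and the operator gets "Missing argument" warnings and a garbled message instead of the intended text. Nothing here needs a format, so change the call to `print STDERR 'Firewall config warning: ' . "rule $rule_num logging prefix will be truncated to [$chain-$rule_num-$action_char]\n";` (or keep printf with an explicit `"%s"` format and the message as its argument). Whether the config validator already restricts rule-set names to a `%`-free character set is not visible from this hunk, so treat this as defensive rather than a confirmed injection path. The body of get_log_prefix begins above the hunk; only its tail is shown.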
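Review bot: In the added block of update_rules, `printf STDERR` is again used with `$name` (the configured rule-set name, via `$chain_tr`) interpolated into the format string, so a `%` in the name is consumed as a conversion rather than printed; the message needs no formatting, and `print STDERR 'Firewall config warning: ' . "default logging prefix will be truncated to \"[$chain_tr-default-$action_char]\" \n";` is the safe form. The threshold `17` is `29 - length("[-default-X]")`, the same arithmetic that set_default_policy performs with its own literal further down, but nothing ties the two together; a derivation comment on the `if`, `# 29 (iptables --log-prefix max) - 12 ("[-default-X]") = 17 chars of chain name`, would at least make the coupling visible when either side is edited. update_rules continues both before and after this hunk.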
@@ -395,6 +402,13 @@ sub update_rules {
       goto end_of_rules;
     } elsif ($nodes{$name} eq 'changed') {
       log_msg "$tree $name = changed";
+      #check for prefix length, iptables permits 29 as --log-prefix
+      if (($policy_log) and (length ($name) > 17)) {
+        my $action_char = uc(substr($policy, 0, 1));
+        my $chain_tr = substr($name, 0, 17);
+        printf STDERR 'Firewall config warning: '
+          . "default logging prefix will be truncated to \"[$chain_tr-default-$action_char]\" \n";
+      }
       # handle the rules below.
     }
@@ -754,7 +768,13 @@ sub set_default_policy {
   my $comment = "-m comment --comment \"$chain-$max_rule default-action $policy\"";
   if ($log) {
     my $action_char = uc(substr($policy, 0, 1));
-    my $ltarget = "LOG --log-prefix \"[$chain-default-$action_char]\" ";
+    my $chain_tr = $chain;
+    if (length ("[$chain-default-$action_char]") > 29 ) {
+      # [ -default-a/r/d] 12 chars are always used here; iptables limits log-prefix to 29 chars
+      # truncate $chain and form the ltarget with truncated chain
+      $chain_tr = substr($chain, 0, 17);
+    }
+    my $ltarget = "LOG --log-prefix \"[$chain_tr-default-$action_char]\" ";
     run_cmd("$iptables_cmd -t $table -A $chain $comment -j $ltarget", 1);
   }
   run_cmd("$iptables_cmd -t $table -A $chain $comment -j $target", 1);
-- cgit v1.2.3
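Review bot: The seven lines added to the 'changed' branch are byte-for-byte the block added to the earlier branch of update_rules, and both re-derive the 17-character limit that set_default_policy also hard-codes in the last hunk; three copies of one truncation rule will drift the first time someone touches only one of them. A small helper returning the (possibly truncated) chain and the resulting prefix lets both branches and set_default_policy share a single definition, and replacing `printf` with `print` on the way removes the format-string exposure of a `%` in a configured rule-set name. The helper and the replacement for this block are sketched below; the surrounding update_rules body lies outside the hunk.
```perl
# Single definition of the default-policy prefix rule: iptables caps --log-prefix at
# 29 characters and "[-default-X]" takes 12 of them, leaving 17 for the chain name.
sub default_log_prefix {
    my ($chain, $policy) = @_;
    my $action_char = uc(substr($policy, 0, 1));
    my $max_chain   = 29 - length("[-default-$action_char]");
    my $chain_tr    = length($chain) > $max_chain ? substr($chain, 0, $max_chain) : $chain;
    return ($chain_tr, "[$chain_tr-default-$action_char]");
}

# … unchanged: update_rules up to log_msg "$tree $name = changed"; …
      if ($policy_log) {
        my ($chain_tr, $prefix) = default_log_prefix($name, $policy);
        print STDERR "Firewall config warning: default logging prefix will be truncated to \"$prefix\"\n"
          if $chain_tr ne $name;
      }
# … unchanged: # handle the rules below. …
```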
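Review bot: The truncation at `$chain_tr = substr($chain, 0, 17);` in set_default_policy is silent at the one place where it actually happens; the operator warning lives in update_rules and only matches if that caller keeps duplicating the same `17`. The more serious consequence for whoever reads the logs is that two rule sets whose names share their first 17 characters and the same default action now emit an identical `--log-prefix`, so LOG lines can no longer be attributed to a rule set — a detection and forensics gap the warning text does not mention. I would emit the warning here, where the truncated value is known, with `print STDERR "Firewall config warning: default logging prefix for \"$chain\" truncated to \"[$chain_tr-default-$action_char]\"; rule sets sharing these leading characters will log under the same prefix\n";` inside the `if`, and consider rejecting such names at validation time rather than truncating. The literal 17 also duplicates the 12-character overhead the `if` condition already measures; `substr($chain, 0, 29 - length("[-default-$action_char]"))` keeps the two in step. set_default_policy begins above the hunk and its tail is cut off by the footer.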