Lennart Sorensen
2008-Oct-15  18:39 UTC
shorewall-perl ignores 'length' parameter in tcrules
I found out today that, using shorewall-perl, any length specified in
tcrules is completely ignored and ends up creating a bogus rule that
just marks a packet no matter what.
shorewall-shell does the right thing however.
This was in shorewall 4.0.11, but by the looks of it shorewall 4.2.0 has
the same problem as well.
The fix is pretty simple, of course (patch against 4.0.14):
--- Shorewall/Tc.pm	2008-06-10 13:36:01.000000000 -0400
+++ Shorewall/Tc.pm	2008-10-15 14:35:20.000000000 -0400
@@ -271,7 +271,7 @@
 
     if ( ( my $result = expand_rule( ensure_chain( ''mangle'' ,
$chain ) ,
 				     $restrictions{$chain} ,
-				     do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test(
$testval, $mask ) . do_tos( $tos ) ,
+				     do_proto( $proto, $ports, $sports) . do_user( $user ) . do_test(
$testval, $mask ) . do_length( $length ) . do_tos( $tos ) ,
 				     $source ,
 				     $dest ,
 				     '''' ,
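Review bot: this hunk will not apply as pasted, because the mailer has wrapped the long lines (the `expand_rule( ensure_chain( 'mangle' ,` call and both `do_proto( ... ) . do_test(` lines continue on the following line); attach the diff or resend with line wrapping disabled. The added `do_length( $length )` also assumes `$length` is already assigned from the LENGTH column earlier in this function, which the three context lines do not show; worth confirming under `use strict` before the patch goes in, since an undeclared `$length` fails at compile time rather than at rule-generation time.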
--- Shorewall/Chains.pm	2008-06-13 20:23:36.000000000 -0400
+++ Shorewall/Chains.pm	2008-10-15 14:35:19.000000000 -0400
@@ -110,6 +110,7 @@
 				       do_test
 				       do_ratelimit
 				       do_user
+				       do_length
 				       do_tos
 				       match_source_dev
 				       match_dest_dev
@@ -1212,6 +1213,16 @@
 }
 
 #
+# Create a "-m length" match for the passed TOS
+#
+sub do_length( $ ) {
+    my $length = $_[0];
+
+    require_capability( ''LENGTH_MATCH'' , ''Your
kernel and/or iptables does not have length match support.'' ,
'''' );
+    $length ne ''-'' ? "-m length --length $length "
: '''';
+}
+
+#
 # Match Source Interface
 #
 sub match_source_dev( $ ) {
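Review bot: the capability check runs before the `'-'` test, so every tcrules entry, including ones with no LENGTH at all, would require LENGTH_MATCH and fail on a system whose kernel or iptables lacks it (the error text here reads as fatal). Test for the unset column first: `return '' if $length eq '-';` then `require_capability( 'LENGTH_MATCH', ... );` then the `"-m length --length $length "` string. Two smaller points: the comment above the sub says "for the passed TOS" but it is the passed length, and `--length $length` is emitted without validating the column, so a value iptables rejects (anything but `length` or `min:max` within 0..65535) only shows up when the rules are loaded. The `require_capability` and ternary lines are mailer-wrapped as well.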
I have no idea how the $length argument ended up never getting
implemented in shorewall-perl, but stuff happens.
-- 
Len Sorensen
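The bug reported in the post above comes down to one string fragment that never gets appended to the mangle rule. The following Perl, added here as an illustration and not part of Shorewall or of the patch in this thread, assembles the rule for a constructed tcrules entry twice, with the LENGTH column dropped (the shorewall-perl behaviour described above) and honoured, and adds the two checks a reviewer would want around the length match: the capability is only required when a length is actually given, and the column is validated against iptables' `length` / `min:max` syntax (bounds 0..65535) before it is emitted. `require_capability`, `do_proto`, the `%capabilities` table and the sample entry are simplified stand-ins assumed for this example; the real Shorewall::Config and Shorewall::Chains routines do considerably more.

```perl
#!/usr/bin/perl
# Added example, not Shorewall's own code: build the mangle rule for one
# tcrules entry with and without the "-m length" fragment.
use strict;
use warnings;

# Stand-in for Shorewall's detected-capabilities table (assumption; the
# real one is filled in by Shorewall::Config at run time).
my %capabilities = ( LENGTH_MATCH => 1 );

# Stand-in for require_capability(): fatal if the capability is absent.
sub require_capability {
    my ( $capability, $description ) = @_;
    die "$description\n" unless $capabilities{$capability};
}

# Return the iptables length match for a tcrules LENGTH column, or '' when
# the column is '-'. The capability is only required when a length is
# actually used, so entries without LENGTH still work on kernels lacking
# it. iptables takes "length" or "min:max" with bounds in 0..65535; a
# missing bound is filled in here so the emitted rule is always explicit.
sub do_length {
    my $length = shift;

    return '' if $length eq '-';

    my ( $min, $max ) = $length =~ /^(\d*)(?::(\d*))?$/
        or die "Invalid LENGTH ($length)\n";
    die "Invalid LENGTH ($length)\n"
        unless length $min || ( defined $max && length $max );

    if ( defined $max ) {                    # "min:max" form
        $min = 0     if $min eq '';
        $max = 65535 if $max eq '';
        die "Invalid LENGTH ($length)\n" if $max > 65535 || $min > $max;
        $length = ( $min + 0 ) . ':' . ( $max + 0 );
    } else {                                 # single value
        die "Invalid LENGTH ($length)\n" if $min > 65535;
        $length = $min + 0;
    }

    require_capability( 'LENGTH_MATCH',
        'Your kernel and/or iptables does not have length match support.' );

    "-m length --length $length ";
}

# Minimal stand-in for do_proto (assumption; Shorewall's handles much more).
sub do_proto {
    my ( $proto, $ports ) = @_;
    my $rule = $proto eq '-' ? '' : "-p $proto ";
    $rule .= "--dport $ports " if $ports ne '-';
    $rule;
}

# Build the rule for one tcrules entry; $with_length selects whether the
# LENGTH column is honoured (fixed behaviour) or silently dropped (the bug).
sub tcrule {
    my ( $entry, $with_length ) = @_;
    my $match = do_proto( $entry->{proto}, $entry->{ports} );
    $match .= do_length( $entry->{length} ) if $with_length;
    "-A tcpre ${match}-j MARK --set-mark $entry->{mark}";
}

# Constructed tcrules entry: mark DNS packets of at most 128 bytes.
my $entry = { mark => 1, proto => 'udp', ports => 53, length => ':128' };

print "buggy: ", tcrule( $entry, 0 ), "\n";
print "fixed: ", tcrule( $entry, 1 ), "\n";

# With the capability absent, only entries that actually use LENGTH fail.
$capabilities{LENGTH_MATCH} = 0;
print "no LENGTH column: ", tcrule( { %$entry, length => '-' }, 1 ), "\n";
eval { tcrule( $entry, 1 ) };
print "with LENGTH column: $@";
```

Run it with `perl`: the first two lines differ only by `-m length --length 0:128`, which is exactly the fragment the reported bug drops. With the capability cleared, the entry whose LENGTH is `-` still builds, while the one using LENGTH dies with the capability message; checking the capability before the `-` test would instead have failed both.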
Tom Eastep
2008-Oct-15  19:45 UTC
Re: shorewall-perl ignores 'length' parameter in tcrules
Lennart Sorensen wrote:
> I have no idea how the $length argument ended up never getting
> implemented in shorewall-perl, but stuff happens.
>

Ooops... Thanks,

-Tom
-- 
Tom Eastep        \ The ultimate result of shielding men from the
Shoreline,         \ effects of folly is to fill the world with fools.
Washington, USA     \ -Herbert Spencer
http://shorewall.net \________________________________________________