dimikot / vzfirewall

vzfirewall is an extremely simple tool to configure opened ports and hosts for incoming connections in OpenVZ environment
GNU Lesser General Public License v2.1

parse single-quotes #1

Closed jnorell closed 10 years ago

jnorell commented 10 years ago

Need to add the ability to handle single quotes in custom rules so you can use logging, e.g. -j LOG --log-prefix 'iptables denied: '. Right now the custom rule parser doesn't handle the single quotes; vzfirewall just prints an error. E.g., here's my actual attempt:

# vzfirewall -a
--DIFF--
42a43
> -A ntpblackhole -m limit --limit 5/min -j LOG --log-prefix 'iptables ntp blackhole: ' --log-level 7
Testing new rules...
Bad argument `ntp'
Error occurred at line: 43
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Test failed. Apply nothing.

Using double quotes breaks the parser entirely (of course). An alternative to understanding single quotes would be to allow escaping the space chars with backslashes, or one could even implement variable definition/substitution. Whatever is easiest...

Thanks

dimikot commented 10 years ago

If I understand you correctly, iptables-restore < /etc/sysconfig/iptables (for example) does not recognize single quotes and requires using double quotes only in /etc/sysconfig/iptables?

If yes, why not s/'/"/sg in the vzfirewall code immediately after reading the FIREWALL="..." section in *.conf?

jnorell commented 10 years ago

That appears to be correct: iptables-save will write such a line with double quotes, and iptables-restore can read that; change the double quotes to single and it breaks.

Your idea there may work, possibly with some caveats such as "don't use single quotes inside your log messages" (e.g. -j LOG --log-prefix 'this isn't going to work' (note the ' in isn't)). I don't know if quotes are used anywhere else... nothing comes to mind offhand.

dimikot commented 10 years ago

I think we may ignore the case with "isn't", because it's very rare. So, will you add this patch to your pull request as well?..

jnorell commented 10 years ago

That substitution was added to my most recent commit. It tests out fine with my original rule (above).
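The substitution agreed in this thread, and the apostrophe caveat raised in it, as an added stand-alone illustration (Python, not vzfirewall's own Perl code): the blind s/'/"/g rewrite is shown on the reporter's rule and on the "isn't" case, with a fail-closed pre-check that refuses a rule the rewrite would mangle. Both rule strings are constructed samples taken from the comments above; shlex is assumed as a stand-in for iptables-restore's double-quote-aware line reader.

```python
import shlex
from typing import List, Optional

# Constructed sample: the custom rule from the issue report above.
RULE_OK = ("-A ntpblackhole -m limit --limit 5/min -j LOG "
           "--log-prefix 'iptables ntp blackhole: ' --log-level 7")
# Constructed sample: the caveat case, an apostrophe inside the log message.
RULE_APOSTROPHE = "-A INPUT -j LOG --log-prefix 'this isn't going to work'"


def requote(rule: str) -> str:
    """The substitution agreed in the thread (s/'/"/g): every single quote
    becomes a double quote, so the line looks like iptables-save output."""
    return rule.replace("'", '"')


def tokens_after_blind_rewrite(rule: str) -> Optional[List[str]]:
    """Tokenise the rewritten line with a double-quote-aware splitter.
    shlex in POSIX mode stands in for iptables-restore's reader here (an
    assumption; the real one is C). None means the line no longer parses."""
    try:
        return shlex.split(requote(rule))
    except ValueError:
        return None


def convert_custom_rule(rule: str) -> List[str]:
    """Fail-closed version of the fix: refuse rules the blind rewrite would
    mangle instead of handing iptables-restore a line it will reject."""
    if '"' in rule:
        raise ValueError("double quote in rule: indistinguishable from a "
                         "rewritten single quote")
    if rule.count("'") % 2:
        raise ValueError("odd number of single quotes: apostrophe inside a "
                         "quoted message, or an unclosed quote")
    tokens = tokens_after_blind_rewrite(rule)
    if tokens is None:
        raise ValueError("rewritten rule does not tokenise")
    return tokens


if __name__ == "__main__":
    print(requote(RULE_OK))
    print(convert_custom_rule(RULE_OK))
    print(tokens_after_blind_rewrite(RULE_APOSTROPHE))  # None: mangled
    try:
        convert_custom_rule(RULE_APOSTROPHE)
    except ValueError as exc:
        print("rejected:", exc)
```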