Don't pass '-j' in target arg to expand_rule()
- use the target to locate chain for reference tracking Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
15fbbdaac7
commit
12f48e1b97
@ -86,7 +86,7 @@ sub process_accounting_rule( ) {
|
||||
$jumpchainref = ensure_accounting_chain( $jumpchain, 0 );
|
||||
check_chain( $jumpchainref );
|
||||
$disposition = $jumpchain;
|
||||
"-j $jumpchain";
|
||||
$jumpchain;
|
||||
}
|
||||
|
||||
my $target = '';
|
||||
@ -101,7 +101,7 @@ sub process_accounting_rule( ) {
|
||||
|
||||
unless ( $action eq 'COUNT' ) {
|
||||
if ( $action eq 'DONE' ) {
|
||||
$target = '-j RETURN';
|
||||
$target = 'RETURN';
|
||||
} else {
|
||||
( $action, my $cmd ) = split /:/, $action;
|
||||
if ( $cmd ) {
|
||||
|
@ -58,7 +58,7 @@ our @EXPORT = qw( merge_levels
|
||||
$macro_commands
|
||||
);
|
||||
our @EXPORT_OK = qw( initialize );
|
||||
our $VERSION = '4.4_12';
|
||||
our $VERSION = '4.4_13';
|
||||
|
||||
#
|
||||
# Used Actions. Each action that is actually used has an entry with value 1.
|
||||
@ -636,7 +636,7 @@ sub process_action( $$$$$$$$$$$ ) {
|
||||
$source ,
|
||||
$dest ,
|
||||
'', #Original Dest
|
||||
$action ? "-j $action" : '',
|
||||
$action ,
|
||||
$level ,
|
||||
$action ,
|
||||
'' );
|
||||
|
@ -3161,7 +3161,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
$source, # SOURCE
|
||||
$dest, # DEST
|
||||
$origdest, # ORIGINAL DEST
|
||||
$target, # Target ('-j' part of the rule)
|
||||
$target, # Target ('-j' part of the rule - may be empty)
|
||||
$loglevel , # Log level (and tag)
|
||||
$disposition, # Primtive part of the target (RETURN, ACCEPT, ...)
|
||||
$exceptionrule,# Caller's matches used in exclusion case
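Review bot: The updated parameter comment `$target, # Target ('-j' part of the rule - may be empty)` still calls the argument the '-j' part, but after this commit callers pass the bare chain or target name and expand_rule prepends the jump itself (`my $jump = $target ? '-j ' . $target : '';` in the following hunk). I would make the comment match the new convention, e.g. `$target, # Target (chain or target name plus options, without '-j' - may be empty)`. The parameter list belongs to expand_rule, whose declaration continues outside the hunk.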
|
||||
@ -3170,6 +3170,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
my ($iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl );
|
||||
my $chain = $chainref->{name};
|
||||
my $jump = $target ? '-j ' . $target : '';
|
||||
|
||||
our @ends = ();
|
||||
#
|
||||
@ -3533,7 +3534,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Generate Final Rule
|
||||
#
|
||||
add_rule( $fromref = $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
|
||||
add_rule $fromref = $echainref, $exceptionrule . $jump , 1 unless $disposition eq 'LOG';
|
||||
} else {
|
||||
#
|
||||
# No exclusions
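Review bot: The rewritten line `add_rule $fromref = $echainref, $exceptionrule . $jump , 1 unless $disposition eq 'LOG';` drops the parentheses the old line had, while the sibling calls changed in the same commit further down in expand_rule (`add_rule( $fromref = $chainref, $matches . $jump, 1 );`) keep them; a bare list-operator call also relies on add_rule being declared earlier in the file, which is not visible here. For consistency I would keep `add_rule( $fromref = $echainref, $exceptionrule . $jump, 1 ) unless $disposition eq 'LOG';`. The surrounding if/else and expand_rule's body extend outside the hunk.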
|
||||
@ -3552,13 +3553,13 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
|
||||
if ( $loglevel ne '' ) {
|
||||
if ( $disposition ne 'LOG' ) {
|
||||
unless ( $logname || $target =~ /-j RETURN\b/ ) {
|
||||
unless ( $logname || $target =~ /^RETURN\b/ ) {
|
||||
#
|
||||
# Find/Create a chain that both logs and applies the target action
|
||||
# and jump to the log chain if all of the rule's conditions are met
|
||||
#
|
||||
add_jump( $chainref,
|
||||
logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $target ),
|
||||
logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $jump ),
|
||||
$builtin_target{$disposition},
|
||||
$matches,
|
||||
1 );
|
||||
@ -3573,7 +3574,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
'add',
|
||||
$matches );
|
||||
|
||||
add_rule( $fromref = $chainref, $matches . $target, 1 );
|
||||
add_rule( $fromref = $chainref, $matches . $jump, 1 );
|
||||
}
|
||||
} else {
|
||||
#
|
||||
@ -3594,7 +3595,7 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# No logging -- add the target rule with matches to the rule chain
|
||||
#
|
||||
add_rule( $fromref = $chainref, $matches . $target , 1 );
|
||||
add_rule( $fromref = $chainref, $matches . $jump , 1 );
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -3603,8 +3604,8 @@ sub expand_rule( $$$$$$$$$$;$ )
|
||||
#
|
||||
# Mark Target as referenced, if it's a chain
|
||||
#
|
||||
if ( $fromref && $disposition ) {
|
||||
my $targetref = $chain_table{$chainref->{table}}{$disposition};
|
||||
if ( $fromref && $target ) {
|
||||
my $targetref = $chain_table{$chainref->{table}}{$target};
|
||||
if ( $targetref ) {
|
||||
$targetref->{referenced} = 1;
|
||||
add_reference $fromref, $targetref;
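Review bot: The reference-tracking lookup `my $targetref = $chain_table{$chainref->{table}}{$target};` now keys on the whole target string, and several callers touched by this commit pass a target that carries options or trailing whitespace (`'MASQUERADE '`, `"SNAT --to-source $variable"`, `"$target $mark"` in process_tc_rule), so a user chain passed with a trailing argument would silently no longer be marked referenced where the old `$disposition` lookup found it. Whether any caller actually passes a chain name that way is not visible from these hunks. If only the leading chain-name token is meant to match, strip the rest before the lookup: `( my $targetname = $target ) =~ s/\s.*//s;` and then `my $targetref = $chain_table{$chainref->{table}}{$targetname};`. The enclosing if block and expand_rule's body continue outside the hunk.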
|
||||
|
@ -125,7 +125,7 @@ sub process_one_masq( )
|
||||
|
||||
for my $fullinterface (split_list $interfacelist, 'interface' ) {
|
||||
my $rule = '';
|
||||
my $target = '-j MASQUERADE ';
|
||||
my $target = 'MASQUERADE ';
|
||||
#
|
||||
# Isolate and verify the interface part
|
||||
#
|
||||
@ -171,7 +171,7 @@ sub process_one_masq( )
|
||||
fatal_error "The SAME target is no longer supported";
|
||||
} elsif ( $addresses eq 'detect' ) {
|
||||
my $variable = get_interface_address $interface;
|
||||
$target = "-j SNAT --to-source $variable";
|
||||
$target = "SNAT --to-source $variable";
|
||||
|
||||
if ( interface_is_optional $interface ) {
|
||||
add_commands( $chainref,
|
||||
@ -181,13 +181,13 @@ sub process_one_masq( )
|
||||
$detectaddress = 1;
|
||||
}
|
||||
} elsif ( $addresses eq 'NONAT' ) {
|
||||
$target = '-j RETURN';
|
||||
$target = 'RETURN';
|
||||
$add_snat_aliases = 0;
|
||||
} else {
|
||||
my $addrlist = '';
|
||||
for my $addr ( split_list $addresses , 'address' ) {
|
||||
if ( $addr =~ /^.*\..*\..*\./ ) {
|
||||
$target = '-j SNAT ';
|
||||
$target = 'SNAT ';
|
||||
my ($ipaddr, $rest) = split ':', $addr;
|
||||
if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
|
||||
validate_range( $1, $2 );
|
||||
|
@ -64,7 +64,7 @@ sub process_notrack_rule( $$$$$$ ) {
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
'-j NOTRACK' ,
|
||||
'NOTRACK' ,
|
||||
'' ,
|
||||
'NOTRACK' ,
|
||||
'' ;
|
||||
|
@ -148,7 +148,7 @@ sub process_tos() {
|
||||
$src ,
|
||||
$dst ,
|
||||
'' ,
|
||||
"-j TOS --set-tos $tos" ,
|
||||
"TOS --set-tos $tos" ,
|
||||
'' ,
|
||||
'TOS' ,
|
||||
'';
|
||||
@ -277,7 +277,7 @@ sub setup_blacklist() {
|
||||
$direction eq 'from' ? $networks : '',
|
||||
$direction eq 'to' ? $networks : '',
|
||||
'' ,
|
||||
"-j $target" ,
|
||||
$target ,
|
||||
'' ,
|
||||
$target ,
|
||||
'' );
|
||||
@ -1299,7 +1299,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
|
||||
if ( $actiontype & REDIRECT ) {
|
||||
fatal_error "A server IP address may not be specified in a REDIRECT rule" if $server;
|
||||
$target = '-j REDIRECT ';
|
||||
$target = 'REDIRECT ';
|
||||
$target .= "--to-port $serverport " if $serverport;
|
||||
if ( $origdest eq '' || $origdest eq '-' ) {
|
||||
$origdest = ALLIP;
|
||||
@ -1323,7 +1323,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
}
|
||||
|
||||
if ( $action eq 'DNAT' ) {
|
||||
$target = '-j DNAT ';
|
||||
$target = 'DNAT ';
|
||||
if ( $server ) {
|
||||
$serverport = ":$serverport" if $serverport;
|
||||
for my $serv ( split /,/, $server ) {
|
||||
@ -1429,7 +1429,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
'', # Source
|
||||
'', # Dest
|
||||
'', # Original dest
|
||||
'-j ACCEPT',
|
||||
'ACCEPT',
|
||||
$loglevel,
|
||||
$log_action,
|
||||
'',
|
||||
@ -1447,7 +1447,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
$source ,
|
||||
$dest ,
|
||||
$origdest ,
|
||||
"-j $tgt",
|
||||
$tgt,
|
||||
$loglevel ,
|
||||
$log_action ,
|
||||
'' ,
|
||||
@ -1493,7 +1493,7 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
|
||||
$source ,
|
||||
$dest ,
|
||||
$origdest ,
|
||||
$action ? "-j $action " : '' ,
|
||||
$action ,
|
||||
$loglevel ,
|
||||
$log_action ,
|
||||
'' );
|
||||
|
@ -391,9 +391,9 @@ sub process_tc_rule( ) {
|
||||
$source ,
|
||||
$dest ,
|
||||
'' ,
|
||||
"-j $target $mark" ,
|
||||
"$target $mark" ,
|
||||
'' ,
|
||||
'' ,
|
||||
$target ,
|
||||
'' ) )
|
||||
&& $device ) {
|
||||
#
|
||||
|