Back out changes for reject processing

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@589 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-27 01:53:27 +01:00 · 2003-06-11 23:57:35 +00:00 · 2003-06-11 23:57:35 +00:00 · 4e26bb4ba4
commit 4e26bb4ba4
parent 3bb2d171ae
3 changed files with 8 additions and 48 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -8,8 +8,6 @@ Changes since 1.4.4b
   rule will take effect only if the original destination address in
   the connection request does not match any of the addresses listed.

-3) Create two reject chains -- one for use from INPUT and the other for
-   use from FORWARD and OUTPUT.



--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -749,10 +749,6 @@ validate_policy()
 	eval ${chain}_policy=$policy
 	eval ${chain}_loglevel=$loglevel
 	eval ${chain}_synparams=$synparams
-	
-	if [ $server = $FW ]; then
-	    eval ${chain}_is_input=Yes
-	fi

 	if [ -n "${clientwild}" ]; then
 	    if [ -n "${serverwild}" ]; then
@ -1968,7 +1964,6 @@ add_nat_rule() {
 add_a_rule()
 {
    local natrule=
-    local is_input=

    # Set source variables. The 'cli' variable will hold the client match predicate(s).

@ -2063,8 +2058,7 @@ add_a_rule()

    case "$logtarget" in
 	REJECT)
-	    eval is_input=\$${chain}_is_input
-	    [ -z "$is_input" ] && target=reject || target=rejecti
+	    target=reject
 	    [ -n "$servport" ] && \
 		fatal_error "Server port may not be specified in a REJECT rule;"\
                            "rule: \"$rule\""
@ -2297,10 +2291,6 @@ process_rule() # $1 = target
 	[ $command = check ] || ensurechain $chain
    fi

-    if [ $dest = $FW ]; then
-	eval ${chain}_is_input=Yes
-    fi
-
    # Generate Netfilter rule(s)

    if [ -n "$MULTIPORT" -a \
@ -2641,7 +2631,6 @@ policy_rules() # $1 = chain to add rules to
 	       # $3 = loglevel
 {
    local target="$2"
-    local is_input

    case "$target" in
    ACCEPT)
@ -2652,8 +2641,7 @@ policy_rules() # $1 = chain to add rules to
 	;;
    REJECT)
 	run_iptables -A $1 -j common
-	eval is_input=\$${1}_is_input
-	[ -z "$is_input" ] && target=reject || target=rejecti
+	target=reject
 	;;
    CONTINUE)
 	target=
@ -3329,23 +3317,17 @@ initialize_netfilter () {

    createchain icmpdef no
    createchain common	no
-    createchain reject  no
-    createchain rejecti	no
+    createchain reject	no
    createchain dynamic no

-    INPUT_is_input=Yes
-
    if [ -f /var/lib/shorewall/save ]; then
 	echo "Restoring dynamic rules..."

 	while read target ignore1 ignore2 address rest; do
 	    case $target in
-	    DROP)
+	    DROP|reject)
 		run_iptables2 -A dynamic -s $address -j $target
 		;;
-	    reject*)
-		run_iptables2 -A dynamic -s $address -j $reject
-		;;
 	    *)
 		;;
 	esac
@ -3402,20 +3384,7 @@ add_common_rules() {
    #
    # Reject Rules
    #
-    run_iptables -A rejecti -p tcp -j REJECT --reject-with tcp-reset
-    run_iptables -A rejecti -p udp  -j REJECT
-    #
-    # Not all versions of iptables support these so don't complain if they don't work
-    #
-    qt iptables  -A rejecti -p icmp -j REJECT --reject-with icmp-host-unreachable
-    if ! qt iptables -A rejecti -j REJECT --reject-with icmp-host-prohibited; then
-	#
-	# In case the above doesn't work
-	#
-	run_iptables -A rejecti -j REJECT
-    fi
-
-    run_iptables -A reject -p tcp  -j REJECT
+    run_iptables -A reject -p tcp  -j REJECT --reject-with tcp-reset
    run_iptables -A reject -p udp  -j REJECT
    #
    # Not all versions of iptables support these so don't complain if they don't work
@ -3582,7 +3551,7 @@ add_common_rules() {
 	    
 	    case $TCP_FLAGS_DISPOSITION in
 		REJECT)
-		    run_iptables -A logflags -p tcp -j REJECT --reject-with tcp-reset
+		    run_iptables -A logflags -j REJECT --reject-with tcp-reset
 		    ;;
 		*)
 		    run_iptables -A logflags -j $TCP_FLAGS_DISPOSITION
@ -4535,11 +4504,11 @@ do_initialize() {

    NEWNOTSYN=`added_param_value_yes NEWNOTSYN $NEWNOTSYN`

+    maclist_target=reject

    if [ -n "$MACLIST_DISPOSITION" ] ; then
 	case $MACLIST_DISPOSITION in
 	    REJECT)
-		maclist_target=reject
 		;;
 	    ACCEPT|DROP)
 		maclist_target=$MACLIST_DISPOSITION
@ -4549,7 +4518,7 @@ do_initialize() {
 		;;
 	esac
    else
-	MACLIST_DISPOSITION=reject
+	MACLIST_DISPOSITION=REJECT
    fi

    if [ -n "$TCP_FLAGS_DISPOSITION" ] ; then
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -5,13 +5,6 @@ Problems Corrected:
 1) The command "shorewall debug try <directory>" now correctly traces
   the attempt.

-2) Shorewall now works properly with RedHat errata kernels and
-   2.4.21-rc1. In these kernels, the REJECT target with "--reject-with
-   tcp-reset" behaves like DROP when invoked on a packet that is being
-   forwarded by the firewall. Shorewall now only uses that target when
-   it is certain that the run will not be invoked on packets whose
-   destination is another host.
-
 New Features:

 1) The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] rule may now