Handle 'RETURN' in state chain with terminating disposition.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent
3757607356
commit
615df6ab8f
@ -72,6 +72,7 @@ our @EXPORT = ( qw(
|
|||||||
allow_move
|
allow_move
|
||||||
set_optflags
|
set_optflags
|
||||||
reset_optflags
|
reset_optflags
|
||||||
|
has_return
|
||||||
dont_optimize
|
dont_optimize
|
||||||
dont_delete
|
dont_delete
|
||||||
dont_move
|
dont_move
|
||||||
@ -2211,6 +2212,14 @@ sub set_optflags( $$ ) {
|
|||||||
$chainref;
|
$chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Return true if the passed chain has a RETURN rule.
|
||||||
|
#
|
||||||
|
|
||||||
|
sub has_return( $ ) {
|
||||||
|
$_[0]->{optflags} & RETURNS;
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Reset the dont_optimize flag for a chain
|
# Reset the dont_optimize flag for a chain
|
||||||
#
|
#
|
||||||
|
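Review bot: The comment above `has_return` promises "has a RETURN rule", but the body only tests the `RETURNS` bit of `optflags`, so the answer is only as accurate as the code that sets that bit, which is outside this hunk. Because the caller added elsewhere in this commit uses the result to decide whether a rule is emitted at all, I would state the dependency, e.g. `# True if the RETURNS optflag is set; relies on that flag being set whenever a RETURN rule is added to the chain.` The sub also returns the masked bits rather than 1/0, so it is only safe in boolean context, which is worth saying in the same comment.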
@ -2685,21 +2685,47 @@ sub check_state( $ ) {
|
|||||||
for ( split ',', $blacklist_states ) {
|
for ( split ',', $blacklist_states ) {
|
||||||
return 1 if $_ eq $state;
|
return 1 if $_ eq $state;
|
||||||
}
|
}
|
||||||
} else {
|
|
||||||
if ( ( $state eq 'ESTABLISHED' ) ||
|
|
||||||
( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_TARGET"} ) ) {
|
|
||||||
my $sectionref = $actparms{0}->{sections};
|
|
||||||
|
|
||||||
if ( $sectionref ) {
|
return 0;
|
||||||
return 0 if $sectionref->{$state};
|
}
|
||||||
|
|
||||||
|
if ( $state eq 'ESTABLISHED' ) {
|
||||||
|
my $sectionref = $actparms{0}->{sections};
|
||||||
|
return ( $sectionref && $sectionref->{$state} ) ? 0 : $section == ESTABLISHED_SECTION ? 2 : 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_TARGET"} ) {
|
||||||
|
#
|
||||||
|
# One of the states that has its own state chain -- get the current action's chain
|
||||||
|
#
|
||||||
|
my $chainref = $actparms{0};
|
||||||
|
#
|
||||||
|
# See if we've passed the section associated with this STATE
|
||||||
|
#
|
||||||
|
if ( my $sectionref = $chainref->{sections} ) {
|
||||||
|
if ( $sectionref->{$state} ) {
|
||||||
|
#
|
||||||
|
# We're past that section -- see if there was a separate state chain
|
||||||
|
#
|
||||||
|
if ( my $statechainref = $filter_table->{"$statetable{$state}{char}$chainref->{name}"} ) {
|
||||||
|
#
|
||||||
|
# There was -- if the chain had a RETURN then we will emit the current rule; otherwise we won't
|
||||||
|
#
|
||||||
|
return has_return( $statechainref ) ? 1 : 0;
|
||||||
|
} else {
|
||||||
|
#
|
||||||
|
# There wasn't -- suppress the current rule
|
||||||
|
#
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
|
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
|
||||||
return ( $state =~ /^(?:INVALID|UNTRACKED|NEW)$/ );
|
$state =~ /^(?:INVALID|UNTRACKED|NEW)$/;
|
||||||
} else {
|
} else {
|
||||||
return $state eq $section_rmap{$section} ? 2 : 1;
|
$state eq $section_rmap{$section} ? 2 : 1;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
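Review bot: The new `ESTABLISHED` branch returns before the `NEW_SECTION | DEFAULTACTION_SECTION` test is reached, so in those sections it now yields 1 where the removed code, as far as this rendering shows, fell through to the state regex and yielded false; please confirm that change is intended. The suppression path (`return has_return( $statechainref ) ? 1 : 0;` and the `return 0;` after it) drops the current rule on the assumption that the state chain disposes of every packet in that state, yet the hunk only checks that `$globals{"${state}_TARGET"}` is true. A comment stating that invariant would help, because a silently omitted filter rule is hard to spot in the generated ruleset. The last `if`/`else` also loses its explicit `return` and now relies on the value of the last evaluated expression; I would keep `return $state eq $section_rmap{$section} ? 2 : 1;` to match every other exit. `check_state` begins above the hunk.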