Ensure that the REJECT_ACTION is terminating

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-04-07 09:34:38 -07:00
parent 87a9b95f73
commit 70bbd21b35
3 changed files with 19 additions and 3 deletions


@ -286,6 +286,7 @@ our %EXPORT_TAGS = (
create_chainlist_reload
create_stop_load
initialize_switches
terminating
%targets
%builtin_target
%dscpmap
@ -808,14 +809,13 @@ sub initialize( $$$ ) {
NETMAP => 1,
NFQUEUE => 1,
NOTRACK => 1,
REDIRECT => 1,
RAWDNAT => 1,
REDIRECT => 1,
RAWSNAT => 1,
REJECT => 1,
SAME => 1,
SNAT => 1,
TPROXY => 1,
reject => 1,
);
#
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@ -842,6 +842,15 @@ sub make_terminating( $ ) {
$terminating{$_[0]} = 1;
}
#
# Determine if a chain is terminating
#
sub terminating( $ ) {
my ( $chainref ) = @_;
return $chainref->{complete} && ! ( $chainref->{optflags} & RETURNS );
}
#
# Transform the passed iptables rule into an internal-form hash reference.
# Most of the compiler has been converted to use the new form natively.
@ -7749,7 +7758,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
if ( $targetref ) {
add_expanded_jump( $chainref ,
$targetref ,
$targetref->{complete} && ! ( $targetref->{optflags} & RETURNS ),
terminating( $targetref ) ,
$prerule . $matches );
} else {
add_rule( $chainref, $prerule . $matches . $jump , 1 );
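Review bot: The header comment on the new `terminating()` sub says only that it determines whether a chain is terminating, which is easy to confuse with the `%terminating` hash that `make_terminating` fills with target names directly above it; the two track different things (a target name versus a chain reference's flags). Since the sub is now exported via the EXPORT_TAGS entry and used from other modules, the comment should spell out the test: `# Determine if a chain is terminating: it is complete and its optflags do not include RETURNS` (presumably meaning none of its rules hand the packet back to the calling chain, but what `complete` guarantees is not visible here and should be confirmed). The replacement in expand_rule is the same expression as before, so that change is fine; expand_rule's body starts and ends outside the hunk.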


@ -677,6 +677,7 @@ sub add_common_rules ( $ ) {
if ( $config{REJECT_ACTION} ) {
process_reject_action;
fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
} else {
if ( have_capability( 'ADDRTYPE' ) ) {
add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
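Review bot: `fatal_eror` on the new line in add_common_rules is misspelled; `use strict` does not catch a parenthesised call to an undefined sub at compile time, so a non-terminating REJECT_ACTION would abort the compile with an "Undefined subroutine" error instead of the intended diagnostic. It should read `fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );`. The check itself is worth keeping as is: a reject chain that can RETURN would presumably let traffic meant to be rejected continue into later rules of the calling chain, so failing the compile is the right response. add_common_rules begins and ends outside the hunk.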


@ -2193,6 +2193,10 @@ sub use_policy_action( $$ ) {
sub process_reject_action() {
my $rejectref = $filter_table->{reject};
my $action = $config{REJECT_ACTION};
#
# This gets called very early in the compilation process so we fake the section
#
$section = NEW_SECTION;
if ( ( $targets{$action} || 0 ) == ACTION ) {
add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} );
@ -2221,6 +2225,8 @@ sub process_reject_action() {
0, #Wildcard
);
}
$section = '';
}
################################################################################
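Review bot: process_reject_action sets `$section = NEW_SECTION;` at the top and then unconditionally resets it to `''` at the bottom, which assumes the previous value was empty; the new comment says the sub runs very early, so that holds today, but saving and restoring the prior value costs nothing and protects against a later caller. If `$section` is a package variable, `local $section = NEW_SECTION;` in place of the first assignment does the restore automatically (including on an early exit) and the trailing `$section = '';` can go; if it is a file lexical, use `my $saved_section = $section;` before the assignment and `$section = $saved_section;` at the end. The middle of the sub between the two hunks is not shown.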