From 70bbd21b35d4325755985485395f4a3faabd177a Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 7 Apr 2016 09:34:38 -0700 Subject: [PATCH] Ensure that the REJECT_ACTION is terminating Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 15 ++++++++++++--- Shorewall/Perl/Shorewall/Misc.pm | 1 + Shorewall/Perl/Shorewall/Rules.pm | 6 ++++++ 3 files changed, 19 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index a8341354d..7ad8f0cc7 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -286,6 +286,7 @@ our %EXPORT_TAGS = ( create_chainlist_reload create_stop_load initialize_switches + terminating %targets %builtin_target %dscpmap @@ -808,14 +809,13 @@ sub initialize( $$$ ) { NETMAP => 1, NFQUEUE => 1, NOTRACK => 1, - REDIRECT => 1, RAWDNAT => 1, + REDIRECT => 1, RAWSNAT => 1, REJECT => 1, SAME => 1, SNAT => 1, TPROXY => 1, - reject => 1, ); # # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined. @@ -842,6 +842,15 @@ sub make_terminating( $ ) { $terminating{$_[0]} = 1; } +# +# Determine if a chain is terminating +# +sub terminating( $ ) { + my ( $chainref ) = @_; + + return $chainref->{complete} && ! ( $chainref->{optflags} & RETURNS ); +} + # # Transform the passed iptables rule into an internal-form hash reference. # Most of the compiler has been converted to use the new form natively. @@ -7749,7 +7758,7 @@ sub expand_rule( $$$$$$$$$$$$;$ ) if ( $targetref ) { add_expanded_jump( $chainref , $targetref , - $targetref->{complete} && ! ( $targetref->{optflags} & RETURNS ), + terminating( $targetref ) , $prerule . $matches ); } else { add_rule( $chainref, $prerule . $matches . $jump , 1 ); diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm index e74d313ee..4aede92d0 100644 --- a/Shorewall/Perl/Shorewall/Misc.pm 
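Review bot: Removing `reject => 1` from the target table initialised in this hunk (presumably `%terminating`, given `make_terminating` just below) means a jump to the lowercase `reject` chain is no longer statically terminating; it now has to qualify through the new `terminating()` predicate, i.e. the chain must be flagged `complete` with no `RETURNS` optflag. That holds for the REJECT_ACTION path, which the Misc.pm change now validates, but the reject chain built in the `else` branch of add_common_rules (DROP/REJECT jumps, outside this diff) must also end in an unconditional terminating rule that marks the chain complete, or the optimiser will start treating jumps to `reject` as fall-through. Worth confirming that branch, and worth a one-line comment on the removal such as `# 'reject' is no longer assumed terminating; see terminating() and the REJECT_ACTION check in add_common_rules.`. The `REDIRECT`/`RAWDNAT` swap is purely cosmetic reordering, and initialize() continues outside the hunk.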
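Review bot: The header comment on the new `terminating( $ )` only says "Determine if a chain is terminating"; since this predicate now decides whether jumps (including the REJECT_ACTION's reject chain) are treated as terminating by expand_rule, it should state the criterion so callers know what `complete` and `RETURNS` mean here. Suggested: `# A chain ref is terminating when the chain is complete (presumably: ends in an unconditional terminating rule) and none of its rules RETURN (optflags & RETURNS), so a jump to it never falls back into the caller.`. It would also help to note that the argument is a chain/target hashref, not a target name as with `make_terminating` directly above, since the two similarly named routines answer different questions. The expand_rule call site in the last hunk substitutes exactly the inlined expression, so behaviour there is unchanged.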
+++ b/Shorewall/Perl/Shorewall/Misc.pm @@ -677,6 +677,7 @@ sub add_common_rules ( $ ) { if ( $config{REJECT_ACTION} ) { process_reject_action; + fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref ); } else { if ( have_capability( 'ADDRTYPE' ) ) { add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST'; diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index bff533997..6437639d2 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm @@ -2193,6 +2193,10 @@ sub use_policy_action( $$ ) { sub process_reject_action() { my $rejectref = $filter_table->{reject}; my $action = $config{REJECT_ACTION}; + # + # This gets called very early in the compilation process so we fake the section + # + $section = NEW_SECTION; if ( ( $targets{$action} || 0 ) == ACTION ) { add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} ); @@ -2221,6 +2225,8 @@ sub process_reject_action() { 0, #Wildcard ); } + + $section = ''; } ################################################################################
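Review bot: The added check calls `fatal_eror(...)`, which looks like a typo for `fatal_error` (the Shorewall diagnostic routine used elsewhere); because Perl resolves sub names at run time and the call has parentheses, `use strict` will not catch it, so the compiler dies with "Undefined subroutine &Shorewall::Misc::fatal_eror" precisely when the REJECT_ACTION is non-terminating, instead of the intended message. This is the security-relevant part of the change: a non-terminating reject chain lets traffic the policy meant to reject fall back into the calling chain's remaining rules (fail-open), so the diagnostic must actually fire. Proposed line: `fatal_error( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );`. `$rejectref` is declared outside the hunk and the enclosing add_common_rules body continues beyond it.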
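Review bot: `$section = NEW_SECTION;` is assigned as a plain global and reset to `''` only by the second hunk at the end of process_reject_action, so the restore depends on every path through the body (not visible between the two hunks) reaching that line, and it assumes the prior value was the empty string rather than restoring what was there. If `$section` is a package variable (`our`), `local $section = NEW_SECTION;` scopes the override to the sub and makes the trailing `$section = '';` unnecessary; if it is a file lexical, save and restore it instead, `my $saved_section = $section;` before the assignment and `$section = $saved_section;` at the end. The comment could also say why a section is needed so early, e.g. `# The rule-adding paths below are section-aware and expect a current section; none has been set this early in compilation.`, if that is the reason. The sub's body between the hunks is outside this view.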