Additional refinements of check_state()

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-02-06 08:16:42 -08:00
parent 11b976fb36
commit a66256b25b

View File

@ -1508,6 +1508,8 @@ sub dropNotSyn ( $$$$ ) {
sub rejNotSyn ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
warning_message "rejNotSyn is deprecated in favor of NotSyn(REJECT)";
my $target = 'REJECT --reject-with tcp-reset';
if ( supplied $audit ) {
@ -1521,6 +1523,8 @@ sub rejNotSyn ( $$$$ ) {
sub dropInvalid ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
warning_message "dropInvalid is deprecated in favor of Invalid(DROP)";
my $target = require_audit( 'DROP', $audit );
log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
@ -1530,6 +1534,8 @@ sub dropInvalid ( $$$$ ) {
sub allowInvalid ( $$$$ ) {
my ($chainref, $level, $tag, $audit) = @_;
warning_message "allowInvalid is deprecated in favor of Invalid(ACCEPT)";
my $target = require_audit( 'ACCEPT', $audit );
log_rule_limit $level, $chainref, 'allowInvalid' , 'ACCEPT', '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
@ -2670,10 +2676,14 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
}
sub check_state( $ );
#
# Check the passed connection state for conflict with the current section
#
# Returns true of the state is compatible with the section
# Returns non-zero value if the state is compatible with the section:
#
# 1: Emit the rule with state match
# 2: Emit the rule without
#
sub check_state( $ ) {
my $state = $_[0];
@ -2689,8 +2699,22 @@ sub check_state( $ ) {
return 0;
}
my $chainref = $actparms{0};
my $name = $chainref->{name};
my $statechainref;
if ( $name =~ /^([+_&])/ ) {
#
# This is a state chain
#
return $state eq 'RELATED' ? 2 : 0 if $_ eq '+';
return $state eq 'INVALID' ? 2 : 0 if $_ eq '_';
return $state eq 'UNTRACKED' ? 2 : 0;
}
my $sectionref = $chainref->{sections};
if ( $state eq 'ESTABLISHED' ) {
my $sectionref = $actparms{0}->{sections};
return ( $sectionref && $sectionref->{$state} ) ? 0 : $section == ESTABLISHED_SECTION ? 2 : 1;
}
@ -2698,32 +2722,37 @@ sub check_state( $ ) {
#
# One of the states that has its own state chain -- get the current action's chain
#
my $chainref = $actparms{0};
#
# See if we've passed the section associated with this STATE
#
if ( my $sectionref = $chainref->{sections} ) {
if ( $sectionref->{$state} ) {
if ( $sectionref && $sectionref->{$state} ) {
#
# We're past that section -- see if there was a separate state chain
#
if ( my $statechainref = $filter_table->{"$statetable{$state}[0]$chainref->{name}"} ) {
#
# We're past that section -- see if there was a separate state chain
# There was -- if the chain had a RETURN then we will emit the current rule; otherwise we won't
#
if ( my $statechainref = $filter_table->{"$statetable{$state}[0]$chainref->{name}"} ) {
#
# There was -- if the chain had a RETURN then we will emit the current rule; otherwise we won't
#
return has_return( $statechainref ) ? 1 : 0;
} else {
#
# There wasn't -- suppress the current rule
#
return 0;
}
return has_return( $statechainref ) ? 1 : 0;
} else {
#
# There wasn't -- suppress the current rule
#
return 0;
}
}
}
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
$state =~ /^(?:INVALID|UNTRACKED|NEW)$/;
if ( $state eq 'NEW' ) {
#
# If an INVALID or UNTRACKED rule would be emitted then we must include the state match
#
for ( qw/INVALID UNTRACKED/ ) {
return 1 if check_state( $_ );
}
2;
} else {
$state =~ /^(?:INVALID|UNTRACKED)$/;
}
} else {
$state eq $section_rmap{$section} ? 2 : 1;
}