Revise the unreachable warning stuff.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
2d8078033c
commit
adf51d0059
@ -125,6 +125,7 @@ our %EXPORT_TAGS = (
|
||||
OPTIMIZE_RULESET_MASK
|
||||
OPTIMIZE_MASK
|
||||
|
||||
unreachable_warning
|
||||
state_match
|
||||
state_imatch
|
||||
initialize_chain_table
|
||||
@ -6518,6 +6519,22 @@ sub verify_address_variables() {
|
||||
}
|
||||
}
|
||||
|
||||
#
|
||||
# Generate 'unreachable rule' message
|
||||
#
|
||||
|
||||
sub unreachable_warning( $$ ) {
|
||||
my ( $ignore, $chainref ) = @_;
|
||||
unless ( $ignore ) {
|
||||
if ( $chainref->{complete} ) {
|
||||
warning_message "The rule(s) generated by this entry are unreachable and have been discarded";
|
||||
return 1;
|
||||
}
|
||||
}
|
||||
|
||||
0;
|
||||
}
|
||||
|
||||
############################################################################################
|
||||
# Helpers for expand_rule()
|
||||
############################################################################################
|
||||
@ -7062,10 +7079,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
|
||||
$logname, # Name of chain to name in log messages
|
||||
) = @_;
|
||||
|
||||
if ( $chainref->{complete} ) {
|
||||
# warning_message "The rule(s) generated by this entry are unreachable and have been discarded";
|
||||
return '';
|
||||
}
|
||||
return if $chainref->{complete};
|
||||
|
||||
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
|
||||
( '', '', '', '', '', '', '', '', '', '' );
|
||||
|
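Review bot: The `return if $chainref->{complete};` that replaces the old four-line block changes what expand_rule hands back for a discarded rule: the removed code returned `''`, whereas a bare `return` yields undef in scalar context and an empty list in list context. The callers visible in this commit (process_one_masq1, handle_nat_rule, handle_nonat_rule, process_rule) all call expand_rule in void context, but any caller elsewhere that assigns, interpolates or list-assigns the result would see a silent behaviour change. If the old value was relied on, keep it with `return '' if $chainref->{complete};`. expand_rule's signature and the rest of its body are outside the hunk, so I cannot see what the normal return path yields.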
@ -332,7 +332,8 @@ sub process_one_masq1( $$$$$$$$$$ )
|
||||
$target ,
|
||||
'' ,
|
||||
'' ,
|
||||
$exceptionrule );
|
||||
$exceptionrule )
|
||||
unless unreachable_warning( 0, $chainref );
|
||||
|
||||
conditional_rule_end( $chainref ) if $detectaddress || $conditional;
|
||||
|
||||
@ -614,7 +615,7 @@ sub setup_netmap() {
|
||||
#
|
||||
# Called from process_rule1 to add a rule to the NAT table
|
||||
#
|
||||
sub handle_nat_rule( $$$$$$$$$$$$ ) {
|
||||
sub handle_nat_rule( $$$$$$$$$$$$$ ) {
|
||||
my ( $dest, # <server>[:port]
|
||||
$proto, # Protocol
|
||||
$ports, # Destination port list
|
||||
@ -627,6 +628,7 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
|
||||
$source, # Source Address
|
||||
$loglevel, # [<level>[:<tag>]]
|
||||
$log_action, # Action name to include in the log message
|
||||
$wildcard # Part of a wildcard rule
|
||||
) = @_;
|
||||
|
||||
my ( $server, $serverport , $origdstports ) = ( '', '', '' );
|
||||
@ -753,10 +755,11 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
|
||||
#
|
||||
my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
|
||||
|
||||
expand_rule ( ensure_chain ('nat' ,
|
||||
my $chainref = ensure_chain ('nat' ,
|
||||
( $action_chain ? $action_chain :
|
||||
$firewallsource ? 'OUTPUT' :
|
||||
dnat_chain $sourceref->{name} ) ) ,
|
||||
dnat_chain $sourceref->{name} ) );
|
||||
expand_rule ( $chainref,
|
||||
$firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
|
||||
'' ,
|
||||
$rule ,
|
||||
@ -767,7 +770,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
|
||||
$loglevel ,
|
||||
$log_action ,
|
||||
$serverport ? do_proto( $proto, '', '' ) : '',
|
||||
);
|
||||
)
|
||||
unless unreachable_warning( $wildcard, $chainref );
|
||||
|
||||
( $ports, $origdstports, $server );
|
||||
}
|
||||
@ -775,8 +779,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
|
||||
#
|
||||
# Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
|
||||
#
|
||||
sub handle_nonat_rule( $$$$$$$$$$ ) {
|
||||
my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
|
||||
sub handle_nonat_rule( $$$$$$$$$$$ ) {
|
||||
my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule, $wildcard ) = @_;
|
||||
|
||||
my $sourcezone = $sourceref->{name};
|
||||
#
|
||||
@ -837,7 +841,9 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
|
||||
$loglevel,
|
||||
$log_action,
|
||||
'',
|
||||
dnat_chain( $sourcezone ) );
|
||||
dnat_chain( $sourcezone ) )
|
||||
unless unreachable_warning( $wildcard, $chn );
|
||||
|
||||
$loglevel = '';
|
||||
$tgt = $chn->{name};
|
||||
} else {
|
||||
@ -856,7 +862,8 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
|
||||
$loglevel ,
|
||||
$log_action ,
|
||||
'',
|
||||
);
|
||||
)
|
||||
unless unreachable_warning( $wildcard, $nonat_chain );
|
||||
}
|
||||
|
||||
sub add_addresses () {
|
||||
|
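Review bot: In handle_nat_rule the new `unless unreachable_warning( $wildcard, $chainref );` hangs as a postfix modifier off a ten-line expand_rule argument list, so the side-effecting condition (it emits the warning) is easy to miss when reading the call, and the function still falls through to `( $ports, $origdstports, $server )` either way. Since nothing sits between the `my $chainref = ensure_chain(...)` statement and the expand_rule call, the same behaviour reads more clearly as an early exit placed right after ensure_chain: `return ( $ports, $origdstports, $server ) if unreachable_warning( $wildcard, $chainref );`, with the trailing `unless` dropped. In handle_nonat_rule the statements after expand_rule (`$loglevel = ''; $tgt = $chn->{name};`) still have to run, so an early return is not equivalent there; a block form `unless ( unreachable_warning( $wildcard, $chn ) ) { expand_rule( ... ) }` would keep the condition visible instead. handle_nat_rule and handle_nonat_rule both start and end outside the hunks shown.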
@ -2636,6 +2636,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
$source,
|
||||
( $actiontype & ACTION ) ? '' : $loglevel,
|
||||
$log_action,
|
||||
$wildcard
|
||||
);
|
||||
|
||||
#
|
||||
@ -2673,7 +2674,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
$chain,
|
||||
$loglevel,
|
||||
$log_action,
|
||||
$rule
|
||||
$rule,
|
||||
$wildcard
|
||||
);
|
||||
}
|
||||
|
||||
@ -2699,6 +2701,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
|
||||
verify_audit( $action ) if $actiontype & AUDIT;
|
||||
|
||||
|
||||
expand_rule( $chainref ,
|
||||
$restriction ,
|
||||
'' ,
|
||||
@ -2709,7 +2712,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
||||
$action ,
|
||||
$loglevel ,
|
||||
$log_action ,
|
||||
'' );
|
||||
'' )
|
||||
unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
|
||||
}
|
||||
|
||||
delete $usedactions{$normalized_target} if $delete_action;
|
||||
|
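Review bot: The ignore expression `$wildcard || $section == DEFAULTACTION_SECTION` in the final process_rule hunk is the only call site that suppresses the warning for a whole section, and nothing explains why, so the next reader has to reverse-engineer the intent. I would add a why-comment above the expand_rule call such as `# Suppress the 'unreachable' warning for wildcard rules and for rules from the DEFAULTACTION section -- presumably because those are not individual user-written entries (confirm), so the "this entry" wording would mislead.` Precedence is fine here (`==` binds tighter than `||`), but it is worth confirming that DEFAULTACTION_SECTION is a numeric constant so the `==` comparison is intended. process_rule starts well before these hunks and its handle_nat_rule/handle_nonat_rule calls begin outside them.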