extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-22 10:41:23 +02:00
Code Issues Packages Projects Releases Wiki Activity

Use -g when target is a terminating chain

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2016-04-07 08:48:36 -07:00
parent 293cd1d66a
commit ecd7261365
3 changed files with 48 additions and 45 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -1539,6 +1539,7 @@ sub create_irule( $$$;@ ) {
$ruleref->{jump} = $jump; $ruleref->{jump} = $jump;
$ruleref->{target} = $target; $ruleref->{target} = $target;
$chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN'; $chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
$chainref->{complete} ||= $terminating{$target} && ! @matches;
$ruleref->{targetopts} = $targetopts if $targetopts; $ruleref->{targetopts} = $targetopts if $targetopts;
} else { } else {
$ruleref->{target} = ''; $ruleref->{target} = '';
@ -7744,7 +7745,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
# No logging or user-specified logging -- add the target rule with matches to the rule chain # No logging or user-specified logging -- add the target rule with matches to the rule chain
# #
if ( $targetref ) { if ( $targetref ) {
add_expanded_jump( $chainref , $targetref , $targetref->{name} eq 'reject' , $prerule . $matches ); add_expanded_jump( $chainref ,
$targetref ,
$targetref->{complete} && ! ( $targetref->{optflags} & RETURNS ),
$prerule . $matches );
} else { } else {
add_rule( $chainref, $prerule . $matches . $jump , 1 ); add_rule( $chainref, $prerule . $matches . $jump , 1 );
} }

4
Shorewall/Perl/Shorewall/Compiler.pm
View File

@ -867,10 +867,6 @@ sub compiler {
# #
complete_policy_chains; complete_policy_chains;
# #
# Reject Action
#
process_reject_action if $config{REJECT_ACTION};
#
# Accounting. # Accounting.
# #
setup_accounting if $config{ACCOUNTING}; setup_accounting if $config{ACCOUNTING};

83
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -674,6 +674,49 @@ sub add_common_rules ( $ ) {
my $level = $config{BLACKLIST_LOG_LEVEL}; my $level = $config{BLACKLIST_LOG_LEVEL};
my $tag = $globals{BLACKLIST_LOG_TAG}; my $tag = $globals{BLACKLIST_LOG_TAG};
my $rejectref = $filter_table->{reject}; my $rejectref = $filter_table->{reject};
if ( $config{REJECT_ACTION} ) {
process_reject_action;
} else {
if ( have_capability( 'ADDRTYPE' ) ) {
add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
} else {
if ( $family == F_IPV4 ) {
add_commands $rejectref, 'for address in $ALL_BCASTS; do';
} else {
add_commands $rejectref, 'for address in $ALL_ACASTS; do';
}
incr_cmd_level $rejectref;
add_ijump $rejectref, j => 'DROP', d => '$address';
decr_cmd_level $rejectref;
add_commands $rejectref, 'done';
}
if ( $family == F_IPV4 ) {
add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
} else {
add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
}
add_ijump $rejectref , j => 'DROP', p => 2;
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
if ( have_capability( 'ENHANCED_REJECT' ) ) {
add_ijump $rejectref , j => 'REJECT', p => 17;
if ( $family == F_IPV4 ) {
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
} else {
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
}
} else {
add_ijump $rejectref , j => 'REJECT';
}
}
# #
# Insure that Docker jumps are early in the builtin chains # Insure that Docker jumps are early in the builtin chains
# #
@ -947,46 +990,6 @@ sub add_common_rules ( $ ) {
} }
} }
unless ( $config{REJECT_ACTION} ) {
if ( have_capability( 'ADDRTYPE' ) ) {
add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
} else {
if ( $family == F_IPV4 ) {
add_commands $rejectref, 'for address in $ALL_BCASTS; do';
} else {
add_commands $rejectref, 'for address in $ALL_ACASTS; do';
}
incr_cmd_level $rejectref;
add_ijump $rejectref, j => 'DROP', d => '$address';
decr_cmd_level $rejectref;
add_commands $rejectref, 'done';
}
if ( $family == F_IPV4 ) {
add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
} else {
add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
}
add_ijump $rejectref , j => 'DROP', p => 2;
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
if ( have_capability( 'ENHANCED_REJECT' ) ) {
add_ijump $rejectref , j => 'REJECT', p => 17;
if ( $family == F_IPV4 ) {
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
} else {
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
}
} else {
add_ijump $rejectref , j => 'REJECT';
}
}
$list = find_interfaces_by_option 'dhcp'; $list = find_interfaces_by_option 'dhcp';
if ( @$list ) { if ( @$list ) {