Use -g when target is a terminating chain
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
293cd1d66a
commit
ecd7261365
@ -1539,6 +1539,7 @@ sub create_irule( $$$;@ ) {
|
|||||||
$ruleref->{jump} = $jump;
|
$ruleref->{jump} = $jump;
|
||||||
$ruleref->{target} = $target;
|
$ruleref->{target} = $target;
|
||||||
$chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
|
$chainref->{optflags} |= RETURNS_DONT_MOVE if $target eq 'RETURN';
|
||||||
|
$chainref->{complete} ||= $terminating{$target} && ! @matches;
|
||||||
$ruleref->{targetopts} = $targetopts if $targetopts;
|
$ruleref->{targetopts} = $targetopts if $targetopts;
|
||||||
} else {
|
} else {
|
||||||
$ruleref->{target} = '';
|
$ruleref->{target} = '';
|
||||||
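Review bot: The new flag set at `$chainref->{complete} ||= $terminating{$target} && ! @matches;` keys `%terminating` on the raw target string, so it is only right if `$target` never carries options; the add_common_rules hunk of this same commit emits `j => 'REJECT --reject-with icmp-host-prohibited'`, and unless add_ijump splits that into target and targetopts before it reaches create_irule (not visible here), the lookup misses and the reject chain is never marked complete, which silently disables the `-g` path added in expand_rule. The flag is also sticky: `||=` never clears it, so a terminating rule later removed or rewritten by an optimizer pass would leave `complete` stale while callers still goto the chain. A one-line comment would help the next reader, e.g. `# complete: every packet entering this chain is consumed by a terminating target, so callers may use -g instead of -j`. create_irule starts and ends outside the hunk.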
@ -7744,7 +7745,10 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
|||||||
# No logging or user-specified logging -- add the target rule with matches to the rule chain
|
# No logging or user-specified logging -- add the target rule with matches to the rule chain
|
||||||
#
|
#
|
||||||
if ( $targetref ) {
|
if ( $targetref ) {
|
||||||
add_expanded_jump( $chainref , $targetref , $targetref->{name} eq 'reject' , $prerule . $matches );
|
add_expanded_jump( $chainref ,
|
||||||
|
$targetref ,
|
||||||
|
$targetref->{complete} && ! ( $targetref->{optflags} & RETURNS ),
|
||||||
|
$prerule . $matches );
|
||||||
} else {
|
} else {
|
||||||
add_rule( $chainref, $prerule . $matches . $jump , 1 );
|
add_rule( $chainref, $prerule . $matches . $jump , 1 );
|
||||||
}
|
}
|
||||||
|
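Review bot: The goto condition `$targetref->{complete} && ! ( $targetref->{optflags} & RETURNS ),` encodes a safety invariant that deserves a comment, because `-g` changes what happens on fall-through: if `complete` were ever true for a chain a packet can leave without a verdict, processing would resume at the builtin chain's policy rather than at the next rule of `$chainref`, so later rules of the caller would be skipped. Suggest `# -g is safe only because every path through the target terminates and none RETURNs; a RETURN reached via -g would return to our caller, not to us`. The earlier create_irule hunk sets `RETURNS_DONT_MOVE` for RETURN targets while this test masks with `RETURNS`; that is fine if `RETURNS_DONT_MOVE` includes the `RETURNS` bit, otherwise chains containing RETURN would pass this test, which is worth confirming. expand_rule starts and ends outside the hunk.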
@ -867,10 +867,6 @@ sub compiler {
|
|||||||
#
|
#
|
||||||
complete_policy_chains;
|
complete_policy_chains;
|
||||||
#
|
#
|
||||||
# Reject Action
|
|
||||||
#
|
|
||||||
process_reject_action if $config{REJECT_ACTION};
|
|
||||||
#
|
|
||||||
# Accounting.
|
# Accounting.
|
||||||
#
|
#
|
||||||
setup_accounting if $config{ACCOUNTING};
|
setup_accounting if $config{ACCOUNTING};
|
||||||
|
@ -674,6 +674,49 @@ sub add_common_rules ( $ ) {
|
|||||||
my $level = $config{BLACKLIST_LOG_LEVEL};
|
my $level = $config{BLACKLIST_LOG_LEVEL};
|
||||||
my $tag = $globals{BLACKLIST_LOG_TAG};
|
my $tag = $globals{BLACKLIST_LOG_TAG};
|
||||||
my $rejectref = $filter_table->{reject};
|
my $rejectref = $filter_table->{reject};
|
||||||
|
|
||||||
|
if ( $config{REJECT_ACTION} ) {
|
||||||
|
process_reject_action;
|
||||||
|
} else {
|
||||||
|
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||||
|
add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
|
||||||
|
} else {
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
|
add_commands $rejectref, 'for address in $ALL_BCASTS; do';
|
||||||
|
} else {
|
||||||
|
add_commands $rejectref, 'for address in $ALL_ACASTS; do';
|
||||||
|
}
|
||||||
|
|
||||||
|
incr_cmd_level $rejectref;
|
||||||
|
add_ijump $rejectref, j => 'DROP', d => '$address';
|
||||||
|
decr_cmd_level $rejectref;
|
||||||
|
add_commands $rejectref, 'done';
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
|
add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
|
||||||
|
} else {
|
||||||
|
add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
|
||||||
|
}
|
||||||
|
|
||||||
|
add_ijump $rejectref , j => 'DROP', p => 2;
|
||||||
|
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
|
||||||
|
|
||||||
|
if ( have_capability( 'ENHANCED_REJECT' ) ) {
|
||||||
|
add_ijump $rejectref , j => 'REJECT', p => 17;
|
||||||
|
|
||||||
|
if ( $family == F_IPV4 ) {
|
||||||
|
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
|
||||||
|
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
|
||||||
|
} else {
|
||||||
|
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
|
||||||
|
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
add_ijump $rejectref , j => 'REJECT';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Insure that Docker jumps are early in the builtin chains
|
# Insure that Docker jumps are early in the builtin chains
|
||||||
#
|
#
|
||||||
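Review bot: Within the new else branch the reject rules attach target options two different ways: `add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;` keeps the target and its options apart, while the four ICMP lines embed them in the jump string (`j => 'REJECT --reject-with icmp-host-unreachable'`). Since create_irule in this commit now classifies rules by `$terminating{$target}`, the split form is the one that keeps the target name canonical; suggest `add_ijump $rejectref, j => 'REJECT', targetopts => '--reject-with icmp-host-prohibited';` and likewise for the icmp-host-unreachable, icmp6-addr-unreachable and icmp6-adm-prohibited rules, unless add_ijump already normalises this. The block itself is the former `unless ( $config{REJECT_ACTION} )` body removed in the following hunk, so the behavioral change is only that the reject chain is now populated before the Docker and dhcp rules that follow it. add_common_rules starts and ends outside the hunk.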
@ -947,46 +990,6 @@ sub add_common_rules ( $ ) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
unless ( $config{REJECT_ACTION} ) {
|
|
||||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
|
||||||
add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
|
|
||||||
} else {
|
|
||||||
if ( $family == F_IPV4 ) {
|
|
||||||
add_commands $rejectref, 'for address in $ALL_BCASTS; do';
|
|
||||||
} else {
|
|
||||||
add_commands $rejectref, 'for address in $ALL_ACASTS; do';
|
|
||||||
}
|
|
||||||
|
|
||||||
incr_cmd_level $rejectref;
|
|
||||||
add_ijump $rejectref, j => 'DROP', d => '$address';
|
|
||||||
decr_cmd_level $rejectref;
|
|
||||||
add_commands $rejectref, 'done';
|
|
||||||
}
|
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
|
||||||
add_ijump $rejectref , j => 'DROP', s => '224.0.0.0/4';
|
|
||||||
} else {
|
|
||||||
add_ijump $rejectref , j => 'DROP', s => IPv6_MULTICAST;
|
|
||||||
}
|
|
||||||
|
|
||||||
add_ijump $rejectref , j => 'DROP', p => 2;
|
|
||||||
add_ijump $rejectref , j => 'REJECT', targetopts => '--reject-with tcp-reset', p => 6;
|
|
||||||
|
|
||||||
if ( have_capability( 'ENHANCED_REJECT' ) ) {
|
|
||||||
add_ijump $rejectref , j => 'REJECT', p => 17;
|
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
|
||||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-unreachable', p => 1;
|
|
||||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp-host-prohibited';
|
|
||||||
} else {
|
|
||||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-addr-unreachable', p => 58;
|
|
||||||
add_ijump $rejectref, j => 'REJECT --reject-with icmp6-adm-prohibited';
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
add_ijump $rejectref , j => 'REJECT';
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
$list = find_interfaces_by_option 'dhcp';
|
$list = find_interfaces_by_option 'dhcp';
|
||||||
|
|
||||||
if ( @$list ) {
|
if ( @$list ) {
|
||||||
|