From f55e34dd8bebc64e4a5c88437e01eff7466679d2 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 17 Apr 2013 17:18:01 -0700
Subject: [PATCH] Don't allow options on targets that don't accept them.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 36 +++++++++++++++++-------------
 Shorewall/Perl/Shorewall/Rules.pm | 2 +-
 2 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 22a09db9d..eec1cb585 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -98,6 +98,7 @@ our @EXPORT = ( qw(
 STATEMATCH
 USERBUILTIN
 INLINERULE
+OPTIONS
 
 %chain_table
 %targets
@@ -406,6 +407,7 @@ use constant { STANDARD => 0x1, #defined by Netfilter
 STATEMATCH => 0x10000, #action.Invalid, action.Related, etc.
 USERBUILTIN => 0x20000, #Builtin action from user's actions file.
 INLINERULE => 0x40000, #INLINE
+OPTIONS => 0x80000, #Target Accepts Options
 };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -906,6 +908,10 @@ sub transform_rule( $;\$ ) {
 $$completeref = 1 if $jump eq 'g' || $terminating{$target};
 }
 
+if ( $ruleref->{targetopts} && $targets{$target} ) {
+fatal_error "The $target target does not accept options" unless $targets{$target} & OPTIONS;
+}
+
 $ruleref;
 }
 
@@ -2647,7 +2653,7 @@ sub initialize_chain_table($) {
 'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
 'A_ACCEPT!' => STANDARD + AUDIT,
 'NONAT' => STANDARD + NONAT + NATONLY,
-'AUDIT' => STANDARD + AUDIT,
+'AUDIT' => STANDARD + AUDIT + OPTIONS,
 'DROP' => STANDARD,
 'DROP!' => STANDARD,
 'A_DROP' => STANDARD + AUDIT,
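Review bot: The new check in transform_rule only runs when `$targets{$target}` is true, so a target that is absent from %targets, or whose entry happens to be 0, passes through with its options unchecked; the fail-closed fatal_error for registered targets is the right shape, but the hunk does not say whether the unregistered case is deliberate. A one-line comment above the new `if`, such as `# Only targets registered in %targets are checked here; unregistered targets (chain names etc.) fall through with their options untouched`, would make that intent explicit for the next reader. The same truthiness test is applied to `$ruleref->{targetopts}`, so an options string of `0` would also skip the check, which is presumably harmless but worth knowing. The body of transform_rule starts outside the hunk.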
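Review bot: The target flags in this table are combined with arithmetic `+` rather than bitwise `|`, and the OPTIONS bit is later tested with `&`; `+` only gives the right answer as long as no flag is ever listed twice in one entry, whereas `|` is idempotent and reads as the bit-set it is. This is a style point rather than a defect in the lines shown, e.g. `'AUDIT' => STANDARD | AUDIT | OPTIONS,`, and it applies equally to the table hunks at -2656, -2709 and -2720 and to `USERBUILTIN + OPTIONS` in Rules.pm. The enclosing initialize_chain_table body starts and ends outside the hunk.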
@@ -2656,20 +2662,20 @@ sub initialize_chain_table($) {
 'REJECT!' => STANDARD,
 'A_REJECT' => STANDARD + AUDIT,
 'A_REJECT!' => STANDARD + AUDIT,
-'DNAT' => NATRULE,
+'DNAT' => NATRULE + OPTIONS,
 'DNAT-' => NATRULE + NATONLY,
-'REDIRECT' => NATRULE + REDIRECT,
+'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
 'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
-'LOG' => STANDARD + LOGRULE,
+'LOG' => STANDARD + LOGRULE + OPTIONS,
 'CONTINUE' => STANDARD,
 'CONTINUE!' => STANDARD,
 'COUNT' => STANDARD,
-'QUEUE' => STANDARD,
+'QUEUE' => STANDARD + OPTIONS,
 'QUEUE!' => STANDARD,
-'NFLOG' => STANDARD + LOGRULE + NFLOG,
-'NFQUEUE' => STANDARD + NFQ,
+'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
+'NFQUEUE' => STANDARD + NFQ + OPTIONS,
 'NFQUEUE!' => STANDARD + NFQ,
-'ULOG' => STANDARD + LOGRULE + NFLOG,
+'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
 'ADD' => STANDARD + SET,
 'DEL' => STANDARD + SET,
 'WHITELIST' => STANDARD,
@@ -2709,7 +2715,7 @@ sub initialize_chain_table($) {
 'ACCEPT!' => STANDARD,
 'A_ACCEPT+' => STANDARD + NONAT + AUDIT,
 'A_ACCEPT!' => STANDARD + AUDIT,
-'AUDIT' => STANDARD + AUDIT,
+'AUDIT' => STANDARD + AUDIT + OPTIONS,
 'A_ACCEPT' => STANDARD + AUDIT,
 'NONAT' => STANDARD + NONAT + NATONLY,
 'DROP' => STANDARD,
@@ -2720,18 +2726,18 @@ sub initialize_chain_table($) {
 'REJECT!' => STANDARD,
 'A_REJECT' => STANDARD + AUDIT,
 'A_REJECT!' => STANDARD + AUDIT,
-'DNAT' => NATRULE,
+'DNAT' => NATRULE + OPTIONS,
 'DNAT-' => NATRULE + NATONLY,
-'REDIRECT' => NATRULE + REDIRECT,
+'REDIRECT' => NATRULE + REDIRECT + OPTIONS,
 'REDIRECT-' => NATRULE + REDIRECT + NATONLY,
-'LOG' => STANDARD + LOGRULE,
+'LOG' => STANDARD + LOGRULE + OPTIONS,
 'CONTINUE' => STANDARD,
 'CONTINUE!' => STANDARD,
 'COUNT' => STANDARD,
-'QUEUE' => STANDARD,
+'QUEUE' => STANDARD + OPTIONS,
 'QUEUE!' => STANDARD,
-'NFLOG' => STANDARD + LOGRULE + NFLOG,
-'NFQUEUE' => STANDARD + NFQ,
+'NFLOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,
+'NFQUEUE' => STANDARD + NFQ + OPTIONS,
 'NFQUEUE!' => STANDARD + NFQ,
 'ULOG' => STANDARD + LOGRULE + NFLOG,
 'ADD' => STANDARD + SET,
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 6b38c1649..3b85a73b7 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1664,7 +1664,7 @@ sub process_actions() {
 }
 
 if ( $builtin ) {
-$targets{$action} = USERBUILTIN;
+$targets{$action} = USERBUILTIN + OPTIONS;
 $builtin_target{$action} = 1;
 } else {
 new_action $action, $type, $noinline, $nolog;
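Review bot: The `'ULOG' => STANDARD + LOGRULE + NFLOG,` entry in this second table is left as a context line, while the first table's ULOG entry (hunk -2656) gained OPTIONS, so the two tables now disagree on whether ULOG accepts options. If this is the table for a family where ULOG cannot be used anyway the difference is harmless, but if it is an oversight a rule using ULOG with options will be rejected by the new transform_rule check under one table and accepted under the other. Either a short comment stating why ULOG differs here, or the matching `'ULOG' => STANDARD + LOGRULE + NFLOG + OPTIONS,`, would settle it; I cannot tell which from the hunk. The enclosing initialize_chain_table body starts and ends outside the hunk.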
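Review bot: Every builtin action is now registered as `USERBUILTIN + OPTIONS` unconditionally, so the new OPTIONS check in Chains.pm can never reject options on a builtin; if any builtin action does not actually take options, this assignment is where that gap originates. If the blanket grant is intended, a comment such as `# Builtin actions are assumed to accept target options; see the OPTIONS check in Chains.pm transform_rule` would record the assumption, otherwise the flag should come from per-action information rather than a constant. This also depends on OPTIONS being exported from Chains.pm, which the @EXPORT hunk in this commit does. process_actions starts and ends outside the hunk.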