Restore correct REJECT behavior

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1157 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-02-20 21:50:33 +00:00 · 2004-02-20 21:50:33 +00:00 · 09bcf7c1ab
commit 09bcf7c1ab
parent f99779a27f
2 changed files with 21 additions and 23 deletions
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -3002,9 +3002,14 @@ process_rule() # $1 = target
 	target="${target%:*}"
 	expandv loglevel
    fi
-  
-    logtarget="$target"
-    dnat_only=
+    #
+    # Save the original target in 'logtarget' for logging rules
+    #
+    logtarget=${target%-}
+    #
+    # Targets ending in "-" only apply to the nat table
+    #
+    [ $target = $logtarget ] && dnat_only= || dnat_only=Yes

    # Tranform the rule:
    #
@ -3054,32 +3059,16 @@ process_rule() # $1 = target
 	    [ -n "$ratelimit" ] && fatal_error "Rate Limiting not available with DROP"
 	    ;;
 	REJECT)
+	    target=reject
 	    ;;
 	CONTINUE)
 	    ;;
-	DNAT)
+	DNAT*)
 	    target=ACCEPT
 	    address=${address:=detect}
 	    ;;
-	DNAT-)
+	REDIRECT*)
 	    target=ACCEPT
-	    logtarget=DNAT
-	    address=${address:=detect}
-	    dnat_only=Yes
-	    ;;
-	REDIRECT)
-	    target=ACCEPT
-	    address=${address:=all}
-	    if [ "x-" = "x$servers" ]; then
-		servers=$FW
-	    else
-		servers="$FW::$servers"
-	    fi
-	    ;;
-	REDIRECT-)
-	    target=ACCEPT
-	    logtarget=REDIRECT
-	    dnat_only=Yes
 	    address=${address:=all}
 	    if [ "x-" = "x$servers" ]; then
 		servers=$FW
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -1,4 +1,4 @@
-Shorewall 2.0.0-Beta3
+Shorewall 2.0.0-RC1

 ----------------------------------------------------------------------
 Problems Corrected since 1.4.10
@ -14,6 +14,11 @@ Problems Corrected since 1.4.10

 4) The 'detectnets' and 'routeback' options may now be used together
   with the intended effect.
+
+Problems Corrected since Beta 3
+
+1) The REJECT target now works correctly for TCP (sends an RST).
+   Previously, an ICMP reply was generated.
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:

@ -63,6 +68,10 @@ Issues when migrating from Shorewall 1.4.x to Shorewall 2.0.0:
   policies but does not specify such an action in the default
   configuration.

+   If for some reason, you don't wish to have a common DROP or REJECT
+   action, just include :DROP or :REJECT respectively in your
+   /etc/shorewall/actions file.
+
   The file /usr/share/shorewall/actions.std catalogs the standard 
   actions and is processed prior to /etc/shorewall/actions. This
   causes a large number of actions to be defined. The files which