forked from extern/shorewall_code
Handle 'RETURN' in state chain with terminating disposition.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
3757607356
commit
615df6ab8f
@ -72,6 +72,7 @@ our @EXPORT = ( qw(
|
||||
allow_move
|
||||
set_optflags
|
||||
reset_optflags
|
||||
has_return
|
||||
dont_optimize
|
||||
dont_delete
|
||||
dont_move
|
||||
@ -2211,6 +2212,14 @@ sub set_optflags( $$ ) {
|
||||
$chainref;
|
||||
}
|
||||
|
||||
#
|
||||
# Return true if the passed chain has a RETURN rule.
|
||||
#
|
||||
|
||||
sub has_return( $ ) {
|
||||
$_[0]->{optflags} & RETURNS;
|
||||
}
|
||||
|
||||
#
|
||||
# Reset the dont_optimize flag for a chain
|
||||
#
|
||||
|
||||
@ -2685,21 +2685,47 @@ sub check_state( $ ) {
|
||||
for ( split ',', $blacklist_states ) {
|
||||
return 1 if $_ eq $state;
|
||||
}
|
||||
} else {
|
||||
if ( ( $state eq 'ESTABLISHED' ) ||
|
||||
( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_TARGET"} ) ) {
|
||||
my $sectionref = $actparms{0}->{sections};
|
||||
|
||||
if ( $sectionref ) {
|
||||
return 0 if $sectionref->{$state};
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ( $state eq 'ESTABLISHED' ) {
|
||||
my $sectionref = $actparms{0}->{sections};
|
||||
return ( $sectionref && $sectionref->{$state} ) ? 0 : $section == ESTABLISHED_SECTION ? 2 : 1;
|
||||
}
|
||||
|
||||
if ( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_TARGET"} ) {
|
||||
#
|
||||
# One of the states that has its own state chain -- get the current action's chain
|
||||
#
|
||||
my $chainref = $actparms{0};
|
||||
#
|
||||
# See if we've passed the section associated with this STATE
|
||||
#
|
||||
if ( my $sectionref = $chainref->{sections} ) {
|
||||
if ( $sectionref->{$state} ) {
|
||||
#
|
||||
# We're past that section -- see if there was a separate state chain
|
||||
#
|
||||
if ( my $statechainref = $filter_table->{"$statetable{$state}{char}$chainref->{name}"} ) {
|
||||
#
|
||||
# There was -- if the chain had a RETURN then we will emit the current rule; otherwise we won't
|
||||
#
|
||||
return has_return( $statechainref ) ? 1 : 0;
|
||||
} else {
|
||||
#
|
||||
# There wasn't -- suppress the current rule
|
||||
#
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
|
||||
return ( $state =~ /^(?:INVALID|UNTRACKED|NEW)$/ );
|
||||
} else {
|
||||
return $state eq $section_rmap{$section} ? 2 : 1;
|
||||
}
|
||||
if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) {
|
||||
$state =~ /^(?:INVALID|UNTRACKED|NEW)$/;
|
||||
} else {
|
||||
$state eq $section_rmap{$section} ? 2 : 1;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user