forked from extern/shorewall_code
Ensure that the REJECT_ACTION is terminating
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
87a9b95f73
commit
70bbd21b35
@ -286,6 +286,7 @@ our %EXPORT_TAGS = (
|
||||
create_chainlist_reload
|
||||
create_stop_load
|
||||
initialize_switches
|
||||
terminating
|
||||
%targets
|
||||
%builtin_target
|
||||
%dscpmap
|
||||
@ -808,14 +809,13 @@ sub initialize( $$$ ) {
|
||||
NETMAP => 1,
|
||||
NFQUEUE => 1,
|
||||
NOTRACK => 1,
|
||||
REDIRECT => 1,
|
||||
RAWDNAT => 1,
|
||||
REDIRECT => 1,
|
||||
RAWSNAT => 1,
|
||||
REJECT => 1,
|
||||
SAME => 1,
|
||||
SNAT => 1,
|
||||
TPROXY => 1,
|
||||
reject => 1,
|
||||
);
|
||||
#
|
||||
# The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
|
||||
@ -842,6 +842,15 @@ sub make_terminating( $ ) {
|
||||
$terminating{$_[0]} = 1;
|
||||
}
|
||||
|
||||
#
|
||||
# Determine if a chain is terminating
|
||||
#
|
||||
sub terminating( $ ) {
|
||||
my ( $chainref ) = @_;
|
||||
|
||||
return $chainref->{complete} && ! ( $chainref->{optflags} & RETURNS );
|
||||
}
|
||||
|
||||
#
|
||||
# Transform the passed iptables rule into an internal-form hash reference.
|
||||
# Most of the compiler has been converted to use the new form natively.
|
||||
@ -7749,7 +7758,7 @@ sub expand_rule( $$$$$$$$$$$$;$ )
|
||||
if ( $targetref ) {
|
||||
add_expanded_jump( $chainref ,
|
||||
$targetref ,
|
||||
$targetref->{complete} && ! ( $targetref->{optflags} & RETURNS ),
|
||||
terminating( $targetref ) ,
|
||||
$prerule . $matches );
|
||||
} else {
|
||||
add_rule( $chainref, $prerule . $matches . $jump , 1 );
|
||||
|
@ -677,6 +677,7 @@ sub add_common_rules ( $ ) {
|
||||
|
||||
if ( $config{REJECT_ACTION} ) {
|
||||
process_reject_action;
|
||||
fatal_eror( "The REJECT_ACTION ($config{REJECT_ACTION}) is not terminating" ) unless terminating( $rejectref );
|
||||
} else {
|
||||
if ( have_capability( 'ADDRTYPE' ) ) {
|
||||
add_ijump $rejectref , j => 'DROP' , addrtype => '--src-type BROADCAST';
|
||||
|
@ -2193,6 +2193,10 @@ sub use_policy_action( $$ ) {
|
||||
sub process_reject_action() {
|
||||
my $rejectref = $filter_table->{reject};
|
||||
my $action = $config{REJECT_ACTION};
|
||||
#
|
||||
# This gets called very early in the compilation process so we fake the section
|
||||
#
|
||||
$section = NEW_SECTION;
|
||||
|
||||
if ( ( $targets{$action} || 0 ) == ACTION ) {
|
||||
add_ijump $rejectref, j => use_policy_action( $action, $rejectref->{name} );
|
||||
@ -2221,6 +2225,8 @@ sub process_reject_action() {
|
||||
0, #Wildcard
|
||||
);
|
||||
}
|
||||
|
||||
$section = '';
|
||||
}
|
||||
|
||||
################################################################################
|
||||
|
Loading…
Reference in New Issue
Block a user