From 798c44d2c231af106a9fd6f0bb7e324004d8dcad Mon Sep 17 00:00:00 2001 From: teastep Date: Wed, 18 Apr 2007 20:36:19 +0000 Subject: [PATCH] Fix dropInvalid git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6005 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-common/changelog.txt | 4 ++++ Shorewall-common/releasenotes.txt | 6 ++++++ Shorewall-perl/Shorewall/Actions.pm | 2 +- 3 files changed, 11 insertions(+), 1 deletion(-) diff --git a/Shorewall-common/changelog.txt b/Shorewall-common/changelog.txt index 5f0eb2cab..f597848b3 100644 --- a/Shorewall-common/changelog.txt +++ b/Shorewall-common/changelog.txt @@ -10,6 +10,10 @@ Changes in 3.9.3 5) Make a number of interface options binary. +6) Add wildcard edits in interface processing. + +7) Fix dropInvalid. + Changes in 3.9.2 1) Implement '-C {shell|perl}'. diff --git a/Shorewall-common/releasenotes.txt b/Shorewall-common/releasenotes.txt index 650ec3538..dadc97943 100644 --- a/Shorewall-common/releasenotes.txt +++ b/Shorewall-common/releasenotes.txt @@ -37,6 +37,9 @@ Problems corrected in Shorewall 3.9.3 - All addresses - Routed networks +5) The 'dropInvalid' now correctly generates a DROP rule rather than a + REJECT rule. + Other changes in Shorewall 3.9.3 1) An 'optional' option has been added to @@ -70,6 +73,9 @@ Other changes in Shorewall 3.9.3 interfaces for which the option is specified and will set the option to the given value. + A fatal compilation error is also generated if you specify one of + these options with a wildcard interface (one ending with '+'). + Migration Considerations: 1) You cannot simply upgrade your existing Shorewall package. You must diff --git a/Shorewall-perl/Shorewall/Actions.pm b/Shorewall-perl/Shorewall/Actions.pm index 4924b17a9..80df90b92 100644 --- a/Shorewall-perl/Shorewall/Actions.pm +++ b/Shorewall-perl/Shorewall/Actions.pm 
@@ -526,7 +526,7 @@ sub process_actions3 () { my ($chainref, $level, $tag) = @_; log_rule_limit $level, $chainref, 'dropInvalid' , 'DROP', '', $tag, 'add', '-m state --state INVALID ' if $level; - add_rule $chainref , '-m state --state INVALID -j REJECT'; + add_rule $chainref , '-m state --state INVALID -j DROP'; } sub allowInvalid ( $$$ ) {
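Review bot: The disposition is still written twice in this sub, once as the `'DROP'` argument to `log_rule_limit` and once inside the `add_rule` string, and nothing ties the two together. The removed line shows the result: the log call already passed 'DROP' while the rule jumped to REJECT, so the firewall would have answered INVALID-state packets (presumably with REJECT's default ICMP error) while logging them as dropped. I would add a comment above the rule, such as `# Silently discard INVALID-state packets; the target here must match the disposition passed to log_rule_limit above`. It would also be worth checking whether the neighbouring `allowInvalid` keeps its logged disposition and its target in agreement. The sub's opening line is outside this hunk, so this is based only on the body lines shown.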