Revise the unreachable warning stuff.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
2d8078033c
commit
adf51d0059
@ -125,6 +125,7 @@ our %EXPORT_TAGS = (
|
|||||||
OPTIMIZE_RULESET_MASK
|
OPTIMIZE_RULESET_MASK
|
||||||
OPTIMIZE_MASK
|
OPTIMIZE_MASK
|
||||||
|
|
||||||
|
unreachable_warning
|
||||||
state_match
|
state_match
|
||||||
state_imatch
|
state_imatch
|
||||||
initialize_chain_table
|
initialize_chain_table
|
||||||
@ -6518,6 +6519,22 @@ sub verify_address_variables() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Generate 'unreachable rule' message
|
||||||
|
#
|
||||||
|
|
||||||
|
sub unreachable_warning( $$ ) {
|
||||||
|
my ( $ignore, $chainref ) = @_;
|
||||||
|
unless ( $ignore ) {
|
||||||
|
if ( $chainref->{complete} ) {
|
||||||
|
warning_message "The rule(s) generated by this entry are unreachable and have been discarded";
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
0;
|
||||||
|
}
|
||||||
|
|
||||||
############################################################################################
|
############################################################################################
|
||||||
# Helpers for expand_rule()
|
# Helpers for expand_rule()
|
||||||
############################################################################################
|
############################################################################################
|
||||||
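Review bot: The new sub's contract is not documented: the three-line header only says "Generate 'unreachable rule' message", but callers depend on the return value (1 means the warning was issued and the caller skips expand_rule; 0 means proceed) and on the meaning of the first argument, which is named `$ignore` but is passed `$wildcard` at every call site. A header such as `# Warn that the rule(s) for the current entry are unreachable because $chainref is already complete, unless $ignore is true. Returns 1 when the warning was issued (caller must not generate the rule), 0 otherwise.` would make the `expand_rule(...) unless unreachable_warning(...)` idiom readable at the call sites. The final `0;` relies on an implicit return; `return 0;` states the intent, and the nested `unless`/`if` can collapse to `if ( ! $ignore && $chainref->{complete} ) { ... }`. Including `$chainref->{name}` in the message would also tell the user which chain the discarded rules were headed for, since one entry can now trigger this warning from several chains.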
@ -7062,10 +7079,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
|
|||||||
$logname, # Name of chain to name in log messages
|
$logname, # Name of chain to name in log messages
|
||||||
) = @_;
|
) = @_;
|
||||||
|
|
||||||
if ( $chainref->{complete} ) {
|
return if $chainref->{complete};
|
||||||
# warning_message "The rule(s) generated by this entry are unreachable and have been discarded";
|
|
||||||
return '';
|
|
||||||
}
|
|
||||||
|
|
||||||
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
|
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
|
||||||
( '', '', '', '', '', '', '', '', '', '' );
|
( '', '', '', '', '', '', '', '', '', '' );
|
||||||
|
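Review bot: `return if $chainref->{complete};` replaces `return '';`, so a scalar-context caller now receives undef where it previously got the empty string; any caller that string-compares or concatenates expand_rule's result (none visible in this commit) would start emitting "uninitialized" warnings. `return '' if $chainref->{complete};` drops the commented-out message just as well while keeping the old return value. With the message gone from here, the diagnostic now exists only where a call site is wrapped in unreachable_warning(); any expand_rule caller not updated by this commit discards its rules silently, which is worth checking across the tree. expand_rule's body continues outside the hunk.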
@ -332,7 +332,8 @@ sub process_one_masq1( $$$$$$$$$$ )
|
|||||||
$target ,
|
$target ,
|
||||||
'' ,
|
'' ,
|
||||||
'' ,
|
'' ,
|
||||||
$exceptionrule );
|
$exceptionrule )
|
||||||
|
unless unreachable_warning( 0, $chainref );
|
||||||
|
|
||||||
conditional_rule_end( $chainref ) if $detectaddress || $conditional;
|
conditional_rule_end( $chainref ) if $detectaddress || $conditional;
|
||||||
|
|
||||||
@ -614,7 +615,7 @@ sub setup_netmap() {
|
|||||||
#
|
#
|
||||||
# Called from process_rule1 to add a rule to the NAT table
|
# Called from process_rule1 to add a rule to the NAT table
|
||||||
#
|
#
|
||||||
sub handle_nat_rule( $$$$$$$$$$$$ ) {
|
sub handle_nat_rule( $$$$$$$$$$$$$ ) {
|
||||||
my ( $dest, # <server>[:port]
|
my ( $dest, # <server>[:port]
|
||||||
$proto, # Protocol
|
$proto, # Protocol
|
||||||
$ports, # Destination port list
|
$ports, # Destination port list
|
||||||
@ -627,6 +628,7 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
|
|||||||
$source, # Source Address
|
$source, # Source Address
|
||||||
$loglevel, # [<level>[:<tag>]]
|
$loglevel, # [<level>[:<tag>]]
|
||||||
$log_action, # Action name to include in the log message
|
$log_action, # Action name to include in the log message
|
||||||
|
$wildcard # Part of a wildcard rule
|
||||||
) = @_;
|
) = @_;
|
||||||
|
|
||||||
my ( $server, $serverport , $origdstports ) = ( '', '', '' );
|
my ( $server, $serverport , $origdstports ) = ( '', '', '' );
|
||||||
@ -753,10 +755,11 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
|
my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
|
||||||
|
|
||||||
expand_rule ( ensure_chain ('nat' ,
|
my $chainref = ensure_chain ('nat' ,
|
||||||
( $action_chain ? $action_chain :
|
( $action_chain ? $action_chain :
|
||||||
$firewallsource ? 'OUTPUT' :
|
$firewallsource ? 'OUTPUT' :
|
||||||
dnat_chain $sourceref->{name} ) ) ,
|
dnat_chain $sourceref->{name} ) );
|
||||||
|
expand_rule ( $chainref,
|
||||||
$firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
|
$firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
|
||||||
'' ,
|
'' ,
|
||||||
$rule ,
|
$rule ,
|
||||||
@ -767,7 +770,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
|
|||||||
$loglevel ,
|
$loglevel ,
|
||||||
$log_action ,
|
$log_action ,
|
||||||
$serverport ? do_proto( $proto, '', '' ) : '',
|
$serverport ? do_proto( $proto, '', '' ) : '',
|
||||||
);
|
)
|
||||||
|
unless unreachable_warning( $wildcard, $chainref );
|
||||||
|
|
||||||
( $ports, $origdstports, $server );
|
( $ports, $origdstports, $server );
|
||||||
}
|
}
|
||||||
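Review bot: The postfix `unless unreachable_warning( $wildcard, $chainref );` sits about forty lines below the `expand_rule ( $chainref,` it modifies, so a reader of the argument list cannot see that the whole call is conditional until the closing paren. Since the function returns `( $ports, $origdstports, $server )` immediately afterwards regardless, an early guard placed just after the new `my $chainref = ensure_chain(...)` line, `return ( $ports, $origdstports, $server ) if unreachable_warning( $wildcard, $chainref );`, is equivalent and keeps the guard next to what it guards. The same applies to the two guards in handle_nonat_rule (hunks at L430 and L475) and the filter-table call in process_rule (hunk at L623). handle_nat_rule's body starts outside this hunk.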
@ -775,8 +779,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
|
|||||||
#
|
#
|
||||||
# Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
|
# Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
|
||||||
#
|
#
|
||||||
sub handle_nonat_rule( $$$$$$$$$$ ) {
|
sub handle_nonat_rule( $$$$$$$$$$$ ) {
|
||||||
my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
|
my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule, $wildcard ) = @_;
|
||||||
|
|
||||||
my $sourcezone = $sourceref->{name};
|
my $sourcezone = $sourceref->{name};
|
||||||
#
|
#
|
||||||
@ -837,7 +841,9 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
|
|||||||
$loglevel,
|
$loglevel,
|
||||||
$log_action,
|
$log_action,
|
||||||
'',
|
'',
|
||||||
dnat_chain( $sourcezone ) );
|
dnat_chain( $sourcezone ) )
|
||||||
|
unless unreachable_warning( $wildcard, $chn );
|
||||||
|
|
||||||
$loglevel = '';
|
$loglevel = '';
|
||||||
$tgt = $chn->{name};
|
$tgt = $chn->{name};
|
||||||
} else {
|
} else {
|
||||||
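Review bot: When unreachable_warning() returns true here the rule into `$chn` is skipped, but the following `$loglevel = ''; $tgt = $chn->{name};` still run unconditionally, so the later rule (hunk at L475) is still pointed at a chain whose rule was just discarded; whether that is intended cannot be told from this hunk because `$chn` is declared outside it. Because the guard in this hunk and the one at L499 are evaluated independently for the same rules-file entry, the identical "The rule(s) generated by this entry are unreachable" message can be printed twice for one entry. A brief comment on the `$tgt = $chn->{name};` line, `# still jump to $chn even if the rule above was unreachable -- presumably harmless, confirm`, or suppressing the second guard when the first fired, would make the behaviour explicit. handle_nonat_rule's body continues outside the hunk.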
@ -856,7 +862,8 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
|
|||||||
$loglevel ,
|
$loglevel ,
|
||||||
$log_action ,
|
$log_action ,
|
||||||
'',
|
'',
|
||||||
);
|
)
|
||||||
|
unless unreachable_warning( $wildcard, $nonat_chain );
|
||||||
}
|
}
|
||||||
|
|
||||||
sub add_addresses () {
|
sub add_addresses () {
|
||||||
|
@ -2636,6 +2636,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
$source,
|
$source,
|
||||||
( $actiontype & ACTION ) ? '' : $loglevel,
|
( $actiontype & ACTION ) ? '' : $loglevel,
|
||||||
$log_action,
|
$log_action,
|
||||||
|
$wildcard
|
||||||
);
|
);
|
||||||
|
|
||||||
#
|
#
|
||||||
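Review bot: The suppression condition differs between the nat and filter paths: handle_nat_rule here and handle_nonat_rule (hunk at L551) receive only `$wildcard`, while the filter-table expand_rule in the hunk at L623 passes `$wildcard || $section == DEFAULTACTION_SECTION`. If an entry in the DEFAULT_ACTION section can reach the nat table (not determinable from these hunks), it would warn for the nat chain but stay silent for the filter chain. Computing the flag once near the top of process_rule, `my $ignore_unreachable = $wildcard || $section == DEFAULTACTION_SECTION;`, and passing it to all three calls keeps the policy in one place. process_rule's body begins and ends outside these hunks.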
@ -2673,7 +2674,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
$chain,
|
$chain,
|
||||||
$loglevel,
|
$loglevel,
|
||||||
$log_action,
|
$log_action,
|
||||||
$rule
|
$rule,
|
||||||
|
$wildcard
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2699,6 +2701,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
|
|
||||||
verify_audit( $action ) if $actiontype & AUDIT;
|
verify_audit( $action ) if $actiontype & AUDIT;
|
||||||
|
|
||||||
|
|
||||||
expand_rule( $chainref ,
|
expand_rule( $chainref ,
|
||||||
$restriction ,
|
$restriction ,
|
||||||
'' ,
|
'' ,
|
||||||
@ -2709,7 +2712,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
|
|||||||
$action ,
|
$action ,
|
||||||
$loglevel ,
|
$loglevel ,
|
||||||
$log_action ,
|
$log_action ,
|
||||||
'' );
|
'' )
|
||||||
|
unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
|
||||||
}
|
}
|
||||||
|
|
||||||
delete $usedactions{$normalized_target} if $delete_action;
|
delete $usedactions{$normalized_target} if $delete_action;
|
||||||
|
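Review bot: The first argument to unreachable_warning() is a compound expression whose reason is not stated, and since the parameter is named `$ignore` a reader has to work out why a wildcard rule or the DEFAULT_ACTION section makes an unreachable rule acceptable. The precedence is right (`==` binds tighter than `||`), but a one-line comment above the `expand_rule( $chainref ,` call, `# Wildcard and DEFAULT_ACTION entries may legitimately expand into chains that are already complete; suppress the warning for them -- confirm`, would document the intent. process_rule's body begins outside the hunk.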