Revise the unreachable warning stuff.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-06-01 16:32:46 -07:00
parent 2d8078033c
commit adf51d0059
3 changed files with 40 additions and 15 deletions


@ -125,6 +125,7 @@ our %EXPORT_TAGS = (
OPTIMIZE_RULESET_MASK OPTIMIZE_RULESET_MASK
OPTIMIZE_MASK OPTIMIZE_MASK
unreachable_warning
state_match state_match
state_imatch state_imatch
initialize_chain_table initialize_chain_table
@ -6518,6 +6519,22 @@ sub verify_address_variables() {
} }
} }
#
# Generate 'unreachable rule' message
#
sub unreachable_warning( $$ ) {
my ( $ignore, $chainref ) = @_;
unless ( $ignore ) {
if ( $chainref->{complete} ) {
warning_message "The rule(s) generated by this entry are unreachable and have been discarded";
return 1;
}
}
0;
}
############################################################################################ ############################################################################################
# Helpers for expand_rule() # Helpers for expand_rule()
############################################################################################ ############################################################################################
@ -7062,10 +7079,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
$logname, # Name of chain to name in log messages $logname, # Name of chain to name in log messages
) = @_; ) = @_;
if ( $chainref->{complete} ) { return if $chainref->{complete};
# warning_message "The rule(s) generated by this entry are unreachable and have been discarded";
return '';
}
my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) =
( '', '', '', '', '', '', '', '', '', '' ); ( '', '', '', '', '', '', '', '', '', '' );
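Review bot: The header comment on the new unreachable_warning() does not state its contract, which is what makes the `expand_rule( ... ) unless unreachable_warning( ... )` idiom in the other two files readable: it returns 1 only when $ignore is false and the chain is already complete (after emitting the warning), and 0 in every other case, including the ignored-and-complete case where the rules are still dropped silently by expand_rule. I would extend the comment to `# Generate 'unreachable rule' message. Returns 1 when the warning was issued (chain complete and $ignore false) so the caller can skip the rule; returns 0 otherwise, including when the chain is complete but $ignore is set.` Separately, in the expand_rule hunk the early exit `return if $chainref->{complete};` replaces the old `return '';`, which yields an empty list rather than one empty string in list context; if any caller consumes expand_rule's value in list context the element count changes, so `return '' if $chainref->{complete};` would keep the old value while still dropping the commented-out message. expand_rule's body continues outside the hunk.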


@ -332,7 +332,8 @@ sub process_one_masq1( $$$$$$$$$$ )
$target , $target ,
'' , '' ,
'' , '' ,
$exceptionrule ); $exceptionrule )
unless unreachable_warning( 0, $chainref );
conditional_rule_end( $chainref ) if $detectaddress || $conditional; conditional_rule_end( $chainref ) if $detectaddress || $conditional;
@ -614,7 +615,7 @@ sub setup_netmap() {
# #
# Called from process_rule1 to add a rule to the NAT table # Called from process_rule1 to add a rule to the NAT table
# #
sub handle_nat_rule( $$$$$$$$$$$$ ) { sub handle_nat_rule( $$$$$$$$$$$$$ ) {
my ( $dest, # <server>[:port] my ( $dest, # <server>[:port]
$proto, # Protocol $proto, # Protocol
$ports, # Destination port list $ports, # Destination port list
@ -627,6 +628,7 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
$source, # Source Address $source, # Source Address
$loglevel, # [<level>[:<tag>]] $loglevel, # [<level>[:<tag>]]
$log_action, # Action name to include in the log message $log_action, # Action name to include in the log message
$wildcard # Part of a wildcard rule
) = @_; ) = @_;
my ( $server, $serverport , $origdstports ) = ( '', '', '' ); my ( $server, $serverport , $origdstports ) = ( '', '', '' );
@ -753,10 +755,11 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
# #
my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) ); my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
expand_rule ( ensure_chain ('nat' , my $chainref = ensure_chain ('nat' ,
( $action_chain ? $action_chain : ( $action_chain ? $action_chain :
$firewallsource ? 'OUTPUT' : $firewallsource ? 'OUTPUT' :
dnat_chain $sourceref->{name} ) ) , dnat_chain $sourceref->{name} ) );
expand_rule ( $chainref,
$firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT , $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
'' , '' ,
$rule , $rule ,
@ -767,7 +770,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
$loglevel , $loglevel ,
$log_action , $log_action ,
$serverport ? do_proto( $proto, '', '' ) : '', $serverport ? do_proto( $proto, '', '' ) : '',
); )
unless unreachable_warning( $wildcard, $chainref );
( $ports, $origdstports, $server ); ( $ports, $origdstports, $server );
} }
@ -775,8 +779,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
# #
# Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions # Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
# #
sub handle_nonat_rule( $$$$$$$$$$ ) { sub handle_nonat_rule( $$$$$$$$$$$ ) {
my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_; my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule, $wildcard ) = @_;
my $sourcezone = $sourceref->{name}; my $sourcezone = $sourceref->{name};
# #
@ -837,7 +841,9 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
$loglevel, $loglevel,
$log_action, $log_action,
'', '',
dnat_chain( $sourcezone ) ); dnat_chain( $sourcezone ) )
unless unreachable_warning( $wildcard, $chn );
$loglevel = ''; $loglevel = '';
$tgt = $chn->{name}; $tgt = $chn->{name};
} else { } else {
@ -856,7 +862,8 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
$loglevel , $loglevel ,
$log_action , $log_action ,
'', '',
); )
unless unreachable_warning( $wildcard, $nonat_chain );
} }
sub add_addresses () { sub add_addresses () {
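Review bot: In each of the hunks at -753/-767, -837 and -856 (and -332 in process_one_masq1) the guard is attached as a postfix `unless unreachable_warning( ... )` after the closing paren of a call that spans ten or more lines, so a reader of the expand_rule/ensure_chain call has to reach the end before learning it is conditional; the same shape is used in process_rule in the third file. In handle_nat_rule the check can instead be hoisted to before the call, `return ( $ports, $origdstports, $server ) if unreachable_warning( $wildcard, $chainref );`, since that is what the sub returns after the call anyway, and in the other sites a block form `unless ( unreachable_warning( $wildcard, $chn ) ) { ... }` keeps the condition next to the statement it governs. Also note that process_one_masq1 passes a literal `0` for $ignore while every other caller passes `$wildcard`, so masq entries always warn; if that asymmetry is intended a short comment at that call, `# masq entries have no wildcard suppression`, would stop it being read as an oversight. The bodies of handle_nat_rule and handle_nonat_rule extend outside the hunks.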


@ -2636,6 +2636,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
$source, $source,
( $actiontype & ACTION ) ? '' : $loglevel, ( $actiontype & ACTION ) ? '' : $loglevel,
$log_action, $log_action,
$wildcard
); );
# #
@ -2673,7 +2674,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
$chain, $chain,
$loglevel, $loglevel,
$log_action, $log_action,
$rule $rule,
$wildcard
); );
} }
@ -2699,6 +2701,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
verify_audit( $action ) if $actiontype & AUDIT; verify_audit( $action ) if $actiontype & AUDIT;
expand_rule( $chainref , expand_rule( $chainref ,
$restriction , $restriction ,
'' , '' ,
@ -2709,7 +2712,8 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
$action , $action ,
$loglevel , $loglevel ,
$log_action , $log_action ,
'' ); '' )
unless unreachable_warning( $wildcard || $section == DEFAULTACTION_SECTION, $chainref );
} }
delete $usedactions{$normalized_target} if $delete_action; delete $usedactions{$normalized_target} if $delete_action;