This is somewhat related to the issue from PATCH 4; I corrected it before work this morning.
Consider the following:

shorewall.conf:

    INVALID_DISPOSITION=DROP

rules:

    SECTION INVALID
    CONTINUE ...
    SECTION NEW
    Invalid(...)
    ...

Because the INVALID_DISPOSITION is DROP, the RC 2 compiler suppresses the rule(s) generated by the Invalid(...) invocation. The attached patch causes the rule(s) to be emitted.

Note that the compiler only keeps track of the fact that a chain contains at least one RETURN rule (that's needed for the optimizer to work correctly). So the rule(s) generated by Invalid(...) may still not be capable of being matched.

Patch attached.

-Tom
-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
commit 615df6ab8fe9a1d451db58191b1995a60cfda638 Author: Tom Eastep <teas...@shorewall.net> Date: Mon Feb 4 15:08:20 2013 -0800 Handle 'RETURN' in state chain with terminating disposition. Signed-off-by: Tom Eastep <teas...@shorewall.net> diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 8c7b0ee..52b965a 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -72,6 +72,7 @@ our @EXPORT = ( qw( allow_move set_optflags reset_optflags + has_return dont_optimize dont_delete dont_move @@ -2212,6 +2213,14 @@ sub set_optflags( $$ ) { } # +# Return true if the passed chain has a RETURN rule. +# + +sub has_return( $ ) { + $_[0]->{optflags} & RETURNS; +} + +# # Reset the dont_optimize flag for a chain # sub allow_optimize( $ ) { diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm index 9e00dd8..4e75f6d 100644 --- a/Shorewall/Perl/Shorewall/Rules.pm +++ b/Shorewall/Perl/Shorewall/Rules.pm 
@@ -2685,21 +2685,47 @@ sub check_state( $ ) { for ( split ',', $blacklist_states ) { return 1 if $_ eq $state; } - } else { - if ( ( $state eq 'ESTABLISHED' ) || - ( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_TARGET"} ) ) { - my $sectionref = $actparms{0}->{sections}; - if ( $sectionref ) { - return 0 if $sectionref->{$state}; + return 0; + } + + if ( $state eq 'ESTABLISHED' ) { + my $sectionref = $actparms{0}->{sections}; + return ( $sectionref && $sectionref->{$state} ) ? 0 : $section == ESTABLISHED_SECTION ? 2 : 1; + } + + if ( $state =~ /^(?:INVALID|UNTRACKED|RELATED)$/ && $globals{"${state}_TARGET"} ) { + # + # One of the states that has its own state chain -- get the current action's chain + # + my $chainref = $actparms{0}; + # + # See if we've passed the section associated with this STATE + # + if ( my $sectionref = $chainref->{sections} ) { + if ( $sectionref->{$state} ) { + # + # We're past that section -- see if there was a separate state chain + # + if ( my $statechainref = $filter_table->{"$statetable{$state}{char}$chainref->{name}"} ) { + # + # There was -- if the chain had a RETURN then we will emit the current rule; otherwise we won't + # + return has_return( $statechainref ) ? 1 : 0; + } else { + # + # There wasn't -- suppress the current rule + # + return 0; + } } } + } - if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) { - return ( $state =~ /^(?:INVALID|UNTRACKED|NEW)$/ ); - } else { - return $state eq $section_rmap{$section} ? 2 : 1; - } + if ( $section & ( NEW_SECTION | DEFAULTACTION_SECTION ) ) { + $state =~ /^(?:INVALID|UNTRACKED|NEW)$/; + } else { + $state eq $section_rmap{$section} ? 2 : 1; } }
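Review bot: in the Chains.pm hunk that adds has_return(), the constant RETURNS is used in `$_[0]->{optflags} & RETURNS;` but is neither defined nor imported in the visible lines; confirm it is the same optflags bit that set_optflags() stores, otherwise the mask is silently wrong and has_return() is always false. The header comment ("Return true if the passed chain has a RETURN rule") also promises more than the flag records: as the cover note says, it only means the chain contains at least one RETURN rule somewhere, not that any particular later rule is reachable. Suggest wording it "Return true if the passed chain contains at least one RETURN rule (this does not imply that any following rule can be matched)" so callers in Rules.pm do not read it as a reachability check.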
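Review bot: in the Rules.pm check_state() hunk, the final if/else drops the explicit `return` that the removed lines had: `$state =~ /^(?:INVALID|UNTRACKED|NEW)$/;` and `$state eq $section_rmap{$section} ? 2 : 1;` are now bare expressions whose value is returned only because they happen to be the last statement evaluated. Every earlier exit in the same sub (`return 0;`, `return has_return( $statechainref ) ? 1 : 0;`) uses `return`, so keep it on both branches for consistency and so that a statement appended below them later does not silently change the result. Two smaller points: the state-chain name is built as `"$statetable{$state}{char}$chainref->{name}"` and looked up in `$filter_table`, but neither `%statetable` nor the `{char}` key is visible in this hunk, so confirm it is populated for all three of INVALID, UNTRACKED and RELATED; and the comment "if the chain had a RETURN then we will emit the current rule; otherwise we won't" should carry the caveat from the cover note that an emitted rule may still be unmatchable, since has_return() only says the chain has some RETURN, not that it precedes the rule in question.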
_______________________________________________
Shorewall-devel mailing list
Shorewall-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-devel