firewall: make invalid redirects and duplicate zones non-fatal, print a notice and discard them
SVN-Revision: 23080
parent
4df10391ba
commit
f90328f26e
@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
|
|||||||
PKG_NAME:=firewall
|
PKG_NAME:=firewall
|
||||||
|
|
||||||
PKG_VERSION:=2
|
PKG_VERSION:=2
|
||||||
PKG_RELEASE:=15
|
PKG_RELEASE:=16
|
||||||
|
|
||||||
include $(INCLUDE_DIR)/package.mk
|
include $(INCLUDE_DIR)/package.mk
|
||||||
|
|
||||||
|
@ -107,10 +107,8 @@ fw_die() {
|
|||||||
|
|
||||||
fw_log() {
|
fw_log() {
|
||||||
local level="$1"
|
local level="$1"
|
||||||
[ -n "$2" ] || {
|
[ -n "$2" ] && shift || level=notice
|
||||||
shift
|
[ "$level" != error ] || echo "Error: $@" >&2
|
||||||
level=notice
|
|
||||||
}
|
|
||||||
logger -t firewall -p user.$level "$@"
|
logger -t firewall -p user.$level "$@"
|
||||||
}
|
}
|
||||||
|
|
||||||
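Review bot: In the new `echo "Error: $@" >&2` line, `$@` sits inside a longer quoted string, so a call with several message arguments expands to several words instead of one; `[ "$level" != error ] || echo "Error: $*" >&2` states the intent. The level test `[ -n "$2" ] && shift || level=notice` depends on `$2` being non-empty, so `fw_log error ""` would be logged at notice with the word "error" as its message text. A header comment would make that contract visible: `# fw_log [level] message...; with a single argument the level defaults to notice`.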
|
@ -42,7 +42,7 @@ fw_load_defaults() {
|
|||||||
boolean disable_ipv6 0 \
|
boolean disable_ipv6 0 \
|
||||||
} || return
|
} || return
|
||||||
[ -n "$FW_DEFAULTS_APPLIED" ] && {
|
[ -n "$FW_DEFAULTS_APPLIED" ] && {
|
||||||
echo "Error: multiple defaults sections detected"
|
fw_log error "duplicate defaults section detected, skipping"
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
FW_DEFAULTS_APPLIED=1
|
FW_DEFAULTS_APPLIED=1
|
||||||
@ -159,7 +159,8 @@ fw_load_zone() {
|
|||||||
fw_config_get_zone "$1"
|
fw_config_get_zone "$1"
|
||||||
|
|
||||||
list_contains FW_ZONES $zone_name && {
|
list_contains FW_ZONES $zone_name && {
|
||||||
fw_die "zone ${zone_name}: duplicated zone"
|
fw_log error "zone ${zone_name}: duplicated zone, skipping"
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
append FW_ZONES $zone_name
|
append FW_ZONES $zone_name
|
||||||
|
|
||||||
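Review bot: In fw_load_zone the duplicate branch now logs and does `return 0` before `append FW_ZONES`, so the first section with a given name wins and every option in the later section is dropped. That rule is worth a comment, because it decides which policy the running firewall enforces when a config holds two sections for one zone: `# first section with a given name wins; later duplicates are logged via fw_log error and ignored entirely`. The duplicate-defaults branch in fw_load_defaults still returns 1 for the same kind of skip, while this one returns 0. If callers look at the status, the two should agree; otherwise a short note on why they differ would help. Both function bodies continue outside the hunks shown.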
|
@ -30,7 +30,8 @@ fw_load_redirect() {
|
|||||||
local fwdchain natchain natopt nataddr natports srcdaddr srcdports
|
local fwdchain natchain natopt nataddr natports srcdaddr srcdports
|
||||||
if [ "$redirect_target" == "DNAT" ]; then
|
if [ "$redirect_target" == "DNAT" ]; then
|
||||||
[ -n "$redirect_src" -a -n "$redirect_dest_ip$redirect_dest_port" ] || {
|
[ -n "$redirect_src" -a -n "$redirect_dest_ip$redirect_dest_port" ] || {
|
||||||
fw_die "DNAT redirect ${redirect_name}: needs src and dest_ip or dest_port"
|
fw_log error "DNAT redirect ${redirect_name}: needs src and dest_ip or dest_port, skipping"
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
fwdchain="zone_${redirect_src}_forward"
|
fwdchain="zone_${redirect_src}_forward"
|
||||||
@ -48,7 +49,8 @@ fw_load_redirect() {
|
|||||||
|
|
||||||
elif [ "$redirect_target" == "SNAT" ]; then
|
elif [ "$redirect_target" == "SNAT" ]; then
|
||||||
[ -n "$redirect_dest" -a -n "$redirect_src_dip" ] || {
|
[ -n "$redirect_dest" -a -n "$redirect_src_dip" ] || {
|
||||||
fw_die "SNAT redirect ${redirect_name}: needs dest and src_dip"
|
fw_log error "SNAT redirect ${redirect_name}: needs dest and src_dip, skipping"
|
||||||
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
fwdchain="${redirect_src:+zone_${redirect_src}_forward}"
|
fwdchain="${redirect_src:+zone_${redirect_src}_forward}"
|
||||||
@ -65,7 +67,8 @@ fw_load_redirect() {
|
|||||||
append FW_CONNTRACK_ZONES $redirect_dest
|
append FW_CONNTRACK_ZONES $redirect_dest
|
||||||
|
|
||||||
else
|
else
|
||||||
fw_die "redirect ${redirect_name}: target must be either DNAT or SNAT"
|
fw_log error "redirect ${redirect_name}: target must be either DNAT or SNAT, skipping"
|
||||||
|
return 0
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local mode
|
local mode
|
||||||
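Review bot: The `else` branch of fw_load_redirect now drops the section instead of aborting, but its message does not say which target value was rejected, and the log line is the only trace left of the missing rule. Including the value makes a typo findable from syslog: `fw_log error "redirect ${redirect_name}: target must be either DNAT or SNAT (got '${redirect_target}'), skipping"`. The DNAT and SNAT validation branches follow the same log-then-`return 0` pattern, so a skipped redirect looks the same to the caller as a loaded one. A comment at the top of the function would record that this is intended: `# invalid redirects are logged at user.error and skipped; the function still returns 0`. The function starts and ends outside these hunks.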
|