@@ -104,6 +104,8 @@ alloc_rule(struct fw3_state *state)
static bool
check_rule(struct fw3_state *state, struct fw3_rule *r, struct uci_element *e)
{
+ int guessed = 0;
+
if (!r->enabled)
return false;
@@ -194,23 +196,35 @@ check_rule(struct fw3_state *state, struct fw3_rule *r, struct uci_element *e)
{
warn_section("rule", r, e, "has neither a source nor a destination zone assigned "
"- assuming an output rule");
+ guessed++;
}
if (list_empty(&r->proto))
{
warn_section("rule", r, e, "does not specify a protocol, assuming TCP+UDP");
fw3_parse_protocol(&r->proto, "tcpudp", true);
+ guessed++;
}
if (r->target == FW3_FLAG_UNSPEC)
{
warn_section("rule", r, e, "has no target specified, defaulting to REJECT");
r->target = FW3_FLAG_REJECT;
+ guessed++;
}
else if (r->target > FW3_FLAG_DSCP)
{
warn_section("rule", r, e, "has invalid target specified, defaulting to REJECT");
r->target = FW3_FLAG_REJECT;
+ guessed++;
+ }
+
+ if (guessed > 2)
+ {
+ /* empty config rule would reject all output TCP+UDP */
+ warn_section("rule", r, e, "must specify at least one valid value of "
+ "source/destination zone, protocol and target");
+ return false;
}
/* NB: r family... */
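Review bot: The `guessed > 2` check at the end of the hunk treats every rule that relies on all three defaults as an empty stanza, so a rule that sets only other match options (a port or address restriction, if the rule struct carries such fields — not visible here) and previously became a restricted output REJECT is now dropped with a warning, meaning that traffic is no longer blocked; the commit message only describes duplicate `config rule` lines. If dropping such rules is intended, the comment on the check should say so, e.g. `/* all three of zone, protocol and target were guessed: treat the stanza as empty and drop it instead of installing a reject-all output rule */`; otherwise the check should also consider whether any non-default match option was set before returning false. The threshold `> 2` is implicitly tied to there being exactly three guess sites, so `if (guessed == 3)` with that comment makes the intent explicit and survives a fourth default being added. Returning false after `fw3_parse_protocol` has already populated `r->proto` relies on the caller releasing the rejected rule, which happens outside this hunk. check_rule's body begins and ends outside the hunk.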
The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Previously if the config file contained any empty rule (like a duplicate 'config rule' line), the firewall understood it as rejecting all output traffic (TCP+UDP). The router was therefore functioning properly, but was unable to answer DHCP requests (because they are not ESTABLISHED nor RELATED) nor send any upstream packets, which was hard to diagnose. The change now requires every rule to contain at least one of zone, protocol or target. Signed-off-by: Arkadiusz Kozdra <floss@arusekk.pl> --- rules.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)