extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-26 17:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

Emit 'expensive' matches last unless there are '-m nfacct' matches in the rule.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-05-26 08:03:54 -07:00
parent 31f9ea5b93
commit 0b5a316cfc
1 changed files with 24 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -613,6 +613,7 @@ use constant { UNIQUE => 1,
CONTROL => 16,
COMPLEX => 32,
NFACCT => 64,
EXPENSIVE => 128,
};
our %opttype = ( rule => CONTROL,
@ -645,6 +646,9 @@ our %opttype = ( rule => CONTROL,
nfacct => NFACCT,
set => EXPENSIVE,
geoip => EXPENSIVE,
conntrack => COMPLEX,
jump => TARGET,
@ -827,7 +831,7 @@ sub set_rule_option( $$$ ) {
if ( exists $ruleref->{$option} ) {
assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref );
if ( $opttype & ( MATCH | NFACCT ) ) {
if ( $opttype & ( MATCH | NFACCT | EXPENSIVE ) ) {
if ( $globals{KLUDGEFREE} ) {
unless ( reftype $value1 ) {
unless ( reftype $value ) {
@ -1013,6 +1017,8 @@ sub format_rule( $$;$ ) {
# The code the follows can be destructive of the rule so we clone it
#
my $ruleref = $rulerefp->{complex} ? clone_rule( $rulerefp ) : $rulerefp;
my $nfacct = $rulerefp->{nfacct};
my $expensive;
for ( @{$ruleref->{matches}} ) {
my $type = $opttype{$_} || 0;
@ -1031,10 +1037,27 @@ sub format_rule( $$;$ ) {
}
next;
} elsif ( $type == EXPENSIVE ) {
#
# Only emit expensive matches now if there are '-m nfacct' matches in the rule
#
if ( $nfacct ) {
$rule .= format_option( $_, pop_match( $ruleref, $_ ) );
} else {
$expensive = 1;
}
} else {
$rule .= format_option( $_, pop_match( $ruleref, $_ ) );
}
}
#
# Emit expensive matches last unless we had '-m nfacct' matches in the rule.
#
if ( $expensive ) {
for ( grep( ( $opttype{$_} || 0 ) == EXPENSIVE, @{$ruleref->{matches}} ) ) {
$rule .= format_option( $_, pop_match( $ruleref, $_ ) );
}
}
if ( $ruleref->{target} ) {
$rule .= join( ' ', " -$ruleref->{jump}", $ruleref->{target} );