extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-20 12:39:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

Detect terminating chains

Browse Source 
- no RETURN Rules
- last rule is terminating

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2013-01-08 16:32:24 -08:00
parent 011dd2c901
commit 1fd3a6a522
1 changed files with 98 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -667,9 +667,7 @@ sub initialize( $$$ ) {
%isocodes = (); %isocodes = ();
%nfobjects = (); %nfobjects = ();
%switches = (); %switches = ();
#
# Initialize this here so we can make it dynamic without moving the initialization
#
%terminating = ( ACCEPT => 1, %terminating = ( ACCEPT => 1,
DROP => 1, DROP => 1,
RETURN => 1, RETURN => 1,
@ -2854,6 +2852,7 @@ sub optimize_level4( $$ ) {
# The search continues until no short chains remain # The search continues until no short chains remain
# Chains with 'DONT_OPTIMIZE' are exempted from optimization # Chains with 'DONT_OPTIMIZE' are exempted from optimization
# #
while ( $progress ) { while ( $progress ) {
$progress = 0; $progress = 0;
$passes++; $passes++;
@ -2892,11 +2891,23 @@ sub optimize_level4( $$ ) {
delete_references $chainref; delete_references $chainref;
$progress = 1; $progress = 1;
} }
} elsif ( $numrules == 1) { } else {
my $firstrule = $chainref->{rules}[0]; #
# The chain has rules -- determine if it is terminating
#
my $name = $chainref->{name};
my $lastref = $chainref->{rules}[-1];
unless ( $terminating{$name} ) {
$progress = 1 if $terminating{$name} = ( ( $terminating{$lastref->{target} || ''} ) || ( $lastref->{jump} || '' ) eq 'g' );
}
if ( $numrules == 1) {
# #
# Chain has a single rule # Chain has a single rule
# #
my $firstrule = $lastref;
if ( $firstrule ->{simple} ) { if ( $firstrule ->{simple} ) {
# #
# Easy case -- the rule is a simple jump # Easy case -- the rule is a simple jump
@ -2952,7 +2963,6 @@ sub optimize_level4( $$ ) {
# all immediately preceding rules that have the same target # all immediately preceding rules that have the same target
# #
my $rulesref = $chainref->{rules}; my $rulesref = $chainref->{rules};
my $lastref = $rulesref->[-1];
if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) { if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
my $target = $lastref->{target}; my $target = $lastref->{target};
@ -2985,7 +2995,8 @@ sub optimize_level4( $$ ) {
$count++; $count++;
} }
progress_message " $count $target rules deleted from chain $chainref->{name}" if $count; progress_message " $count $target rules deleted from chain $name" if $count;
}
} }
} }
} }