extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

A more comprehensive solution to multiple -[piosd] matches.

Browse Source 
- eliminate duplicate -[piosd] matches in merged rules
- avoid tracing !* unconditionally

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-05-01 07:26:25 -07:00
parent 16161d9cfc
commit 219b2e0761
2 changed files with 24 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -1096,7 +1096,7 @@ sub dont_optimize( $ ) {
$chainref->{dont_optimize} = 1; $chainref->{dont_optimize} = 1;
trace( $chainref, '!O', undef, '' ); trace( $chainref, '!O', undef, '' ) if $debug;
$chainref; $chainref;
} }
@ -1111,7 +1111,7 @@ sub dont_delete( $ ) {
$chainref->{dont_optimize} = $chainref->{dont_delete} = 1; $chainref->{dont_optimize} = $chainref->{dont_delete} = 1;
trace( $chainref, '!OD', undef, '' ); trace( $chainref, '!OD', undef, '' ) if $debug;
$chainref; $chainref;
} }
@ -1126,7 +1126,7 @@ sub dont_move( $ ) {
$chainref->{dont_move} = 1; $chainref->{dont_move} = 1;
trace( $chainref, '!M', undef, '' ); trace( $chainref, '!M', undef, '' ) if $debug;
$chainref; $chainref;
} }
@ -1542,6 +1542,11 @@ sub replace_references1( $$$ ) {
my $tableref = $chain_table{$chainref->{table}}; my $tableref = $chain_table{$chainref->{table}};
my $count = 0; my $count = 0;
my $name = $chainref->{name}; my $name = $chainref->{name};
my $hasp = $matches =~ / -p /;
my $hasi = $matches =~ / -i /;
my $haso = $matches =~ / -o /;
my $hass = $matches =~ / -s /;
my $hasd = $matches =~ / -d /;
$name =~ s/\+/\\+/; $name =~ s/\+/\\+/;
# #
@ -1558,9 +1563,13 @@ sub replace_references1( $$$ ) {
$rule++; $rule++;
if ( /^-A .*-[jg] $name(?:$|\s)/ ) { if ( /^-A .*-[jg] $name(?:$|\s)/ ) {
# #
# Prevent multiple '-p' matches # Prevent multiple '-p', '-i', '-o', '-s' and '-d' matches
# #
s/ -p [^ ]+ / / if / -p / && $matches =~ / -p /; s/ -p [^ ]+ / / if $hasp;
s/ -i [^ ]+ / / if $hasi;
s/ -o [^ ]+ / / if $haso;
s/ -s [^ ]+ / / if $hass;
s/ -d [^ ]+ / / if $hasd;
s/\s+-([jg]) $name($|\s)/$matches -$1 ${target}$2/; s/\s+-([jg]) $name($|\s)/$matches -$1 ${target}$2/;
add_reference ( $fromref, $tableref->{$target} ); add_reference ( $fromref, $tableref->{$target} );
$count++; $count++;
@ -1582,9 +1591,13 @@ sub replace_references1( $$$ ) {
$rule++; $rule++;
if ( /^-A .*-[jg] $name(?:$|\s)/ ) { if ( /^-A .*-[jg] $name(?:$|\s)/ ) {
# #
# Prevent multiple '-p' matches # Prevent multiple '-p', '-i', '-o', '-s' and '-d' matches
# #
s/ -p [^ ]+ / / if / -p / && $matches =~ / -p /; s/ -p [^ ]+ / / if $hasp;
s/ -i [^ ]+ / / if $hasi;
s/ -o [^ ]+ / / if $haso;
s/ -s [^ ]+ / / if $hass;
s/ -d [^ ]+ / / if $hasd;
s/\s+-[jg] $name($|\s)/$matches -j ${target}$1/; s/\s+-[jg] $name($|\s)/$matches -j ${target}$1/;
$count++; $count++;
trace( $fromref, 'R', $rule, $_ ) if $debug; trace( $fromref, 'R', $rule, $_ ) if $debug;
@ -1734,7 +1747,9 @@ sub optimize_ruleset() {
# #
# Not so easy -- the rule contains matches # Not so easy -- the rule contains matches
# #
if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' ) { my ($target, $matches ) = ( $1, $2 );
if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' || $matches =~ /! -[piosd] / ) {
# #
# This case requires a new rule merging algorithm. Ignore this chain for # This case requires a new rule merging algorithm. Ignore this chain for
# now. # now.
@ -1744,7 +1759,7 @@ sub optimize_ruleset() {
# #
# Replace references to this chain with the target and add the predicates # Replace references to this chain with the target and add the predicates
# #
replace_references1 $chainref, $2, $1; replace_references1 $chainref, $matches, $target;
$progress = 1; $progress = 1;
} }
} }

6
Shorewall/Perl/Shorewall/Nat.pm
View File

@ -201,8 +201,6 @@ sub process_one_masq( )
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface); my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
dont_optimize $chainref unless $interfaceref->{name};
my $detectaddress = 0; my $detectaddress = 0;
my $exceptionrule = ''; my $exceptionrule = '';
my $randomize = ''; my $randomize = '';
@ -393,10 +391,8 @@ sub do_one_nat( $$$$$ )
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external"; add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
} else { } else {
my $chainref = input_chain( $interface ); my $chainref = input_chain( $interface );
dont_optimize $chainref if $rulein;
add_nat_rule $chainref , $rulein . "-d $external $policyin -j DNAT --to-destination $internal"; add_nat_rule $chainref , $rulein . "-d $external $policyin -j DNAT --to-destination $internal";
$chainref = output_chain( $interface ); $chainref = output_chain( $interface );
dont_optimize $chainref if $ruleout;
add_nat_rule $chainref , $ruleout . "-s $internal $policyout -j SNAT --to-source $external"; add_nat_rule $chainref , $ruleout . "-s $internal $policyout -j SNAT --to-source $external";
} }
@ -472,11 +468,9 @@ sub setup_netmap() {
if ( $type eq 'DNAT' ) { if ( $type eq 'DNAT' ) {
my $chainref = ensure_chain( 'nat' , input_chain $interface ); my $chainref = ensure_chain( 'nat' , input_chain $interface );
dont_optimize $chainref if $rulein;
add_rule $chainref , $rulein . "-d $net1 -j NETMAP --to $net2"; add_rule $chainref , $rulein . "-d $net1 -j NETMAP --to $net2";
} elsif ( $type eq 'SNAT' ) { } elsif ( $type eq 'SNAT' ) {
my $chainref = ensure_chain( 'nat' , output_chain $interface ); my $chainref = ensure_chain( 'nat' , output_chain $interface );
dont_optimize $chainref if $ruleout;
add_rule $chainref , $ruleout . "-s $net1 -j NETMAP --to $net2"; add_rule $chainref , $ruleout . "-s $net1 -j NETMAP --to $net2";
} else { } else {
fatal_error "Invalid type ($type)"; fatal_error "Invalid type ($type)";