diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 6afeb88ec..c7d21b4a6 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -116,7 +116,6 @@ our %EXPORT_TAGS = (
 new_nat_chain
 ensure_filter_chain
 finish_section
- prepare_for_optimization
 optimize_chain
 check_optimization
 optimize_ruleset
@@ -594,6 +593,22 @@ sub add_reference ( $$ ) {
 $toref->{references}{$fromref->{name}}++;
 }
+#
+# Compress out undefined elements in rules
+#
+sub compress_rules( $ ) {
+ my $chainref = shift;
+ my @rules;
+ for ( @{$chainref->{rules}} ) {
+ push @rules, $_ if defined;
+ }
+
+ $chainref->{rules} = \@rules;
+
+ trace( $chainref, 'C', undef, '' ) if $debug;
+}
+
 #
 # Purge jumps previously added via add_jump. If the target chain is empty, reset its
 # referenced flag
@@ -602,15 +617,20 @@ sub purge_jump ( $$ ) {
 my ( $fromref, $toref ) = @_;
 my $to = $toref->{name};
 my $rule = 0;
+ my $rules = @{$fromref->{rules}};
+ my $deleted = 0;
 for ( @{$fromref->{rules}} ) {
 $rule++;
 if ( defined && / -[gj] ${to}\b/ ) {
 trace( $fromref, 'D', $rule, $_ ) if $debug;
 $_ = undef;
+ $deleted = 1 unless $rule == $rules;
 }
 }
+ compress_rules( $fromref ) if $deleted;
+
 unless ( @{$toref->{rules}} ) {
 $toref->{referenced} = 0;
 trace ( $toref, 'X', undef, '' ) if $debug;
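Review bot: The header comment on the new compress_rules, `# Compress out undefined elements in rules`, does not say that the sub renumbers every surviving rule, which is the property the rest of this commit is built around (the new `'C'` trace record and the `$rules` count captured by callers before they loop). A reader of the sub on its own cannot see that rule numbers recorded earlier, such as the `$rule` printed in a `'D'` trace, are stale after the call. Extend the comment to `# Compress out undefined elements in rules. This renumbers the remaining rules, so any rule number recorded before the call is stale afterwards.`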
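Review bot: `$deleted = 1 unless $rule == $rules;` in purge_jump skips compression when the only matching rule is the chain's last one, so `$fromref->{rules}` keeps a trailing undef and nothing in this hunk truncates it. If any code treats `scalar @{ ...->{rules} }` as the live rule count — the `unless ( @{$toref->{rules}} )` test a few lines below does exactly that for the target chain — a chain whose only remaining entry is that undef would be taken as non-empty; I cannot see from the diff whether something else pops the trailing element. Either compress unconditionally (`$deleted = 1;`), or record the invariant being relied on in a comment, e.g. `# A deleted last rule needs no compression: no later rule is renumbered by it`. The same condition is introduced in delete_references in the `@@ -1457,7 +1448,7 @@` hunk of this file. purge_jump continues past the end of the hunk.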
@@ -1365,36 +1385,6 @@ sub finish_section ( $ ) {
 }
 }
-#
-# Compress out undefined elements in rules
-#
-sub compress_rules( $ ) {
- my $chainref = shift;
- my @rules;
-
- for ( @{$chainref->{rules}} ) {
- push @rules, $_ if defined;
- }
-
- $chainref->{rules} = \@rules;
-}
-
-#
-# Prepare chain table for optimization by squeezing out undefined rules array entries
-#
-sub prepare_for_optimization() {
- for my $table ( qw/raw mangle nat filter/ ) {
-
- next if $family == F_IPV6 && $table eq 'nat';
-
- for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
- for ( @{$chainref->{rules}} ) {
- compress_rules( $chainref ), last unless defined;
- }
- }
- }
-}
-
 #
 # Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT
 #
@@ -1449,6 +1439,7 @@ sub delete_references( $ ) {
 for my $fromref ( map $chain_table{$table}{$_} , keys %{$chainref->{references}} ) {
 my $rule = 0;
 my $deleted = 0;
+ my $rules = @{$fromref->{rules}};
 for ( @{$fromref->{rules}} ) {
 $rule++;
@@ -1457,7 +1448,7 @@ sub delete_references( $ ) {
 trace( $fromref, 'D', $rule, $_ ) if $debug;
 $_ = undef;
 $count++;
- $deleted = 1;
+ $deleted = 1 unless $rule == $rules;
 }
 }
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 3e3fad6e6..a8573d5f1 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -833,10 +833,6 @@ sub compiler {
 if ( $config{OPTIMIZE} & 6 ) {
 progress_message2 'Optimizing Ruleset...';
 #
- # Prepare table for optimization
- #
- prepare_for_optimization;
- #
 # Optimize Policy Chains
 #
 optimize_policy_chains if $config{OPTIMIZE} & 2;
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 9e3d723da..fc21e855f 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -282,6 +282,8 @@ None.
 T - Shell source text appended/inserted into a chain -- converted into rules at run-time.
 D - Deleted Rule from a chain
+ C - Compressed the rules array for a chain to remove deleted
+ rules. This renumbers the remaining rules.
 X - Deleted a chain Netfilter trace records indicate the table and chain being
@@ -299,13 +301,6 @@ None.
 NF-(X)-> mangle:tcpost
- The compiler keeps the rules for each chain in a Perl array. When
- deleting a rule, the corresponding array entry is set to
- 'undef'. So when a rule is deleted, the rule numbers of the
- remaining rules do not change. If the last rule in an array is
- deleted, then the array itself is truncated back to the last valid
- rule and subsequent append operations grow the array from there.
-
 3) Thanks to Vincent Smeets, there is now an IPv6 mDNS macro.
 ----------------------------------------------------------------------------