Keep rules arrays compressed throughout the compilation process

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -116,7 +116,6 @@ our %EXPORT_TAGS = (
 				       new_nat_chain
 				       ensure_filter_chain
 				       finish_section
-				       prepare_for_optimization
 				       optimize_chain
 				       check_optimization
 				       optimize_ruleset
@@ -594,6 +593,22 @@ sub add_reference ( $$ ) {
     $toref->{references}{$fromref->{name}}++;
 }
 
+#
+# Compress out undefined elements in rules
+#
+sub compress_rules( $ ) {
+    my $chainref = shift;
+    my @rules;
+
+    for ( @{$chainref->{rules}} ) {
+	push @rules, $_ if defined;
+    }
+
+    $chainref->{rules} = \@rules;
+
+    trace( $chainref, 'C', undef, '' ) if $debug;
+}  
+
 #
 # Purge jumps previously added via add_jump. If the target chain is empty, reset its
 # referenced flag
@@ -602,15 +617,20 @@ sub purge_jump ( $$ ) {
     my ( $fromref, $toref ) = @_;
     my $to = $toref->{name};
     my $rule = 0;
+    my $rules = @{$fromref->{rules}};
+    my $deleted = 0;
 
     for ( @{$fromref->{rules}} ) {
 	$rule++;
 	if ( defined && / -[gj] ${to}\b/ ) {
 	    trace( $fromref, 'D', $rule, $_ ) if $debug;
 	    $_ = undef;
+	    $deleted = 1 unless $rule == $rules;
 	}
     }
 
+    compress_rules( $fromref ) if $deleted;
+
     unless ( @{$toref->{rules}} ) {
 	$toref->{referenced} = 0;
 	trace ( $toref, 'X', undef, '' ) if $debug;
@@ -1365,36 +1385,6 @@ sub finish_section ( $ ) {
     }
 }
 
-#
-# Compress out undefined elements in rules
-#
-sub compress_rules( $ ) {
-    my $chainref = shift;
-    my @rules;
-
-    for ( @{$chainref->{rules}} ) {
-	push @rules, $_ if defined;
-    }
-
-    $chainref->{rules} = \@rules;
-}  
-
-#
-# Prepare chain table for optimization by squeezing out undefined rules array entries
-#
-sub prepare_for_optimization() {
-    for my $table ( qw/raw mangle nat filter/ ) {
-
-	next if $family == F_IPV6 && $table eq 'nat';
-    
-	for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
-	    for ( @{$chainref->{rules}} ) {
-		compress_rules( $chainref ), last unless defined;
-	    }
-	}
-    }
-}
-	
 #
 # Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT
 #
@@ -1449,6 +1439,7 @@ sub delete_references( $ ) {
     for my $fromref ( map $chain_table{$table}{$_} , keys %{$chainref->{references}} ) {
 	my $rule = 0;
 	my $deleted = 0;
+	my $rules = @{$fromref->{rules}};
 
 	for ( @{$fromref->{rules}} ) {
 	    $rule++;
@@ -1457,7 +1448,7 @@ sub delete_references( $ ) {
 		trace( $fromref, 'D', $rule, $_ ) if $debug;
 		$_ = undef;
 		$count++;
-		$deleted = 1;
+		$deleted = 1 unless $rule == $rules;
 	    }
 	}
 	    

Shorewall/Perl/Shorewall/Compiler.pm

@@ -833,10 +833,6 @@ sub compiler {
 	if ( $config{OPTIMIZE} & 6 ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
-	    # Prepare table for optimization
-	    #
-	    prepare_for_optimization;
-	    #
 	    # Optimize Policy Chains
 	    #
 	    optimize_policy_chains if $config{OPTIMIZE} & 2;

Shorewall/releasenotes.txt

@@ -282,6 +282,8 @@ None.
 	T - Shell source text appended/inserted into a chain --
             converted into rules at run-time.
 	D - Deleted Rule from a chain
+	C - Compressed the rules array for a chain to remove deleted
+   	    rules. This renumbers the remaining rules.
 	X - Deleted a chain
 
     Netfilter trace records indicate the table and chain being
@@ -299,13 +301,6 @@ None.
 
 	NF-(X)-> mangle:tcpost
 
-    The compiler keeps the rules for each chain in a Perl array. When
-    deleting a rule, the corresponding array entry is set to
-    'undef'. So when a rule is deleted, the rule numbers of the
-    remaining rules do not change. If the last rule in an array is
-    deleted, then the array itself is truncated back to the last valid
-    rule and subsequent append operations grow the array from there.
-
 3)  Thanks to Vincent Smeets, there is now an IPv6 mDNS macro. 
 
 ----------------------------------------------------------------------------