extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-12-01 12:03:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

A little reorg to prepare for moving long port list remediation to the new chain structure.

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-07-20 18:52:20 -07:00
parent 705ffbca49
commit 4eeb233d95
1 changed files with 21 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -611,7 +611,7 @@ sub decr_cmd_level( $ ) {
sub set_rule_option( $$$ ) { sub set_rule_option( $$$ ) {
my ( $ruleref, $option, $value ) = @_; my ( $ruleref, $option, $value ) = @_;
assert( defined $value ); assert( defined $value && reftype $ruleref );
$ruleref->{simple} = 0; $ruleref->{simple} = 0;
@ -790,7 +790,11 @@ sub merge_rules( $$$ ) {
my ( $tableref, $toref, $fromref ) = @_; my ( $tableref, $toref, $fromref ) = @_;
my $target = $fromref->{target}; my $target = $fromref->{target};
#
# Since the 'to' rule is a jump to a chain containing the 'from' rule, we
# assume that common unique option values are compatible (such as 'tcp' and
# 'tcp ! syn').
#
for my $option ( @unique_options ) { for my $option ( @unique_options ) {
$toref->{$option} = $fromref->{$option} if exists $fromref->{$option}; $toref->{$option} = $fromref->{$option} if exists $fromref->{$option};
} }
@ -800,7 +804,7 @@ sub merge_rules( $$$ ) {
} }
unless ( $toref->{state} ) { unless ( $toref->{state} ) {
set_rule_option ( $toref, 'state', $fromref->{state} ) if $fromref->{state}; set_rule_option ( $toref, 'state', $fromref->{state} ) if $fromref->{state};
} }
set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy}; set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
@ -1055,22 +1059,28 @@ sub push_irule( $$$;@ ) {
$ruleref->{targetopts} = $targetopts if $targetopts; $ruleref->{targetopts} = $targetopts if $targetopts;
} }
unless ( $ruleref->{simple} = ! @matches ) {
$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches );
}
if ( $comment ) { if ( $comment ) {
$ruleref->{comment} = $comment unless $ruleref->{comment}; $ruleref->{comment} = $comment unless $ruleref->{comment};
} }
push @{$chainref->{rules}}, $ruleref;
trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug;
$iprangematch = 0; $iprangematch = 0;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
if ( $ruleref->{simple} = ! @matches ) {
push @{$chainref->{rules}}, $ruleref;
} else {
#
# In the future, we can expand port lists here
#
$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches );
push @{$chainref->{rules}}, $ruleref;
}
trace( $chainref, 'A', @{$chainref->{rules}}, format_rule( $chainref, $ruleref ) ) if $debug;
$ruleref; $ruleref;
} }