mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-20 05:11:03 +01:00
Eliminate duplicate rules in raw-table chains when optimize level 16.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
ad818c071a
commit
50dfffec94
@ -3282,6 +3282,62 @@ sub combine_dports {
|
||||
\@rules;
|
||||
}
|
||||
|
||||
#
|
||||
# Delete duplicate rules from the passed chain.
|
||||
#
|
||||
# The arguments are a reference to the chain followed by references to each
|
||||
# of its rules.
|
||||
#
|
||||
sub delete_duplicates {
|
||||
my @rules;
|
||||
my $chainref = shift;
|
||||
my $lastrule = @_;
|
||||
my $baseref = pop;
|
||||
my $ruleref;
|
||||
my $duplicate = 0;
|
||||
|
||||
while ( @_ && ! $duplicate ) {
|
||||
{
|
||||
my $ports1;
|
||||
my @keys1 = sort( keys( %$baseref ) );
|
||||
my $rulenum = @_;
|
||||
my $duplicate = 0;
|
||||
|
||||
RULE:
|
||||
|
||||
while ( --$rulenum >= 0 ) {
|
||||
$ruleref = $_[$rulenum];
|
||||
|
||||
my @keys2 = sort(keys( %$ruleref ) );
|
||||
|
||||
next unless @keys1 == @keys2 ;
|
||||
|
||||
my $keynum = 0;
|
||||
|
||||
for my $key ( @keys1 ) {
|
||||
next RULE unless $key eq $keys2[$keynum++];
|
||||
next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
|
||||
}
|
||||
|
||||
$duplicate = 1;
|
||||
}
|
||||
|
||||
if ( $duplicate ) {
|
||||
trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
|
||||
} else {
|
||||
unshift @rules, $baseref;
|
||||
}
|
||||
|
||||
$baseref = pop @_;
|
||||
$lastrule--;
|
||||
}
|
||||
}
|
||||
|
||||
unshift @rules, $baseref if $baseref;
|
||||
|
||||
\@rules;
|
||||
}
|
||||
|
||||
sub optimize_level16( $$$ ) {
|
||||
my ( $table, $tableref , $passes ) = @_;
|
||||
my @chains = ( grep $_->{referenced}, values %{$tableref} );
|
||||
@ -3290,11 +3346,23 @@ sub optimize_level16( $$$ ) {
|
||||
|
||||
progress_message "\n Table $table pass $passes, $chains referenced user chains, level 16...";
|
||||
|
||||
if ( $table eq 'raw' ) {
|
||||
#
|
||||
# Helpers in rules have the potential for generating lots of duplicate iptables rules
|
||||
# in the raw table. This step eliminates those duplicates
|
||||
#
|
||||
for my $chainref ( @chains ) {
|
||||
$chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} );
|
||||
}
|
||||
|
||||
$passes++;
|
||||
}
|
||||
|
||||
for my $chainref ( @chains ) {
|
||||
$chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} );
|
||||
}
|
||||
|
||||
$passes++;
|
||||
++$passes;
|
||||
}
|
||||
|
||||
#
|
||||
|
Loading…
Reference in New Issue
Block a user