Unify 'dont_' chain flags

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2012-02-19 14:20:09 -08:00
parent 1896e56894
commit 75d5957020
8 changed files with 93 additions and 64 deletions


@ -322,7 +322,7 @@ sub process_accounting_rule( ) {
} }
} }
dont_optimize( $chainref ) if $target eq 'RETURN'; set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';
if ( $jumpchainref ) { if ( $jumpchainref ) {
if ( $asection ) { if ( $asection ) {
@ -407,7 +407,7 @@ sub setup_accounting() {
} }
if ( $tableref->{accounting} ) { if ( $tableref->{accounting} ) {
dont_optimize( 'accounting' ); set_optflags( 'accounting' , DONT_OPTIMIZE );
for my $chain ( qw/INPUT FORWARD/ ) { for my $chain ( qw/INPUT FORWARD/ ) {
insert_ijump( $tableref->{$chain}, j => 'accounting', 0 ); insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
} }
@ -429,7 +429,7 @@ sub setup_accounting() {
insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 ); insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
} }
} elsif ( $tableref->{accounting} ) { } elsif ( $tableref->{accounting} ) {
dont_optimize( 'accounting' ); set_optflags( 'accounting' , DONT_OPTIMIZE );
for my $chain ( qw/INPUT FORWARD OUTPUT/ ) { for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
insert_ijump( $tableref->{$chain}, j => 'accounting', 0 ); insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
} }
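Review bot: The RETURN case in process_accounting_rule (first hunk) still marks the chain only DONT_OPTIMIZE, while the equivalent RETURN cases in Rules.pm's process_rule1 mark theirs `DONT_MOVE | DONT_OPTIMIZE`. DONT_MOVE is the flag conditionally_copy_rules in Chains.pm checks on a target chain before copying its rules into the caller, so if an accounting chain holding a RETURN can ever be such a target its RETURN would presumably then return from the caller instead; consider `set_optflags( $chainref, DONT_OPTIMIZE | DONT_MOVE ) if $target eq 'RETURN';` unless accounting chains are known never to be copied. process_accounting_rule starts outside the hunk.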


@ -36,6 +36,10 @@ use strict;
our @ISA = qw(Exporter); our @ISA = qw(Exporter);
our @EXPORT = qw( our @EXPORT = qw(
DONT_OPTIMIZE
DONT_DELETE
DONT_MOVE
add_rule add_rule
add_irule add_irule
add_jump add_jump
@ -62,6 +66,11 @@ our @EXPORT = qw(
require_audit require_audit
newlogchain newlogchain
log_rule_limit log_rule_limit
allow_optimize
allow_delete
allow_move
set_optflags
reset_optflags
dont_optimize dont_optimize
dont_delete dont_delete
dont_move dont_move
@ -246,9 +255,7 @@ our $VERSION = 'MODULEVERSION';
# builtin => undef|1 -- If 1, one of Netfilter's built-in chains. # builtin => undef|1 -- If 1, one of Netfilter's built-in chains.
# manual => undef|1 -- If 1, a manual chain. # manual => undef|1 -- If 1, a manual chain.
# accounting => undef|1 -- If 1, an accounting chain # accounting => undef|1 -- If 1, an accounting chain
# dont_optimize=> undef|1 -- Don't optimize away if this chain is 'short' # optflags => <optimization flags>
# dont_delete => undef|1 -- Don't delete if this chain is not referenced
# dont_move => undef|1 -- Don't copy the rules of this chain somewhere else
# log => <logging rule number for use when LOGRULENUMBERS> # log => <logging rule number for use when LOGRULENUMBERS>
# policy => <policy> # policy => <policy>
# policychain => <name of policy chain> -- self-reference if this is a policy chain # policychain => <name of policy chain> -- self-reference if this is a policy chain
@ -360,6 +367,8 @@ use constant {
use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK }; use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4 };
# #
# These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents # These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
# #
@ -1151,7 +1160,7 @@ sub push_matches {
} }
} }
$dont_optimize; DONT_OPTIMIZE if $dont_optimize;
} }
sub push_irule( $$$;@ ) { sub push_irule( $$$;@ ) {
@ -1180,7 +1189,7 @@ sub push_irule( $$$;@ ) {
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
unless ( $ruleref->{simple} = ! @matches ) { unless ( $ruleref->{simple} = ! @matches ) {
$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches ); $chainref->{optflags} |= push_matches( $ruleref, @matches );
} }
push @{$chainref->{rules}}, $ruleref; push @{$chainref->{rules}}, $ruleref;
@ -1294,7 +1303,7 @@ sub insert_irule( $$$$;@ ) {
} }
unless ( $ruleref->{simple} = ! @matches ) { unless ( $ruleref->{simple} = ! @matches ) {
$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches ); $chainref->{optflags} |= push_matches( $ruleref, @matches );
} }
if ( $comment ) { if ( $comment ) {
@ -1867,7 +1876,8 @@ sub new_chain($$)
log => 1, log => 1,
cmdlevel => 0, cmdlevel => 0,
references => {}, references => {},
filtered => 0 filtered => 0,
optflags => 0,
}; };
trace( $chainref, 'N', undef, '' ) if $debug; trace( $chainref, 'N', undef, '' ) if $debug;
@ -1928,7 +1938,7 @@ sub add_jump( $$$;$$$ ) {
my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j'; my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';
$fromref->{dont_optimize} = 1 if $predicate =~ /! -[piosd] /; $fromref->{optflags} |= DONT_OPTIMIZE if $predicate =~ /! -[piosd] /;
if ( defined $index ) { if ( defined $index ) {
assert( ! $expandports ); assert( ! $expandports );
@ -2052,49 +2062,70 @@ sub delete_jumps ( $$ ) {
} }
} }
# sub reset_optflags( $$ ) {
# Set the dont_optimize flag for a chain my ( $chain, $flags ) = @_;
#
sub dont_optimize( $ ) {
my $chain = shift;
my $chainref = reftype $chain ? $chain : $filter_table->{$chain}; my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
$chainref->{dont_optimize} = 1; $chainref->{optflags} ^= $flags;
trace( $chainref, '!O', undef, '' ) if $debug;
$chainref;
}
sub set_optflags( $$ ) {
my ( $chain, $flags ) = @_;
my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
$chainref->{optflags} |= $flags;
trace( $chainref, '!O', undef, '' ) if $debug; trace( $chainref, '!O', undef, '' ) if $debug;
$chainref; $chainref;
} }
#
# Reset the dont_optimize flag for a chain
#
sub allow_optimize( $ ) {
reset_optflags( shift, DONT_OPTIMIZE );
}
#
# Reset the dont_delete flags for a chain
#
sub allow_delete( $ ) {
reset_optflags( shift, DONT_DELETE );
}
#
# Reset the dont_move flag for a chain
#
sub allow_move( $ ) {
reset_optflags( shift, DONT_MOVE );
}
#
# Set the dont_optimize flag for a chain
#
sub dont_optimize( $ ) {
set_optflags( shift, DONT_OPTIMIZE );
}
# #
# Set the dont_optimize and dont_delete flags for a chain # Set the dont_optimize and dont_delete flags for a chain
# #
sub dont_delete( $ ) { sub dont_delete( $ ) {
my $chain = shift; set_optflags( shift, DONT_OPTIMIZE | DONT_DELETE );
my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
$chainref->{dont_optimize} = $chainref->{dont_delete} = 1;
trace( $chainref, '!OD', undef, '' ) if $debug;
$chainref;
} }
# #
# Set the dont_move flag for a chain # Set the dont_move flag for a chain
# #
sub dont_move( $ ) { sub dont_move( $ ) {
my $chain = shift; set_optflags( shift, DONT_MOVE );
my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
$chainref->{dont_move} = 1;
trace( $chainref, '!M', undef, '' ) if $debug;
$chainref;
} }
# #
@ -2136,7 +2167,7 @@ sub ensure_accounting_chain( $$$ )
$chainref->{restriction} = $restriction; $chainref->{restriction} = $restriction;
$chainref->{restricted} = NO_RESTRICT; $chainref->{restricted} = NO_RESTRICT;
$chainref->{ipsec} = $ipsec; $chainref->{ipsec} = $ipsec;
$chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING}; $chainref->{optflags} |= DONT_OPTIMIZE unless $config{OPTIMIZE_ACCOUNTING};
unless ( $chain eq 'accounting' ) { unless ( $chain eq 'accounting' ) {
my $file = find_file $chain; my $file = find_file $chain;
@ -2208,7 +2239,7 @@ sub new_builtin_chain($$$)
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref->{policy} = $policy; $chainref->{policy} = $policy;
$chainref->{builtin} = 1; $chainref->{builtin} = 1;
$chainref->{dont_delete} = 1; $chainref->{optflags} = DONT_DELETE;
$chainref; $chainref;
} }
@ -2636,7 +2667,7 @@ sub conditionally_copy_rules( $$ ) {
my $targetref = $chain_table{$chainref->{table}}{$basictarget}; my $targetref = $chain_table{$chainref->{table}}{$basictarget};
if ( $targetref && ! $targetref->{dont_move} ) { if ( $targetref && ! ( $targetref->{optflags} & DONT_MOVE ) ) {
# #
# Move is safe -- start with an empty rule list # Move is safe -- start with an empty rule list
# #
@ -2678,7 +2709,7 @@ sub optimize_level0() {
# #
# If the chain isn't branched to, then delete it # If the chain isn't branched to, then delete it
# #
unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) { unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
delete_chain $chainref if $chainref->{referenced}; delete_chain $chainref if $chainref->{referenced};
} }
} }
@ -2696,7 +2727,7 @@ sub optimize_level4( $$ ) {
# When a chain with a single entry is found, replace it's references by its contents # When a chain with a single entry is found, replace it's references by its contents
# #
# The search continues until no short chains remain # The search continues until no short chains remain
# Chains with 'dont_optimize = 1' are exempted from optimization # Chains with 'DONT_OPTIMIZE' are exempted from optimization
# #
while ( $progress ) { while ( $progress ) {
$progress = 0; $progress = 0;
@ -2708,15 +2739,16 @@ sub optimize_level4( $$ ) {
progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a..."; progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";
for my $chainref ( @chains ) { for my $chainref ( @chains ) {
my $optflags = $chainref->{optflags};
# #
# If the chain isn't branched to, then delete it # If the chain isn't branched to, then delete it
# #
unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) { unless ( ( $optflags & DONT_DELETE ) || keys %{$chainref->{references}} ) {
delete_chain $chainref if $chainref->{referenced}; delete_chain $chainref if $chainref->{referenced};
next; next;
} }
unless ( $chainref->{dont_optimize} ) { unless ( $optflags & DONT_OPTIMIZE ) {
my $numrules = @{$chainref->{rules}}; my $numrules = @{$chainref->{rules}};
if ( $numrules == 0 ) { if ( $numrules == 0 ) {
@ -2727,7 +2759,7 @@ sub optimize_level4( $$ ) {
# #
# Built-in -- mark it 'dont_optimize' so we ignore it in follow-on passes # Built-in -- mark it 'dont_optimize' so we ignore it in follow-on passes
# #
$chainref->{dont_optimize} = 1; $chainref->{optflags} |= DONT_OPTIMIZE;
} else { } else {
# #
# Not a built-in -- we can delete it and it's references # Not a built-in -- we can delete it and it's references
@ -2758,7 +2790,7 @@ sub optimize_level4( $$ ) {
# #
# Target was a built-in. Ignore this chain in follow-on passes # Target was a built-in. Ignore this chain in follow-on passes
# #
$chainref->{dont_optimize} = 1; $chainref->{optflags} |= DONT_OPTIMIZE;
} }
} else { } else {
# #
@ -2774,9 +2806,9 @@ sub optimize_level4( $$ ) {
if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) { if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
# #
# This case requires a new rule merging algorithm. Ignore this chain for # This case requires a new rule merging algorithm. Ignore this chain for
# now. # now on.
# #
$chainref->{dont_optimize} = 1; $chainref->{optflags} |= DONT_OPTIMIZE;
} else { } else {
# #
# Replace references to this chain with the target and add the matches # Replace references to this chain with the target and add the matches
@ -2866,7 +2898,7 @@ sub optimize_level8( $$$ ) {
# #
for my $chainref1 ( @chains1 ) { for my $chainref1 ( @chains1 ) {
next unless @{$chainref1->{rules}}; next unless @{$chainref1->{rules}};
next if $chainref1->{dont_delete}; next if $chainref1->{optflags} & DONT_DELETE;
if ( $chainref->{digest} eq $chainref1->{digest} ) { if ( $chainref->{digest} eq $chainref1->{digest} ) {
progress_message " Chain $chainref1->{name} combined with $chainref->{name}"; progress_message " Chain $chainref1->{name} combined with $chainref->{name}";
replace_references $chainref1, $chainref->{name}, undef; replace_references $chainref1, $chainref->{name}, undef;
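Review bot: reset_optflags (the new sub at the start of the delete_jumps hunk) clears flags with `^=`, which toggles rather than clears, so allow_optimize/allow_delete/allow_move on a chain that does not already carry the flag will set it. The "Reset the dont_* flag" comments on those wrappers and the unconditional `= 0` assignments this commit replaces in the Invalid and NotSyn actions both call for an unconditional clear, i.e. `$chainref->{optflags} &= ~$flags;`. Separately, the tail of push_matches, `DONT_OPTIMIZE if $dont_optimize;`, returns the condition itself when it is false, and the callers `|=` that into optflags; `$dont_optimize ? DONT_OPTIMIZE : 0` would avoid an uninitialized-value warning if $dont_optimize starts out undef (its declaration is outside the hunk).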


@ -216,8 +216,8 @@ sub setup_blacklist() {
# for 'refresh' to work properly. # for 'refresh' to work properly.
# #
if ( @$zones || @$zones1 ) { if ( @$zones || @$zones1 ) {
$chainref = dont_delete new_standard_chain 'blacklst' if @$zones; $chainref = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1; $chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
if ( supplied $level ) { if ( supplied $level ) {
$target = ensure_blacklog_chain ( $target, $disposition, $level, $audit ); $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
@ -695,9 +695,9 @@ sub add_common_rules ( $ ) {
my $rejectref = $filter_table->{reject}; my $rejectref = $filter_table->{reject};
if ( $config{DYNAMIC_BLACKLIST} ) { if ( $config{DYNAMIC_BLACKLIST} ) {
add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ), '' , 'DROP' , $level ; add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level );
add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ; add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level );
$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) ); $dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE );
add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' ); add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
} }
@ -994,7 +994,7 @@ sub add_common_rules ( $ ) {
if ( @$list ) { if ( @$list ) {
progress_message2 "$doing UPnP"; progress_message2 "$doing UPnP";
$chainref = dont_optimize new_nat_chain( 'UPnP' ); $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' ); add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
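Review bot: The four hand-written `DONT_OPTIMIZE | DONT_DELETE` call sites in setup_blacklist and add_common_rules re-spell what the retained `dont_delete` wrapper in Chains.pm still encodes (exactly those two flags), so the rule that a non-deletable chain must also not be optimized now lives in two places. Keeping `dont_delete( new_standard_chain( 'blacklst' ) )` and friends, or at least adding `# must survive optimization and deletion so 'refresh' can find the chain` next to them, would keep that invariant in one spot. Both enclosing subs extend beyond their hunks.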


@ -160,9 +160,7 @@ sub setup_route_marking() {
my $chainref2 = new_chain( 'mangle', load_chain( $physical ) ); my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
dont_optimize $chainref2; set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
dont_move $chainref2;
dont_delete $chainref2;
add_ijump ( $chainref1, add_ijump ( $chainref1,
j => $chainref2 , j => $chainref2 ,


@ -963,7 +963,7 @@ sub createlogactionchain( $$$$$ ) {
unless ( $targets{$action} & BUILTIN ) { unless ( $targets{$action} & BUILTIN ) {
dont_optimize $chainref; set_optflags( $chainref, DONT_OPTIMIZE );
my $file = find_file $chain; my $file = find_file $chain;
@ -997,7 +997,7 @@ sub createsimpleactionchain( $ ) {
unless ( $targets{$action} & BUILTIN ) { unless ( $targets{$action} & BUILTIN ) {
dont_optimize $chainref; set_optflags( $chainref, DONT_OPTIMIZE );
my $file = find_file $action; my $file = find_file $action;
@ -1306,7 +1306,7 @@ sub allowInvalid ( $$$$ ) {
} }
sub forwardUPnP ( $$$$ ) { sub forwardUPnP ( $$$$ ) {
my $chainref = dont_optimize 'forwardUPnP'; my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' ); add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
} }
@ -2238,7 +2238,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
} }
} }
dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN'; set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
expand_rule( $nonat_chain , expand_rule( $nonat_chain ,
PREROUTE_RESTRICT , PREROUTE_RESTRICT ,
@ -2262,7 +2262,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
$action = $usedactions{$normalized_target}{name}; $action = $usedactions{$normalized_target}{name};
$loglevel = ''; $loglevel = '';
} else { } else {
dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN'; set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN';
} }
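Review bot: The two `DONT_MOVE | DONT_OPTIMIZE` lines guarded by `$tgt eq 'RETURN'` / `$action eq 'RETURN'` in process_rule1 carry no explanation of why a RETURN needs both flags now that the flags are plain bit constants. A comment such as `# a RETURN must stay in this chain: don't collapse it (DONT_OPTIMIZE) and don't copy its rules into callers (DONT_MOVE)` would help; that is presumably the rationale, please confirm. process_rule1 extends beyond both hunks.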
if ( $origdest ) { if ( $origdest ) {


@ -1915,7 +1915,6 @@ sub validate_hosts_file()
$have_ipsec = $ipsec || haveipseczones; $have_ipsec = $ipsec || haveipseczones;
$_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones; $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
} }
# #


@ -49,7 +49,7 @@ my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne ''; log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID "; add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
$chainref->{dont_optimize} = 0; allow_optimize( $chainref );
1; 1;
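Review bot: `allow_optimize( $chainref )` replaces an unconditional `$chainref->{dont_optimize} = 0`, but because reset_optflags in Chains.pm is written with `^=`, it toggles: the add_jump just above only sets DONT_OPTIMIZE for a negated `-p/-i/-o/-s/-d` predicate, which `"$globals{STATEMATCH} INVALID "` is not, so if the flag is clear at this point the call now sets it, the opposite of the original. The line itself is right once reset_optflags clears with `&= ~$flags`; until then this is a behaviour change. The enclosing action body starts outside the hunk.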


@ -49,7 +49,7 @@ my $target = require_audit ( $action , $audit );
log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne ''; log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
add_jump $chainref , $target, 0, '-p 6 ! --syn '; add_jump $chainref , $target, 0, '-p 6 ! --syn ';
$chainref->{dont_optimize} = 0; allow_optimize( $chainref );
1; 1;
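Review bot: `allow_optimize( $chainref )` here depends on reset_optflags in Chains.pm clearing the bit, but that sub uses `^=`, so when DONT_OPTIMIZE is not already set (the preceding add_jump sets it only for a negated `-p/-i/-o/-s/-d` predicate, and `'-p 6 ! --syn '` does not match) this call sets the flag instead of clearing it as the replaced `= 0` did. Fixing reset_optflags to `&= ~$flags` makes this line correct; until then the chain may end up non-optimizable. The enclosing action body starts outside the hunk.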