Allow OPTIMIZE=All

- Remove use of the literal 4096 from OPTIMIZE checks.
- Move constant declarations to the Config module.
- Document that level 1 is ignored when level 4 is specified.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-07-29 10:08:35 -07:00
parent e0a222938a
commit 83d1aa6682
13 changed files with 58 additions and 31 deletions


@ -123,10 +123,6 @@ our %EXPORT_TAGS = (
ALL_RESTRICT ALL_RESTRICT
ALL_COMMANDS ALL_COMMANDS
NOT_RESTORE NOT_RESTORE
OPTIMIZE_POLICY_MASK
OPTIMIZE_POLICY_MASK2n4
OPTIMIZE_RULESET_MASK
OPTIMIZE_MASK
unreachable_warning unreachable_warning
state_match state_match
@ -453,17 +449,6 @@ our $ipset_rules;
# #
use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 }; use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
#
# Optimization masks
#
use constant {
OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains()
OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
};
use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 }; use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
our %dscpmap = ( CS0 => 0x00, our %dscpmap = ( CS0 => 0x00,
@ -1226,7 +1211,6 @@ sub push_rule( $$ ) {
my $ruleref = transform_rule( $_[1], $complete ); my $ruleref = transform_rule( $_[1], $complete );
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment; $ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel}; $ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
push @{$chainref->{rules}}, $ruleref; push @{$chainref->{rules}}, $ruleref;
@ -1957,7 +1941,7 @@ sub use_forward_chain($$) {
my $interfaceref = find_interface($interface); my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets}; my $nets = $interfaceref->{nets};
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 ); return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
# #
# Use it if we already have jumps to it # Use it if we already have jumps to it
# #
@ -2033,7 +2017,7 @@ sub use_input_chain($$) {
my $interfaceref = find_interface($interface); my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets}; my $nets = $interfaceref->{nets};
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 ); return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
# #
# We must use the interfaces's chain if the interface is associated with multiple Zones # We must use the interfaces's chain if the interface is associated with multiple Zones
# #
@ -2113,7 +2097,7 @@ sub use_output_chain($$) {
my $interfaceref = find_interface($interface); my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets}; my $nets = $interfaceref->{nets};
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 ); return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
# #
# We must use the interfaces's chain if the interface is associated with multiple Zones # We must use the interfaces's chain if the interface is associated with multiple Zones
# #
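Review bot: The `use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK }` declaration and its export are removed in the first two hunks, but the constant block this commit adds to Config.pm does not re-declare OPTIMIZE_MASK; if any remaining code still references it, that is likely to fail at compile time under strict as a bareword rather than surface at runtime. Either confirm nothing uses it, or re-add it in Config.pm next to OPTIMIZE_ALL as its own declaration, `use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };`, since names in a single `use constant` block cannot refer to one another. The OPTIMIZE_USE_FIRST checks in use_forward_chain, use_input_chain and use_output_chain read as intended, but they only compile if OPTIMIZE_USE_FIRST is in the list Chains.pm imports from Shorewall::Config, which this page does not show. Those three subs, and push_rule, begin and end outside their hunks.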


@ -199,6 +199,12 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
CONFIG_CONTINUATION CONFIG_CONTINUATION
DO_INCLUDE DO_INCLUDE
NORMAL_READ NORMAL_READ
OPTIMIZE_POLICY_MASK
OPTIMIZE_POLICY_MASK2n4
OPTIMIZE_RULESET_MASK
OPTIMIZE_USE_FIRST
OPTIMIZE_ALL
) , ] , ) , ] ,
protocols => [ qw ( protocols => [ qw (
TCP TCP
@ -411,6 +417,17 @@ use constant {
SCTP => 132, SCTP => 132,
UDPLITE => 136, UDPLITE => 136,
}; };
#
# Optimization masks
#
use constant {
OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains()
OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
OPTIMIZE_ALL => 0x1F , # Maximum value for documented categories.
OPTIMIZE_USE_FIRST => 0x1000 # Always use interface 'first' chains -- undocumented
};
our %helpers = ( amanda => UDP, our %helpers = ( amanda => UDP,
ftp => TCP, ftp => TCP,
@ -5659,9 +5676,15 @@ sub get_configuration( $$$$ ) {
$config{$default} = 'none' if "\L$config{$default}" eq 'none'; $config{$default} = 'none' if "\L$config{$default}" eq 'none';
} }
if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
$config{OPTIMIZE} = $val = OPTIMIZE_ALL;
} elsif ( $val =~ /^none$/i ) {
$config{OPTIMIZE} = $val = 0;
} else {
$val = numeric_value $config{OPTIMIZE}; $val = numeric_value $config{OPTIMIZE};
fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 31; fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ~OPTIMIZE_USE_FIRST ) <= OPTIMIZE_ALL;
}
require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16; require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;
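Review bot: `OPTIMIZE_ALL => 0x1F` is a hand-maintained literal that silently drifts if a new category is ever added to OPTIMIZE_RULESET_MASK, and it also serves as the upper bound of the validity check in get_configuration, so both would go stale together. Deriving it from the masks in a separate declaration keeps them in step: `use constant { OPTIMIZE_ALL => 1 | OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };` (it has to be a separate `use constant`, because names in the same block are not yet defined when the block is evaluated). The comment on OPTIMIZE_ALL should also state that All deliberately excludes the undocumented bit, e.g. `# All documented categories; does not include OPTIMIZE_USE_FIRST`, since that is what makes the `( $val & ~OPTIMIZE_USE_FIRST ) <= OPTIMIZE_ALL` check accept 4096 on its own. In get_configuration, `/^all$/i` and `/^none$/i` also match a value with a trailing newline; `/\Aall\z/i` and `/\Anone\z/i` are the exact forms, harmless only if the value is already chomped upstream. get_configuration begins and ends outside the hunk.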


@ -2434,7 +2434,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
fatal_error "Rules may not override a NONE policy"; fatal_error "Rules may not override a NONE policy";
} }
# #
# Handle Optimization # Handle Optimization level 1 when specified alone
# #
if ( $optimize == 1 && $section == NEW_SECTION ) { if ( $optimize == 1 && $section == NEW_SECTION ) {
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel}; my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
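Review bot: The reworded comment says level 1 is handled "when specified alone", and the unchanged condition `$optimize == 1` does test for exactly 1, so if $optimize holds the raw OPTIMIZE bitmask then level 1 is dropped whenever any other category is set (OPTIMIZE=3, 9, 17, ...), not only when level 4 is selected as the documentation hunks added in this commit state. The assignment to $optimize is outside the hunk, so I cannot confirm whether it has already been masked down to bits 1 and 4. If it is the raw value, either the new docs should say "ignored when any other optimization category is selected" or the test should become `if ( ( $optimize & 1 ) && ! ( $optimize & 4 ) && $section == NEW_SECTION ) {` to match the documented rule. process_rule begins and ends outside the hunk.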


@ -190,7 +190,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No NULL_ROUTE_RFC1918=No
OPTIMIZE=31 OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No


@ -201,7 +201,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No NULL_ROUTE_RFC1918=No
OPTIMIZE=31 OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No


@ -199,7 +199,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No NULL_ROUTE_RFC1918=No
OPTIMIZE=31 OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No


@ -202,7 +202,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No NULL_ROUTE_RFC1918=No
OPTIMIZE=31 OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No


@ -1755,6 +1755,10 @@ LOG:info:,bar net fw</programlisting>
of two. To enable multiple optimization categories, simply add their of two. To enable multiple optimization categories, simply add their
corresponding numbers together.</para> corresponding numbers together.</para>
<para>Beginning with Shorewall 4.5.20, you may specify OPTIMIZE=All
to enable all optimization categories, and you may also specify
OPTIMIZE=None to disable optimization.</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Optimization category 1 - Traditionally, Shorewall has <para>Optimization category 1 - Traditionally, Shorewall has
@ -1774,6 +1778,12 @@ LOG:info:,bar net fw</programlisting>
or DEST column). A wildcard rule is considered to be redundant or DEST column). A wildcard rule is considered to be redundant
when it has the same ACTION and Log Level as the applicable when it has the same ACTION and Log Level as the applicable
policy.</para> policy.</para>
<note>
<para>Optimization level 1 is ignored when optimization level
4 is also selected, since level 4 performs similar
optimizations in a more robust way.</para>
</note>
</listitem> </listitem>
<listitem> <listitem>


@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
OPTIMIZE=31 OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No


@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
OPTIMIZE=31 OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No


@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
OPTIMIZE=31 OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No


@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60 MUTEX_TIMEOUT=60
OPTIMIZE=31 OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No OPTIMIZE_ACCOUNTING=No


@ -1516,6 +1516,10 @@ LOG:info:,bar net fw</programlisting>
of two. To enable multiple optimization categories, simply add their of two. To enable multiple optimization categories, simply add their
corresponding numbers together.</para> corresponding numbers together.</para>
<para>Beginning with Shorewall 4.5.20, you may specify OPTIMIZE=All
to enable all optimization categories, and you may also specify
OPTIMIZE=None to disable optimization.</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>Optimization category 1 - Traditionally, Shorewall has <para>Optimization category 1 - Traditionally, Shorewall has
@ -1535,6 +1539,12 @@ LOG:info:,bar net fw</programlisting>
or DEST column). A wildcard rule is considered to be redundant or DEST column). A wildcard rule is considered to be redundant
when it has the same ACTION and Log Level as the applicable when it has the same ACTION and Log Level as the applicable
policy.</para> policy.</para>
<note>
<para>Optimization level 1 is ignored when optimization level
4 is also selected, since level 4 performs similar
optimizations in a more robust way.</para>
</note>
</listitem> </listitem>
<listitem> <listitem>