mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-23 16:13:18 +01:00
More performance tweaks
This commit is contained in:
Tom Eastep
parent
787a1867a0
commit
90b0bedc43
@ -784,9 +784,12 @@ sub use_input_chain($) {
|
||||
my $interfaceref = find_interface($interface);
|
||||
my $nets = $interfaceref->{nets};
|
||||
#
|
||||
# We must use the interfaces's chain if the interface is associated with multiple zone nets or
|
||||
# if the interface has the 'upnpclient' option. In the latter case, the chain's rules will contain
|
||||
# run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
|
||||
# We must use the interfaces's chain if:
|
||||
#
|
||||
# - the interface is associated with multiple zone nets; or
|
||||
# - the interface has the 'upnpclient' option.
|
||||
#
|
||||
# In the latter case, the chain's rules will contain run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
|
||||
#
|
||||
return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
|
||||
#
|
||||
@ -1009,9 +1012,7 @@ sub ensure_mangle_chain($) {
|
||||
my $chain = $_[0];
|
||||
|
||||
my $chainref = ensure_chain 'mangle', $chain;
|
||||
|
||||
$chainref->{referenced} = 1;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
|
||||
@ -1019,9 +1020,7 @@ sub ensure_nat_chain($) {
|
||||
my $chain = $_[0];
|
||||
|
||||
my $chainref = ensure_chain 'nat', $chain;
|
||||
|
||||
$chainref->{referenced} = 1;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
|
||||
@ -1075,7 +1074,7 @@ sub ensure_manual_chain($) {
|
||||
}
|
||||
|
||||
#
|
||||
# Add all builtin chains to the chain table
|
||||
# Add all builtin chains to the chain table -- it is separate from initialize() for purely historical reasons.
|
||||
#
|
||||
#
|
||||
sub initialize_chain_table()
|
||||
@ -1357,6 +1356,8 @@ sub port_count( $ ) {
|
||||
#
|
||||
# Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string.
|
||||
#
|
||||
# If the optional argument is true, port lists > 15 result in a fatal error.
|
||||
#
|
||||
sub do_proto( $$$;$ )
|
||||
{
|
||||
my ($proto, $ports, $sports, $restricted ) = @_;
|
||||
|
||||
@ -80,6 +80,12 @@ our $VERSION = '4.3_7';
|
||||
our @allipv4 = ( '0.0.0.0/0' );
|
||||
our @allipv6 = ( '::/0' );
|
||||
our $family;
|
||||
our $allip;
|
||||
our $valid_address;
|
||||
our $validate_address;
|
||||
our $validate_net;
|
||||
our $validate_range;
|
||||
our $validate_host;
|
||||
|
||||
use constant { ALLIPv4 => '0.0.0.0/0' ,
|
||||
ALLIPv6 => '::/0' ,
|
||||
@ -101,20 +107,10 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
|
||||
|
||||
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
|
||||
|
||||
#
|
||||
# Rather than initializing globals in an INIT block or during declaration,
|
||||
# we initialize them in a function. This is done for two reasons:
|
||||
#
|
||||
# 1. Proper initialization depends on the address family which isn't
|
||||
# known until the compiler has started.
|
||||
#
|
||||
# 2. The compiler can run multiple times in the same process so it has to be
|
||||
# able to re-initialize its dependent modules' state.
|
||||
#
|
||||
sub initialize( $ ) {
|
||||
$family = shift;
|
||||
}
|
||||
|
||||
#
|
||||
# Note: initialize() is declared at the bottom of the file
|
||||
#
|
||||
sub vlsm_to_mask( $ ) {
|
||||
my $vlsm = $_[0];
|
||||
|
||||
@ -626,31 +622,61 @@ sub validate_icmp6( $ ) {
|
||||
}
|
||||
|
||||
sub ALLIP() {
|
||||
$family == F_IPV4 ? ALLIPv4 : ALLIPv6;
|
||||
$allip;
|
||||
}
|
||||
|
||||
sub allip() {
|
||||
$family == F_IPV4 ? ALLIPv4 : ALLIPv6;
|
||||
$allip;
|
||||
}
|
||||
|
||||
sub valid_address ( $ ) {
|
||||
$family == F_IPV4 ? valid_4address( $_[0] ) : valid_6address( $_[0] );
|
||||
$valid_address->(@_);
|
||||
}
|
||||
|
||||
sub validate_address ( $$ ) {
|
||||
$family == F_IPV4 ? validate_4address( $_[0], $_[1] ) : validate_6address( $_[0], $_[1] );
|
||||
$validate_address->(@_);
|
||||
}
|
||||
|
||||
sub validate_net ( $$ ) {
|
||||
$family == F_IPV4 ? validate_4net( $_[0], $_[1] ) : validate_6net( $_[0], $_[1] );
|
||||
$validate_net->(@_);
|
||||
}
|
||||
|
||||
sub validate_range ($$ ) {
|
||||
$family == F_IPV4 ? validate_4range( $_[0], $_[1] ) : validate_6range( $_[0], $_[1] );
|
||||
$validate_range->(@_);
|
||||
}
|
||||
|
||||
sub validate_host ($$ ) {
|
||||
$family == F_IPV4 ? validate_4host( $_[0], $_[1] ) : validate_6host( $_[0], $_[1] );
|
||||
$validate_host->(@_);
|
||||
}
|
||||
|
||||
#
|
||||
# Rather than initializing globals in an INIT block or during declaration,
|
||||
# we initialize them in a function. This is done for two reasons:
|
||||
#
|
||||
# 1. Proper initialization depends on the address family which isn't
|
||||
# known until the compiler has started.
|
||||
#
|
||||
# 2. The compiler can run multiple times in the same process so it has to be
|
||||
# able to re-initialize its dependent modules' state.
|
||||
#
|
||||
sub initialize( $ ) {
|
||||
$family = shift;
|
||||
|
||||
if ( $family == F_IPV4 ) {
|
||||
$allip = ALLIPv4;
|
||||
$valid_address = \&valid_4address;
|
||||
$validate_address = \&validate_4address;
|
||||
$validate_net = \&validate_4net;
|
||||
$validate_range = \&validate_4range;
|
||||
$validate_host = \&validate_4host;
|
||||
} else {
|
||||
$allip = ALLIPv6;
|
||||
$valid_address = \&valid_6address;
|
||||
$validate_address = \&validate_6address;
|
||||
$validate_net = \&validate_6net;
|
||||
$validate_range = \&validate_6range;
|
||||
$validate_host = \&validate_6host;
|
||||
}
|
||||
}
|
||||
|
||||
1;
|
||||
|
||||
Loading…
Reference in New Issue
Block a user