From bc08ff1e36c9b3b467f715a764fa2615b2da8ae2 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 23 Aug 2010 15:59:09 -0700
Subject: [PATCH] Fix a couple of optimization bugs
---
 Shorewall/Perl/Shorewall/Chains.pm | 31 +++++++++++++++---------------
 Shorewall/changelog.txt | 4 ++++
 Shorewall/releasenotes.txt | 20 +++++++++++++++++--
 3 files changed, 38 insertions(+), 17 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 91f6cf047..853451373 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -687,7 +687,7 @@ sub delete_jumps ( $$ ) {
 # deleting elements from the array over which we are iterating.
 #
 for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) {
- if ( $rules->[$rule] =~ / -[gj] ${to}\s*$/ ) {
+ if ( $rules->[$rule] =~ / -[gj] ${to}( -m comment .*)?\s*$/ ) {
 trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug;
 splice( @$rules, $rule, 1 );
 last unless --$refs > 0;
@@ -3117,17 +3117,6 @@ sub expand_rule( $$$$$$$$$$;$ )
 } elsif ( $disposition eq 'LOG' ) {
 fatal_error "LOG requires a level";
 }
- #
- # Mark Target as referenced, if it's a chain
- #
- if ( $target =~ /-[jg]\s+([^\s]+)/ ) {
- my $targetref = $chain_table{$chainref->{table}}{$1};
- if ( $targetref ) {
- $targetref->{referenced} = 1;
- add_reference $chainref, $targetref;
- }
- }
-
 #
 # Isolate Source Interface, if any
 #
@@ -3397,6 +3386,8 @@ sub expand_rule( $$$$$$$$$$;$ )
 fatal_error "SOURCE interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && ( $inets ne ALLIP || $iexcl || $trivialiexcl);
 fatal_error "DEST interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && ( $dnets ne ALLIP || $dexcl || $trivialdexcl);
 
+ my $fromref;
+
 if ( $iexcl || $dexcl || $oexcl ) {
 #
 # We have non-trivial exclusion -- need to create an exclusion chain
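Review bot: On the changed line `${to}` is interpolated into the pattern unescaped, so if any chain name can carry a regex metacharacter the test matches other chain names as well and splices out a jump to the wrong chain — a silently missing firewall rule rather than a hard failure at iptables-restore time; `/ -[gj] \Q$to\E( -m comment .*)?\s*$/` closes that off at no cost. The new optional group also accepts anything at all after `-m comment`, so the predicate is no longer "the jump is the last thing on the rule"; if add_rule always renders the comment as `--comment "..."`, narrowing it to `( -m comment --comment "[^"]*")?` keeps the match specific, but how the comment is rendered is not visible from this hunk, so confirm that first. delete_jumps starts and ends outside this hunk.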
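Review bot: The new `my $fromref;` in the third hunk carries no comment, yet it is the flag that later decides whether the jump's target is reference-counted at all, and it is only assigned inside add_rule argument lists much further down the function; a one-line comment here saves the next reader the hunt: `my $fromref; # chain the final -j/-g rule was actually added to; stays undef when no jump is emitted (e.g. LOG)`. The assignment sites are in later hunks of this file, and expand_rule begins before and continues after this hunk.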
@@ -3438,7 +3429,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 #
 # Generate Final Rule
 #
- add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
+ add_rule( $fromref = $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
 } else {
 #
 # No exclusions
@@ -3478,7 +3469,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 'add',
 $matches );
 
- add_rule( $chainref, $matches . $target, 1 );
+ add_rule( $fromref = $chainref, $matches . $target, 1 );
 }
 } else {
 #
@@ -3499,12 +3490,22 @@ sub expand_rule( $$$$$$$$$$;$ )
 #
 # No logging -- add the target rule with matches to the rule chain
 #
- add_rule( $chainref, $matches . $target , 1 );
+ add_rule( $fromref = $chainref, $matches . $target , 1 );
 }
 }
 }
 }
 
+ #
+ # Mark Target as referenced, if it's a chain
+ #
+ if ( $fromref && $target =~ /-[jg]\s+([^\s]+)/ ) {
+ my $targetref = $chain_table{$chainref->{table}}{$1};
+ if ( $targetref ) {
+ $targetref->{referenced} = 1;
+ add_reference $fromref, $targetref;
+ }
+ }
 
 while ( @ends ) {
 decr_cmd_level $chainref;
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index c15375a92..f0880742e 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.12.1
+
+1) Fix optimization bugs.
+
 Changes in Shorewall 4.4.12
 
 1) Fix IPv6 shorecap program.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index ae826cb1a..69b29faa1 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
- S H O R E W A L L 4 . 4 . 1 2
+ S H O R E W A L L 4 . 4 . 1 2 . 1
 ----------------------------------------------------------------------------
 
 I. RELEASE 4.4 HIGHLIGHTS
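Review bot: The relocated reference-marking block at the end of the third hunk still does nothing when `$1` has no entry in `$chain_table{$chainref->{table}}`, so a rule whose target chain is not in the table at that moment leaves the chain unreferenced and the optimizer can later delete it — the same invalid iptables-restore outcome this commit fixes for the exclusion case. Whether a target can be named before its chain exists is not visible here, but an `else` branch with a trace (or a `fatal_error` if it is meant to be impossible) would surface that instead of leaving iptables-restore to reject the result. Separately, `add_rule( $fromref = $chainref, $matches . $target , 1 );` and its two sibling sites hide the bookkeeping inside an argument list; `$fromref = $chainref;` on its own line before each call makes the side effect visible and survives a later reordering of the arguments. expand_rule begins before this hunk and continues after it.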
@@ -10,7 +10,7 @@ V. NEW FEATURES IN THIS RELEASE VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES ---------------------------------------------------------------------------- - I. R E L E A S E 4 . 4 H I G H L I G H T S + I. R E L E A S E 4 . 4 H I G H L I G H T S ---------------------------------------------------------------------------- 1) Support for Shorewall-shell has been discontinued. Shorewall-perl @@ -224,6 +224,22 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E ---------------------------------------------------------------------------- +4.4.12.1 + +1) Under rare circumstances where COMMENT is used to attach comments + to rules, OPTIMIZE 8 through 15 could result in invalid + iptables-restore (ip6tables-restore) input. + + Workaround: Don't use optimizaiton levels greater than 7. + +2) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15 + could result in invalid iptables-restore (ip6tables-restore) input. + + Workaround: Don't use optimizaiton levels greater than 7. + +4.4.12 + + 1) Previously, the Shorewall6-lite version of shorecap was using iptables rather than ip6tables, with the result that many capabilities that are only available in IPv4 were being reported as available.