Fix a couple of optimization bugs

This commit is contained in:
Tom Eastep 2010-08-23 15:59:09 -07:00
parent 807ef11c36
commit bc08ff1e36
3 changed files with 38 additions and 17 deletions


@ -687,7 +687,7 @@ sub delete_jumps ( $$ ) {
# deleting elements from the array over which we are iterating. # deleting elements from the array over which we are iterating.
# #
for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) { for ( my $rule = 0; $rule <= $#{$rules}; $rule++ ) {
if ( $rules->[$rule] =~ / -[gj] ${to}\s*$/ ) { if ( $rules->[$rule] =~ / -[gj] ${to}( -m comment .*)?\s*$/ ) {
trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug; trace( $fromref, 'D', $rule + 1, $rules->[$rule] ) if $debug;
splice( @$rules, $rule, 1 ); splice( @$rules, $rule, 1 );
last unless --$refs > 0; last unless --$refs > 0;
@ -3117,17 +3117,6 @@ sub expand_rule( $$$$$$$$$$;$ )
} elsif ( $disposition eq 'LOG' ) { } elsif ( $disposition eq 'LOG' ) {
fatal_error "LOG requires a level"; fatal_error "LOG requires a level";
} }
#
# Mark Target as referenced, if it's a chain
#
if ( $target =~ /-[jg]\s+([^\s]+)/ ) {
my $targetref = $chain_table{$chainref->{table}}{$1};
if ( $targetref ) {
$targetref->{referenced} = 1;
add_reference $chainref, $targetref;
}
}
# #
# Isolate Source Interface, if any # Isolate Source Interface, if any
# #
@ -3397,6 +3386,8 @@ sub expand_rule( $$$$$$$$$$;$ )
fatal_error "SOURCE interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && ( $inets ne ALLIP || $iexcl || $trivialiexcl); fatal_error "SOURCE interface may not be specified with a source IP address in the POSTROUTING chain" if $restriction == POSTROUTE_RESTRICT && $iiface && ( $inets ne ALLIP || $iexcl || $trivialiexcl);
fatal_error "DEST interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && ( $dnets ne ALLIP || $dexcl || $trivialdexcl); fatal_error "DEST interface may not be specified with a destination IP address in the PREROUTING chain" if $restriction == PREROUTE_RESTRICT && $diface && ( $dnets ne ALLIP || $dexcl || $trivialdexcl);
my $fromref;
if ( $iexcl || $dexcl || $oexcl ) { if ( $iexcl || $dexcl || $oexcl ) {
# #
# We have non-trivial exclusion -- need to create an exclusion chain # We have non-trivial exclusion -- need to create an exclusion chain
@ -3438,7 +3429,7 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# Generate Final Rule # Generate Final Rule
# #
add_rule( $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG'; add_rule( $fromref = $echainref, $exceptionrule . $target, 1 ) unless $disposition eq 'LOG';
} else { } else {
# #
# No exclusions # No exclusions
@ -3478,7 +3469,7 @@ sub expand_rule( $$$$$$$$$$;$ )
'add', 'add',
$matches ); $matches );
add_rule( $chainref, $matches . $target, 1 ); add_rule( $fromref = $chainref, $matches . $target, 1 );
} }
} else { } else {
# #
@ -3499,12 +3490,22 @@ sub expand_rule( $$$$$$$$$$;$ )
# #
# No logging -- add the target rule with matches to the rule chain # No logging -- add the target rule with matches to the rule chain
# #
add_rule( $chainref, $matches . $target , 1 ); add_rule( $fromref = $chainref, $matches . $target , 1 );
} }
} }
} }
} }
} }
#
# Mark Target as referenced, if it's a chain
#
if ( $fromref && $target =~ /-[jg]\s+([^\s]+)/ ) {
my $targetref = $chain_table{$chainref->{table}}{$1};
if ( $targetref ) {
$targetref->{referenced} = 1;
add_reference $fromref, $targetref;
}
}
while ( @ends ) { while ( @ends ) {
decr_cmd_level $chainref; decr_cmd_level $chainref;
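Review bot: In delete_jumps the chain name `${to}` is interpolated into the regex unescaped, so a name containing a regex metacharacter (`.` or `+`, for instance) can match the wrong rule or none at all, and the `--$refs` bookkeeping then drifts from the rules actually spliced out — exactly the dangling-jump condition that produces invalid iptables-restore input; the safe form is `if ( $rules->[$rule] =~ / -[gj] \Q$to\E( -m comment .*)?\s*$/ ) {`. The new `( -m comment .*)?` group correctly lets a trailing `-m comment` clause no longer hide the jump, but `.*` will also swallow anything after it, so if the emitted rule format ever gains other trailing matches this pattern will silently accept them too. In expand_rule, `$fromref` stays undef in the exclusion branch when `$disposition eq 'LOG'`, so no reference is recorded on that path; that looks intended (LOG is not a chain) but deserves a note at the declaration, e.g. `my $fromref; # chain the final target rule was added to; undef when no rule was emitted (LOG)`. Both delete_jumps and expand_rule begin and end outside these hunks, so any other add_rule path inside expand_rule that bypasses the three assignments shown would leave the reference unrecorded.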


@ -1,3 +1,7 @@
Changes in Shorewall 4.4.12.1
1) Fix optimization bugs.
Changes in Shorewall 4.4.12 Changes in Shorewall 4.4.12
1) Fix IPv6 shorecap program. 1) Fix IPv6 shorecap program.


@ -1,5 +1,5 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 1 2 S H O R E W A L L 4 . 4 . 1 2 . 1
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. RELEASE 4.4 HIGHLIGHTS I. RELEASE 4.4 HIGHLIGHTS
@ -224,6 +224,22 @@ VI. PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E I I I. P R O B L E M S C O R R E C T E D I N T H I S R E L E A S E
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
4.4.12.1
1) Under rare circumstances where COMMENT is used to attach comments
to rules, OPTIMIZE 8 through 15 could result in invalid
iptables-restore (ip6tables-restore) input.
Workaround: Don't use optimizaiton levels greater than 7.
2) Under rare circumstances unvolving exclusion, OPTIMIZE 8 through 15
could result in invalid iptables-restore (ip6tables-restore) input.
Workaround: Don't use optimizaiton levels greater than 7.
4.4.12
1) Previously, the Shorewall6-lite version of shorecap was using 1) Previously, the Shorewall6-lite version of shorecap was using
iptables rather than ip6tables, with the result that many capabilities iptables rather than ip6tables, with the result that many capabilities
that are only available in IPv4 were being reported as available. that are only available in IPv4 were being reported as available.