From c1a74b54fc9aea4d5b12b705a92929e79a5ed49e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 22 Feb 2018 12:20:02 -0800
Subject: [PATCH] Implement RENAME_COMBINED

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 Shorewall/Perl/Shorewall/Config.pm | 2 ++
 Shorewall/Samples/Universal/shorewall.conf | 2 ++
 Shorewall/Samples/one-interface/shorewall.conf | 2 ++
 Shorewall/Samples/three-interfaces/shorewall.conf | 2 ++
 Shorewall/Samples/two-interfaces/shorewall.conf | 2 ++
 Shorewall/configfiles/shorewall.conf | 2 ++
 Shorewall/manpages/shorewall.conf.xml | 14 ++++++++++++++
 Shorewall6/Samples6/Universal/shorewall6.conf | 2 ++
 Shorewall6/Samples6/one-interface/shorewall6.conf | 2 ++
 .../Samples6/three-interfaces/shorewall6.conf | 2 ++
 Shorewall6/Samples6/two-interfaces/shorewall6.conf | 2 ++
 Shorewall6/configfiles/shorewall6.conf | 2 ++
 13 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index e5c4eaeda..a824085be 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3980,7 +3980,7 @@ sub optimize_level8( $$$ ) {
 '', # Origin 1 ); # Recalculate digests of modified chains
- unless ( $chainref->{name} =~ /^~/ || $chainref1->{name} =~ /^%/ ) {
+ if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^[~%]/ ) {
 #
 # For simple use of the BLACKLIST section, we can end up with many identical
 # chains. To distinguish them from other renamed chains, we keep track of
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index c35b6b86a..a650221bb 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -995,6 +995,7 @@ sub initialize( $;$$$) {
 BALANCE_PROVIDERS => undef ,
 PERL_HASH_SEED => undef ,
 USE_NFLOG_SIZE => undef ,
+ RENAME_COMBINED => undef ,
 #
 # Packet Disposition
 #
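Review bot: The rewritten guard in optimize_level8 (Chains.pm hunk) no longer tests `$chainref1->{name}` at all: the old code skipped the block when `$chainref->{name}` began with `~` or `$chainref1->{name}` began with `%`, while the new `!~ /^[~%]/` applies both prefixes to `$chainref->{name}` only. With RENAME_COMBINED=Yes this is therefore not the same decision as before, although the manpage text added in this patch says the traditional behavior is maintained under the default. If the old semantics are wanted, the condition would read `if ( $config{RENAME_COMBINED} && $chainref->{name} !~ /^~/ && $chainref1->{name} !~ /^%/ ) {`; if the switch to `$chainref` is a deliberate correction, it deserves a line in the commit message, since chain names are what an administrator reads when auditing the generated ruleset. The body of the block lies outside the hunk, so what else is skipped when the option is No cannot be judged from here.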
@@ -6540,6 +6541,7 @@ sub get_configuration( $$$ ) {
 default_yes_no 'AUTOCOMMENT' , 'Yes';
 default_yes_no 'MULTICAST' , '';
 default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
+ default_yes_no 'RENAME_COMBINED' , 'Yes';
 
 if ( supplied ( $val = $config{TRACK_RULES} ) ) {
 if ( lc( $val ) eq 'file' ) {
diff --git a/Shorewall/Samples/Universal/shorewall.conf b/Shorewall/Samples/Universal/shorewall.conf
index ea8950c7b..712a45e3c 100644
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -217,6 +217,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=Yes
 
 RESTART=restart
diff --git a/Shorewall/Samples/one-interface/shorewall.conf b/Shorewall/Samples/one-interface/shorewall.conf
index 059f27f6d..cafe6cc40 100644
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -228,6 +228,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart
diff --git a/Shorewall/Samples/three-interfaces/shorewall.conf b/Shorewall/Samples/three-interfaces/shorewall.conf
index 82ba127ef..b38d8bca5 100644
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -225,6 +225,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart
diff --git a/Shorewall/Samples/two-interfaces/shorewall.conf b/Shorewall/Samples/two-interfaces/shorewall.conf
index d5a1f04b4..cd5206855 100644
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -228,6 +228,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart
diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf
index d81f2e67f..a2188d9a7 100644
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
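Review bot: The option is registered and defaulted in Config.pm as `RENAME_COMBINED`, but the last sentence of the manpage hunk in this same patch spells it `RENAMED_COMBINED=No`, so a reader copying that spelling would not be setting this option. The manpage sentence should read `RENAME_COMBINED=No`. A short comment above the new `default_yes_no` line, for example `# Only consulted by optimize_level8 when combining identical chains`, would also tie the setting to the one place this patch reads it. The body of get_configuration continues outside the hunk.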
@@ -217,6 +217,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index c3ce1ddfa..90e3fc242 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -2447,6 +2447,20 @@ INLINE - - - ;; -j REJECT + + RENAME_COMBINED=[Yes|No] + + + Added in Shorewall 5.2.0. Traditionally, when OPTIMIZE + category 8 is enabled, identical chains are combined under a name + beginning with '~comb' or '~blacklist'. This behavior is maintained + under the default setting RENAME_COMBINED=Yes. If + RENAMED_COMBINED=No, the chains are combined under the original name + of one of the chains. + + + REQUIRE_INTERFACE=[Yes|No]
diff --git a/Shorewall6/Samples6/Universal/shorewall6.conf b/Shorewall6/Samples6/Universal/shorewall6.conf
index 54fb59e33..54465dcb4 100644
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=Yes
 
 RESTART=restart
diff --git a/Shorewall6/Samples6/one-interface/shorewall6.conf b/Shorewall6/Samples6/one-interface/shorewall6.conf
index 1c662459e..ab7c30c03 100644
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -201,6 +201,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart
diff --git a/Shorewall6/Samples6/three-interfaces/shorewall6.conf b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
index d28e0a77c..55cff13e1 100644
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart
diff --git a/Shorewall6/Samples6/two-interfaces/shorewall6.conf b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
index b2007de0c..e4aac1a73 100644
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart
diff --git a/Shorewall6/configfiles/shorewall6.conf b/Shorewall6/configfiles/shorewall6.conf
index d2620644e..3da8b3a4a 100644
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -200,6 +200,8 @@ PERL_HASH_SEED=0
 
 REJECT_ACTION=
 
+RENAME_COMBINED=Yes
+
 REQUIRE_INTERFACE=No
 
 RESTART=restart