Merge branch '4.5.10'

Conflicts: Shorewall/Perl/Shorewall/Chains.pm Shorewall/manpages/shorewall.conf.xml Shorewall6/manpages/shorewall6.conf.xml
2025-06-20 09:47:51 +02:00 · 2012-12-02 13:18:33 -08:00 · 2012-12-02 13:18:33 -08:00 · d5405757dd
commit d5405757dd
parent 334bdd16d6 cd5e9be467
3 changed files with 39 additions and 22 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -3370,6 +3370,13 @@ sub combine_dports {
    \@rules;
 }
 my %bad_match = ( conntrack => 1, 
 		  dscp      => 1,
 		  ecn       => 1,
 		  mark      => 1,
 		  set       => 1,
 		  tos       => 1,
 		  u32       => 1 );
 #
 # Delete duplicate rules from the passed chain.
 #
@ -3388,22 +3395,10 @@ sub delete_duplicates {
 	my $duplicate = 0;
 	if ( $baseref->{mode} == CAT_MODE ) {
 	    $docheck = 1;
 	    #
 	    # We must not suppress duplicate rules that match on things that can
 	    # be altered by other rules in the chain
 	    #
 	    for ( qw( mark connmark dscp tos set ecn u32 ) ) {
 		$docheck = 0, last if exists $baseref->{$_};
 	    }
 	} else {
 	    $docheck = 0;
 	}
 	if ( $docheck ) {
 	    my $ports1;
-	    my @keys1     = sort( keys( %$baseref ) );
+	    my @keys1    = sort( keys( %$baseref ) );
-	    my $rulenum   = @_;
+	    my $rulenum  = @_;
 	    my $adjacent = 1;
 	    {
 	      RULE:
@ -3419,12 +3414,24 @@ sub delete_duplicates {
 		    my $keynum = 0;
-		    for my $key ( @keys1 ) {
+		    if ( $adjacent > 0 ) {
-			next RULE unless $key eq $keys2[$keynum++];
+			for my $key ( @keys1 ) {
-			next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+			    next RULE unless $key eq $keys2[$keynum++];
 			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
 			}
 		    } else {
 			for my $key ( @keys1 ) {
 			    last RULE if $bad_match{$key};
 			    next RULE unless $key eq $keys2[$keynum++];
 			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
 			}
 		    }
 		    $duplicate = 1;
 		    $adjacent++;
 		} continue {
 		    $adjacent--;
 		}
 	    }
 	}
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -1725,8 +1725,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              comments are replaced by 'and others'.</para>
              <para>Beginning in Shorewall 4.5.10, this option also suppresses
-              duplicate rules in a chain that don't include mark, connmark,
+              duplicate adjacent rules and duplicate non-adjacent rules that
-              dscp, tos, set, ecn or u32 matches.</para>
+              don't include <emphasis role="bold">mark</emphasis>, <emphasis
              role="bold">connmark</emphasis>, <emphasis
              role="bold">dscp</emphasis>, <emphasis
              role="bold">ecn</emphasis>, <emphasis
              role="bold">set</emphasis>, <emphasis role="bold">tos</emphasis>
              or <emphasis role="bold">u32</emphasis> matches.</para>
              <variablelist>
                <varlistentry>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@ -1526,8 +1526,13 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              comments are replaced by 'and others'.</para>
              <para>Beginning in Shorewall 4.5.10, this option also suppresses
-              duplicate rules in a chain that don't include mark, connmark,
+              duplicate adjacent rules and duplicate non-adjacent rules that
-              dscp, tos, set, ecn or u32 matches.</para>
+              don't include <emphasis role="bold">mark</emphasis>, <emphasis
              role="bold">connmark</emphasis>, <emphasis
              role="bold">dscp</emphasis>, <emphasis
              role="bold">ecn</emphasis>, <emphasis
              role="bold">set</emphasis>, <emphasis role="bold">tos</emphasis>
              or <emphasis role="bold">u32</emphasis> matches.</para>
              <variablelist>
                <varlistentry>