Some more micro-optimizations

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5697 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-03-26 02:53:51 +00:00
parent 377b23e183
commit da9c54a426
3 changed files with 123 additions and 124 deletions


@ -37,7 +37,8 @@ our @EXPORT = qw(ALLIPv4
split_line split_line
create_temp_object create_temp_object
finalize_object finalize_object
emit emit
emitj
emit_unindented emit_unindented
emit_as_is emit_as_is
save_progress_message save_progress_message
@ -179,6 +180,18 @@ sub emit ( $ ) {
} }
} }
sub emitj {
if ( $object ) {
#
# 'compile' as opposed to 'check'
#
for my $line ( @_ ) {
emit $line;
}
}
}
# #
# Write passed message to the object with no indentation. # Write passed message to the object with no indentation.
# #
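Review bot: `emitj` is added without the header comment its neighbours carry, and it changes how multi-line blocks reach `emit`: the old call sites passed one joined string, while `emitj` calls `emit` once per element. Several converted call sites in the other files pass elements that end in `"\n"` or are empty (`"done\n"`, `"fi\n"`, `''`), so whether the generated firewall script stays byte-identical depends on how `emit` handles blank lines and trailing newlines, and its body is outside this hunk. I would diff a compiled script from before and after this commit to confirm no rule-bearing line moved or vanished. A comment such as `# Emit each argument as its own line via emit(); does nothing unless $object is set ('compile' rather than 'check').` would document the contract.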


@ -100,21 +100,20 @@ sub setup_providers() {
$match =~ s/ /\|/g; $match =~ s/ /\|/g;
emit join ( "\n", emitj ( "ip route show table $duplicate | while read net route; do",
"ip route show table $duplicate | while read net route; do", ' case $net in',
' case $net in', ' default|nexthop)',
' default|nexthop)', ' ;;',
' ;;', ' *)',
' *)', " run_ip route add table $number \$net \$route",
" run_ip route add table $number \$net \$route", ' case $(find_device $route) in',
' case $(find_device $route) in', " $match)",
" $match)", " run_ip route add table $number \$net \$route",
" run_ip route add table $number \$net \$route", ' ;;',
' ;;', ' esac',
' esac', ' ;;',
' ;;', ' esac',
' esac', "done\n" );
"done\n" );
} }
sub balance_default_route( $$$ ) { sub balance_default_route( $$$ ) {
@ -186,14 +185,13 @@ sub setup_providers() {
$gateway = '-' unless $gateway; $gateway = '-' unless $gateway;
if ( $gateway eq 'detect' ) { if ( $gateway eq 'detect' ) {
emit join( "\n", emitj ( "gateway=\$(detect_gateway $interface)\n",
"gateway=\$(detect_gateway $interface)\n", 'if [ -n "$gateway" ]; then',
'if [ -n "$gateway" ]; then', " run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number",
" run_ip route replace \$gateway src \$(find_first_interface_address $interface) dev $interface table $number", " run_ip route add default via \$gateway dev $interface table $number",
" run_ip route add default via \$gateway dev $interface table $number", 'else',
'else', " fatal_error \"Unable to detect the gateway through interface $interface\"",
" fatal_error \"Unable to detect the gateway through interface $interface\"", "fi\n" );
"fi\n" );
} elsif ( $gateway && $gateway ne '-' ) { } elsif ( $gateway && $gateway ne '-' ) {
emit "run_ip route replace $gateway src \$(find_first_interface_address $interface) dev $interface table $number"; emit "run_ip route replace $gateway src \$(find_first_interface_address $interface) dev $interface table $number";
emit "run_ip route add default via $gateway dev $interface table $number"; emit "run_ip route add default via $gateway dev $interface table $number";
@ -262,13 +260,12 @@ sub setup_providers() {
emit "\nrulenum=0\n"; emit "\nrulenum=0\n";
emit join( "\n" , emitj ( "find_interface_addresses $interface | while read address; do",
"find_interface_addresses $interface | while read address; do", ' qt ip rule del from $address',
' qt ip rule del from $address', " run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number",
" run_ip rule add from \$address pref \$(( $rulebase + \$rulenum )) table $number", " echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing",
" echo \"qt ip rule del from \$address\" >> \${VARDIR}/undo_routing", ' rulenum=$(($rulenum + 1))',
' rulenum=$(($rulenum + 1))', 'done' );
'done' );
} else { } else {
emit "\nfind_interface_addresses $interface | while read address; do"; emit "\nfind_interface_addresses $interface | while read address; do";
emit ' qt ip rule del from $address'; emit ' qt ip rule del from $address';
@ -345,23 +342,22 @@ sub setup_providers() {
emit "\nif [ -z \"\$NOROUTES\" ]; then"; emit "\nif [ -z \"\$NOROUTES\" ]; then";
push_indent; push_indent;
emit join( "\n", emitj ( '#',
'#', '# Undo any changes made since the last time that we [re]started -- this will not restore the default route',
'# Undo any changes made since the last time that we [re]started -- this will not restore the default route', '#',
'#', 'undo_routing',
'undo_routing', '#',
'#', '# Save current routing table database so that it can be restored later',
'# Save current routing table database so that it can be restored later', '#',
'#', 'cp /etc/iproute2/rt_tables ${VARDIR}/',
'cp /etc/iproute2/rt_tables ${VARDIR}/', '#',
'#', '# Capture the default route(s) if we don\'t have it (them) already.',
'# Capture the default route(s) if we don\'t have it (them) already.', '#',
'#', '[ -f ${VARDIR}/default_route ] || ip route ls | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route',
'[ -f ${VARDIR}/default_route ] || ip route ls | grep -E \'^\s*(default |nexthop )\' > ${VARDIR}/default_route', '#',
'#', '# Initialize the file that holds \'undo\' commands',
'# Initialize the file that holds \'undo\' commands', '#',
'#', '> ${VARDIR}/undo_routing' );
'> ${VARDIR}/undo_routing' );
save_progress_message 'Adding Providers...'; save_progress_message 'Adding Providers...';
@ -387,15 +383,14 @@ sub setup_providers() {
if ( $providers ) { if ( $providers ) {
if ( $balance ) { if ( $balance ) {
emit join ( "\n", emitj ( 'if [ -n "$DEFAULT_ROUTE" ]; then',
'if [ -n "$DEFAULT_ROUTE" ]; then', ' run_ip route replace default scope global $DEFAULT_ROUTE',
' run_ip route replace default scope global $DEFAULT_ROUTE', " progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
" progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"", 'else',
'else', ' error_message "WARNING: No Default route added (all \'balance\' providers are down)"',
' error_message "WARNING: No Default route added (all \'balance\' providers are down)"', ' restore_default_route',
' restore_default_route', 'fi',
'fi', '' );
'' );
} else { } else {
emit "#\n# We don't have any 'balance' providers so we restore any default route that we've saved\n#"; emit "#\n# We don't have any 'balance' providers so we restore any default route that we've saved\n#";
emit 'restore_default_route'; emit 'restore_default_route';
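Review bot: The strings handed to `emitj` in the `detect` branch interpolate `$interface` and `$number` unquoted into shell text that the generated script later runs, e.g. `dev $interface table $number`. If these provider fields are not validated earlier in setup_providers (its start is outside the hunks shown), a value containing whitespace or shell metacharacters changes the meaning of the generated command. I would check each field against an anchored allow-list pattern such as `/\A[\w.:+-]+\z/` before the first emit, and treat `$duplicate`, `$gateway` and `$rulebase` in the other hunks the same way. Separately, in the balance hunk `sed 's/\$\\s*//'` places `$` before `\s*`, so it probably does not trim trailing whitespace as intended; `s/\\s*\$//` looks like what was meant.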


@ -71,25 +71,22 @@ sub generate_script_1 {
emit join ( '', "#\n# Compiled firewall script generated by Shorewall-pl ", $env{VERSION}, " - $date\n#" ); emit join ( '', "#\n# Compiled firewall script generated by Shorewall-pl ", $env{VERSION}, " - $date\n#" );
if ( $ENV{EXPORT} ) { if ( $ENV{EXPORT} ) {
emit join ( "\n", emitj ( 'SHAREDIR=/usr/share/shorewall-lite',
'SHAREDIR=/usr/share/shorewall-lite', 'CONFDIR=/etc/shorewall-lite',
'CONFDIR=/etc/shorewall-lite', 'VARDIR=/var/lib/shorewall-lite',
'VARDIR=/var/lib/shorewall-lite', 'PRODUCT="Shorewall Lite"' );
'PRODUCT="Shorewall Lite"' );
copy "$env{SHAREDIR}/lib.base"; copy "$env{SHAREDIR}/lib.base";
emit join ( "\n", emitj ( '################################################################################',
'################################################################################', '# End of /usr/share/shorewall/lib.base',
'# End of /usr/share/shorewall/lib.base', '################################################################################' );
'################################################################################' );
} else { } else {
emit join ( "\n", emitj ( 'SHAREDIR=/usr/share/shorewall',
'SHAREDIR=/usr/share/shorewall', 'CONFDIR=/etc/shorewall',
'CONFDIR=/etc/shorewall', 'VARDIR=/var/lib/shorewall',
'VARDIR=/var/lib/shorewall', 'PRODUCT=\'Shorewall\'',
'PRODUCT=\'Shorewall\'', '. /usr/share/shorewall/lib.base' );
'. /usr/share/shorewall/lib.base' );
} }
emit 'TEMPFILE='; emit 'TEMPFILE=';
@ -110,38 +107,35 @@ sub generate_script_1 {
push_indent; push_indent;
if ( $ENV{EXPORT} ) { if ( $ENV{EXPORT} ) {
emit join ( "\n", emitj ( '#',
'#', '# These variables are required by the library functions called in this script',
'# These variables are required by the library functions called in this script', '#',
'#', 'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"' );
'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"' );
} else { } else {
emit join ( "\n", emitj ( 'if [ ! -f ${SHAREDIR}/version ]; then',
'if [ ! -f ${SHAREDIR}/version ]; then', ' fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget \"-e\" when you compiled?)"',
' fatal_error "This script requires Shorewall which do not appear to be installed on this system (did you forget \"-e\" when you compiled?)"', 'fi',
'fi', '',
'', 'local version=$(cat ${SHAREDIR}/version)',
'local version=$(cat ${SHAREDIR}/version)', '',
'', 'if [ ${SHOREWALL_LIBVERSION:-0} -lt 30401 ]; then',
'if [ ${SHOREWALL_LIBVERSION:-0} -lt 30401 ]; then', ' fatal_error "This script requires Shorewall version 3.4.2 or later; current version is $version"',
' fatal_error "This script requires Shorewall version 3.4.2 or later; current version is $version"', 'fi',
'fi', '#',
'#', '# These variables are required by the library functions called in this script',
'# These variables are required by the library functions called in this script', '#',
'#', "CONFIG_PATH=\"$config{CONFIG_PATH}\"" );
"CONFIG_PATH=\"$config{CONFIG_PATH}\"" );
} }
propagateconfig; propagateconfig;
emit join ( "\n" , emitj ( '[ -n "${COMMAND:=restart}" ]',
'[ -n "${COMMAND:=restart}" ]', '[ -n "${VERBOSE:=0}" ]',
'[ -n "${VERBOSE:=0}" ]', '[ -n "${RESTOREFILE:=$RESTOREFILE}" ]',
'[ -n "${RESTOREFILE:=$RESTOREFILE}" ]', '[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"',
'[ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:%s:%s:"', qq(VERSION="$env{VERSION}") ,
qq(VERSION="$env{VERSION}") , qq(PATH="$config{PATH}") ,
qq(PATH="$config{PATH}") , 'TERMINATOR=fatal_error' );
'TERMINATOR=fatal_error' );
if ( $config{IPTABLES} ) { if ( $config{IPTABLES} ) {
emit "IPTABLES=\"$config{IPTABLES}\"\n"; emit "IPTABLES=\"$config{IPTABLES}\"\n";
@ -154,14 +148,13 @@ sub generate_script_1 {
append_file 'params' if $config{EXPORTPARAMS}; append_file 'params' if $config{EXPORTPARAMS};
emit join ( "\n", emitj ( '',
'', "STOPPING=",
"STOPPING=", "COMMENT=\n", # Maintain compability with lib.base
"COMMENT=\n", # Maintain compability with lib.base '#',
'#', '# The library requires that ${VARDIR} exist',
'# The library requires that ${VARDIR} exist', '#',
'#', '[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' );
'[ -d ${VARDIR} ] || mkdir -p ${VARDIR}' );
pop_indent; pop_indent;
@ -319,13 +312,12 @@ stop_firewall() {
if ( @$criticalhosts ) { if ( @$criticalhosts ) {
if ( $config{ADMINISABSENTMINDED} ) { if ( $config{ADMINISABSENTMINDED} ) {
emit join ( "\n", emitj ( ' for chain in INPUT OUTPUT; do',
' for chain in INPUT OUTPUT; do', ' setpolicy $chain ACCEPT',
' setpolicy $chain ACCEPT', " done\n",
" done\n", " setpolicy FORWARD DROP\n",
" setpolicy FORWARD DROP\n", ' deleteallchains',
' deleteallchains', '' );
'' );
for my $hosts ( @$criticalhosts ) { for my $hosts ( @$criticalhosts ) {
my ( $interface, $host ) = ( split /:/, $hosts ); my ( $interface, $host ) = ( split /:/, $hosts );
@ -488,16 +480,15 @@ sub generate_script_2 () {
emit ''; emit '';
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
emit join( "\n", emitj ( "addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)",
"addr=\$(ip -f inet addr show $interface 2> /dev/null | grep 'inet\ ' | head -n1)", 'if [ -n "$addr" ]; then',
'if [ -n "$addr" ]; then', ' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')',
' addr=$(echo $addr | sed \'s/inet //;s/\/.*//;s/ peer.*//\')', ' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do',
' for network in 10.0.0.0/8 176.16.0.0/12 192.168.0.0/16; do', ' if in_network $addr $network; then',
' if in_network $addr $network; then', " startup_error \"The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"",
" startup_error \"The 'norfc1918' option has been specified on an interface with an RFC 1918 address. Interface:$interface\"", ' fi',
' fi', ' done',
' done', "fi\n" );
"fi\n" );
} }
emit "run_init_exit\n"; emit "run_init_exit\n";
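Review bot: The norfc1918 loop in generate_script_2 tests `176.16.0.0/12`, which is not an RFC 1918 range; the private block is `172.16.0.0/12`. As written, an interface addressed in 172.16.0.0/12 passes the startup check unnoticed, while one in the public 176.16.0.0/12 space is rejected with startup_error. The commit carries the string over unchanged into the `emitj` call; the line should read `'    for network in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do',`. In generate_script_1 the guard `-lt 30401` sits beside a message demanding "3.4.2 or later", so one of the two looks off and is worth confirming. Both functions extend beyond the hunks shown.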