Detect terminating chains

- no RETURN Rules - last rule is terminating Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-01-08 16:32:24 -08:00 · 2013-01-08 16:32:24 -08:00 · 1fd3a6a522
commit 1fd3a6a522
parent 011dd2c901
1 changed files with 98 additions and 87 deletions
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@ -667,9 +667,7 @@ sub initialize( $$$ ) {
    %isocodes  = ();
    %nfobjects = ();
    %switches  = ();
-    #
-    # Initialize this here so we can make it dynamic without moving the initialization
-    #
+
    %terminating = ( ACCEPT       => 1,
 		     DROP         => 1,
 		     RETURN       => 1,
@ -2854,6 +2852,7 @@ sub optimize_level4( $$ ) {
    # The search continues until no short chains remain
    # Chains with 'DONT_OPTIMIZE' are exempted from optimization
    #
+
    while ( $progress ) {
 	$progress = 0;
 	$passes++;
@ -2892,11 +2891,23 @@ sub optimize_level4( $$ ) {
 			delete_references $chainref;
 			$progress = 1;
 		    }
-		} elsif ( $numrules == 1) {
-		    my $firstrule = $chainref->{rules}[0];
+		} else {
+		    #
+		    # The chain has rules -- determine if it is terminating
+		    #
+		    my $name    = $chainref->{name};
+		    my $lastref = $chainref->{rules}[-1];
+
+		    unless ( $terminating{$name} ) {
+			$progress = 1 if $terminating{$name} = ( ( $terminating{$lastref->{target} || ''} ) || ( $lastref->{jump} || '' ) eq 'g' );
+		    }
+
+		    if ( $numrules == 1) {
 			#
 			# Chain has a single rule
 			#
+			my $firstrule = $lastref;
+
 			if ( $firstrule ->{simple} ) {
 			    #
 			    # Easy case -- the rule is a simple jump
@ -2952,7 +2963,6 @@ sub optimize_level4( $$ ) {
 			# all immediately preceding rules that have the same target
 			#
 			my $rulesref = $chainref->{rules};
-		    my $lastref = $rulesref->[-1];

 			if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
 			    my $target = $lastref->{target};
@ -2985,7 +2995,8 @@ sub optimize_level4( $$ ) {
 				$count++;
 			    }

-			progress_message "   $count $target rules deleted from chain $chainref->{name}" if $count;
+			    progress_message "   $count $target rules deleted from chain $name" if $count;
+			}
 		    }
 		}
 	    }