forked from extern/shorewall_code
A more comprehensive solution to multiple -[piosd] matches.
- eliminate duplicate -[piosd] matches in merged rules - avoid tracing !* unconditionally Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
16161d9cfc
commit
219b2e0761
@ -1096,7 +1096,7 @@ sub dont_optimize( $ ) {
|
||||
|
||||
$chainref->{dont_optimize} = 1;
|
||||
|
||||
trace( $chainref, '!O', undef, '' );
|
||||
trace( $chainref, '!O', undef, '' ) if $debug;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
@ -1111,7 +1111,7 @@ sub dont_delete( $ ) {
|
||||
|
||||
$chainref->{dont_optimize} = $chainref->{dont_delete} = 1;
|
||||
|
||||
trace( $chainref, '!OD', undef, '' );
|
||||
trace( $chainref, '!OD', undef, '' ) if $debug;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
@ -1126,7 +1126,7 @@ sub dont_move( $ ) {
|
||||
|
||||
$chainref->{dont_move} = 1;
|
||||
|
||||
trace( $chainref, '!M', undef, '' );
|
||||
trace( $chainref, '!M', undef, '' ) if $debug;
|
||||
|
||||
$chainref;
|
||||
}
|
||||
@ -1542,6 +1542,11 @@ sub replace_references1( $$$ ) {
|
||||
my $tableref = $chain_table{$chainref->{table}};
|
||||
my $count = 0;
|
||||
my $name = $chainref->{name};
|
||||
my $hasp = $matches =~ / -p /;
|
||||
my $hasi = $matches =~ / -i /;
|
||||
my $haso = $matches =~ / -o /;
|
||||
my $hass = $matches =~ / -s /;
|
||||
my $hasd = $matches =~ / -d /;
|
||||
|
||||
$name =~ s/\+/\\+/;
|
||||
#
|
||||
@ -1558,9 +1563,13 @@ sub replace_references1( $$$ ) {
|
||||
$rule++;
|
||||
if ( /^-A .*-[jg] $name(?:$|\s)/ ) {
|
||||
#
|
||||
# Prevent multiple '-p' matches
|
||||
# Prevent multiple '-p', '-i', '-o', '-s' and '-d' matches
|
||||
#
|
||||
s/ -p [^ ]+ / / if / -p / && $matches =~ / -p /;
|
||||
s/ -p [^ ]+ / / if $hasp;
|
||||
s/ -i [^ ]+ / / if $hasi;
|
||||
s/ -o [^ ]+ / / if $haso;
|
||||
s/ -s [^ ]+ / / if $hass;
|
||||
s/ -d [^ ]+ / / if $hasd;
|
||||
s/\s+-([jg]) $name($|\s)/$matches -$1 ${target}$2/;
|
||||
add_reference ( $fromref, $tableref->{$target} );
|
||||
$count++;
|
||||
@ -1582,9 +1591,13 @@ sub replace_references1( $$$ ) {
|
||||
$rule++;
|
||||
if ( /^-A .*-[jg] $name(?:$|\s)/ ) {
|
||||
#
|
||||
# Prevent multiple '-p' matches
|
||||
# Prevent multiple '-p', '-i', '-o', '-s' and '-d' matches
|
||||
#
|
||||
s/ -p [^ ]+ / / if / -p / && $matches =~ / -p /;
|
||||
s/ -p [^ ]+ / / if $hasp;
|
||||
s/ -i [^ ]+ / / if $hasi;
|
||||
s/ -o [^ ]+ / / if $haso;
|
||||
s/ -s [^ ]+ / / if $hass;
|
||||
s/ -d [^ ]+ / / if $hasd;
|
||||
s/\s+-[jg] $name($|\s)/$matches -j ${target}$1/;
|
||||
$count++;
|
||||
trace( $fromref, 'R', $rule, $_ ) if $debug;
|
||||
@ -1734,7 +1747,9 @@ sub optimize_ruleset() {
|
||||
#
|
||||
# Not so easy -- the rule contains matches
|
||||
#
|
||||
if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' ) {
|
||||
my ($target, $matches ) = ( $1, $2 );
|
||||
|
||||
if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' || $matches =~ /! -[piosd] / ) {
|
||||
#
|
||||
# This case requires a new rule merging algorithm. Ignore this chain for
|
||||
# now.
|
||||
@ -1744,7 +1759,7 @@ sub optimize_ruleset() {
|
||||
#
|
||||
# Replace references to this chain with the target and add the predicates
|
||||
#
|
||||
replace_references1 $chainref, $2, $1;
|
||||
replace_references1 $chainref, $matches, $target;
|
||||
$progress = 1;
|
||||
}
|
||||
}
|
||||
|
||||
@ -201,8 +201,6 @@ sub process_one_masq( )
|
||||
|
||||
my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
|
||||
|
||||
dont_optimize $chainref unless $interfaceref->{name};
|
||||
|
||||
my $detectaddress = 0;
|
||||
my $exceptionrule = '';
|
||||
my $randomize = '';
|
||||
@ -393,10 +391,8 @@ sub do_one_nat( $$$$$ )
|
||||
add_nat_rule 'nat_out' , "-s $internal $policyout -j SNAT --to-source $external";
|
||||
} else {
|
||||
my $chainref = input_chain( $interface );
|
||||
dont_optimize $chainref if $rulein;
|
||||
add_nat_rule $chainref , $rulein . "-d $external $policyin -j DNAT --to-destination $internal";
|
||||
$chainref = output_chain( $interface );
|
||||
dont_optimize $chainref if $ruleout;
|
||||
add_nat_rule $chainref , $ruleout . "-s $internal $policyout -j SNAT --to-source $external";
|
||||
}
|
||||
|
||||
@ -472,11 +468,9 @@ sub setup_netmap() {
|
||||
|
||||
if ( $type eq 'DNAT' ) {
|
||||
my $chainref = ensure_chain( 'nat' , input_chain $interface );
|
||||
dont_optimize $chainref if $rulein;
|
||||
add_rule $chainref , $rulein . "-d $net1 -j NETMAP --to $net2";
|
||||
} elsif ( $type eq 'SNAT' ) {
|
||||
my $chainref = ensure_chain( 'nat' , output_chain $interface );
|
||||
dont_optimize $chainref if $ruleout;
|
||||
add_rule $chainref , $ruleout . "-s $net1 -j NETMAP --to $net2";
|
||||
} else {
|
||||
fatal_error "Invalid type ($type)";
|
||||
|
||||
Loading…
Reference in New Issue
Block a user