Add undocumented OPTIMIZE=-1

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -770,9 +770,11 @@ sub zone_forward_chain($) {
 #
 # Returns true if we're to use the interface's forward chain
 #
-sub use_forward_chain($) {
-    my $interface = $_[0];
+sub use_forward_chain($$) {
+    my ( $interface, $chainref ) = @_;
     my $interfaceref = find_interface($interface);
+
+    return 1 if $globals{UNOPTIMIZED} && @{$chainref->{rules}};
     #
     # We must use the interfaces's chain if the interface is associated with multiple zone nets
     #
@@ -806,10 +808,12 @@ sub zone_input_chain($) {
 #
 # Returns true if we're to use the interface's input chain
 #
-sub use_input_chain($) {
-    my $interface = $_[0];
+sub use_input_chain($$) {
+    my ( $interface, $chainref ) = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
+
+    return 1 if $globals{UNOPTIMIZED} && @{$chainref->{rules}};
     #
     # We must use the interfaces's chain if:
     #
@@ -835,8 +839,6 @@ sub use_input_chain($) {
     #
     # Interface associated with a single zone -- use the zone's input chain if it has one
     #
-    my $chainref = $filter_table->{zone_input_chain $zone};
-
     return 0 if $chainref;
     #
     # Use the '<zone>2fw' chain if it is referenced.
@@ -864,14 +866,14 @@ sub zone_output_chain($) {
 #
 # Returns true if we're to use the interface's output chain
 #
-sub use_output_chain($) {
-    my $interface = $_[0];
+sub use_output_chain($$) {
+    my ( $interface, $chainref)  = @_;
     my $interfaceref = find_interface($interface);
     my $nets = $interfaceref->{nets};
     #
     # We must use the interfaces's chain if the interface is associated with multiple zone nets
     #
-    return 1 if $nets > 1;
+    return 1 if $nets > 1 || ( $globals{UNOPTIMIZED} && @{$chainref->{rules}} );
     #
     # Don't need it if it isn't associated with any zone
     #
@@ -879,8 +881,6 @@ sub use_output_chain($) {
     #
     # Interface associated with a single zone -- use the zone's output chain if it has one
     #
-    my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
-
     return 0 if $chainref;
     #
     # Use the 'fw2<zone>' chain if it is referenced.

Shorewall/Perl/Shorewall/Compiler.pm

@@ -823,7 +823,7 @@ sub compiler {
 	#
 	generate_matrix;
 
-	if ( $config{OPTIMIZE} & 6 ) {
+	if ( $config{OPTIMIZE} > 0 && $config{OPTIMIZE} & 6 ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains

Shorewall/Perl/Shorewall/Config.pm

@@ -338,6 +338,7 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
+		    UNOPTIMIZED => 0,
 		    VERSION => "4.4.8-RC1",
 		    CAPVERSION => 40408 ,
 		  );
@@ -3002,7 +3003,12 @@ sub get_configuration( $ ) {
 
     $val = numeric_value $config{OPTIMIZE};
 
-    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= 0 && $val <= 7;
+    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= -1 && $val <= 7;
+
+    if ( $val == -1 ) {
+	$config{OPTIMIZE} = 0;
+	$globals{UNOPTIMIZED} = 1;
+    }
 
     $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -1682,11 +1682,15 @@ sub add_interface_jumps {
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
     #
     for my $interface ( @_ ) {
-	add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface;
-	add_jump( $filter_table->{INPUT}   , input_chain $interface ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface;
+	my $forwardref = $filter_table->{forward_chain $interface};
+	my $inputref   = $filter_table->{input_chain $interface};
+	my $outputref  = $filter_table->{output_chain $interface};
 
-	unless ( $output_jump_added{$interface} || ! use_output_chain $interface ) {
-	    add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
+	add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
+	add_jump( $filter_table->{INPUT}   , $inputref ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
+
+	unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
+	    add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
 	}
     }
     #
@@ -1742,11 +1746,10 @@ sub generate_matrix() {
 	    my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 
 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
-		my $sourcechainref;
+		my $sourcechainref = $filter_table->{forward_chain $interface};
 		my $interfacematch = '';
 
-		if ( use_forward_chain( $interface ) ) {
-		    $sourcechainref = $filter_table->{forward_chain $interface};
+		if ( use_forward_chain( $interface, $sourcechainref ) ) {
 		    add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 		} else {
 		    $sourcechainref = $filter_table->{FORWARD};
@@ -1860,7 +1863,7 @@ sub generate_matrix() {
 			    my $interfacematch = '';
 			    my $use_output = 0;
 
-			    if ( use_output_chain $interface || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+			    if ( use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
 				$outputref = $interfacechainref;
 				add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 				$use_output = 1;
@@ -1915,7 +1918,7 @@ sub generate_matrix() {
 			my $interfacematch = '';
 			my $use_input;
 
-			if ( use_input_chain $interface || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+			if ( use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
 			    add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
 			    $use_input = 1;
@@ -1931,13 +1934,13 @@ sub generate_matrix() {
 
 			if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
 			    my $ref = source_exclusion( $exclusions, $frwd_ref );
-			    if ( use_forward_chain $interface ) {
-				my $forwardref = $filter_table->{forward_chain $interface};
+			    my $forwardref = $filter_table->{forward_chain $interface};
+			    if ( use_forward_chain $interface, $forwardref ) {
 				add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
 				add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			    } else {
 				add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
-				move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
+				move_rules ( $forwardref , $frwd_ref );
 			    }
 			}
 		    }
@@ -2052,7 +2055,7 @@ sub generate_matrix() {
 			my $match_source_dev = '';
 			my $forwardchainref = $filter_table->{forward_chain $interface};
 
-			if ( use_forward_chain $interface || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
+			if ( use_forward_chain( $interface , $forwardchainref ) || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
 			    #
 			    # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
 			    #