From 249f9412f6f5632e5eed338214fb738d6cebe1fd Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 10 Mar 2010 17:25:06 -0800
Subject: [PATCH] Add undocumented OPTIMIZE=-1
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 22 ++++++++++-----------
 Shorewall/Perl/Shorewall/Compiler.pm | 2 +-
 Shorewall/Perl/Shorewall/Config.pm | 8 +++++++-
 Shorewall/Perl/Shorewall/Rules.pm | 29 +++++++++++++++-------------
 4 files changed, 35 insertions(+), 26 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 6a714f27b..6ab86e3ac 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -770,9 +770,11 @@ sub zone_forward_chain($) {
 #
 # Returns true if we're to use the interface's forward chain
 #
-sub use_forward_chain($) {
- my $interface = $_[0];
+sub use_forward_chain($$) {
+ my ( $interface, $chainref ) = @_;
 my $interfaceref = find_interface($interface);
+
+ return 1 if $globals{UNOPTIMIZED} && @{$chainref->{rules}};
 #
 # We must use the interfaces's chain if the interface is associated with multiple zone nets
 #
@@ -806,10 +808,12 @@ sub zone_input_chain($) {
 #
 # Returns true if we're to use the interface's input chain
 #
-sub use_input_chain($) {
- my $interface = $_[0];
+sub use_input_chain($$) {
+ my ( $interface, $chainref ) = @_;
 my $interfaceref = find_interface($interface);
 my $nets = $interfaceref->{nets};
+
+ return 1 if $globals{UNOPTIMIZED} && @{$chainref->{rules}};
 #
 # We must use the interfaces's chain if:
 #
@@ -835,8 +839,6 @@ sub use_input_chain($) {
 #
 # Interface associated with a single zone -- use the zone's input chain if it has one
 #
- my $chainref = $filter_table->{zone_input_chain $zone};
- return 0 if $chainref;
 #
 # Use the '2fw' chain if it is referenced.
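Review bot: The new `return 1 if $globals{UNOPTIMIZED} && @{$chainref->{rules}};` dereferences `$chainref` without checking that it is defined, and the callers added in Rules.pm pass `$filter_table->{forward_chain $interface}` straight through, so if that chain can be absent for an interface the `@{...}` dies under strict refs the first time OPTIMIZE=-1 is used. If a missing interface chain is possible here, guard it: `return 1 if $globals{UNOPTIMIZED} && $chainref && @{$chainref->{rules}};`. The same unguarded deref is added to `use_input_chain` in the -806 hunk and to `use_output_chain` in the -864 hunk. The body of use_forward_chain continues past the end of the hunk.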
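Review bot: Deleting `my $chainref = $filter_table->{zone_input_chain $zone};` and `return 0 if $chainref;` removes the "use the zone's input chain if it has one" shortcut at every OPTIMIZE level, not only under the new OPTIMIZE=-1, and leaves the comment block above it describing a check that no longer exists; the -879 hunk does the same to `use_output_chain`. If the deletion was prompted by the new `$chainref` parameter shadowing this local, renaming the local (`my $zonechainref = $filter_table->{zone_input_chain $zone}; return 0 if $zonechainref;`) would keep the previous behaviour. If the behaviour change is intended, the comment should say so, since the commit message only mentions adding OPTIMIZE=-1. The rest of use_input_chain lies outside the hunk.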
@@ -864,14 +866,14 @@ sub zone_output_chain($) {
 #
 # Returns true if we're to use the interface's output chain
 #
-sub use_output_chain($) {
- my $interface = $_[0];
+sub use_output_chain($$) {
+ my ( $interface, $chainref) = @_;
 my $interfaceref = find_interface($interface);
 my $nets = $interfaceref->{nets};
 #
 # We must use the interfaces's chain if the interface is associated with multiple zone nets
 #
- return 1 if $nets > 1;
+ return 1 if $nets > 1 || ( $globals{UNOPTIMIZED} && @{$chainref->{rules}} );
 #
 # Don't need it if it isn't associated with any zone
 #
@@ -879,8 +881,6 @@ sub use_output_chain($) {
 #
 # Interface associated with a single zone -- use the zone's output chain if it has one
 #
- my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
- return 0 if $chainref;
 #
 # Use the 'fw2' chain if it is referenced.
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 32e5edb49..05f16eef6 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -823,7 +823,7 @@ sub compiler {
 #
 generate_matrix;
- if ( $config{OPTIMIZE} & 6 ) {
+ if ( $config{OPTIMIZE} > 0 && $config{OPTIMIZE} & 6 ) {
 progress_message2 'Optimizing Ruleset...';
 #
 # Optimize Policy Chains
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index ea4bc93df..e403cc8a8 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -338,6 +338,7 @@ sub initialize( $ ) {
 TC_SCRIPT => '',
 EXPORT => 0,
 UNTRACKED => 0,
+ UNOPTIMIZED => 0,
 VERSION => "4.4.8-RC1",
 CAPVERSION => 40408 ,
 );
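Review bot: The UNOPTIMIZED test is folded into `return 1 if $nets > 1 || ( $globals{UNOPTIMIZED} && @{$chainref->{rules}} );`, while the -770 and -806 hunks add it as a separate early return placed before the "multiple zone nets" comment, so that comment now describes only half of this condition. For consistency, a separate `return 1 if $globals{UNOPTIMIZED} && @{$chainref->{rules}};` ahead of the comment would match the other two functions (with a defined check on `$chainref` if the interface chain may be absent). The unpacking line `my ( $interface, $chainref) = @_;` also lacks the closing space the other two signatures use. use_output_chain continues outside the hunk.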
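Review bot: The added `$config{OPTIMIZE} > 0 &&` guard appears redundant as far as this patch shows: the Config.pm hunk at -3002 rewrites `$config{OPTIMIZE}` to 0 whenever -1 is configured, and `0 & 6` is already false, so the unoptimized mode never reaches the `& 6` test with a non-zero value. If the guard is kept as belt-and-braces (`-1 & 6` would be 6, i.e. true, if the raw value ever leaked through), it deserves a comment: `# OPTIMIZE=-1 is normalized to 0 in get_configuration; the > 0 test keeps a negative value from ever enabling optimization`. Otherwise the line can simply stay `if ( $config{OPTIMIZE} & 6 ) {`. compiler's body starts and ends outside the hunk.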
@@ -3002,7 +3003,12 @@ sub get_configuration( $ ) {
 $val = numeric_value $config{OPTIMIZE};
- fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= 0 && $val <= 7;
+ fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= -1 && $val <= 7;
+
+ if ( $val == -1 ) {
+ $config{OPTIMIZE} = 0;
+ $globals{UNOPTIMIZED} = 1;
+ }
 $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index b6ab76394..2b6fa2971 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
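Review bot: The `if ( $val == -1 )` block rewrites `$config{OPTIMIZE}` to 0 and raises `$globals{UNOPTIMIZED}` with no comment, and since the subject line calls the value undocumented this is the only place a maintainer can learn what -1 means or why the configured value vanishes. Suggest adding above the `if`: `# OPTIMIZE=-1 (undocumented): no optimization at all. Chains.pm consults $globals{UNOPTIMIZED}; the rest of the compiler sees OPTIMIZE normalized to 0.` A side effect worth stating in that comment is that any later display of `$config{OPTIMIZE}` will show 0 rather than the configured -1. get_configuration continues outside the hunk.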
@@ -1682,11 +1682,15 @@ sub add_interface_jumps {
 #
 # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
 #
 for my $interface ( @_ ) {
- add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface;
- add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface;
+ my $forwardref = $filter_table->{forward_chain $interface};
+ my $inputref = $filter_table->{input_chain $interface};
+ my $outputref = $filter_table->{output_chain $interface};
- unless ( $output_jump_added{$interface} || ! use_output_chain $interface ) {
- add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
+ add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
+ add_jump( $filter_table->{INPUT} , $inputref , 0, match_source_dev( $interface ) ) unless $input_jump_added{$interface} || ! use_input_chain $interface, $inputref;
+
+ unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
+ add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
 }
 }
 #
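Review bot: The calls `! use_forward_chain $interface, $forwardref` and `! use_input_chain $interface, $inputref` sit at the tail of an `unless ... ||` chain as bare two-argument list operators, which is hard to read and inconsistent with the rest of this patch, where the same functions are called with parentheses (`use_forward_chain( $interface, $sourcechainref )` in the -1742 hunk, `use_output_chain( $interface, $interfacechainref )` in the -1860 hunk). Parenthesizing here — `! use_forward_chain( $interface, $forwardref )`, `! use_input_chain( $interface, $inputref )` and `! use_output_chain( $interface, $outputref )` — makes the argument boundary explicit; the -1931 hunk has the same bare form in `if ( use_forward_chain $interface, $forwardref )`. add_interface_jumps begins before this hunk.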
@@ -1742,11 +1746,10 @@ sub generate_matrix() {
 my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};
 for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
- my $sourcechainref;
+ my $sourcechainref = $filter_table->{forward_chain $interface};
 my $interfacematch = '';
- if ( use_forward_chain( $interface ) ) {
- $sourcechainref = $filter_table->{forward_chain $interface};
+ if ( use_forward_chain( $interface, $sourcechainref ) ) {
 add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 } else {
 $sourcechainref = $filter_table->{FORWARD};
@@ -1860,7 +1863,7 @@ sub generate_matrix() {
 my $interfacematch = '';
 my $use_output = 0;
- if ( use_output_chain $interface || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+ if ( use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
 $outputref = $interfacechainref;
 add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 $use_output = 1;
@@ -1915,7 +1918,7 @@ sub generate_matrix() {
 my $interfacematch = '';
 my $use_input;
- if ( use_input_chain $interface || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+ if ( use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 $inputchainref = $interfacechainref;
 add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
 $use_input = 1;
@@ -1931,13 +1934,13 @@ sub generate_matrix() {
 if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
 my $ref = source_exclusion( $exclusions, $frwd_ref );
- if ( use_forward_chain $interface ) {
- my $forwardref = $filter_table->{forward_chain $interface};
+ my $forwardref = $filter_table->{forward_chain $interface};
+ if ( use_forward_chain $interface, $forwardref ) {
 add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
 add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 } else {
 add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
- move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
+ move_rules ( $forwardref , $frwd_ref );
 }
 }
 }
@@ -2052,7 +2055,7 @@ sub generate_matrix() {
 my $match_source_dev = '';
 my $forwardchainref = $filter_table->{forward_chain $interface};
- if ( use_forward_chain $interface || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
+ if ( use_forward_chain( $interface , $forwardchainref ) || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
 #
 # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
 #