Keep rules arrays compressed throughout the compilation process

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2010-04-08 12:53:30 -07:00
parent 3937c10251
commit 359c221783
3 changed files with 25 additions and 43 deletions


@ -116,7 +116,6 @@ our %EXPORT_TAGS = (
new_nat_chain
ensure_filter_chain
finish_section
prepare_for_optimization
optimize_chain
check_optimization
optimize_ruleset
@ -594,6 +593,22 @@ sub add_reference ( $$ ) {
$toref->{references}{$fromref->{name}}++;
}
#
# Compress out undefined elements in rules
#
sub compress_rules( $ ) {
my $chainref = shift;
my @rules;
for ( @{$chainref->{rules}} ) {
push @rules, $_ if defined;
}
$chainref->{rules} = \@rules;
trace( $chainref, 'C', undef, '' ) if $debug;
}
#
# Purge jumps previously added via add_jump. If the target chain is empty, reset its
# referenced flag
@ -602,15 +617,20 @@ sub purge_jump ( $$ ) {
my ( $fromref, $toref ) = @_;
my $to = $toref->{name};
my $rule = 0;
my $rules = @{$fromref->{rules}};
my $deleted = 0;
for ( @{$fromref->{rules}} ) {
$rule++;
if ( defined && / -[gj] ${to}\b/ ) {
trace( $fromref, 'D', $rule, $_ ) if $debug;
$_ = undef;
$deleted = 1 unless $rule == $rules;
}
}
compress_rules( $fromref ) if $deleted;
unless ( @{$toref->{rules}} ) {
$toref->{referenced} = 0;
trace ( $toref, 'X', undef, '' ) if $debug;
@ -1365,36 +1385,6 @@ sub finish_section ( $ ) {
}
}
#
# Compress out undefined elements in rules
#
sub compress_rules( $ ) {
my $chainref = shift;
my @rules;
for ( @{$chainref->{rules}} ) {
push @rules, $_ if defined;
}
$chainref->{rules} = \@rules;
}
#
# Prepare chain table for optimization by squeezing out undefined rules array entries
#
sub prepare_for_optimization() {
for my $table ( qw/raw mangle nat filter/ ) {
next if $family == F_IPV6 && $table eq 'nat';
for my $chainref ( grep $_->{referenced}, values %{$chain_table{$table}} ) {
for ( @{$chainref->{rules}} ) {
compress_rules( $chainref ), last unless defined;
}
}
}
}
#
# Delete redundant ACCEPT rules from the end of a policy chain whose policy is ACCEPT
#
@ -1449,6 +1439,7 @@ sub delete_references( $ ) {
for my $fromref ( map $chain_table{$table}{$_} , keys %{$chainref->{references}} ) {
my $rule = 0;
my $deleted = 0;
my $rules = @{$fromref->{rules}};
for ( @{$fromref->{rules}} ) {
$rule++;
@ -1457,7 +1448,7 @@ sub delete_references( $ ) {
trace( $fromref, 'D', $rule, $_ ) if $debug;
$_ = undef;
$count++;
$deleted = 1;
$deleted = 1 unless $rule == $rules;
}
}
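Review bot: In purge_jump the new `$deleted = 1 unless $rule == $rules;` skips compress_rules when the only matched jump is the last rule in the array, so that entry is set to undef but left in place as a trailing undef element, which is at odds with the commit's goal of keeping rules arrays compressed; the same guard is introduced in delete_references further down. Unless code after the hunk already truncates trailing undefs, either drop the `unless` clause so compress_rules always runs after a deletion, or trim the tail after the loop with `pop @{$fromref->{rules}} while @{$fromref->{rules}} && !defined $fromref->{rules}[-1];`. The jump match `/ -[gj] ${to}\b/` interpolates the target chain name unescaped; if chain names can ever contain regex metacharacters, `/ -[gj] \Q$to\E\b/` keeps the match literal. purge_jump's body continues outside the hunk, as does delete_references'.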


@ -833,10 +833,6 @@ sub compiler {
if ( $config{OPTIMIZE} & 6 ) {
progress_message2 'Optimizing Ruleset...';
#
# Prepare table for optimization
#
prepare_for_optimization;
#
# Optimize Policy Chains
#
optimize_policy_chains if $config{OPTIMIZE} & 2;


@ -282,6 +282,8 @@ None.
T - Shell source text appended/inserted into a chain --
converted into rules at run-time.
D - Deleted Rule from a chain
C - Compressed the rules array for a chain to remove deleted
rules. This renumbers the remaining rules.
X - Deleted a chain
Netfilter trace records indicate the table and chain being
@ -299,13 +301,6 @@ None.
NF-(X)-> mangle:tcpost
The compiler keeps the rules for each chain in a Perl array. When
deleting a rule, the corresponding array entry is set to
'undef'. So when a rule is deleted, the rule numbers of the
remaining rules do not change. If the last rule in an array is
deleted, then the array itself is truncated back to the last valid
rule and subsequent append operations grow the array from there.
3) Thanks to Vincent Smeets, there is now an IPv6 mDNS macro.
----------------------------------------------------------------------------