From 3ca9577f04e633258c3f6174a9c3fa5fd2990787 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Wed, 28 Dec 2011 16:22:11 -0800
Subject: [PATCH] Cruft removal

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 143 +++++----------------------
 Shorewall/Perl/Shorewall/Compiler.pm | 4 +
 Shorewall/Perl/Shorewall/Misc.pm | 5 +-
 Shorewall/Perl/Shorewall/Rules.pm | 24 +++--
 4 files changed, 51 insertions(+), 125 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 812726f89..0c97ef726 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -151,6 +151,7 @@ our %EXPORT_TAGS = (
 new_nat_chain
 optimize_chain
 check_optimization
+ optimize_level0
 optimize_ruleset
 setup_zone_mss
 newexclusionchain
@@ -200,7 +201,6 @@ our %EXPORT_TAGS = (
 do_ipsec
 log_rule
 expand_rule
- promote_blacklist_rules
 addnatjump
 set_chain_variables
 mark_firewall_not_started
@@ -257,7 +257,6 @@ our $VERSION = 'MODULEVERSION';
 # ]
 # logchains => { = , ... }
 # references => { => , => , ... }
-# blacklist => ( 0 or 1 )
 # blacklistsection
 # => Chain was created by entries in the BLACKLIST section of the rules file
 # action =>
@@ -1224,9 +1223,7 @@ sub delete_reference( $$ ) {
 # Chain reference , Rule Number, Rule
 #
 # In the first function, the rule number is zero-relative. In the second function,
-# the rule number is one-relative. In the first function, if the rule number is < 0, then
-# the rule is a jump to a blacklist chain (blacklst or blackout). The rule will be
-# inserted at the front of the chain and the chain's 'blacklist' member incremented.
+# the rule number is one-relative.
 #
 sub insert_rule1($$$)
 {
@@ -1238,11 +1235,6 @@ sub insert_rule1($$$)
 assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) );
 $ruleref->{mode} = CAT_MODE;
 
- if ( $number < 0 ) {
- $chainref->{blacklist}++;
- $number = 0;
- }
-
 splice( @{$chainref->{rules}}, $number, 0, $ruleref );
 
 trace( $chainref, 'I', ++$number, $ruleref ) if $debug;
@@ -1283,11 +1275,6 @@ sub insert_irule( $$$$;@ ) {
 $ruleref->{comment} = $comment unless $ruleref->{comment};
 }
 
- if ( $number < 0 ) {
- $chainref->{blacklist}++;
- $number = 0;
- }
-
 splice( @{$chainref->{rules}}, $number, 0, $ruleref );
 
 trace( $chainref, 'I', ++$number, format_rule( $chainref, $ruleref ) ) if $debug;
@@ -1315,13 +1302,12 @@ sub clone_rule( $ ) {
 }
 
 # Do final work to 'delete' a chain. We leave it in the chain table but clear
-# the 'referenced', 'rules', 'references' and 'blacklist' members.
+# the 'referenced', 'rules', and 'references' members.
 #
 sub delete_chain( $ ) {
 my $chainref = shift;
 
 $chainref->{referenced} = 0;
- $chainref->{blacklist} = 0;
 $chainref->{rules} = [];
 $chainref->{references} = {};
 trace( $chainref, 'X', undef, '' ) if $debug;
@@ -1391,7 +1377,7 @@ sub decrement_reference_count( $$ ) {
 #
 # The rules generated by interface options are added to the interfaces's input chain and
 # forward chain. Shorewall::Rules::generate_matrix() may decide to move those rules to
-# the head of a rules chain (behind any blacklist rule already there).
+# the head of a rules chain.
 #
 sub move_rules( $$ ) {
 my ($chain1, $chain2 ) = @_;
@@ -1402,15 +1388,12 @@ sub move_rules( $$ ) {
 my $rules = $chain2->{rules};
 my $count = @{$chain1->{rules}};
 my $tableref = $chain_table{$chain1->{table}};
- my $blacklist = $chain2->{blacklist};
 my $filtered;
 my $filtered1 = $chain1->{filtered};
 my $filtered2 = $chain2->{filtered};
 my @filtered1;
 my @filtered2;
 my $rule;
-
- assert( ! $chain1->{blacklist} );
 #
 # We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 #
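Review bot: With the `$number < 0` clamp removed from `insert_rule1`, a negative rule number now reaches `splice( @{$chainref->{rules}}, $number, 0, $ruleref )` unchanged, and Perl treats a negative splice offset as counting from the end of the array, so a caller still passing the old blacklist marker `-1` would silently insert before the last rule instead of at the front. No such caller is visible in this patch, but the comment hunk above now promises a zero-relative number, so replacing the removed block with `assert( $number >= 0 );` would pin that contract and fail loudly if one was missed; the same applies to `insert_irule` in the following hunk. Both subs begin outside the hunk.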
@@ -1430,11 +1413,11 @@ sub move_rules( $$ ) {
 push @filtered2 , shift @{$chain2->{rules}} while $filtered--;
 
 if ( $debug ) {
- my $rule = $blacklist + $filtered2;
+ my $rule = $filtered2;
 trace( $chain2, 'A', ++$rule, $_ ) for @{$chain1->{rules}};
 }
 
- splice @$rules, $blacklist, 0, @{$chain1->{rules}};
+ unshift @$rules, @{$chain1->{rules}};
 
 $chain2->{referenced} = 1;
 
@@ -1442,16 +1425,9 @@ sub move_rules( $$ ) {
 # In a firewall->x policy chain, multiple DHCP ACCEPT rules can be moved to the head of the chain.
 # This hack avoids that.
 #
- if ( $blacklist ) {
- my $rule = shift @{$rules};
- shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
- unshift @{$rules}, $rule;
- } else {
- shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
- }
-
+ shift @{$rules} while @{$rules} > 1 && $rules->[0]{dhcp} && $rules->[1]{dhcp};
 #
- # Now insert the filter rules at the head of the chain (before blacklist rules)
+ # Now insert the filter rules at the head of the chain
 #
 
 if ( $filtered1 ) {
@@ -1495,8 +1471,6 @@ sub copy_rules( $$;$ ) {
 my $name1 = $chain1->{name};
 my $name = $name1;
 my $name2 = $chain2->{name};
- my $blacklist1 = $chain1->{blacklist};
- my $blacklist2 = $chain2->{blacklist};
 my @rules1 = @{$chain1->{rules}};
 my $rules2 = $chain2->{rules};
 my $count = @{$chain1->{rules}};
@@ -1505,22 +1479,6 @@ sub copy_rules( $$;$ ) {
 # We allow '+' in chain names and '+' is an RE meta-character. Escape it.
 #
 pop @$rules2 unless $nojump; # Delete the jump to chain1
-
- if ( $blacklist2 && $blacklist1 ) {
- #
- # Chains2 already has a blacklist jump -- delete the one at the head of chain1's rule list
- #
- my $rule = shift @rules1;
-
- my $chainb = $rule->{target};
-
- assert( $chainb =~ /^black/ );
-
- delete_reference $chain1, $chainb;
-
- assert( ! --$chain1->{blacklist} );
- $blacklist1 = 0;
- }
 #
 # Chain2 is now a referent of all of Chain1's targets
 #
@@ -1528,17 +1486,6 @@ sub copy_rules( $$;$ ) {
 increment_reference_count( $tableref->{$_->{target}}, $name2 ) if $_->{target};
 }
 
- if ( $blacklist1 ) {
- assert( $blacklist1 == 1 );
-
- trace( $chain2, 'A', 1 , $rules1[0]) if $debug;
-
- unshift @$rules2, shift @rules1;
-
- $chain1->{blacklist} = 0;
- $chain2->{blacklist} = 1;
- }
-
 if ( $debug ) {
 my $rule = @$rules2;
 trace( $chain2, 'A', ++$rule, $_ ) for @rules1;
@@ -1879,7 +1826,6 @@ sub new_chain($$)
 log => 1,
 cmdlevel => 0,
 references => {},
- blacklist => 0,
 filtered => 0
 };
 
@@ -2680,6 +2626,25 @@ sub check_optimization( $ ) {
 #
 # Perform Optimization
 #
+# When an unreferenced chain is found, itis deleted unless its 'dont_delete' flag is set.
+sub optimize_level0() {
+ for my $table ( qw/raw rawpost mangle nat filter/ ) {
+ next if $family == F_IPV6 && $table eq 'nat';
+ my $tableref = $chain_table{$table};
+ my @chains = grep $_->{referenced}, values %$tableref;
+ my $chains = @chains;
+
+ for my $chainref ( @chains ) {
+ #
+ # If the chain isn't branched to, then delete it
+ #
+ unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
+ delete_chain $chainref if $chainref->{referenced};
+ }
+ }
+ }
+}
+
 sub optimize_level4( $$ ) {
 my ( $table, $tableref ) = @_;
 my $progress = 1;
@@ -2687,7 +2652,6 @@ sub optimize_level4( $$ ) {
 #
 # Make repeated passes through each table looking for short chains (those with less than 2 entries)
 #
-# When an unreferenced chain is found, itis deleted unless its 'dont_delete' flag is set.
 # When an empty chain is found, delete the references to it.
 # When a chain with a single entry is found, replace it's references by its contents
 #
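Review bot: In `optimize_level0`, `my $chains = @chains;` is assigned and never read, and the `if $chainref->{referenced}` guard on `delete_chain` cannot be false for a chain that `grep $_->{referenced}` selected, because the `delete_chain` shown earlier in this patch only resets the deleted chain's own `referenced`, `rules` and `references`. For the same reason a chain whose only referrer is deleted in this pass keeps that stale name in its `references` hash and survives the pass; the comment moved here from `optimize_level4` was written for a repeated-pass loop, so if a single pass is intended the header comment should say so (and `itis` wants a space). The loop body could then read `delete_chain $chainref unless $chainref->{dont_delete} || keys %{$chainref->{references}};` with the `$chains` line dropped.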
@@ -5828,59 +5792,6 @@ sub expand_rule( $$$$$$$$$$;$ )
 $diface;
 }
 
-#
-# Where a zone sharing a multi-zone interface has an 'in' blacklist rule, move the rule to the beginning of
-# the associated interface chain
-#
-sub promote_blacklist_rules() {
- my $chainbref = $filter_table->{blacklst};
-
- return 1 unless $chainbref;
-
- my $promoted = 1;
-
- while ( $promoted ) {
- $promoted = 0;
- #
- # Copy 'blacklst''s references since they will change in the following loop
- #
- my @references = map $filter_table->{$_}, keys %{$chainbref->{references}};
-
- for my $chain1ref ( @references ) {
- assert( $chain1ref->{blacklist} == 1 );
-
- my $copied = 0;
- my $rule = $chain1ref->{rules}[0];
- my $chain1 = $chain1ref->{name};
-
- for my $chain2ref ( map $filter_table->{$_}, keys %{$chain1ref->{references}} ) {
- unless ( $chain2ref->{builtin} ) {
- #
- # This is not INPUT or FORWARD -- we wouldn't want to move the
- # rule to the head of one of those chains
- $copied++;
- #
- # Copy the blacklist rule to the head of the parent chain (after any
- # filter rules) unless it already has a blacklist rule.
- #
- unless ( $chain2ref->{blacklist} ) {
- splice @{$chain2ref->{rules}}, $chain2ref->{filtered}, 0, $rule;
- add_reference $chain2ref, $chainbref;
- $chain2ref->{blacklist} = 1;
- }
- }
- }
-
- if ( $copied ) {
- shift @{$chain1ref->{rules}};
- $chain1ref->{blacklist} = 0;
- delete_reference $chain1ref, $chainbref;
- $promoted = 1;
- }
- }
- }
-}
-
 #
 # The following code generates the input to iptables-restore from the contents of the
 # @rules arrays in the chain table entries.
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 7f7768f62..8560b2b95 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -814,6 +814,8 @@ sub compiler {
 #
 generate_matrix;
 
+ optimize_level0;
+
 if ( $config{OPTIMIZE} & 0x1E ) {
 progress_message2 'Optimizing Ruleset...';
 #
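Review bot: `optimize_level0;` is called unconditionally after `generate_matrix`, ahead of and independent of the `$config{OPTIMIZE} & 0x1E` test two lines below, so unreferenced chains are now removed even when OPTIMIZE is 0, which previously kept them because that pass lived inside `optimize_level4`. If that is the intended meaning of level 0 it deserves a comment on the call, e.g. `# Unreferenced chains are always removed, whatever OPTIMIZE says`, and the identical call in the second `compiler` hunk should carry the same note. Since no setting disables the pass any more, it is worth confirming that every chain meant to survive without a compile-time jump (the `dont_delete` chains in Misc.pm, for example) is flagged. `compiler` begins outside the hunk.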
@@ -883,6 +885,8 @@ sub compiler {
 #
 generate_matrix;
 
+ optimize_level0;
+
 if ( $config{OPTIMIZE} & 0x1E ) {
 progress_message2 'Optimizing Ruleset...';
 #
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index f7b3842d0..db9eefd9f 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -560,7 +560,6 @@ sub add_common_rules ( $ ) {
 add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ), '' , 'DROP' , $level ;
 add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
 $dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
- add_ijump $filter_table->{INPUT}, j => $dynamicref, @state;
 add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
 }
 
@@ -647,8 +646,8 @@ sub add_common_rules ( $ ) {
 }
 
 for ( option_chains( $interface ) ) {
- add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
 add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
+ add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
 }
 }
 }
@@ -787,7 +786,7 @@ sub add_common_rules ( $ ) {
 'dhcp', 1 ) for input_option_chain( $interface ), output_chain( $interface );
 
- add_ijump( $filter_table->{forward_chain $interface} ,
+ add_ijump( $filter_table->{forward_option_chain $interface} ,
 j => 'ACCEPT',
 p => "udp --dport $ports" ,
 imatch_dest_dev( $interface ) )
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index bd6248d2a..e7feb0fd4 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
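Review bot: The swap inside `for ( option_chains( $interface ) )` changes which rule sees a packet first, not just the listing order: the jump to `$dynamicref` now precedes the FASTACCEPT `ACCEPT`, so a host added to the dynamic blacklist is matched even on its already-established connections, which the old order let through on the `$faststate` match before `dynamic` was consulted. Combined with the removal of the direct `INPUT` -> `$dynamicref` jump in the earlier Misc.pm hunk, the option chains become the only path to `dynamic`, so any input path that bypasses `option_chains( $interface )` would no longer be blacklisted; how those chains are assigned is not visible here, so it is worth confirming. A comment above the pair, `# dynamic blacklist must be consulted before the FASTACCEPT shortcut`, would stop the order being "tidied" back later. The enclosing interface loop and `add_common_rules` start outside the hunk.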
@@ -2632,15 +2632,27 @@ sub process_rules() {
 my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
 
 if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) {
- for my $interface ( @interfaces ) {
- if ( my $chain1ref = $filter_table->{input_option_chain $interface} ) {
- add_ijump ( $chainref , j => $chain1ref->{name}, @interfaces > 1 ? imatch_source_dev( $interface ) : () );
+ if ( @interfaces ==1 ) {
+ if ( my $chain1ref = $filter_table->{input_option_chain $interfaces[0]} ) {
+ push( @{$chainref->{rules}}, @{$chain1ref->{rules}} );
+ }
+ } else {
+ for my $interface ( @interfaces ) {
+ if ( my $chain1ref = $filter_table->{input_option_chain $interface} ) {
+ add_ijump ( $chainref , j => $chain1ref->{name}, imatch_source_dev( $interface ) );
+ }
 }
 }
 } else {
- for my $interface ( @interfaces ) {
- if ( my $chain1ref = $filter_table->{forward_option_chain $interface} ) {
- add_ijump ( $chainref , j => $chain1ref->{name}, @interfaces > 1 ? imatch_source_dev( $interface ) : () );
+ if ( @interfaces ==1 ) {
+ if ( my $chain1ref = $filter_table->{forward_option_chain $interfaces[0]} ) {
+ push( @{$chainref->{rules}}, @{$chain1ref->{rules}} );
+ }
+ } else {
+ for my $interface ( @interfaces ) {
+ if ( my $chain1ref = $filter_table->{forward_option_chain $interface} ) {
+ add_ijump ( $chainref , j => $chain1ref->{name}, imatch_source_dev( $interface ) );
+ }
 }
 }
 }
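Review bot: The new single-interface branches copy `@{$chain1ref->{rules}}` into the rules chain with a bare `push`, which skips the bookkeeping that `copy_rules` in Chains.pm does for the same operation (`increment_reference_count( $tableref->{$_->{target}}, $name2 ) if $_->{target}` per copied rule), so the targets of those rules — for instance the `dynamic` chain jumped to from the option chains in Misc.pm — do not record `$chainref` as a referrer. With this patch also adding `optimize_level0`, which deletes any chain whose `references` hash is empty unless `dont_delete` is set, a target chain reached only through these copied rules could be deleted while still jumped to; which of those targets carry `dont_delete` is not visible from the hunk, so this is worth checking. If `increment_reference_count` is available here, adding `increment_reference_count( $filter_table->{$_->{target}}, $chainref->{name} ) for grep { $_->{target} } @{$chain1ref->{rules}};` after each `push` (or routing through `copy_rules( $chain1ref, $chainref, 1 )`, whose third argument suppresses the pop of a trailing jump, once its remaining side effects on `$chain1ref` are confirmed) would restore it. The two `if`/`else` blocks differ only in `input_option_chain` versus `forward_option_chain` and could share one helper, and `@interfaces ==1` wants a space before the `1`. The enclosing loop of `process_rules` starts outside the hunk.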