Allow OPTIMIZE=All

- Remove use of literal 4096 from OPTIMIZATION checks.
- Moved constant declarations to the Config module.
- Documented that level 1 is ignored when level 4 is specified.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2013-07-29 10:08:35 -07:00
parent e0a222938a
commit 83d1aa6682
13 changed files with 58 additions and 31 deletions


@ -123,10 +123,6 @@ our %EXPORT_TAGS = (
ALL_RESTRICT
ALL_COMMANDS
NOT_RESTORE
OPTIMIZE_POLICY_MASK
OPTIMIZE_POLICY_MASK2n4
OPTIMIZE_RULESET_MASK
OPTIMIZE_MASK
unreachable_warning
state_match
@ -453,17 +449,6 @@ our $ipset_rules;
#
use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
#
# Optimization masks
#
use constant {
OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains()
OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
};
use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };
use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4, RETURNS => 8, RETURNS_DONT_MOVE => 12 };
our %dscpmap = ( CS0 => 0x00,
@ -1226,8 +1211,7 @@ sub push_rule( $$ ) {
my $ruleref = transform_rule( $_[1], $complete );
$ruleref->{comment} = shortlineinfo($chainref->{origin}) || $comment;
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};
push @{$chainref->{rules}}, $ruleref;
$chainref->{referenced} = 1;
@ -1957,7 +1941,7 @@ sub use_forward_chain($$) {
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
#
# Use it if we already have jumps to it
#
@ -2033,7 +2017,7 @@ sub use_input_chain($$) {
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
#
# We must use the interfaces's chain if the interface is associated with multiple Zones
#
@ -2113,7 +2097,7 @@ sub use_output_chain($$) {
my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets};
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & OPTIMIZE_USE_FIRST );
#
# We must use the interfaces's chain if the interface is associated with multiple Zones
#
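Review bot: OPTIMIZE_MASK is dropped from this module's export list and its `use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK }` is deleted, but the constant block added to Config.pm defines OPTIMIZE_ALL (0x1F) and not OPTIMIZE_MASK (0x1E), so any remaining user of OPTIMIZE_MASK will now fail to compile under strict, and a caller switched to OPTIMIZE_ALL picks up bit 0x01 that the old mask excluded. The three new `OPTIMIZE_USE_FIRST` tests in use_forward_chain, use_input_chain and use_output_chain depend on that name being imported from Shorewall::Config through the `internal` tag, which none of these hunks show; worth confirming the import list in this file covers it. In the push_rule hunk the line `$ruleref->{mode} = CMD_MODE if $ruleref->{cmdlevel} = $chainref->{cmdlevel};` is printed twice, and if the new side keeps both the second is a redundant repeat; the single `=` inside the condition reads as an assignment used as a test, so if that is intended a comment such as `# copy the chain's cmdlevel; a non-zero level puts the rule in command mode` would make it deliberate. All four functions extend outside their hunks.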


@ -199,6 +199,12 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
CONFIG_CONTINUATION
DO_INCLUDE
NORMAL_READ
OPTIMIZE_POLICY_MASK
OPTIMIZE_POLICY_MASK2n4
OPTIMIZE_RULESET_MASK
OPTIMIZE_USE_FIRST
OPTIMIZE_ALL
) , ] ,
protocols => [ qw (
TCP
@ -411,6 +417,17 @@ use constant {
SCTP => 132,
UDPLITE => 136,
};
#
# Optimization masks
#
use constant {
OPTIMIZE_POLICY_MASK => 0x02 , # Call optimize_policy_chains()
OPTIMIZE_POLICY_MASK2n4 => 0x06 ,
OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
OPTIMIZE_ALL => 0x1F , # Maximum value for documented categories.
OPTIMIZE_USE_FIRST => 0x1000 # Always use interface 'first' chains -- undocumented
};
our %helpers = ( amanda => UDP,
ftp => TCP,
@ -5659,9 +5676,15 @@ sub get_configuration( $$$$ ) {
$config{$default} = 'none' if "\L$config{$default}" eq 'none';
}
$val = numeric_value $config{OPTIMIZE};
if ( ( $val = $config{OPTIMIZE} ) =~ /^all$/i ) {
$config{OPTIMIZE} = $val = OPTIMIZE_ALL;
} elsif ( $val =~ /^none$/i ) {
$config{OPTIMIZE} = $val = 0;
} else {
$val = numeric_value $config{OPTIMIZE};
fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 31;
fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless supplied( $val ) && $val >= 0 && ( $val & ~OPTIMIZE_USE_FIRST ) <= OPTIMIZE_ALL;
}
require_capability 'XMULTIPORT', 'OPTIMIZE level 16', 's' if $val & 16;
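Review bot: The last line still tests the raw bit `$val & 16` while the rest of the commit replaces magic numbers with named masks, and the validation line just above now spells 31 as OPTIMIZE_ALL; the individual category bits have no names in the new constant block, so either add them there or mark this one, e.g. `# OPTIMIZE category 16 requires the XMULTIPORT capability`. The new `/^all$/i` and `/^none$/i` tests use `$`, which also matches before a trailing newline; `\A` and `\z` (`/\Aall\z/i`, `/\Anone\z/i`) pin the whole value unless the config reader is already known to strip line ends. Note also that `$val` is re-used for both the raw string and the numeric result, which is why the `else` branch must call numeric_value before the range check; a short comment saying so would help the next reader. get_configuration continues outside this hunk.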


@ -2434,7 +2434,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$ ) {
fatal_error "Rules may not override a NONE policy";
}
#
# Handle Optimization
# Handle Optimization level 1 when specified alone
#
if ( $optimize == 1 && $section == NEW_SECTION ) {
my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
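Review bot: The new comment "Handle Optimization level 1 when specified alone" matches the condition `$optimize == 1`, but the two documentation `<note>` blocks added in this same commit say level 1 is ignored only when level 4 is also selected; if `$optimize` carries the full OPTIMIZE bitmask, a value of 3, 9 or 17 selects level 1 without level 4 and still skips this branch, so the code and the documentation disagree. If the intent is the documented one, the test would be `if ( ( $optimize & 1 ) && !( $optimize & 4 ) && $section == NEW_SECTION ) {`; otherwise the documentation note should say level 1 takes effect only when it is the sole category. process_rule's body extends well beyond this hunk, so how `$optimize` is derived is not visible here.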


@ -190,7 +190,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=31
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No


@ -201,7 +201,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=31
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No


@ -199,7 +199,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=31
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No


@ -202,7 +202,7 @@ MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=31
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No


@ -1755,6 +1755,10 @@ LOG:info:,bar net fw</programlisting>
of two. To enable multiple optimization categories, simply add their
corresponding numbers together.</para>
<para>Beginning with Shorewall 4.5.20, you may specify OPTIMIZE=All
to enable all optimization categories, and you may also specify
OPTIMIZE=None to disable optimization.</para>
<itemizedlist>
<listitem>
<para>Optimization category 1 - Traditionally, Shorewall has
@ -1774,6 +1778,12 @@ LOG:info:,bar net fw</programlisting>
or DEST column). A wildcard rule is considered to be redundant
when it has the same ACTION and Log Level as the applicable
policy.</para>
<note>
<para>Optimization level 1 is ignored when optimization level
4 is also selected, since level 4 performs similar
optimizations in a more robust way.</para>
</note>
</listitem>
<listitem>


@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60
OPTIMIZE=31
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No


@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60
OPTIMIZE=31
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No


@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60
OPTIMIZE=31
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No


@ -173,7 +173,7 @@ MODULE_SUFFIX=ko
MUTEX_TIMEOUT=60
OPTIMIZE=31
OPTIMIZE=All
OPTIMIZE_ACCOUNTING=No


@ -1516,6 +1516,10 @@ LOG:info:,bar net fw</programlisting>
of two. To enable multiple optimization categories, simply add their
corresponding numbers together.</para>
<para>Beginning with Shorewall 4.5.20, you may specify OPTIMIZE=All
to enable all optimization categories, and you may also specify
OPTIMIZE=None to disable optimization.</para>
<itemizedlist>
<listitem>
<para>Optimization category 1 - Traditionally, Shorewall has
@ -1535,6 +1539,12 @@ LOG:info:,bar net fw</programlisting>
or DEST column). A wildcard rule is considered to be redundant
when it has the same ACTION and Log Level as the applicable
policy.</para>
<note>
<para>Optimization level 1 is ignored when optimization level
4 is also selected, since level 4 performs similar
optimizations in a more robust way.</para>
</note>
</listitem>
<listitem>