holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

More performance tweaks

Browse Source
This commit is contained in:
Tom Eastep 2009-08-17 16:29:18 -07:00
parent 787a1867a0
commit 90b0bedc43
2 changed files with 55 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -784,9 +784,12 @@ sub use_input_chain($) {
my $interfaceref = find_interface($interface); my $interfaceref = find_interface($interface);
my $nets = $interfaceref->{nets}; my $nets = $interfaceref->{nets};
# #
# We must use the interfaces's chain if the interface is associated with multiple zone nets or # We must use the interfaces's chain if:
# if the interface has the 'upnpclient' option. In the latter case, the chain's rules will contain #
# run-time code which cannot currently be transferred to a zone-oriented chain by move_rules(). # - the interface is associated with multiple zone nets; or
# - the interface has the 'upnpclient' option.
#
# In the latter case, the chain's rules will contain run-time code which cannot currently be transferred to a zone-oriented chain by move_rules().
# #
return 1 if $nets > 1 || $interfaceref->{options}{upnpclient}; return 1 if $nets > 1 || $interfaceref->{options}{upnpclient};
# #
@ -1009,9 +1012,7 @@ sub ensure_mangle_chain($) {
my $chain = $_[0]; my $chain = $_[0];
my $chainref = ensure_chain 'mangle', $chain; my $chainref = ensure_chain 'mangle', $chain;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref; $chainref;
} }
@ -1019,9 +1020,7 @@ sub ensure_nat_chain($) {
my $chain = $_[0]; my $chain = $_[0];
my $chainref = ensure_chain 'nat', $chain; my $chainref = ensure_chain 'nat', $chain;
$chainref->{referenced} = 1; $chainref->{referenced} = 1;
$chainref; $chainref;
} }
@ -1075,7 +1074,7 @@ sub ensure_manual_chain($) {
} }
# #
# Add all builtin chains to the chain table # Add all builtin chains to the chain table -- it is separate from initialize() for purely historical reasons.
# #
# #
sub initialize_chain_table() sub initialize_chain_table()
@ -1357,6 +1356,8 @@ sub port_count( $ ) {
# #
# Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string. # Handle parsing of PROTO, DEST PORT(S) , SOURCE PORTS(S). Returns the appropriate match string.
# #
# If the optional argument is true, port lists > 15 result in a fatal error.
#
sub do_proto( $$$;$ ) sub do_proto( $$$;$ )
{ {
my ($proto, $ports, $sports, $restricted ) = @_; my ($proto, $ports, $sports, $restricted ) = @_;

66
Shorewall/Perl/Shorewall/IPAddrs.pm
View File

@ -80,6 +80,12 @@ our $VERSION = '4.3_7';
our @allipv4 = ( '0.0.0.0/0' ); our @allipv4 = ( '0.0.0.0/0' );
our @allipv6 = ( '::/0' ); our @allipv6 = ( '::/0' );
our $family; our $family;
our $allip;
our $valid_address;
our $validate_address;
our $validate_net;
our $validate_range;
our $validate_host;
use constant { ALLIPv4 => '0.0.0.0/0' , use constant { ALLIPv4 => '0.0.0.0/0' ,
ALLIPv6 => '::/0' , ALLIPv6 => '::/0' ,
@ -101,20 +107,10 @@ use constant { ALLIPv4 => '0.0.0.0/0' ,
our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ); our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
#
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't
# known until the compiler has started.
#
# 2. The compiler can run multiple times in the same process so it has to be
# able to re-initialize its dependent modules' state.
#
sub initialize( $ ) {
$family = shift;
}
#
# Note: initialize() is declared at the bottom of the file
#
sub vlsm_to_mask( $ ) { sub vlsm_to_mask( $ ) {
my $vlsm = $_[0]; my $vlsm = $_[0];
@ -626,31 +622,61 @@ sub validate_icmp6( $ ) {
} }
sub ALLIP() { sub ALLIP() {
$family == F_IPV4 ? ALLIPv4 : ALLIPv6; $allip;
} }
sub allip() { sub allip() {
$family == F_IPV4 ? ALLIPv4 : ALLIPv6; $allip;
} }
sub valid_address ( $ ) { sub valid_address ( $ ) {
$family == F_IPV4 ? valid_4address( $_[0] ) : valid_6address( $_[0] ); $valid_address->(@_);
} }
sub validate_address ( $$ ) { sub validate_address ( $$ ) {
$family == F_IPV4 ? validate_4address( $_[0], $_[1] ) : validate_6address( $_[0], $_[1] ); $validate_address->(@_);
} }
sub validate_net ( $$ ) { sub validate_net ( $$ ) {
$family == F_IPV4 ? validate_4net( $_[0], $_[1] ) : validate_6net( $_[0], $_[1] ); $validate_net->(@_);
} }
sub validate_range ($$ ) { sub validate_range ($$ ) {
$family == F_IPV4 ? validate_4range( $_[0], $_[1] ) : validate_6range( $_[0], $_[1] ); $validate_range->(@_);
} }
sub validate_host ($$ ) { sub validate_host ($$ ) {
$family == F_IPV4 ? validate_4host( $_[0], $_[1] ) : validate_6host( $_[0], $_[1] ); $validate_host->(@_);
}
#
# Rather than initializing globals in an INIT block or during declaration,
# we initialize them in a function. This is done for two reasons:
#
# 1. Proper initialization depends on the address family which isn't
# known until the compiler has started.
#
# 2. The compiler can run multiple times in the same process so it has to be
# able to re-initialize its dependent modules' state.
#
sub initialize( $ ) {
$family = shift;
if ( $family == F_IPV4 ) {
$allip = ALLIPv4;
$valid_address = \&valid_4address;
$validate_address = \&validate_4address;
$validate_net = \&validate_4net;
$validate_range = \&validate_4range;
$validate_host = \&validate_4host;
} else {
$allip = ALLIPv6;
$valid_address = \&valid_6address;
$validate_address = \&validate_6address;
$validate_net = \&validate_6net;
$validate_range = \&validate_6range;
$validate_host = \&validate_6host;
}
} }
1; 1;