From b8cc9c5a6a5dea6602715bc422b3d67d801a019e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 25 Jan 2013 14:03:04 -0800
Subject: [PATCH] Drop chain-ending rules whose target is 'RETURN'.

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 2debbd581..e1925619d 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -2961,6 +2961,7 @@ sub optimize_level4( $$ ) {
 # A chain with a single 'RETURN' rule -- get rid of it
 #
 delete_chain_and_references( $chainref );
+ $progress = 1;
 } else {
 #
 # Replace all references to this chain with references to the target
@@ -2969,10 +2970,13 @@ sub optimize_level4( $$ ) {
 $progress = 1;
 }
 } elsif ( $firstrule->{target} ) {
- #
- # Not so easy -- the rule contains matches
- #
- if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
+ if ( $firstrule->{target} eq 'RETURN' ) {
+ #
+ # A chain with a single 'RETURN' rule -- get rid of it
+ #
+ delete_chain_and_references( $chainref );
+ $progress = 1;
+ } elsif ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 #
 # This case requires a new rule merging algorithm. Ignore this chain for
 # now on.
@@ -2992,6 +2996,15 @@ sub optimize_level4( $$ ) {
 #
 my $rulesref = $chainref->{rules};
+ if ( ( $lastref->{target} || '' ) eq 'RETURN' ) {
+ #
+ # The last rule is a RETURN -- get rid of it
+ #
+ pop @$rulesref;
+ $lastref = $rulesref->[-1];
+ $progress = 1;
+ }
+
+ if ( $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {
 my $target = $lastref->{target};
 my $count = 0;
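Review bot: In the second hunk (the `} elsif ( $firstrule->{target} ) {` branch of optimize_level4), the new RETURN test runs before the `$chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy}` exclusions, so a single-rule chain that those conditions used to leave alone is now handed to `delete_chain_and_references` whenever its rule targets RETURN. Whether a built-in chain or a policy rule can reach this branch is decided outside the hunk, but if it can, the generated ruleset changes rather than merely getting shorter. I would make the guard explicit, `if ( $firstrule->{target} eq 'RETURN' && ! $chainref->{builtin} ) {`, and confirm whether `$firstrule->{policy}` needs the same exclusion. The copied comment should also say that the rule carries matches here, since it currently repeats the wording of the simple-rule case, and the `# Not so easy -- the rule contains matches` explanation was removed.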
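Review bot: In the third hunk, `$lastref = $rulesref->[-1]` after `pop @$rulesref` is undef when the RETURN was the chain's only rule, and the following `$lastref->{simple}` test then works only because Perl autovivifies the scalar. Whether a one-rule chain can reach this point depends on the loop outside the hunk; writing the test as `if ( $lastref && $lastref->{simple} && $lastref->{target} && ! $lastref->{targetopts} ) {` makes the empty case explicit. The RETURN check has no `simple` condition, so a RETURN that carries matches is dropped as well. That leaves the verdict unchanged, because falling off the end of a chain returns anyway, but the comment should say so, e.g. `# The last rule is a RETURN (with or without matches) -- falling off the end of the chain has the same effect`. If rules here can carry matches that update state, removing them is not a pure no-op and is worth confirming.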