From c0abdc1fe8e6e2ffd4f49615de54d7dcfde6f154 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 2 Dec 2012 17:31:13 -0800
Subject: [PATCH] Add some comments in and around delete_duplicates()
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 719fce778..873668961 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3370,6 +3370,11 @@ sub combine_dports {
 \@rules;
 }
+#
+# When suppressing duplicate rules, care must be taken to avoid suppressing non-adjacent duplicates
+# using any of these matches, because an intervening rule could modify the result of the match
+# of the second duplicate
+#
 my %bad_match = ( conntrack => 1,
 dscp => 1,
 ecn => 1,
@@ -3415,19 +3420,30 @@ sub delete_duplicates {
 my $keynum = 0;
 if ( $adjacent > 0 ) {
+#
+# There are no non-duplicate rules between this rule and the base rule
+#
 for my $key ( @keys1 ) {
 next RULE unless $key eq $keys2[$keynum++];
 next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
 }
 } else {
+#
+# There are non-duplicate rules between this rule and the base rule
+#
 for my $key ( @keys1 ) {
 last RULE if $bad_match{$key};
 next RULE unless $key eq $keys2[$keynum++];
 next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
 }
 }
-
+#
+# This rule is a duplicate
+#
 $duplicate = 1;
+#
+# Increment $adjacent so that the continue block won't set it to zero
+#
 $adjacent++;
 }
 continue {
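Review bot: The new comment above `%bad_match` explains why the listed matches are special but not the consequence of leaving one out, which is the part a maintainer adding a new match type needs: a match missing from this hash lets delete_duplicates() treat a later, non-adjacent rule as a duplicate and (per the function's name and the "suppressing" wording) remove it, even though an intervening rule may have changed what that match sees — so a rule the administrator wrote is silently dropped from the generated ruleset. Suggest extending the comment with an explicit maintenance note such as `# Any match whose outcome an earlier rule can alter (connection state, DSCP/ECN marks, ...) MUST be listed here; an omission lets a non-adjacent rule be deleted that is not actually redundant.` The hash body continues past the hunk, so entries beyond `ecn` are not visible here.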
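Review bot: The comment `# Increment $adjacent so that the continue block won't set it to zero` in the second hunk documents an effect on code outside the hunk without saying what `$adjacent` means, so the two earlier comments (`There are no non-duplicate rules between this rule and the base rule` / `There are non-duplicate rules ...`) only become clear after a reader has located the continue block. Suggest stating the invariant once, either where `$adjacent` is declared (outside the hunk) or in the first new comment, along the lines of `# $adjacent > 0 means every rule examined since the base rule was itself a duplicate` — with the continue-block reset described there too, if that is indeed what it does, since the reset logic is not visible in this hunk. delete_duplicates() starts and ends outside the hunk.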