holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Add some comments in and around delete_duplicates()

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-12-02 17:31:13 -08:00
parent d5405757dd
commit c0abdc1fe8
1 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -3370,6 +3370,11 @@ sub combine_dports {
\@rules; \@rules;
} }
#
# When suppressing duplicate rules, care must be taken to avoid suppressing non-adjacent duplicates
# using any of these matches, because an intervening rule could modify the result of the match
# of the second duplicate
#
my %bad_match = ( conntrack => 1, my %bad_match = ( conntrack => 1,
dscp => 1, dscp => 1,
ecn => 1, ecn => 1,
@ -3415,19 +3420,30 @@ sub delete_duplicates {
my $keynum = 0; my $keynum = 0;
if ( $adjacent > 0 ) { if ( $adjacent > 0 ) {
#
# There are no non-duplicate rules between this rule and the base rule
#
for my $key ( @keys1 ) { for my $key ( @keys1 ) {
next RULE unless $key eq $keys2[$keynum++]; next RULE unless $key eq $keys2[$keynum++];
next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} ); next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
} }
} else { } else {
#
# There are non-duplicate rules between this rule and the base rule
#
for my $key ( @keys1 ) { for my $key ( @keys1 ) {
last RULE if $bad_match{$key}; last RULE if $bad_match{$key};
next RULE unless $key eq $keys2[$keynum++]; next RULE unless $key eq $keys2[$keynum++];
next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} ); next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
} }
} }
#
# This rule is a duplicate
#
$duplicate = 1; $duplicate = 1;
#
# Increment $adjacent so that the continue block won't set it to zero
#
$adjacent++; $adjacent++;
} continue { } continue {