From 4a05e56d6d171e5384ed9b88228065a9ca6db864 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 1 Jun 2013 13:01:55 -0700
Subject: [PATCH 1/4] Disable warning on unreachable rules.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 86699cdcb..ddd904283 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -7063,7 +7063,7 @@ sub expand_rule( $$$$$$$$$$$;$ )
 ) = @_;
 
 if ( $chainref->{complete} ) {
- warning_message "The rule(s) generated by this entry are unreachable and have been discarded";
+# warning_message "The rule(s) generated by this entry are unreachable and have been discarded";
 return '';
 }
 
From 4340bcffb1133427b2ea55744fecb15075a385c7 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 1 Jun 2013 13:02:39 -0700
Subject: [PATCH 2/4] Don't optimize away a rule that includes nfacct matches.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index ddd904283..76bc83e62 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3247,7 +3247,7 @@ sub optimize_level4( $$ ) {
 while ( @$rulesref ) {
 my $rule1ref = $rulesref->[-1];
- last unless ( $rule1ref->{target} || '' ) eq $target && ! $rule1ref->{targetopts};
+ last unless ( $rule1ref->{target} || '' ) eq $target && ! ( $rule1ref->{targetopts} || $rule1ref->{nfacct} );
 trace ( $chainref, 'D', $rule, $rule1ref ) if $debug;
From 7dbd50708b7d215618666dc5423a0874e048d977 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 1 Jun 2013 13:03:10 -0700
Subject: [PATCH 3/4] Clear the current filename after last file is processed.
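Review bot: Commenting out the `warning_message` call in `expand_rule` leaves dead code behind and makes the discard of unreachable rules completely silent: an entry whose rules cannot be reached because `$chainref->{complete}` is already set now vanishes from the generated ruleset with no trace in the compile output, which is exactly the kind of policy gap an administrator auditing a firewall would want to see. If the warning is too noisy for legitimate cases, emitting it through `progress_message` at this point keeps the information available at higher verbosity without spamming normal runs; either way the commented-out line should be deleted rather than kept. The rest of `expand_rule` lies outside the hunk.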
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Compiler.pm | 4 ++++
 Shorewall/Perl/Shorewall/Config.pm | 10 +++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 112bfd92d..9c98a9196 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -829,6 +829,10 @@ sub compiler {
 #
 setup_tunnels;
 #
+ # Clear the current filename
+ #
+ clear_currentfilename;
+ #
 # MACLIST Filtration again
 #
 setup_mac_lists 2;
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index b5593a28d..64a84671c 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -48,6 +48,7 @@ our @EXPORT = qw(
 fatal_error
 assert
 currentlineinfo
+ clear_currentfilename
 
 progress_message
 progress_message_nocompress
@@ -658,7 +659,7 @@ sub initialize( $;$$) {
 EXPORT => 0,
 KLUDGEFREE => '',
 STATEMATCH => '-m state --state',
- VERSION => "4.5.13-Beta3",
+ VERSION => "4.5.18-Beta1",
 CAPVERSION => 40515 ,
 );
 #
@@ -2167,6 +2168,13 @@ sub close_file() {
 }
 }
 
+#
+# Clear the current filename
+#
+sub clear_currentfilename() {
+ $currentfilename = '';
+}
+
 #
 # Process an ?IF, ?ELSIF, ?ELSE or ?END directive
 #
From 481811d29f924a1ea7b74b56086978ed903523e0 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 2 Jun 2013 13:29:13 -0700
Subject: [PATCH 4/4] Merge NFACCT and EXPENSIVE matches during optimization
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 76bc83e62..1f31332c9 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
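Review bot: The comment `# Clear the current filename` added above `clear_currentfilename;` in `compiler` only restates the call; what the next reader needs is why it happens at this point in the sequence, which the hunk does not say. Suggest `# All configuration files have been read; clear the current filename so that diagnostics from the remaining compile phases are not attributed to the last file processed`, hedged as a presumption, since the commit subject is the only evidence of intent here. `compiler` continues outside the hunk on both sides.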
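Review bot: The new `sub clear_currentfilename()` in Config.pm resets only `$currentfilename`; if line-number state lives in a sibling variable (the exported `currentlineinfo` suggests line information is tracked, but that code is not in the hunk) it stays pointing at the last file read while the filename is already empty, so a diagnostic emitted afterwards could show a line number without a file. Worth confirming against `currentlineinfo` and, if so, resetting that state in the same sub. A one-line header comment stating the contract, `# Reset the filename used by currentlineinfo once the last configuration file has been processed`, would also be more useful than the current restatement of the name. The EXPORT and VERSION hunks in this file are trivial and raise nothing.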
@@ -1121,7 +1121,7 @@ sub merge_rules( $$$ ) {
 }
 }
 
- for my $option ( grep ! $opttype{$_}, keys %$fromref ) {
+ for my $option ( grep ! $opttype{$_} || $_ eq 'nfacct', keys %$fromref ) {
 set_rule_option( $toref, $option, $fromref->{$option} );
 }
 
@@ -1137,6 +1137,10 @@ sub merge_rules( $$$ ) {
 set_rule_option( $toref, 'policy', $fromref->{policy} ) if exists $fromref->{policy};
 
+ for my $option ( grep( ( $opttype{$_} || 0 ) == EXPENSIVE, keys %$fromref ) ) {
+ set_rule_option( $toref, $option, $fromref->{$option} );
+ }
+
 unless ( $toref->{comment} ) {
 $toref->{comment} = $fromref->{comment} if exists $fromref->{comment};
 }
 
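Review bot: The first hunk's `grep ! $opttype{$_} || $_ eq 'nfacct', keys %$fromref` now copies `nfacct` whatever its entry in `%opttype`, and the second hunk copies every option whose type is `EXPENSIVE`; if `nfacct` is registered with type `EXPENSIVE` (not visible here) the same option reaches `set_rule_option` twice, which matters if that helper appends rather than overwrites. Excluding the already-handled name from the second loop, `grep( ( $opttype{$_} || 0 ) == EXPENSIVE && $_ ne 'nfacct', keys %$fromref )`, or giving nfacct a type of its own, removes the overlap. A short comment on the first loop saying why an accounting match is merged alongside the untyped options, `# nfacct only counts packets; merging it never changes what the rule matches`, would record the reasoning behind the special case. `merge_rules` continues outside both hunks.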