On 12/01/2012 04:53 PM, Mr Dash Four wrote:
5. Minor issue, which could be improved upon as far as optimisation of
inline actions goes:
rules
~~~~~
circ1(dropBcast) $FW net
dropBcast $FW net
generates something like:
:~comb2 [0:0]
[...]
-A fw2net -j ~comb2
-A fw2net -j ~comb2
[...]
-A ~comb2 -m addrtype --dst-type BROADCAST -j DROP
-A ~comb2 -d 224.0.0.0/4 -j DROP
Both statements for "-A fw2net ..." above should have been combined into
a single one.
Doesn't setting OPTIMIZE=31 remove the duplicate rule?
No.
I have:
actions:
--------
run
action.run:
-----------
$1
rules:
------
...
run(dropBcast) $FW net
dropBcast $FW net
shorewall.conf:
---------------
...
OPTIMIZE=31
...
That generates the following rules in fw2net:
-A fw2net -p udp --dport 67:68 -j ACCEPT
-A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2net -p 17 --dport 53 -j ACCEPT -m comment --comment "DNS"
-A fw2net -p 6 --dport 53 -j ACCEPT -m comment --comment "DNS"
-A fw2net -p 1 -j ACCEPT
-A fw2net -j run
-A fw2net -m addrtype --dst-type BROADCAST -j DROP
-A fw2net -d 224.0.0.0/4 -j DROP
-A fw2net -j Reject
-A fw2net -j LOG --log-level 6 --log-prefix "Shorewall:fw2net:REJECT:"
-A fw2net -g reject
If I replace the rules with:
run(Broadcast(DROP)) $FW net
Broadcast(DROP) $FW net
Then I get:
-A fw2net -p udp --dport 67:68 -j ACCEPT
-A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2net -p 17 --dport 53 -j ACCEPT -m comment --comment "DNS"
-A fw2net -p 6 --dport 53 -j ACCEPT -m comment --comment "DNS"
-A fw2net -p 1 -j ACCEPT
-A fw2net -j run
-A fw2net -j ~comb0
-A fw2net -j Reject
-A fw2net -j LOG --log-level 6 --log-prefix "Shorewall:fw2net:REJECT:"
-A fw2net -g reject
...
-A run -j ~comb0
...
-A ~comb0 -m addrtype --dst-type BROADCAST -j DROP
-A ~comb0 -m addrtype --dst-type MULTICAST -j DROP
-A ~comb0 -m addrtype --dst-type ANYCAST -j DROP
-A ~comb0 -d 224.0.0.0/4 -j DROP
If I inline the run action, I get:
-A fw2net -j ~comb0 -m comment --comment "run"
-A fw2net -j ~comb0
If I turn off AUTOCOMMENT (after fixing AUTOCOMMENT=No with the attached
patch), I get:
-A fw2net -p udp --dport 67:68 -j ACCEPT
-A fw2net -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A fw2net -p 17 --dport 53 -j ACCEPT
-A fw2net -p 6 --dport 53 -j ACCEPT
-A fw2net -p 1 -j ACCEPT
-A fw2net -j ~comb0
-A fw2net -j ~comb0
-A fw2net -j Reject
-A fw2net -j LOG --log-level 6 --log-prefix "Shorewall:fw2net:REJECT:"
-A fw2net -g reject
(Finally!)
When optimize level 16 is requested, the optimizer currently deletes
duplicate rules only in the 'raw' table. There is quite a bit of work
and lots of testing to be done to delete them in the other table chains,
because there are cases in those chains where duplicate rules must not be
deleted. As a trivial example:
-A chain -j CONNMARK --restore-mark
-A chain -m mark ! --mark 0 -j RETURN
-A chain -s 1.2.3.4 -j MARK --set-mark 1
-A chain -s 2.3.4.5 -j MARK --set-mark 2
-A chain -m mark ! --mark 0 -j RETURN
-A chain -j MARK --set-mark 3
-A chain -j CONNMARK --save-mark
It's clearly a bad idea to remove the duplicate RETURN rule.
I'll think about working on this for 4.5.11.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
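The hazard described above (a duplicate RETURN whose meaning depends on the MARK rules sitting between the two copies) can be made concrete. The following Python is an added illustration written for this page, not Shorewall's optimizer: it collapses a textually identical rule only when nothing between the two copies rewrites the state the rule tests and the rule's own target is idempotent, so the mark example keeps both RETURNs while the two adjacent `-j ~comb0` jumps from the fw2net listing collapse to one. The target sets and the sample chains are constructed for the demonstration.

```python
import re

# Constructed for this illustration: targets whose effect a later match
# (-m mark, -m connmark, ...) can observe; a rule repeated on the far side
# of one of these may match differently, so the copy is not redundant.
STATE_CHANGING_TARGETS = {"MARK", "CONNMARK", "TOS", "DSCP", "SET"}
# Targets with side effects: firing twice is not the same as firing once.
NON_IDEMPOTENT_TARGETS = {"LOG", "ULOG", "NFLOG"}

def rule_target(rule):
    """Return the -j/-g target of an iptables-save style rule, or None."""
    m = re.search(r"\s-[jg]\s+(\S+)", rule)
    return m.group(1) if m else None

def dedupe_chain(rules):
    """Drop a textually identical rule only when it is provably redundant:
    its target is idempotent and nothing between it and the nearest surviving
    copy rewrites the state it tests. Returns (kept, removed) in order."""
    kept, removed, last_kept_at = [], [], {}
    for i, rule in enumerate(rules):
        j = last_kept_at.get(rule)
        unsafe_target = rule_target(rule) in (STATE_CHANGING_TARGETS | NON_IDEMPOTENT_TARGETS)
        if j is None or unsafe_target or any(
            rule_target(r) in STATE_CHANGING_TARGETS for r in rules[j + 1:i]
        ):
            kept.append(rule)            # first copy, or position-sensitive copy
            last_kept_at[rule] = i
        else:
            removed.append(rule)         # same packet state, same target: redundant
    return kept, removed

MARK_CHAIN = [  # constructed; mirrors the mark example in the message
    "-A chain -j CONNMARK --restore-mark",
    "-A chain -m mark ! --mark 0 -j RETURN",
    "-A chain -s 1.2.3.4 -j MARK --set-mark 1",
    "-A chain -s 2.3.4.5 -j MARK --set-mark 2",
    "-A chain -m mark ! --mark 0 -j RETURN",   # must survive: marks changed above
    "-A chain -j MARK --set-mark 3",
    "-A chain -j CONNMARK --save-mark",
]
FW2NET_CHAIN = [  # constructed; mirrors the fw2net listing with AUTOCOMMENT off
    "-A fw2net -p 1 -j ACCEPT",
    "-A fw2net -j ~comb0",
    "-A fw2net -j ~comb0",                     # adjacent twin: safe to drop
    "-A fw2net -j Reject",
]
if __name__ == "__main__":
    for chain in (MARK_CHAIN, FW2NET_CHAIN):
        kept, removed = dedupe_chain(chain)
        print(f"kept {len(kept)}, removed {removed}")
```

As in the AUTOCOMMENT listing above, the comparison is textual, so a jump carrying `-m comment --comment "run"` is not recognised as a twin of the bare jump.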
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 260a10e..4174165 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -725,7 +725,7 @@ sub set_comment( $ ) {
sub macro_comment( $ ) {
my $macro = $_[0];
- $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTO_COMMENT} );
+ $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTOCOMMENT} );
}
#
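Review bot: the rename from $config{AUTO_COMMENT} to $config{AUTOCOMMENT} on the `+` line fixes only this one lookup; any other `$config{AUTO_COMMENT}` reference outside this diff would now read a key that is no longer registered (see the Config.pm hunk) and evaluate as false, silently disabling auto-comments on that code path, so grep the tree for the old key before merging. The macro_comment condition itself is unchanged and reads correctly: the macro name becomes the comment only when no comment is already active and both the COMMENTS capability and the option are on.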
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 14ec041..29ff0f9 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -4595,7 +4595,7 @@ sub get_configuration( $$$ ) {
default_yes_no 'EXPAND_POLICIES' , '';
default_yes_no 'KEEP_RT_TABLES' , '';
default_yes_no 'DELETE_THEN_ADD' , 'Yes';
- default_yes_no 'AUTO_COMMENT' , 'Yes';
+ default_yes_no 'AUTOCOMMENT' , 'Yes';
default_yes_no 'MULTICAST' , '';
default_yes_no 'MARK_IN_FORWARD_CHAIN' , '';
default_yes_no 'MANGLE_ENABLED' , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';
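Review bot: replacing `default_yes_no 'AUTO_COMMENT' , 'Yes';` with `default_yes_no 'AUTOCOMMENT' , 'Yes';` drops the old spelling entirely, so a shorewall.conf that still sets AUTO_COMMENT will no longer be recognised and its value is lost rather than mapped onto the new key; if the old spelling was ever accepted by a released version, consider registering it as a deprecated alias for one release, and in any case note the rename in the release notes next to the AUTOCOMMENT=No fix this patch delivers. The default stays 'Yes', so configurations that never set the option behave as before.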
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel