On 02/10/2013 09:38 AM, Mr Dash Four wrote:
>
>> Please send me a test case. If the fix is simple enough, I can include
>> it in this release.
>>
> rules
> ~~~~~
> SECTION RELATED
> ESLOG(log,-,-,-,ACCEPT,-,log_ssh_related=0) $FW net:+ssh-local-hosts
>
> action.ESLOG
> ~~~~~~~~~~~~~~
> ?IF $5 eq 'Drop'
> $5
> ?ENDIF
> ?IF $6
> ?SET p6 $6
> ?ELSE
> ?SET p6 @{chain}
> ?ENDIF
> ALOG($1,$2,$3,$4,$5,$p6) ; switch:${p6}_${7}
> ?IF $5 && (! ($5 eq 'Drop'))
> $5
> ?ENDIF
>
> action.ALOG
> ~~~~~~~~~~~~~~
> ?IF $5
> ?SET @disposition $5
> ?ENDIF
> ?IF $6
> ?SET @chain $6
> ?ENDIF
> ?IF $1
> LOG:$LOG_OPTIONS
> ?ENDIF
> ?IF $2
> NFLOG($2,0,1)
> ?ENDIF
> ?IF $3
> NFLOG($3,0,1)
> ?ENDIF
> ?IF $4
> AUDIT($4)
> ?ENDIF
>
> produces:
>
> :%ALOG10 - [0:0]
> [...]
> -A %ALOG10 -j LOG --log-tcp-options --log-ip-options --log-macdecode
> --log-tcp-sequence --log-uid --log-level 6 --log-prefix
> "Shorewall:fw2net:ACCEPT:"
> [...]
> -A +fw2net -m condition --condition fw2net_log_ssh_related -m set
> --match-set ssh-local-hosts dst -j %ALOG10
>
> This can be optimised to:
>
> -A +fw2net -m condition --condition fw2net_log_ssh_related -m set
> --match-set ssh-local-hosts dst -j LOG --log-tcp-options
> --log-ip-options --log-macdecode --log-tcp-sequence --log-uid
> --log-level 6 --log-prefix "Shorewall:fw2net:ACCEPT:"
>
> and the whole %ALOG10 chain (plus the additional jump to it) wiped out.

The compiler has historically set the 'DONT_OPTIMIZE' flag on non-inline
action chains. This prevents that sort of optimization.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel
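The optimization discussed in this thread, sketched as an added example (not Shorewall's code and not from either poster): a user chain holding a single match-less rule is folded into its callers and then deleted, unless it is exempted. The function name and the `dont_optimize` parameter are hypothetical; the parameter models the effect of the 'DONT_OPTIMIZE' flag mentioned in the reply, and the input is the thread's rules with wrapped lines joined.

```python
import re

# Constructed input: the rules quoted in the thread, wrapped lines joined.
LOG_OPTS = ('-j LOG --log-tcp-options --log-ip-options --log-macdecode '
            '--log-tcp-sequence --log-uid --log-level 6 '
            '--log-prefix "Shorewall:fw2net:ACCEPT:"')
RULES = [
    ':%ALOG10 - [0:0]',
    ':+fw2net - [0:0]',
    '-A %ALOG10 ' + LOG_OPTS,
    '-A +fw2net -m condition --condition fw2net_log_ssh_related '
    '-m set --match-set ssh-local-hosts dst -j %ALOG10',
]

def inline_single_rule_chains(rules, dont_optimize=frozenset()):
    """Fold user chains that hold one match-less rule into their callers."""
    rules = list(rules)
    while True:
        # User chains are declared with policy "-"; built-ins are left alone.
        user = {m.group(1) for l in rules if (m := re.match(r':(\S+) - ', l))}
        bodies = {}  # chain name -> bodies of the rules appended to it
        for l in rules:
            if (m := re.match(r'-A (\S+) (.*)', l)):
                bodies.setdefault(m.group(1), []).append(m.group(2))
        # Candidate: exactly one rule, target only, not exempted, and never
        # reached with -g (goto changes where a non-terminating rule returns).
        cand = next((c for c in sorted(user - set(dont_optimize))
                     if len(bodies.get(c, [])) == 1
                     and bodies[c][0].startswith('-j ')
                     and not any(l.endswith(f' -g {c}') for l in rules)), None)
        if cand is None:
            return rules
        out = []
        for l in rules:
            if l.startswith((f':{cand} ', f'-A {cand} ')):
                continue  # drop the chain's declaration and its only rule
            if l.endswith(f' -j {cand}'):
                # Replace the jump with the chain's target and its options.
                l = l[:-len(f'-j {cand}')] + bodies[cand][0]
            out.append(l)
        rules = out  # one chain per pass, so nested single-rule chains fold too
```

Calling it on `RULES` yields the single `+fw2net` rule proposed in the quoted message; passing `dont_optimize={'%ALOG10'}` returns the rules unchanged, which is the behaviour the reply describes.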
