sometimes we may have multiple top filter rule sets, e.g. in iptables there can be top filter and top mangle rule set. Process these properly

2026-03-24 04:07:55 +01:00 · 2009-10-22 20:31:26 +00:00 · 2009-10-22 20:31:26 +00:00 · 4c21327c4f
commit 4c21327c4f
parent b5eff7ec40
3 changed files with 22 additions and 38 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-#define BUILD_NUM 1632
+#define BUILD_NUM 1633
--- a/src/iptlib/CompilerDriver_ipt_run.cpp
+++ b/src/iptlib/CompilerDriver_ipt_run.cpp
@ -327,47 +327,31 @@ string CompilerDriver_ipt::run(const std::string &cluster_id,
                policy_af,
                minus_n_commands_nat)) empty_output = false;

-        Policy *top_policy = NULL;
-
-        for (list<FWObject*>::iterator p=all_policies.begin();
-             p!=all_policies.end(); ++p )
+        for (int all_top = 0; all_top < 2; ++all_top)
        {
-            Policy *policy = Policy::cast(*p);
-            if (!policy->matchingAddressFamily(policy_af)) continue;
-            if (policy->isTop())
+            for (list<FWObject*>::iterator p=all_policies.begin();
+                 p!=all_policies.end(); ++p )
            {
-                top_policy = policy;
-                continue;
+                Policy *policy = Policy::cast(*p);
+                if (!policy->matchingAddressFamily(policy_af)) continue;
+
+                if (policy->isTop() && all_top == 0) continue;
+                if (!policy->isTop() && all_top == 1) continue;
+
+                if (! processPolicyRuleSet(
+                        fw,
+                        policy,
+                        single_rule_id,
+                        filter_rules_stream,
+                        mangle_rules_stream,
+                        automaitc_rules_stream,
+                        oscnf.get(),
+                        policy_af,
+                        minus_n_commands_filter,
+                        minus_n_commands_mangle)) empty_output = false;
            }
-
-            if (! processPolicyRuleSet(
-                    fw,
-                    policy,
-                    single_rule_id,
-                    filter_rules_stream,
-                    mangle_rules_stream,
-                    automaitc_rules_stream,
-                    oscnf.get(),
-                    policy_af,
-                    minus_n_commands_filter,
-                    minus_n_commands_mangle)) empty_output = false;
        }

-        if (top_policy &&
-            ! processPolicyRuleSet(
-                fw,
-                top_policy,
-                single_rule_id,
-                filter_rules_stream,
-                mangle_rules_stream,
-                automaitc_rules_stream,
-                oscnf.get(),
-                policy_af,
-                minus_n_commands_filter,
-                minus_n_commands_mangle)) empty_output = false;
-
-
-
        if (!empty_output && !single_rule_compile_on)
        {
            if (ipv6_policy)
--- a/src/iptlib/OSConfigurator_linux24.cpp
+++ b/src/iptlib/OSConfigurator_linux24.cpp
@ -171,7 +171,7 @@ void OSConfigurator_linux24::processFirewallOptions()
        &conntrack_vars, "conntrack_tcp_be_liberal");

    output << kernel_vars.expand().toStdString();
-    output << endl;
+    //output << endl;
    output << conntrack_vars.expand().toStdString();
 }