From 1bb5b89ee14d6d1c46e87b2a948089067e641d6e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 12 May 2013 09:27:12 -0700
Subject: [PATCH] Add the 'local' interface option.
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 25 ++++++++++++++++---------
 Shorewall/Perl/Shorewall/Misc.pm   |  4 +++-
 Shorewall/Perl/Shorewall/Zones.pm  |  4 ++++
 3 files changed, 23 insertions(+), 10 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index a15a20548..9ff33ee56 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3055,15 +3055,22 @@ sub optimize_level0() {
     for my $table ( qw/raw rawpost mangle nat filter/ ) {
         next if $family == F_IPV6 && $table eq 'nat';
         my $tableref = $chain_table{$table};
-        my @chains = grep $_->{referenced}, values %$tableref;
-        my $chains = @chains;
-        for my $chainref ( @chains ) {
-            #
-            # If the chain isn't branched to, then delete it
-            #
-            unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
-                delete_chain $chainref if $chainref->{referenced};
+        my $progress = 1;
+
+        while ( $progress ) {
+            my @chains = grep $_->{referenced}, values %$tableref;
+            my $chains = @chains;
+
+            $progress = 0;
+
+            for my $chainref ( @chains ) {
+                #
+                # If the chain isn't branched to, then delete it
+                #
+                unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
+                    delete_chain_and_references $chainref, $progress = 1 if $chainref->{referenced};
+                }
             }
         }
     }
@@ -3098,7 +3105,7 @@ sub optimize_level4( $$ ) {
             # If the chain isn't branched to, then delete it
             #
             unless ( ( $optflags & DONT_DELETE ) || keys %{$chainref->{references}} ) {
-                delete_chain $chainref if $chainref->{referenced};
+                delete_chain_and_references $chainref if $chainref->{referenced};
                 next;
             }
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 241a35016..7e6ab13d7 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
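Review bot: The added line `delete_chain_and_references $chainref, $progress = 1 if $chainref->{referenced};` hides the progress flag inside the call's argument list, so delete_chain_and_references also receives the value 1 as a second argument and a reader can easily miss that `$progress` is set there; writing `$progress = 1;` followed by `delete_chain_and_references $chainref;` inside an `if ( $chainref->{referenced} )` block says the same thing plainly. `my $chains = @chains;` is now recomputed on every pass of the new `while` loop but is never read anywhere in the hunk. The reason for iterating to a fixpoint is undocumented; a comment above the `while`, such as `# Removing a chain can drop the last reference to another chain, so repeat until a pass deletes nothing` (presumably what delete_chain_and_references does, judging by its name), would help the next reader. The second Chains.pm hunk (optimize_level4) switches to the same call but keeps a single pass; if that asymmetry is deliberate it deserves a comment as well.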
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1628,6 +1628,8 @@ sub handle_complex_zone( $$ ) {
         my @interfacematch;
         my $interfaceref = find_interface $interface;
+        next if $interfaceref->{options}{destonly};
+
         if ( use_forward_chain( $interface, $sourcechainref ) ) {
             #
             # Use the interface forward chain
@@ -2213,7 +2215,7 @@ sub generate_matrix() {
         for my $typeref ( values %{$zone1ref->{hosts}} ) {
             for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
                 for my $hostref ( @{$typeref->{$interface}} ) {
-                    next if $hostref->{options}{sourceonly};
+                    next if $hostref->{options}{sourceonly} || $hostref->{options}{local};
                     if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
                         my @ipsec_out_match = match_ipsec_out $zone1 , $hostref;
                         my $dest_exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 603c17190..d73acf828 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -302,6 +302,7 @@ sub initialize( $$ ) {
                              dhcp => SIMPLE_IF_OPTION,
                              ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
                              maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+                             local => SIMPLE_IF_OPTION + IF_OPTION_HOST,
                              logmartians => BINARY_IF_OPTION,
                              nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
                              norfc1918 => OBSOLETE_IF_OPTION,
@@ -339,6 +340,7 @@ sub initialize( $$ ) {
                              bridge => SIMPLE_IF_OPTION,
                              dhcp => SIMPLE_IF_OPTION,
                              ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+                             local => SIMPLE_IF_OPTION + IF_OPTION_HOST,
                              maclist => SIMPLE_IF_OPTION + IF_OPTION_HOST,
                              nets => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
                              nosmurfs => SIMPLE_IF_OPTION + IF_OPTION_HOST,
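Review bot: `next if $interfaceref->{options}{destonly};` tests a flag that appears in none of the interface option tables and is only derived from `local` in process_interface, so nothing at this site tells a reader where `destonly` comes from; a comment such as `# 'local' interfaces (flagged destonly) are never the source of forwarded traffic, so no source rules are built for them` would make the skip self-explanatory. The `next` depends on an enclosing loop that begins outside the hunk, as does the rest of handle_complex_zone. Forwarded packets that do arrive on such an interface will no longer match any rule generated here and presumably fall through to whatever the FORWARD chain does with unmatched traffic; that consequence is worth stating in the user documentation for the new option, which the diffstat shows this patch does not touch.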
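Review bot: The skip added here keys on `$hostref->{options}{local}` while the matching skip in handle_complex_zone keys on `destonly`, which process_interface sets from the same `local` flag; two names for one property make it easy for the two sites to drift apart when the option is later refined. Either test `local` at both sites or record why this side cannot use `destonly`, e.g. `# 'local' interfaces are never a forwarding destination either; see handle_complex_zone for the source side`. The three surrounding loops and generate_matrix itself start and end outside the hunk.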
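Review bot: In the first option table the new `local` entry is inserted between `maclist` and `logmartians`, which breaks the alphabetical order the table otherwise keeps, whereas the second table (hunk at 339) places it before `maclist` as expected; moving the line up one position so that `local => SIMPLE_IF_OPTION + IF_OPTION_HOST,` follows the `ignore` entry keeps the two tables parallel and makes the next diff between them easier to read. Both tables belong to initialize, whose body extends well beyond these hunks.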
@@ -1268,6 +1270,8 @@ sub process_interface( $$ ) {
             $options{ignore} ||= 0;
         }
+        $hostoptionsref->{destonly} = 1 if $hostoptionsref->{local};
+
         $physical{$physical} = $interfaces{$interface} = { name => $interface ,
                                                            bridge => $bridge ,
                                                            filter => $filterref ,
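Review bot: `$hostoptionsref->{destonly} = 1 if $hostoptionsref->{local};` introduces a derived flag that is declared in no option table, so a reader has no way to tell that it is an implementation detail of `local` rather than a user-settable option; a comment such as `# 'local' implies destonly: handle_complex_zone skips destonly interfaces when building source-interface rules` would record the link. It is also worth checking that nothing else can populate `destonly`, since a user-supplied key of that name would otherwise get the same treatment without going through the `local` validation — whether the option parser lets unknown keys through is not visible in this hunk. process_interface begins outside the hunk.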