Re-add optimization for complex zones

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@769 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-15 10:51:02 +01:00 · 2003-10-15 18:34:05 +00:00 · 2003-10-15 18:34:05 +00:00 · 1fd0345510
commit 1fd0345510
parent ff2b9ce193
3 changed files with 39 additions and 13 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -14,4 +14,4 @@ Changes since 1.4.7

 6) Added BLACKLISTNEWONLY support.

-7) Remove failed optimization for 'complex' zones.
+7) Correct optimization for 'complex' zones.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -572,6 +572,9 @@ determine_hosts() {
 		    interfaces="$interfaces $interface"
 		fi
 	    fi
+
+	    [ "${host#*:}" = "0.0.0.0/0" ] || \
+		eval ${zone}_is_complex=Yes
 	done

 	eval ${zone}_interfaces="\$interfaces"
@ -4368,6 +4371,13 @@ activate_rules()
 	chain1=`rules_chain $FW $zone`
 	chain2=`rules_chain $zone $FW`

+	eval complex=\$${zone}_is_complex
+
+	if [ -n "$complex" ]; then
+	    frwd_chain=${zone}_frwd
+	    createchain $frwd_chain No
+	fi
+
 	echo "$FW $zone $chain1" >> ${STATEDIR}/chains
 	echo "$zone $FW $chain2" >> ${STATEDIR}/chains

@ -4384,6 +4394,10 @@ activate_rules()
 	    addrulejump POSTROUTING `snat_chain $zone` -o $interface -d $subnet

 	    run_iptables -A `input_chain $interface` -s $subnet -j $chain2
+
+	    [ -n "$complex" ] && \
+		run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
+
 	done

 	for zone1 in $zones; do
@ -4404,21 +4418,33 @@ activate_rules()
 		routeback=
 	    fi
 	    
-	    for host in $source_hosts; do
-		interface=${host%:*}
-		subnet=${host#*:}
-
-		chain1=`forward_chain $interface`
-
+	    if [ -n "$complex" ]; then
 		for host1 in $dest_hosts; do
 		    interface1=${host1%:*}
 		    subnet1=${host1#*:}

-		    if [ "$host" != "$host1" ] || list_search $host $routeback; then
-			run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
+		    if list_search $host1 $source_hosts && ! list_search $host1 $routeback; then
+			run_iptables -A $frwd_chain -s ! $subnet1 -o $interface1 -d $subnet1 -j $chain
+		    else
+			run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
 		    fi
 		done
-	    done
+	    else
+		for host in $source_hosts; do
+		    interface=${host%:*}
+
+		    chain1=`forward_chain $interface`
+
+		    for host1 in $dest_hosts; do
+			interface1=${host1%:*}
+			subnet1=${host1#*:}
+
+			if [ "$host" != "$host1" ] || list_search $host $routeback; then
+			    run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
+			fi
+		    done
+		done
+	    fi
 	done
    done

--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -29,9 +29,9 @@ Problems Corrected since version 1.4.6:
 5) In Shorewall 1.4.2, an optimization was added. This optimization
   involved creating a chain named "<zone>_frwd" for most zones
   defined using the /etc/shorewall/hosts file. It has since been
-   discovered that these new chains contain redundant rules in many
-   cases so that the "optimization" is less than optimal. As a result,
-   the optimization has been removed. 
+   discovered that in many cases these new chains contain redundant
+   rules and that the "optimization" turns out to be less than
+   optimal. The implementation has now been corrected. 

 Migration Issues: