Re-add optimization for complex zones

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@769 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-10-15 18:34:05 +00:00
parent ff2b9ce193
commit 1fd0345510
3 changed files with 39 additions and 13 deletions


@ -14,4 +14,4 @@ Changes since 1.4.7
6) Added BLACKLISTNEWONLY support. 6) Added BLACKLISTNEWONLY support.
7) Remove failed optimization for 'complex' zones. 7) Correct optimization for 'complex' zones.


@ -572,6 +572,9 @@ determine_hosts() {
interfaces="$interfaces $interface" interfaces="$interfaces $interface"
fi fi
fi fi
[ "${host#*:}" = "0.0.0.0/0" ] || \
eval ${zone}_is_complex=Yes
done done
eval ${zone}_interfaces="\$interfaces" eval ${zone}_interfaces="\$interfaces"
@ -4368,6 +4371,13 @@ activate_rules()
chain1=`rules_chain $FW $zone` chain1=`rules_chain $FW $zone`
chain2=`rules_chain $zone $FW` chain2=`rules_chain $zone $FW`
eval complex=\$${zone}_is_complex
if [ -n "$complex" ]; then
frwd_chain=${zone}_frwd
createchain $frwd_chain No
fi
echo "$FW $zone $chain1" >> ${STATEDIR}/chains echo "$FW $zone $chain1" >> ${STATEDIR}/chains
echo "$zone $FW $chain2" >> ${STATEDIR}/chains echo "$zone $FW $chain2" >> ${STATEDIR}/chains
@ -4384,6 +4394,10 @@ activate_rules()
addrulejump POSTROUTING `snat_chain $zone` -o $interface -d $subnet addrulejump POSTROUTING `snat_chain $zone` -o $interface -d $subnet
run_iptables -A `input_chain $interface` -s $subnet -j $chain2 run_iptables -A `input_chain $interface` -s $subnet -j $chain2
[ -n "$complex" ] && \
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
done done
for zone1 in $zones; do for zone1 in $zones; do
@ -4404,9 +4418,20 @@ activate_rules()
routeback= routeback=
fi fi
if [ -n "$complex" ]; then
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
if list_search $host1 $source_hosts && ! list_search $host1 $routeback; then
run_iptables -A $frwd_chain -s ! $subnet1 -o $interface1 -d $subnet1 -j $chain
else
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
fi
done
else
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:}
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
@ -4415,10 +4440,11 @@ activate_rules()
subnet1=${host1#*:} subnet1=${host1#*:}
if [ "$host" != "$host1" ] || list_search $host $routeback; then if [ "$host" != "$host1" ] || list_search $host $routeback; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain run_iptables -A $chain1 -o $interface1 -d $subnet1 -j $chain
fi fi
done done
done done
fi
done done
done done
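Review bot: The intra-host exclusion in the complex branch, `-s ! $subnet1 -o $interface1 -d $subnet1` behind `list_search $host1 $source_hosts && ! list_search $host1 $routeback`, keys on the subnet alone, whereas the per-interface rule it replaces keyed on the whole interface:subnet pair via `"$host" != "$host1"`. Because ${zone}_frwd is shared by all of the zone's hosts and the source interface is fixed only at the jump appended to `forward_chain $interface`, a zone that lists the same subnet on two interfaces would, if such configurations are meant to be supported, now have forwarding between those two interfaces within that subnet excluded by a rule the removed code did not generate; this is worth confirming, or stating as a limitation in a comment above the `for host1 in $dest_hosts` loop. The `else` branch silently relies on an invariant established elsewhere and deserves a line such as `# non-complex zones have only <iface>:0.0.0.0/0 hosts (see determine_hosts), so -s is omitted`. Both determine_hosts and activate_rules continue outside these hunks.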


@ -29,9 +29,9 @@ Problems Corrected since version 1.4.6:
5) In Shorewall 1.4.2, an optimization was added. This optimization 5) In Shorewall 1.4.2, an optimization was added. This optimization
involved creating a chain named "<zone>_frwd" for most zones involved creating a chain named "<zone>_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been defined using the /etc/shorewall/hosts file. It has since been
discovered that these new chains contain redundant rules in many discovered that in many cases these new chains contain redundant
cases so that the "optimization" is less than optimal. As a result, rules and that the "optimization" turns out to be less than
the optimization has been removed. optimal. The implementation has now been corrected.
Migration Issues: Migration Issues: