extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-18 23:57:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Only create action chains that are needed

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1139 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-02-13 22:58:11 +00:00
parent 6f0f82e8c1
commit 543b6b959f
2 changed files with 125 additions and 61 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall2/changelog.txt
View File

@ -38,3 +38,5 @@ Changes since 1.4.10
18) Add the ":noah" option to IPSEC tunnels. 18) Add the ":noah" option to IPSEC tunnels.
19) Added a comment to the rules file to aid users who are terminally stupid. 19) Added a comment to the rules file to aid users who are terminally stupid.
20) Only create the action chains that are actually used.

168
Shorewall2/firewall
View File

@ -229,6 +229,11 @@ ensurechain() # $1 = chain name
havechain $1 || createchain $1 yes havechain $1 || createchain $1 yes
} }
ensurechain1() # $1 = chain name
{
havechain $1 || createchain $1 no
}
# #
# Add a rule to a chain creating the chain if necessary # Add a rule to a chain creating the chain if necessary
# #
@ -1908,7 +1913,7 @@ process_accounting_rule() {
[ "x$chain" = "x-" ] && chain=accounting [ "x$chain" = "x-" ] && chain=accounting
[ -z "$chain" ] && chain=accounting [ -z "$chain" ] && chain=accounting
havechain $chain || createchain $chain No ensurechain1 $chain
if iptables -A $chain $rule ; then if iptables -A $chain $rule ; then
[ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2 [ "x$rule2" != x ] && run_iptables -A $jumpchain $rule2
@ -1990,9 +1995,9 @@ check_config() {
validate_policy validate_policy
echo "Validating Actions..." echo "Pre-validating Actions..."
process_actions process_actions1
echo "Validating rules file..." echo "Validating rules file..."
@ -2000,6 +2005,10 @@ check_config() {
strip_file rules $rules strip_file rules $rules
process_rules process_rules
echo "Validating Actions..."
process_actions2
rm -rf $TMP_DIR rm -rf $TMP_DIR
echo "Configuration Validated" echo "Configuration Validated"
@ -2332,11 +2341,11 @@ process_action() # $1 = action
} }
# #
# Read /etc/shorewall/actions and for each defined <action>, process # Read /etc/shorewall/actions and for each defined <action>, pre-process
# /etc/shorewall/action.<action> # /etc/shorewall/action.<action>
# #
process_actions() { process_actions1() {
# #
# Add the builtin actions # Add the builtin actions
# #
@ -2359,9 +2368,72 @@ process_actions() {
fi fi
ACTIONS="dropBcast dropNonSyn" ACTIONS="dropBcast dropNonSyn"
USEDACTIONS="dropBcast dropNonSyn"
} }
add_builtin_actions
strip_file actions
while read xaction rest; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest"
case $xaction in
*:*)
temp=${xaction#*:}
xaction=${xaction%:*}
case $temp in
ACCEPT|REJECT|DROP)
eval ${temp}_common=$xaction
if ! list_search $xaction $USEDACTIONS; then
USEDACTIONS="$USEDACTIONS $xaction"
[ $command = check ] || createchain $xaction no
fi
;;
*)
fatal_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
;;
esac
esac
f=action.$xaction
fn=$(find_file $f)
eval requiredby_${action}=
if [ -f $fn ]; then
echo " Pre-processing $fn..."
strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
expandv xtarget
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|LOG|QUEUE)
;;
*)
if list_search $temp $ACTIONS; then
eval requiredby_${xaction}=\"\$requiredby_${xaction} $temp\"
else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
fatal_error "Invalid TARGET in rule \"$rule\""
fi
;;
esac
done < $TMP_DIR/$f
else
fatal_error "Missing Action File: $f"
fi
ACTIONS="$ACTIONS $xaction"
done < $TMP_DIR/actions
}
#
# Generate the transitive closure of $USEDACTIONS (the actions directly referred to in rules and as common actions) then
# process the associated action files.
#
process_actions2() {
# #
# Process a rule where the source or destination is "all" # Process a rule where the source or destination is "all"
# #
@ -2401,64 +2473,44 @@ process_actions() {
fi fi
process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec process_action $xaction $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec
} }
#
# Generate the transitive closure of $USEDACTIONS
#
changed=Yes
add_builtin_actions while [ -n "$changed" ]; do
changed=
strip_file actions for xaction in $USEDACTIONS; do
eval required=\"\$requiredby_${xaction}\"
while read xaction rest; do for action in $required; do
[ "x$rest" = x ] || fatal_error "Invalid Action: $xaction $rest" if ! list_search $action $USEDACTIONS; then
USEDACTIONS="$USEDACTIONS $action"
[ $command = check ] || createchain $action no
changed=Yes
fi
done
done
done
#
# Now process the relevant action files -- they were already stripped in process_actions1() above.
#
for xaction in $USEDACTIONS; do
case $xaction in case $xaction in
*:*) dropNonSyn|dropBcasts)
temp=${xaction#*:}
xaction=${xaction%:*}
case $temp in
ACCEPT|REJECT|DROP)
eval ${temp}_common=$xaction
;; ;;
*) *)
fatal_error "Common Actions are only allowed for ACCEPT, DROP and REJECT"
;;
esac
esac
if [ "$command" != check ]; then
createchain $xaction No
run_user_exit $xaction
fi
f=action.$xaction f=action.$xaction
fn=$(find_file $f) fn=$(find_file $f)
if [ -f $fn ]; then
echo "Processing $fn..." echo "Processing $fn..."
strip_file $f $fn
while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do while read xtarget xclients xservers xprotocol xports xcports xratelimit $xuserspec; do
expandv xtarget
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|LOG|QUEUE)
do_it do_it
;;
*)
if list_search $temp $ACTIONS; then
do_it
else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xratelimit $xuserspec)"
fatal_error "Invalid TARGET in rule \"$rule\""
fi
;;
esac
done < $TMP_DIR/$f done < $TMP_DIR/$f
else ;;
fatal_error "Missing Action File: $f" esac
fi done
ACTIONS="$ACTIONS $xaction"
done < $TMP_DIR/actions
} }
# #
@ -3234,6 +3286,11 @@ process_rules()
;; ;;
*) *)
if list_search $temp $ACTIONS; then if list_search $temp $ACTIONS; then
if ! list_search $temp $USEDACTIONS; then
[ $command = check ] || createchain $temp no
USEDACTIONS="$USEDACTIONS $temp"
fi
do_it do_it
else else
rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)" rule="$(echo $xtarget $xclients $xservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec)"
@ -4845,14 +4902,18 @@ define_firewall() # $1 = Command (Start or Restart)
rules=$(find_file rules) rules=$(find_file rules)
echo "Processing Actions..." echo "Pre-processing Actions..."
process_actions process_actions1
echo "Processing $rules..." echo "Processing $rules..."
process_rules process_rules
echo "Processing Actions..."
process_actions2
policy=$(find_file policy) policy=$(find_file policy)
echo "Processing $policy..." echo "Processing $policy..."
@ -5368,6 +5429,7 @@ do_initialize() {
BLACKLISTNEWONLY= BLACKLISTNEWONLY=
MODULE_SUFFIX= MODULE_SUFFIX=
ACTIONS= ACTIONS=
USEDACTIONS=
SMURF_LOG_LEVEL= SMURF_LOG_LEVEL=
stopping= stopping=