extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 17:58:07 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add COMBINE_JUMPS option in shorewall.conf

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4726 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-10-23 21:18:37 +00:00
parent 2157327399
commit 60144960fc
5 changed files with 134 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/changelog.txt
View File

@ -4,6 +4,8 @@ Changes in 3.3.4
2) Add 'show ip' and 'show routing' commands. 2) Add 'show ip' and 'show routing' commands.
3) Add COMBINE_JUMPS option.
Changes in 3.3.3 Changes in 3.3.3
1) Fix excluding in SUBNET column. 1) Fix excluding in SUBNET column.

199
Shorewall/compiler
View File

@ -4190,7 +4190,9 @@ activate_rules()
fi fi
fi fi
done done
#
# Main source zone rule-activation loop
#
for zone in $ZONES; do for zone in $ZONES; do
eval source_hosts=\$${zone}_hosts eval source_hosts=\$${zone}_hosts
@ -4221,7 +4223,9 @@ activate_rules()
insert_exclusions nat $chain $exclusions insert_exclusions nat $chain $exclusions
fi fi
fi fi
#
# Take care of PREROUTING, INPUT and OUTPUT jumps
#
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%%:*} interface=${host%%:*}
networks=${host#*:} networks=${host#*:}
@ -4270,120 +4274,132 @@ activate_rules()
done done
fi fi
# #
# The following code attempts to eliminate redundant sequences of jumps to # F O R W A R D I N G
# all2all or <source zone>2all. It does so by combining all trailing
# jumps to the same policy-only chain.
# #
dest_zones=
temp_zones= temp_zones=
last_chain= last_chain=
for zone1 in $ZONES; do if [ -n "$COMBINE_JUMPS" ]; then
eval policy=\$${zone}2${zone1}_policy dest_zones=
#
# The following loop attempts to eliminate redundant sequences of jumps to
# all2all or <source zone>2all. It does so by combining all trailing
# jumps to the same policy-only chain.
#
for zone1 in $ZONES; do
[ "$policy" = NONE ] && continue eval policy=\$${zone}2${zone1}_policy
chain="$(rules_chain $zone $zone1)" [ "$policy" = NONE ] && continue
[ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. chain="$(rules_chain $zone $zone1)"
if [ $zone = $zone1 ]; then [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain.
#
# Try not to generate superfluous intra-zone rules if [ $zone = $zone1 ]; then
#
eval routeback=\"\$${zone}_routeback\"
eval interfaces=\"\$${zone}_interfaces\"
eval ports="\$${zone}_ports"
num_ifaces=$(list_count1 $interfaces)
#
# If the zone has a single interface then what matters is how many ports it has
#
[ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports)
#
# If we don't need to route back and if we have only one interface or one port to
# the zone then assume that hosts in the zone can communicate directly.
#
if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
continue
fi
fi
case $chain in
*2all)
# #
# Rules chain is a policy-only chain that could be used more than once (all2all or ${zone}2all # Try not to generate superfluous intra-zone rules
# #
if [ -n "$last_chain" ]; then eval routeback=\"\$${zone}_routeback\"
# eval interfaces=\"\$${zone}_interfaces\"
# And the last rules chain was a policy-only chain eval ports="\$${zone}_ports"
#
if [ "$chain" != "$last_chain" ]; then num_ifaces=$(list_count1 $interfaces)
#
# If the zone has a single interface then what matters is how many ports it has
#
[ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports)
#
# If we don't need to route back and if we have only one interface or one port to
# the zone then assume that hosts in the zone can communicate directly.
#
if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
continue
fi
fi
case $chain in
*2all)
#
# Rules chain is a policy-only chain that could be used more than once (all2all or ${zone}2all
#
if [ -n "$last_chain" ]; then
# #
# But it was a different one -- back to square 1 # And the last rules chain was a policy-only chain
# #
last_chain=$chain if [ "$chain" != "$last_chain" ]; then
dest_zones="$dest_zones $temp_zones" #
temp_zones=$zone1 # But it was a different one -- back to square 1
#
last_chain=$chain
dest_zones="$dest_zones $temp_zones"
temp_zones=$zone1
else
#
# Same chain -- add this dest zone to the running list of
# zones using the same rules chain
#
temp_zones="$temp_zones $zone1"
fi
elif [ $policy = ACCEPT ]; then
#
# We don't wild-card ACCEPT policies -- could open up security holes through interfaces
# that aren't described in /etc/shorewall/interfaces
#
dest_zones="$dest_zones $zone1"
else else
# #
# Same chain -- add this dest zone to the running list of # First in a potential run of rules using this chain
# zones using the same rules chain #
# last_chain=$chain
temp_zones="$temp_zones $zone1" temp_zones=$zone1
fi fi
elif [ $policy = ACCEPT ]; then ;;
# *)
# We don't wild-card ACCEPT policies -- could open up security holes through interfaces #
# that aren't described in /etc/shorewall/interfaces # Not a policy-only chain -- add accumulated sequence of dest zones to those needing processing
# #
dest_zones="$dest_zones $zone1" dest_zones="$dest_zones $temp_zones $zone1"
else temp_zones=
# last_chain=
# First in a potential run of rules using this chain ;;
# esac
last_chain=$chain done
temp_zones=$zone1 else
fi dest_zones=$ZONES
;; fi
*)
#
# Not a policy-only chain -- add accumulated sequence of dest zones to those needing processing
#
dest_zones="$dest_zones $temp_zones $zone1"
temp_zones=
last_chain=
;;
esac
done
# #
# $dest_zones is now the (possibly condensed) list of destination zones that we need to handle from this source zone # We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
# $dest_zones is the list of destination zones that we need to handle from this source zone
# #
for zone1 in $dest_zones; do for zone1 in $dest_zones; do
eval policy=\$${zone}2${zone1}_policy eval policy=\$${zone}2${zone1}_policy
[ "$policy" = NONE ] && continue
eval dest_hosts=\$${zone1}_hosts eval dest_hosts=\$${zone1}_hosts
eval exclusions1=\"\$${zone1}_exclusions\" eval exclusions1=\"\$${zone1}_exclusions\"
chain="$(rules_chain $zone $zone1)" chain="$(rules_chain $zone $zone1)"
[ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain.
[ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains
if [ $zone = $zone1 ]; then if [ $zone = $zone1 ]; then
#
# Try not to generate superfluous intra-zone rules
#
eval routeback=\"\$${zone}_routeback\" eval routeback=\"\$${zone}_routeback\"
eval interfaces=\"\$${zone}_interfaces\" eval interfaces=\"\$${zone}_interfaces\"
eval ports="\$${zone}_ports" eval ports="\$${zone}_ports"
num_ifaces=$(list_count1 $interfaces) num_ifaces=$(list_count1 $interfaces)
#
# If the zone has a single interface then what matters is how many ports it has
#
[ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports) [ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports)
if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
continue
fi
else else
routeback= routeback=
num_ifaces=0 num_ifaces=0
@ -4465,6 +4481,9 @@ activate_rules()
fi fi
done done
# #
# E N D F O R W A R D I N G
#
#
# Now add (an) unconditional jump(s) to the last unique policy-only chain determined above, if any # Now add (an) unconditional jump(s) to the last unique policy-only chain determined above, if any
# #
if [ -n "$last_chain" ]; then if [ -n "$last_chain" ]; then
@ -4482,13 +4501,17 @@ activate_rules()
fi fi
fi fi
done done
#
# Now add the jumps to the interface (first) chains from FORWARD, INPUT and POSTROUTING
#
for interface in $ALL_INTERFACES ; do for interface in $ALL_INTERFACES ; do
run_iptables -A FORWARD -i $interface -j $(forward_chain $interface) run_iptables -A FORWARD -i $interface -j $(forward_chain $interface)
run_iptables -A INPUT -i $interface -j $(input_chain $interface) run_iptables -A INPUT -i $interface -j $(input_chain $interface)
addnatjump POSTROUTING $(masq_chain $interface) -o $interface addnatjump POSTROUTING $(masq_chain $interface) -o $interface
done done
#
# Handle fw->fw
#
chain=${FW}2${FW} chain=${FW}2${FW}
if havechain $chain; then if havechain $chain; then
@ -4501,7 +4524,9 @@ activate_rules()
# #
run_iptables -D OUTPUT -o lo -j ACCEPT run_iptables -D OUTPUT -o lo -j ACCEPT
fi fi
#
# Add policy enforcement to the builtin filter chains to catch underfined hosts
#
complete_standard_chain INPUT all $FW complete_standard_chain INPUT all $FW
complete_standard_chain OUTPUT $FW all complete_standard_chain OUTPUT $FW all
complete_standard_chain FORWARD all all complete_standard_chain FORWARD all all

4
Shorewall/lib.config
View File

@ -1786,7 +1786,7 @@ do_initialize() {
REJECT_DEFAULT= REJECT_DEFAULT=
ACCEPT_DEFAULT= ACCEPT_DEFAULT=
QUEUE_DEFAULT= QUEUE_DEFAULT=
MACLIST_LOG_BROADCASTS= COMBINE_JUMPS=
LOGLIMIT= LOGLIMIT=
LOGPARMS= LOGPARMS=
@ -2000,7 +2000,7 @@ do_initialize() {
HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS) HIGH_ROUTE_MARKS=$(added_param_value_no HIGH_ROUTE_MARKS $HIGH_ROUTE_MARKS)
TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT) TC_EXPERT=$(added_param_value_no TC_EXPERT $TC_EXPERT)
USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS) USE_ACTIONS=$(added_param_value_yes USE_ACTIONS $USE_ACTIONS)
MACLIST_LOG_BROADCASTS=$(added_param_value_yes MACLIST_LOG_BROADCASTS $MACLIST_LOG_BROADCASTS) COMBINE_JUMPS=$(added_param_value_no COMBINE_JUMPS $COMBINE_JUMPS)
[ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes" [ -n "$USE_ACTIONS" ] && lib_load actions "USE_ACTIONS=Yes"
[ -n "$XCONNMARK_MATCH" ] || XCONNMARK= [ -n "$XCONNMARK_MATCH" ] || XCONNMARK=

5
Shorewall/releasenotes.txt
View File

@ -343,7 +343,7 @@ New Features:
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none 0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
gateway:~ # gateway:~ #
This redundancy has been eliminated: This redundancy may be eliminated by setting COMBINE_JUMPS=Yes in shorewall.conf.
gateway:~ # shorewall-lite show eth2_fwd gateway:~ # shorewall-lite show eth2_fwd
Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006 Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006
@ -356,3 +356,6 @@ New Features:
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ # gateway:~ #
Note that with COMBINE_JUMPS=Yes, traffic destined for an
interface/Address that falls outside of all defined zones may now
be logged out of a '2all' chain rather than out of the FORWARD chain.

14
Shorewall/shorewall.conf
View File

@ -950,6 +950,20 @@ HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes USE_ACTIONS=Yes
#
# Combine Jumps
#
# Traditionally, Shorewall has created rules for the complete matrix of
# Networks defined by the zones, interfaces and hosts files. Any traffic that
# didn't correspond to an element of that matrix was rejected in one of the
# built-in changes. When the matrix is sparse, this results in lots of
# largely useless rules.
#
# These extra rules can be eliminated by setting COMBINE_JUMPS=Yes
#
COMBINE_JUMPS=No
############################################################################### ###############################################################################
# P A C K E T D I S P O S I T I O N # P A C K E T D I S P O S I T I O N
############################################################################### ###############################################################################