mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-25 07:38:57 +01:00
Ruleset optimization -- phase I
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8100 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
459812507a
commit
65df4d9f73
@ -75,8 +75,11 @@ our %EXPORT_TAGS = (
|
||||
decr_cmd_level
|
||||
chain_base
|
||||
forward_chain
|
||||
zone_forward_chain
|
||||
input_chain
|
||||
zone_input_chain
|
||||
output_chain
|
||||
zone_output_chain
|
||||
masq_chain
|
||||
syn_flood_chain
|
||||
mac_chain
|
||||
@ -510,6 +513,13 @@ sub forward_chain($)
|
||||
chain_base_cond($_[0]) . '_fwd';
|
||||
}
|
||||
|
||||
#
|
||||
# Forward Chain for a zone
|
||||
#
|
||||
sub zone_forward_chain($) {
|
||||
chain_base($_[0]) . '_frwd';
|
||||
}
|
||||
|
||||
#
|
||||
# Input Chain for an interface
|
||||
#
|
||||
@ -518,6 +528,13 @@ sub input_chain($)
|
||||
chain_base_cond($_[0]) . '_in';
|
||||
}
|
||||
|
||||
#
|
||||
# Input Chain for a zone
|
||||
#
|
||||
sub zone_input_chain($) {
|
||||
chain_base($_[0]) . '_input';
|
||||
}
|
||||
|
||||
#
|
||||
# Output Chain for an interface
|
||||
#
|
||||
@ -526,6 +543,13 @@ sub output_chain($)
|
||||
chain_base_cond($_[0]) . '_out';
|
||||
}
|
||||
|
||||
#
|
||||
# Output Chain for a zone
|
||||
#
|
||||
sub zone_output_chain($) {
|
||||
chain_base($_[0]) . '_output';
|
||||
}
|
||||
|
||||
#
|
||||
# Masquerade Chain for an interface
|
||||
#
|
||||
|
@ -1498,16 +1498,16 @@ sub generate_matrix() {
|
||||
my $preroutingref = ensure_chain 'nat', 'dnat';
|
||||
my $fw = firewall_zone;
|
||||
#
|
||||
# Special processing for complex zones
|
||||
# Set up forwarding chain for each zone
|
||||
#
|
||||
for my $zone ( complex_zones ) {
|
||||
my $frwd_ref = new_standard_chain "${zone}_frwd";
|
||||
for my $zone ( non_firewall_zones ) {
|
||||
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
||||
my $zoneref = find_zone( $zone );
|
||||
my $exclusions = $zoneref->{exclusions};
|
||||
|
||||
if ( @$exclusions ) {
|
||||
my $in_ref = new_standard_chain "${zone}_input";
|
||||
my $out_ref = new_standard_chain "${zone}_output";
|
||||
my $in_ref = new_standard_chain zone_input_chain $zone;
|
||||
my $out_ref = new_standard_chain zone_output_chain $zone;
|
||||
|
||||
add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
|
||||
|
||||
@ -1552,21 +1552,16 @@ sub generate_matrix() {
|
||||
my $chain1 = rules_target firewall_zone , $zone;
|
||||
my $chain2 = rules_target $zone, firewall_zone;
|
||||
my $chain3 = rules_target $zone, $zone;
|
||||
my $complex = $zoneref->{options}{complex} || 0;
|
||||
my $type = $zoneref->{type};
|
||||
my $exclusions = $zoneref->{exclusions};
|
||||
my $frwd_ref = 0;
|
||||
my $frwd_ref = $filter_table->{ zone_forward_chain $zone };
|
||||
my $chain = 0;
|
||||
my $dnatref = $nat_table->{dnat_chain $zone} || {};
|
||||
my $dnatref = ensure_chain 'nat' , dnat_chain( $zone );
|
||||
my $nested = $zoneref->{options}{nested};
|
||||
|
||||
if ( $complex ) {
|
||||
$frwd_ref = $filter_table->{"${zone}_frwd"};
|
||||
$dnatref = ensure_chain 'nat' , dnat_chain( $zone );
|
||||
if ( @$exclusions ) {
|
||||
insert_exclusions $dnatref, $exclusions if $dnatref->{referenced};
|
||||
}
|
||||
}
|
||||
|
||||
if ( $config{DYNAMIC_ZONES} ) {
|
||||
push @rule_chains , [ firewall_zone , $zone , $chain1 ] if $chain1;
|
||||
@ -1625,9 +1620,10 @@ sub generate_matrix() {
|
||||
my $outputref = $filter_table->{output_chain $interface};
|
||||
|
||||
if ( @$exclusions ) {
|
||||
add_rule $outputref , join( '', $dest, $ipsec_out_match, "-j ${zone}_output" );
|
||||
add_rule $filter_table->{"${zone}_output"} , "-j $chain1";
|
||||
$nextchain = "${zone}_output";
|
||||
my $output = zone_output_chain $zone;
|
||||
add_rule $outputref , join( '', $dest, $ipsec_out_match, "-j $output" );
|
||||
add_rule $filter_table->{$output} , "-j $chain1";
|
||||
$nextchain = $output;
|
||||
} else {
|
||||
add_rule $outputref , join( '', $dest, $ipsec_out_match, "-j $chain1" );
|
||||
$nextchain = $chain1;
|
||||
@ -1656,15 +1652,16 @@ sub generate_matrix() {
|
||||
|
||||
if ( $chain2 ) {
|
||||
if ( @$exclusions ) {
|
||||
add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j ${zone}_input" );
|
||||
add_rule $filter_table->{"${zone}_input"} , "-j $chain2";
|
||||
my $input = zone_input_chain $zone;
|
||||
add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j $input" );
|
||||
add_rule $filter_table->{ $input } , "-j $chain2";
|
||||
} else {
|
||||
add_rule $filter_table->{input_chain $interface}, join( '', $source, $ipsec_in_match, "-j $chain2" );
|
||||
}
|
||||
}
|
||||
|
||||
add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" )
|
||||
if $complex && $hostref->{ipsec} ne 'ipsec';
|
||||
if $hostref->{ipsec} ne 'ipsec';
|
||||
}
|
||||
}
|
||||
}
|
||||
@ -1781,7 +1778,6 @@ sub generate_matrix() {
|
||||
}
|
||||
}
|
||||
|
||||
if ( $complex ) {
|
||||
for my $typeref ( values %$dest_hosts_ref ) {
|
||||
for my $interface ( keys %$typeref ) {
|
||||
my $arrayref = $typeref->{$interface};
|
||||
@ -1796,61 +1792,12 @@ sub generate_matrix() {
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
for my $typeref ( values %$source_hosts_ref ) {
|
||||
for my $interface ( keys %$typeref ) {
|
||||
my $arrayref = $typeref->{$interface};
|
||||
my $chain3ref = $filter_table->{forward_chain $interface};
|
||||
for my $hostref ( @$arrayref ) {
|
||||
next if $hostref->{options}{destonly};
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
for my $type1ref ( values %$dest_hosts_ref ) {
|
||||
for my $interface1 ( keys %$type1ref ) {
|
||||
my $array1ref = $type1ref->{$interface1};
|
||||
for my $host1ref ( @$array1ref ) {
|
||||
next if $host1ref->{options}{sourceonly};
|
||||
my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
|
||||
for my $net1 ( @{$host1ref->{hosts}} ) {
|
||||
unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
|
||||
#
|
||||
# We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
|
||||
#
|
||||
add_rule(
|
||||
$chain3ref ,
|
||||
join( '', match_dest_dev($interface1), match_source_net($net), match_dest_net($net1), $ipsec_out_match, "-j $chain" )
|
||||
);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
#
|
||||
# E N D F O R W A R D I N G
|
||||
#
|
||||
# Now add (an) unconditional jump(s) to the last unique policy-only chain determined above, if any
|
||||
# Now add an unconditional jump to the last unique policy-only chain determined above, if any
|
||||
#
|
||||
if ( $last_chain ) {
|
||||
if ( $complex ) {
|
||||
add_rule $frwd_ref , "-j $last_chain";
|
||||
} else {
|
||||
for my $typeref ( values %$source_hosts_ref ) {
|
||||
for my $interface ( keys %$typeref ) {
|
||||
my $arrayref = $typeref->{$interface};
|
||||
my $chain2ref = $filter_table->{forward_chain $interface};
|
||||
for my $hostref ( @$arrayref ) {
|
||||
for my $net ( @{$hostref->{hosts}} ) {
|
||||
add_rule $chain2ref, match_source_net($net) . "-j $last_chain";
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
add_rule $frwd_ref , "-j $last_chain" if $last_chain;
|
||||
}
|
||||
}
|
||||
#
|
||||
|
@ -45,7 +45,6 @@ our @EXPORT = qw( NOTHING
|
||||
defined_zone
|
||||
zone_type
|
||||
all_zones
|
||||
complex_zones
|
||||
non_firewall_zones
|
||||
single_interface
|
||||
validate_interfaces_file
|
||||
@ -82,8 +81,7 @@ use constant { NOTHING => 'NOTHING',
|
||||
# @zones contains the ordered list of zones with sub-zones appearing before their parents.
|
||||
#
|
||||
# %zones{<zone1> => {type = > <zone type> 'firewall', 'ipv4', 'ipsec4', 'bport4';
|
||||
# options => { complex => 0|1
|
||||
# nested => 0|1
|
||||
# options => { nested => 0|1
|
||||
# in_out => < policy match string >
|
||||
# in => < policy match string >
|
||||
# out => < policy match string >
|
||||
@ -299,7 +297,6 @@ sub determine_zones()
|
||||
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
|
||||
in => parse_zone_option_list( $in_options || '', $type ) ,
|
||||
out => parse_zone_option_list( $out_options || '', $type ) ,
|
||||
complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) ,
|
||||
nested => @parents > 0 } ,
|
||||
interfaces => {} ,
|
||||
children => [] ,
|
||||
@ -495,8 +492,6 @@ sub add_group_to_zone($$$$$)
|
||||
$interfaceref = ( $typeref->{$type} || ( $interfaceref = $typeref->{$type} = {} ) );
|
||||
$arrayref = ( $interfaceref->{$interface} || ( $interfaceref->{$interface} = [] ) );
|
||||
|
||||
$zoneref->{options}{complex} = 1 if @$arrayref || ( @newnetworks > 1 ) || ( @exclusions );
|
||||
|
||||
push @{$zoneref->{exclusions}}, @exclusions;
|
||||
|
||||
push @{$arrayref}, { options => $options,
|
||||
@ -534,10 +529,6 @@ sub non_firewall_zones() {
|
||||
grep ( $zones{$_}{type} ne 'firewall' , @zones );
|
||||
}
|
||||
|
||||
sub complex_zones() {
|
||||
grep( $zones{$_}{options}{complex} , @zones );
|
||||
}
|
||||
|
||||
sub firewall_zone() {
|
||||
$firewall_zone;
|
||||
}
|
||||
@ -923,7 +914,6 @@ sub validate_hosts_file()
|
||||
if ( $hosts =~ /^([\w.@%-]+\+?):(.*)$/ ) {
|
||||
$interface = $1;
|
||||
$hosts = $2;
|
||||
$zoneref->{options}{complex} = 1 if $hosts =~ /^\+/;
|
||||
fatal_error "Unknown interface ($interface)" unless $interfaces{$interface}{root};
|
||||
} else {
|
||||
fatal_error "Invalid HOST(S) column contents: $hosts";
|
||||
@ -948,7 +938,6 @@ sub validate_hosts_file()
|
||||
{
|
||||
if ( $option eq 'ipsec' ) {
|
||||
$type = 'ipsec4';
|
||||
$zoneref->{options}{complex} = 1;
|
||||
$ipsec = 1;
|
||||
} elsif ( $validoptions{$option}) {
|
||||
$options{$option} = 1;
|
||||
|
Loading…
Reference in New Issue
Block a user