Eliminate redundant rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4708 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2006-10-19 16:56:29 +00:00
parent a1af476c8e
commit 7914680c58
3 changed files with 111 additions and 0 deletions


@ -18,6 +18,8 @@ Changes in 3.3.3
9) Allow exclusion in /etc/shorewall/hosts. 9) Allow exclusion in /etc/shorewall/hosts.
10) Eliminate extra jumps to policy chains
Changes in 3.3.1 Changes in 3.3.1
1) Load the proxyarp lib when 'proxyarp' option is specified. 1) Load the proxyarp lib when 'proxyarp' option is specified.


@ -4265,6 +4265,10 @@ activate_rules()
done done
fi fi
dest_zones=
temp_zones=
last_chain=
for zone1 in $ZONES; do for zone1 in $ZONES; do
eval policy=\$${zone}2${zone1}_policy eval policy=\$${zone}2${zone1}_policy
@ -4278,6 +4282,64 @@ activate_rules()
[ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain. [ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain.
if [ $zone = $zone1 ]; then
#
# Try not to generate superfluous intra-zone rules
#
eval routeback=\"\$${zone}_routeback\"
eval interfaces=\"\$${zone}_interfaces\"
eval ports="\$${zone}_ports"
num_ifaces=$(list_count1 $interfaces)
#
# If the zone has a single interface then what matters is how many ports it has
#
[ $num_ifaces -eq 1 -a -n "$ports" ] && num_ifaces=$(list_count1 $ports)
#
# If we don't need to route back and if we have only one interface or one port to
# the zone then assume that hosts in the zone can communicate directly.
#
if [ $num_ifaces -lt 2 -a -z "$routeback" -a -z "$exclusions" ] ; then
continue
fi
fi
case $chain in
*2all)
if [ -n "$last_chain" ]; then
if [ "$chain" != "$last_chain" ]; then
last_chain=$chain
dest_zones="$dest_zones $temp_zones"
temp_zones=$zone1
else
temp_zones="$temp_zones $zone1"
fi
else
last_chain=$chain
temp_zones=$zone1
fi
;;
*)
dest_zones="$dest_zones $temp_zones $zone1"
temp_zones=
last_chain=
;;
esac
done
for zone1 in $dest_zones; do
eval policy=\$${zone}2${zone1}_policy
[ "$policy" = NONE ] && continue
eval dest_hosts=\$${zone1}_hosts
eval exclusions1=\"\$${zone1}_exclusions\"
chain="$(rules_chain $zone $zone1)"
[ -z "$chain" ] && continue # CONTINUE policy and there is no canonical chain.
[ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains [ -n "$DYNAMIC_ZONES" ] && echo "$zone $zone1 $chain" >> $STATEDIR/chains
if [ $zone = $zone1 ]; then if [ $zone = $zone1 ]; then
@ -4363,6 +4425,21 @@ activate_rules()
done done
fi fi
done done
if [ -n "$last_chain" ]; then
if [ -n "$complex" ]; then
run_iptables -A $frwd_chain -j $last_chain
else
for host in $source_hosts; do
interface=${host%%:*}
networks=${host#*:}
chain=$(forward_chain $interface)
run_iptables -A $chain $(match_source_hosts $networks) -j $last_chain
done
fi
fi
done done
for interface in $ALL_INTERFACES ; do for interface in $ALL_INTERFACES ; do
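Review bot: The collapsed jump added here, `run_iptables -A $frwd_chain -j $last_chain` (and its per-interface form in the `else` branch), carries no destination match, so it also catches forward traffic to every zone the first pass dropped with `continue` in the previous hunk — NONE policy, CONTINUE with no canonical chain, and the intra-zone shortcut — whereas, judging from the release-notes example, the per-zone rules it replaces were each bound to a destination interface. If anything that follows in $frwd_chain was meant to see traffic for those skipped zones, this changes which chain handles it; if the trailing *2all chain is known to be equivalent for every unlisted destination, that invariant deserves a comment above the first `for zone1 in $ZONES` loop, e.g. `# First pass: isolate the trailing run of zones that share one *2all chain; they get a single unconditional jump after the per-zone rules, so that jump must be acceptable for any destination not in dest_zones.` $complex, $frwd_chain and $source_hosts are set outside the hunk, and activate_rules() begins before the first hunk and continues past this one.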


@ -142,6 +142,38 @@ Other changes in 3.3.3
192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4 192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4
and hosts in the sub-network 192.168.1.16/28. and hosts in the sub-network 192.168.1.16/28.
8) In prior Shorewall versions, multiple jumps to a '2all' chain could
be generated in succession.
Example from an earlier shorewall version:
gateway:~ # shorewall show eth2_fwd
Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006
Counters reset Thu Oct 19 08:34:47 PDT 2006
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
gateway:~ #
This redundancy has been eliminated:
gateway:~ # shorewall show eth2_fwd
Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006
Counters reset Thu Oct 19 09:15:19 PDT 2006
Chain eth2_fwd (1 references)
pkts bytes target prot opt in out source destination
0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
gateway:~ #
Migration Considerations: Migration Considerations:
1) Shorewall supports the notion of "default actions". A default 1) Shorewall supports the notion of "default actions". A default