Extend OPTIMIZE=1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4738 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -10,6 +10,8 @@ Changes in 3.3.4
 
 5)  Rename COMBINE_JUMPS to OPTIMIZE and make its value numeric.
 
+6)  Suppress superfluous wildcard rules under OPTIMIZE > 0.
+
 Changes in 3.3.3
 
 1)  Fix excluding in SUBNET column.

Shorewall/compiler

@@ -2647,7 +2647,17 @@ process_rules()
 		ydestzone=${yservers%%:*}
 		if [ "${ysourcezone}" != "${ydestzone}" -o "$2" = Yes ] ; then
 		    eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
-		    if [ "$ypolicy" != NONE ] ; then
+		    if [ "$ypolicy" != NONE ]; then
+			if [ $OPTIMIZE -gt 0 ]; then
+			    eval yloglevel=\$${ysourcezone}2${ydestzone}_loglevel
+			    if [ -n "$yloglevel" ]; then
+				if [ x$ypolicy:$yloglevel = x$xtarget ]; then
+				    continue
+				fi
+			    elif [ x$ypolicy = x$xtarget ]; then
+				continue
+			    fi
+			fi
 			if [ "$1" = Yes ]; then
 			    process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
 			else
@@ -3530,7 +3540,6 @@ __EOF__
     for address in $broadcasts ; do
 	[ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address
 	run_iptables -A smurfs $(source_ip_range $address) -j DROP
-	run_iptables -A reject -s $address -j DROP
     done
     #
     # Reject Rules -- Don't respond to broadcasts with an ICMP
@@ -4366,6 +4375,13 @@ activate_rules()
 			;;
 		esac
 	    done
+	    #
+	    # If there is no reduction in the number of rules then don't bother with the optimization
+	    #
+	    if [ -n "$last_chain" -a $(list_count1 $temp_zones) -eq 1 ]; then
+		dest_zones="$dest_zones $temp_zones"
+		last_chain=
+	    fi
 	else
 	    dest_zones=$ZONES
 	fi

Shorewall/releasenotes.txt

@@ -45,6 +45,95 @@ Other Changes in 3.3.4.
 2)  Beginning with this release, Shorewall and Shorewall Lite will
     share common change logs and release notes.
 
+3)  A change introduced in 3.3.3 has been modified as described here.
+
+    In Shorewall versions prior to 3.3.2, multiple jumps to a '2all'
+    chain could be generated in succession.
+
+    Example from an earlier shorewall version:
+
+    gateway:~ # shorewall-lite show eth2_fwd
+    Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006
+
+    Counters reset Thu Oct 19 08:34:47 PDT 2006
+
+    Chain eth2_fwd (1 references)
+     pkts bytes target     prot opt in     out     source            destination
+        0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
+        0     0 wifi2all   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
+        0     0 wifi2all   all  --  *      br0     0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
+        0     0 wifi2all   all  --  *      eth3    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
+        0     0 wifi2all   all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
+    gateway:~ # 
+
+    This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf.
+
+    gateway:~ # shorewall-lite show eth2_fwd
+    Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006
+
+    Counters reset Thu Oct 19 09:15:19 PDT 2006
+
+    Chain eth2_fwd (1 references)
+     pkts bytes target     prot opt in     out     source               destination
+        0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
+        0     0 wifi2all   all  --  *      *       0.0.0.0/0            0.0.0.0/0
+    gateway:~ #
+ 
+    Note that with OPTIMIZE=1, traffic destined for an
+    interface/Address that falls outside of all defined zones may now
+    be logged out of a '2all' chain rather than out of the FORWARD
+    chain.
+
+    The OPTIMIZE setting also controls the suppression of redundant
+    wildcard rules (those specifying "all" in the SOURCE or DEST
+    column). A wildcard rule is considered to be redundant when it
+    has the same ACTION and Log Level as the applicable policy.
+
+    Example:
+
+	/etc/shorewall/policy
+
+	#SOURCE		DEST		POLICY		LEVEL
+	loc		net		ACCEPT
+
+        /etc/shorewall/rules
+
+	#ACTION		SOURCE		DEST	PROTO	DEST
+	#						PORT(S)
+	...
+	ACCEPT		all		all	icmp	8
+
+    OPTIMIZE=0
+
+    gateway:~ # shorewall show loc2net
+    Shorewall Lite 3.3.3 Chains loc2net at gateway - Thu Oct 26 07:55:03 PDT 2006
+
+    Counters reset Thu Oct 26 07:54:58 PDT 2006
+
+    Chain loc2net (1 references)
+     pkts bytes target     prot opt in     out     source               destination         
+      ...
+        0     0 DROP       all  --  *      *      !192.168.0.0/22       0.0.0.0/0 
+        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
+        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+    gateway:~
+
+    OPTIMIZE=1
+    
+    gateway:~ # shorewall show loc2net
+    Shorewall Lite 3.3.3 Chains loc2net at gateway - Thu Oct 26 07:57:12 PDT 2006
+
+    Counters reset Thu Oct 26 07:56:38 PDT 2006
+
+    Chain loc2net (1 references)
+     pkts bytes target     prot opt in     out     source               destination         
+      ...
+        0     0 DROP       all  --  *      *      !192.168.0.0/22       0.0.0.0/0 
+        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
+
+    gateway:~
+
 Migration Considerations:
 
 1)  Shorewall supports the notion of "default actions". A default
@@ -323,40 +412,3 @@ New Features:
     In that example, the 'loc' zone is defined to be the subnet
     192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4
     and hosts in the sub-network 192.168.1.16/28.
-
-11) In prior Shorewall versions, multiple jumps to a '2all' chain could
-    be generated in succession.
-
-    Example from an earlier shorewall version:
-
-    gateway:~ # shorewall-lite show eth2_fwd
-    Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006
-
-    Counters reset Thu Oct 19 08:34:47 PDT 2006
-
-    Chain eth2_fwd (1 references)
-     pkts bytes target     prot opt in     out     source            destination
-        0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
-        0     0 wifi2all   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
-        0     0 wifi2all   all  --  *      br0     0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
-        0     0 wifi2all   all  --  *      eth3    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
-        0     0 wifi2all   all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           policy match dir out pol none
-    gateway:~ # 
-
-    This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf.
-
-    gateway:~ # shorewall-lite show eth2_fwd
-    Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006
-
-    Counters reset Thu Oct 19 09:15:19 PDT 2006
-
-    Chain eth2_fwd (1 references)
-     pkts bytes target     prot opt in     out     source               destination
-        0     0 dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID,NEW
-        0     0 wifi2all   all  --  *      *       0.0.0.0/0            0.0.0.0/0
-    gateway:~ #
- 
-    Note that with OPTIMIZE=1, traffic destined for an
-    interface/Address that falls outside of all defined zones may now
-    be logged out of a '2all' chain rather than out of the FORWARD
-    chain.