diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 2ec799abb..2a3c016cf 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -10,6 +10,8 @@ Changes in 3.3.4
 5) Rename COMBINE_JUMPS to OPTIMIZE and make its value numeric.
+6) Suppress superfluous wildcard rules under OPTIMIZE > 0.
+
 Changes in 3.3.3
 1) Fix excluding in SUBNET column.
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 3e8a662ed..c2a6d62e2 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -2647,7 +2647,17 @@ process_rules()
 ydestzone=${yservers%%:*}
 if [ "${ysourcezone}" != "${ydestzone}" -o "$2" = Yes ] ; then
 eval ypolicy=\$${ysourcezone}2${ydestzone}_policy
- if [ "$ypolicy" != NONE ] ; then
+ if [ "$ypolicy" != NONE ]; then
+ if [ $OPTIMIZE -gt 0 ]; then
+ eval yloglevel=\$${ysourcezone}2${ydestzone}_loglevel
+ if [ -n "$yloglevel" ]; then
+ if [ x$ypolicy:$yloglevel = x$xtarget ]; then
+ continue
+ fi
+ elif [ x$ypolicy = x$xtarget ]; then
+ continue
+ fi
+ fi
 if [ "$1" = Yes ]; then
 process_macro $xtarget "$xparam" $yclients $yservers $xprotocol $xports $xcports $xaddress $xratelimit $xuserspec
 else
@@ -3530,7 +3540,6 @@ __EOF__
 for address in $broadcasts ; do
 [ -n "$SMURF_LOG_LEVEL" ] && log_rule $SMURF_LOG_LEVEL smurfs DROP -s $address
 run_iptables -A smurfs $(source_ip_range $address) -j DROP
- run_iptables -A reject -s $address -j DROP
 done
 #
 # Reject Rules -- Don't respond to broadcasts with an ICMP
@@ -4366,6 +4375,13 @@ activate_rules()
 ;;
 esac
 done
+ #
+ # If there is no reduction in the number of rules then don't bother with the optimization
+ #
+ if [ -n "$last_chain" -a $(list_count1 $temp_zones) -eq 1 ]; then
+ dest_zones="$dest_zones $temp_zones"
+ last_chain=
+ fi
 else
 dest_zones=$ZONES
 fi
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index a9babe6a9..7108a8499 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
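Review bot: The suppression added to process_rules decides purely from the rule's ACTION:LEVEL versus the zone-pair policy (the `x$ypolicy:$yloglevel = x$xtarget` and `x$ypolicy = x$xtarget` tests), but iptables evaluates a chain in order, so skipping a wildcard rule also removes the shadowing it gave to later, more specific rules: with an ACCEPT loc→net policy, `ACCEPT all all tcp 80` followed by `DROP loc net tcp 80` accepts port 80 today and drops it once the wildcard is skipped. Unless the rest of process_rules (outside this hunk) guarantees that wildcard rules are always emitted last for a zone pair, that assumption should be written next to the check, e.g. `# Skipping the rule assumes no later rule in this chain matches the same traffic with a different target`. Separately, `[ $OPTIMIZE -gt 0 ]` raises a test error rather than evaluating false when OPTIMIZE is empty; `if [ "${OPTIMIZE:-0}" -gt 0 ]; then` keeps the pre-change behaviour for configurations that never set it. process_rules, and the loop the new `continue` advances, begin and end outside the hunk.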
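Review bot: The new early-out in activate_rules uses `[ -n "$last_chain" -a $(list_count1 $temp_zones) -eq 1 ]`, combining the deprecated `-a` with an unquoted command substitution, so an unexpected (empty or multi-word) result from list_count1 produces a `[` syntax error instead of a readable false. `if [ -n "$last_chain" ] && [ "$(list_count1 $temp_zones)" -eq 1 ]; then` expresses the same condition and is the form ShellCheck accepts. The comment above it states that there is no reduction but not why, which a later reader will want; something like `# A single collected zone needs its own jump anyway, so a shared chain saves nothing; emit it as an ordinary destination` would do, assuming list_count1 counts the words of its argument (not visible here). The loop this sits in and activate_rules itself start and end outside the hunk.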
@@ -45,6 +45,95 @@ Other Changes in 3.3.4.
 2) Beginning with this release, Shorewall and Shorewall Lite will share common change logs and release notes.
+3) A change introduced in 3.3.3 has been modified as described here.
+
+ In Shorewall versions prior to 3.3.2, multiple jumps to a '2all'
+ chain could be generated in succession.
+
+ Example from an earlier shorewall version:
+
+ gateway:~ # shorewall-lite show eth2_fwd
+ Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006
+
+ Counters reset Thu Oct 19 08:34:47 PDT 2006
+
+ Chain eth2_fwd (1 references)
+ pkts bytes target prot opt in out source destination
+ 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
+ 0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
+ 0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
+ 0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
+ 0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
+ gateway:~ #
+
+ This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf.
+
+ gateway:~ # shorewall-lite show eth2_fwd
+ Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006
+
+ Counters reset Thu Oct 19 09:15:19 PDT 2006
+
+ Chain eth2_fwd (1 references)
+ pkts bytes target prot opt in out source destination
+ 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
+ 0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
+ gateway:~ #
+
+ Note that with OPTIMIZE=1, traffic destined for an
+ interface/Address that falls outside of all defined zones may now
+ be logged out of a '2all' chain rather than out of the FORWARD
+ chain.
+
+ The OPTIMIZE setting also controls the suppression of redundant
+ wildcard rules (those specifying "all" in the SOURCE or DEST
+ column). A wildcard rule is considered to be redundant when it
+ has the same ACTION and Log Level as the applicable policy.
+
+ Example:
+
+ /etc/shorewall/policy
+
+ #SOURCE DEST POLICY LEVEL
+ loc net ACCEPT
+
+ /etc/shorewall/rules
+
+ #ACTION SOURCE DEST PROTO DEST
+ # PORT(S)
+ ...
+ ACCEPT all all icmp 8
+
+ OPTIMIZE=0
+
+ gateway:~ # shorewall show loc2net
+ Shorewall Lite 3.3.3 Chains loc2net at gateway - Thu Oct 26 07:55:03 PDT 2006
+
+ Counters reset Thu Oct 26 07:54:58 PDT 2006
+
+ Chain loc2net (1 references)
+ pkts bytes target prot opt in out source destination
+ ...
+ 0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
+ 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
+ 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
+
+ gateway:~
+
+ OPTIMIZE=1
+
+ gateway:~ # shorewall show loc2net
+ Shorewall Lite 3.3.3 Chains loc2net at gateway - Thu Oct 26 07:57:12 PDT 2006
+
+ Counters reset Thu Oct 26 07:56:38 PDT 2006
+
+ Chain loc2net (1 references)
+ pkts bytes target prot opt in out source destination
+ ...
+ 0 0 DROP all -- * * !192.168.0.0/22 0.0.0.0/0
+ 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
+
+ gateway:~
+
 Migration Considerations:
 1) Shorewall supports the notion of "default actions". A default
@@ -323,40 +412,3 @@ New Features:
 In that example, the 'loc' zone is defined to be the subnet 192.168.1.0/24 interfacing via eth0 *except* for host 192.168.1.4 and hosts in the sub-network 192.168.1.16/28.
-
-11) In prior Shorewall versions, multiple jumps to a '2all' chain could
- be generated in succession.
-
- Example from an earlier shorewall version:
-
- gateway:~ # shorewall-lite show eth2_fwd
- Shorewall Lite 3.3.2 Chains eth2_fwd at gateway - Thu Oct 19 08:54:37 PDT 2006
-
- Counters reset Thu Oct 19 08:34:47 PDT 2006
-
- Chain eth2_fwd (1 references)
- pkts bytes target prot opt in out source destination
- 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
- 0 0 wifi2all all -- * eth0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
- 0 0 wifi2all all -- * br0 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
- 0 0 wifi2all all -- * eth3 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
- 0 0 wifi2all all -- * tun+ 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
- gateway:~ #
-
- This redundancy may be eliminated by setting OPTIMIZE=1 in shorewall.conf.
-
- gateway:~ # shorewall-lite show eth2_fwd
- Shorewall Lite 3.3.3 Chains eth2_fwd at gateway - Thu Oct 19 09:15:24 PDT 2006
-
- Counters reset Thu Oct 19 09:15:19 PDT 2006
-
- Chain eth2_fwd (1 references)
- pkts bytes target prot opt in out source destination
- 0 0 dynamic all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW
- 0 0 wifi2all all -- * * 0.0.0.0/0 0.0.0.0/0
- gateway:~ #
-
- Note that with OPTIMIZE=1, traffic destined for an
- interface/Address that falls outside of all defined zones may now
- be logged out of a '2all' chain rather than out of the FORWARD
- chain.