extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-14 19:54:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

Finish optimization changes

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8166 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2008-02-07 23:47:02 +00:00
parent 44c9717a67
commit 94c4b5bd81
2 changed files with 66 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
Shorewall-perl/Shorewall/Rules.pm
View File

@ -1512,12 +1512,15 @@ sub generate_matrix() {
my @zones = non_firewall_zones;
#
# Set up forwarding chain for each zone
# Special processing for complex configurations
#
for my $zone ( @zones ) {
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
my $zoneref = find_zone( $zone );
next if @zones <= 2 && ! $zoneref->{complex};
my $exclusions = $zoneref->{exclusions};
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
if ( @$exclusions ) {
my $in_ref = new_standard_chain zone_input_chain $zone;
@ -1578,9 +1581,10 @@ sub generate_matrix() {
my $chain1 = rules_target firewall_zone , $zone;
my $chain2 = rules_target $zone, firewall_zone;
my $chain3 = rules_target $zone, $zone;
my $complex = $zoneref->{options}{complex} || 0;
my $type = $zoneref->{type};
my $exclusions = $zoneref->{exclusions};
my $frwd_ref = $filter_table->{ zone_forward_chain $zone };
my $frwd_ref = $filter_table->{"${zone}_frwd"};
my $chain = 0;
my $dnatref = ensure_chain 'nat' , dnat_chain( $zone );
my $nested = $zoneref->{options}{nested};
@ -1712,7 +1716,7 @@ sub generate_matrix() {
move_rules( $filter_table->{input_chain $interface} , $filter_table->{$nextchain} ) unless use_input_chain $interface;
}
if ( $hostref->{ipsec} ne 'ipsec' ) {
if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
if ( use_forward_chain $interface ) {
add_rule $filter_table->{forward_chain $interface} , join( '', $source, $ipsec_in_match. "-j $frwd_ref->{name}" );
} else {
@ -1836,6 +1840,7 @@ sub generate_matrix() {
}
}
if ( $frwd_ref ) {
for my $typeref ( values %$dest_hosts_ref ) {
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
my $arrayref = $typeref->{$interface};
@ -1850,6 +1855,54 @@ sub generate_matrix() {
}
}
}
} else {
for my $typeref ( values %$source_hosts_ref ) {
for my $interface ( keys %$typeref ) {
my $arrayref = $typeref->{$interface};
my $chain3ref;
my $match_source_dev = '';
if ( use_forward_chain $interface ) {
$chain3ref = $filter_table->{forward_chain $interface};
} else {
$chain3ref = $filter_table->{FORWARD};
$match_source_dev = match_source_dev $interface;
}
for my $hostref ( @$arrayref ) {
next if $hostref->{options}{destonly};
for my $net ( @{$hostref->{hosts}} ) {
for my $type1ref ( values %$dest_hosts_ref ) {
for my $interface1 ( keys %$type1ref ) {
my $array1ref = $type1ref->{$interface1};
for my $host1ref ( @$array1ref ) {
next if $host1ref->{options}{sourceonly};
my $ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
for my $net1 ( @{$host1ref->{hosts}} ) {
unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
#
# We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
#
add_rule(
$chain3ref ,
join( '',
$match_source_dev,
match_dest_dev($interface1),
match_source_net($net),
match_dest_net($net1),
$ipsec_out_match,
"-j $chain" )
);
}
}
}
}
}
}
}
}
}
}
#
# E N D F O R W A R D I N G
#

2
Shorewall-perl/Shorewall/Zones.pm
View File

@ -302,7 +302,7 @@ sub determine_zones()
options => { in_out => parse_zone_option_list( $options || '', $type ) ,
in => parse_zone_option_list( $in_options || '', $type ) ,
out => parse_zone_option_list( $out_options || '', $type ) ,
complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) } ,
complex => ($type eq 'ipsec4' || $options || $in_options || $out_options ? 1 : 0) ,
nested => @parents > 0 } ,
interfaces => {} ,
children => [] ,