extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 17:28:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Eliminate Redundant Rules

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-09-11 10:17:01 -07:00
parent 9947f4d968
commit 988ee64621
2 changed files with 18 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -994,7 +994,7 @@ sub add_common_rules ( $$ ) {
for my $hostref ( @$list ) { for my $hostref ( @$list ) {
$interface = $hostref->[0]; $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
my $target = source_exclusion( $hostref->[3], $chainref ); my $target = source_exclusion( $hostref->[3], $chainref );
for $chain ( option_chains $interface ) { for $chain ( option_chains $interface ) {
@ -1118,7 +1118,8 @@ sub add_common_rules ( $$ ) {
for my $hostref ( @$list ) { for my $hostref ( @$list ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
my $target = source_exclusion( $hostref->[3], $chainref ); my $target = source_exclusion( $hostref->[3], $chainref );
my @policy = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : (); my $ipsec = $hostref->[1];
my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
for $chain ( option_chains $interface ) { for $chain ( option_chains $interface ) {
add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy ); add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@ -1289,7 +1290,7 @@ sub setup_mac_lists( $ ) {
for my $hostref ( @$maclist_hosts ) { for my $hostref ( @$maclist_hosts ) {
my $interface = $hostref->[0]; my $interface = $hostref->[0];
my $ipsec = $hostref->[1]; my $ipsec = $hostref->[1];
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : (); my @policy = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
my @source = imatch_source_net $hostref->[2]; my @source = imatch_source_net $hostref->[2];
my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW'; my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';

23
Shorewall/Perl/Shorewall/Zones.pm
View File

@ -2121,14 +2121,25 @@ sub have_ipsec() {
sub find_hosts_by_option( $ ) { sub find_hosts_by_option( $ ) {
my $option = $_[0]; my $option = $_[0];
my @hosts; my @hosts;
my %done;
for my $interface ( @interfaces ) {
if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
push @hosts, [ $interface, '', ALLIP , [] ];
$done{$interface} = 1;
}
}
for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) { for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) { while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) { while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
for my $host ( @{$arrayref} ) { for my $host ( @{$arrayref} ) {
if ( my $value = $host->{options}{$option} ) { my $ipsec = $host->{ipsec};
for my $net ( @{$host->{hosts}} ) { unless ( $done{$interface} ) {
push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ]; if ( my $value = $host->{options}{$option} ) {
for my $net ( @{$host->{hosts}} ) {
push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
}
} }
} }
} }
@ -2136,12 +2147,6 @@ sub find_hosts_by_option( $ ) {
} }
} }
for my $interface ( @interfaces ) {
if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
push @hosts, [ $interface, 'none', ALLIP , [] ];
}
}
\@hosts; \@hosts;
} }