Add router patch for better rule reduction

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4004 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

contrib/shoregen/shoregen

@@ -132,6 +132,7 @@ sub constructfile
 #
 
 my $fw;			# Firewall zone for this host
+my $router;		# Is this host a router?
 my @globalzones;	# All known zones
 my %globalzones;
 my %hostzones;		# zones applicable to this host
@@ -182,9 +183,12 @@ open( my $infile, "$dir/shorewall.conf" ) or
     die "Can't open $dir/shorewall.conf: $!";
 
 for (<$infile>) {
-    next unless m/^\s*FW=(\S+)/;
+    if (/^\s*FW=(\S+)/) {
-    $fw = $1;
+	$fw = $1 unless defined $fw;
-    last;
+    }
+    if (/^\s*IP_FORWARDING=(\S+)/) {
+	$router = $1 unless defined $router;
+    }
 }
 
 close $infile;
@@ -192,9 +196,20 @@ close $infile;
 
 # The firewall name must be defined
 unless (defined $fw) {
-    fatal 1, "Can't find firewall name for $host in $dir/shorewall.conf";
+    fatal 1, "Can't find firewall name (FW variable) for $host in $dir/shorewall.conf";
 }
 
+# Router must be defined
+unless (defined $router) {
+    fatal 1, "Can't find IP_FORWARDING setting for $host in $dir/shorewall.conf";
+}
+if ($router =~ m/On|Yes/i) {
+    $router = 1;
+}
+else {
+    $router = 0;
+}
+print "fw=$fw, router=$router\n" if $DEBUG > 3;
 
 # Find all valid zones
 unless (-r "zones") {
@@ -330,41 +345,45 @@ printf $outfile $HEADER, "$conf";
 
 my $ret = 0;
 
-for (stripfile $conf) {
+for my $infile ("$conf.COMMON", "$conf.$host", "$conf") {
+    next unless -r $infile;
+    for (stripfile $infile) {
 	chomp;
 
 	my ($act, $src, $dst, $rest) = split /\s+/, $_, 4;
 
-    # strip down to only the main tag
+	$act =~ s/:.*//;	# strip off logging directives
-    $act =~ s/:.*//;
+	$src =~ s/:.*//;	# strip off host & port specifiers
-    $src =~ s/:.*//;
+	$dst =~ s/:.*//;	# strip off host & port specifiers
-    $dst =~ s/:.*//;
+
 	print "$act, $src, $dst, $rest\n" if $DEBUG > 3;
 
-    # Both source and destination zones must be valid on this host for this
+	# Both source and destination zones must be valid on this host
-    # rule to apply.
+	# for this rule to apply.
 	next unless defined $hostzones{$src} and defined $hostzones{$dst};
 
-    # Source and destination zones must be on different interfaces as well,
+	# If host is not a router, either the source or destination zone
-    # except for the case of all2all.
+	# must be the firewall itself.
-    next if ($hostzones{$src} eq $hostzones{$dst} && $src ne "all");
+	if (!$router) {
+	    next unless $src eq $fw or $dst eq $fw;
+	}
 
 	# Save additional WARN/BAN rules
 	if ($act eq "WARN"  or  $act eq "BAN") {
 	    if (exists $warnban{$src}{$dst}) {
-	    warning "Duplicate WARN/BAN rule: $src,$dst,$act - possible typo?";
+		error "Duplicate WARN/BAN rule: $src,$dst,$act - possible typo?";
 	    }
 	    $warnban{$src}{$dst} = $act;
 	    next;
 	}
 
 	# Check against WARN/BAN rules
-    if (exists $warnban{$src}{$dst} && $act =~ /^(ACCEPT|DNAT)\b/) {
+	if (exists $warnban{$src}{$dst} && $act =~ /^(ACCEPT|Allow|DNAT)/) {
 	    if ($warnban{$src}{$dst} eq "WARN") {
 		warning "Rule contravenes WARN policy:\n\t$_";
 	    }
 	    else { # $warnban{$src}{$dst} eq "BAN"
-	    warning "Rule contravenes BAN policy (omitted):\n\t$_";
+		error "Rule contravenes BAN policy (omitted):\n\t$_";
 		++$ret;
 		next;
 	    }
@@ -378,8 +397,9 @@ for (stripfile $conf) {
 
 	printf $outfile "%s\n", $_;
     }
+}
 close $outfile or warn "Can't close $dir/$conf for writing: $!";
 
 
-# If we get here, everything's OK - return whatever we produced above...
+# Finished - return whatever we produced above...
 exit $ret;