From bbb71aacc5fb88e6e046cf2039225b36610601e5 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 1 Nov 2006 17:15:23 +0000
Subject: [PATCH] Don't generate superfluous policy matches
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4780 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 5 +++++
 Shorewall/compiler | 9 ++++++++-
 Shorewall/lib.base | 1 -
 Shorewall/lib.config | 5 ++++-
 Shorewall/releasenotes.txt | 5 ++++-
 5 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index d562202f1..b47631c47 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -4,6 +4,11 @@ Changes in 3.3.4
 2) Fixes to change 1.
+3) Many changed to improve the readability, appearance and effeciency of the generated script.
+
+4) Turn off POLICY_MATCH if no IPSEC.
+
 Changes in 3.3.4
 1) Make exclusion work with "show zones"
diff --git a/Shorewall/compiler b/Shorewall/compiler
index 386c904c2..5486f34a0 100755
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@@ -4997,6 +4997,14 @@ VARDIR=/var/lib/shorewall-lite
 __EOF__
 cat ${SHAREDIR}/lib.base >&3
+
+ cat >&3 << __EOF__
+
+################################################################################
+# End of ${SHAREDIR}/lib.base
+################################################################################
+
+__EOF__
 else
 cat >&3 << __EOF__
 SHAREDIR=/usr/share/shorewall
@@ -5008,7 +5016,6 @@ __EOF__
 fi
 cat >&3 << __EOF__
-
 #
 # Set policy of chain \$1 to \$2
 #
diff --git a/Shorewall/lib.base b/Shorewall/lib.base
index ebda4ea85..8934c4bc6 100644
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -1371,4 +1371,3 @@ find_echo() {
 echo echo
 }
-
diff --git a/Shorewall/lib.config b/Shorewall/lib.config
index 74851bab5..0375467c9 100644
--- a/Shorewall/lib.config
+++ b/Shorewall/lib.config
@@ -554,7 +554,7 @@ setup_ipsec() {
 # Validate the zone names and options in the hosts file
 #
 validate_hosts_file() {
- local z hosts options r interface host option zports
+ local z hosts options r interface host option zports ipsec=
 check_bridge_port() {
@@ -645,6 +645,7 @@ validate_hosts_file() {
 startup_error "Your kernel and/or iptables does not support policy match: ipsec"
 eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
 eval ${z}_is_complex=Yes
+ ipsec=Yes
 ;;
 routeback)
 eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
@@ -661,6 +662,8 @@ validate_hosts_file() {
 done < $TMP_DIR/hosts
 [ -n "$ALL_PORTS" ] && progress_message2 " Bridge ports are: $ALL_PORTS"
+
+ [ -n "${IPSEC_ZONES}${ipsec}" ] || POLICY_MATCH=
 }
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index dd096ba53..d7148d7a7 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -42,7 +42,10 @@ Problems Corrected in 3.3.5
 Other Changes in 3.3.5.
-None.
+1) Shorewall no longer includes policy matches in its generated ruleset when no IPSEC zones or IPSEC networks are defined (IPSEC networks are defined using the 'ipsec' option in /etc/shorewall/hosts).
 Migration Considerations:
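Review bot: The `[ -n "${IPSEC_ZONES}${ipsec}" ] || POLICY_MATCH=` added at the end of validate_hosts_file clears a global capability setting from inside a validation routine with no comment saying why, and it is only correct if zone processing has already populated IPSEC_ZONES before this function is called — that ordering is outside the hunk and deserves a pointer. Folding two unrelated conditions into one string test also hides the intent; I would write it as `[ -z "$IPSEC_ZONES" ] && [ -z "$ipsec" ] && POLICY_MATCH=` preceded by `# No IPSEC zones and no 'ipsec' hosts seen above: drop POLICY_MATCH so the compiler does not emit -m policy rules for traffic it never needs to distinguish`. If POLICY_MATCH is what the compiler consults when it emits policy matches (not shown in this hunk), a `progress_message2` when it is cleared would make the shape of the resulting ruleset easy to explain while troubleshooting. The `ipsec=` initialiser in the first lib.config hunk and the `ipsec=Yes` in the second are fine as written.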