Don't generate superfluous policy matches

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4780 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-12-23 14:48:51 +01:00 · 2006-11-01 17:15:23 +00:00 · 2006-11-01 17:15:23 +00:00 · bbb71aacc5
commit bbb71aacc5
parent 4d6cf619fe
5 changed files with 21 additions and 4 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -4,6 +4,11 @@ Changes in 3.3.4

 2)  Fixes to change 1.

+3)  Many changed to improve the readability, appearance and effeciency
+    of the generated script.
+
+4)  Turn off POLICY_MATCH if no IPSEC.
+
 Changes in 3.3.4

 1)  Make exclusion work with "show zones"
--- a/Shorewall/compiler
+++ b/Shorewall/compiler
@ -4997,6 +4997,14 @@ VARDIR=/var/lib/shorewall-lite
 __EOF__

 	cat ${SHAREDIR}/lib.base >&3
+
+	cat >&3 << __EOF__
+
+################################################################################
+#                        End of ${SHAREDIR}/lib.base
+################################################################################
+
+__EOF__
    else
 	cat >&3 << __EOF__
 SHAREDIR=/usr/share/shorewall
@ -5008,7 +5016,6 @@ __EOF__
    fi

    cat >&3 << __EOF__
-
 #
 # Set policy of chain \$1 to \$2
 #
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@ -1371,4 +1371,3 @@ find_echo() {

    echo echo 
 }
-        
--- a/Shorewall/lib.config
+++ b/Shorewall/lib.config
@ -554,7 +554,7 @@ setup_ipsec() {
 # Validate the zone names and options in the hosts file
 #
 validate_hosts_file() {
-   local z hosts options r interface host option zports
+   local z hosts options r interface host option zports ipsec=

   check_bridge_port()
   {
@ -645,6 +645,7 @@ validate_hosts_file() {
 			    startup_error "Your kernel and/or iptables does not support policy match: ipsec"
 			eval ${z}_ipsec_hosts=\"\$${z}_ipsec_hosts $interface:$host\"
 			eval ${z}_is_complex=Yes
+			ipsec=Yes
 			;;
 		   routeback)
 			eval ${z}_routeback=\"$interface:$host \$${z}_routeback\"
@ -661,6 +662,8 @@ validate_hosts_file() {
   done < $TMP_DIR/hosts

   [ -n "$ALL_PORTS" ] && progress_message2 "   Bridge ports are: $ALL_PORTS"
+
+   [ -n "${IPSEC_ZONES}${ipsec}" ] || POLICY_MATCH=
 }

 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -42,7 +42,10 @@ Problems Corrected in 3.3.5

 Other Changes in 3.3.5.

-None.
+1)  Shorewall no longer includes policy matches in its generated
+    ruleset when no IPSEC zones or IPSEC networks are defined (IPSEC
+    networks are defined using the 'ipsec' option in
+    /etc/shorewall/hosts).

 Migration Considerations: