From e018ee6adce1ad7fc21ea4636621fbbc47d4b16e Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Fri, 24 Sep 2010 15:25:57 -0700
Subject: [PATCH] Don't create _frwd when unnecessary
- Set the zone {complex} flag based on ipsec options rather than the presense of any options.
- Generate forwarding blacklist rules in lieu of creating_frwd
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Rules.pm | 20 +++++++++++++++++---
 Shorewall/Perl/Shorewall/Zones.pm | 15 +++++++++------
 2 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index c40362d30..c222175b9 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -1861,14 +1861,28 @@ sub generate_matrix() {
     progress_message2 'Generating Rule Matrix...';
     #
-    # Special processing for complex and blacklisting configurations
+    # Special processing for complex and/or blacklisting configurations
     #
     for my $zone ( @zones ) {
         my $zoneref = find_zone( $zone );
-
+        my $simple = @zones <= 2 && ! $zoneref->{options}{complex};
+        #
+        # Handle blacklisting first
+        #
         if ( $zoneref->{options}{in}{blacklist} ) {
             my $blackref = $filter_table->{blacklst};
             add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
+
+            if ( $simple ) {
+                for my $zone1 ( @zones ) {
+                    my $ruleschain = rules_chain( $zone, $zone1 );
+                    my $ruleschainref = $filter_table->{$ruleschain};
+
+                    if ( ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) && $ruleschainref->{policy} ne 'NONE' ) {
+                        add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
+                    }
+                }
+            }
         }
         if ( $zoneref->{options}{out}{blacklist} ) {
@@ -1885,7 +1899,7 @@ sub generate_matrix() {
             }
         }
-        next if @zones <= 2 && ! $zoneref->{options}{complex};
+        next if $simple;
         #
         # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
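Review bot: In the new `if ( $simple )` loop, `$ruleschainref->{policy} ne 'NONE'` is evaluated even when `$filter_table->{$ruleschain}` does not exist yet: for `$zone ne $zone1` the `||` short-circuits past the definedness test (the `$ruleschainref &&` on the same line shows the chain can be absent), so an undefined `$ruleschainref` gives `undef ne 'NONE'`, which is true with an uninitialized-value warning, and the NONE exclusion never fires for a pair whose chain has not been created. If ensure_filter_chain() records `{policy}` on the chain it returns, calling it first and testing the returned ref would make the check effective; otherwise the pair's policy has to be looked up from wherever the project records zone-pair policies before the dereference, since a guard such as `( ! $ruleschainref || $ruleschainref->{policy} ne 'NONE' )` only silences the warning. Separately, if `@zones` includes the firewall zone, as the `@zones <= 2` simple test suggests, the loop adds a second jump to blacklst for `rules_chain( $zone, firewall_zone )` on top of the unconditional `add_jump ... for firewall_zone, @vservers;` three lines above, unless add_jump deduplicates. generate_matrix continues outside the hunk.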
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index b3bce190b..3b8819784 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -296,7 +296,7 @@ sub initialize( $ ) {
 #               => mss =
 #               => ipsec = <-m policy arguments to match options>
 #
-sub parse_zone_option_list($$)
+sub parse_zone_option_list($$\$)
 {
     my %validoptions = ( mss => NUMERIC,
                          blacklist => NOTHING,
@@ -316,7 +316,7 @@ sub parse_zone_option_list($$)
     #
     my %key = ( mss => UNRESTRICTED ,
                 blacklist => NOFW );
-    my ( $list, $zonetype ) = @_;
+    my ( $list, $zonetype, $complexref ) = @_;
     my %h;
     my $options = '';
     my $fmt;
@@ -354,6 +354,7 @@ sub parse_zone_option_list($$)
                 $options .= $invert;
                 $options .= "--$e ";
                 $options .= "$val "if defined $val;
+                $$complexref = 1;
             }
         }
     }
@@ -439,13 +440,15 @@ sub process_zone( \$ ) {
         }
     }
+    my $complex = 0;
+
     my $zoneref = $zones{$zone} = { type       => $type,
                                     parents    => \@parents,
                                     bridge     => '',
-                                    options    => { in_out => parse_zone_option_list( $options || '', $type ) ,
-                                                    in     => parse_zone_option_list( $in_options || '', $type ) ,
-                                                    out    => parse_zone_option_list( $out_options || '', $type ) ,
-                                                    complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
+                                    options    => { in_out => parse_zone_option_list( $options , $type, $complex ) ,
+                                                    in     => parse_zone_option_list( $in_options , $type , $complex ) ,
+                                                    out    => parse_zone_option_list( $out_options , $type , $complex ) ,
+                                                    complex => ( $type == IPSEC || $complex ) ,
                                     nested     => @parents > 0 ,
                                     super      => 0 ,
                                     } ,
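Review bot: The `\$` added in `sub parse_zone_option_list($$\$)` is the only thing that turns the bare `$complex` at the process_zone call sites into a reference, and that works solely because those calls are compiled after this definition and made without `&`; nothing at the call site shows that the third argument is an out-parameter. Passing the reference explicitly, `parse_zone_option_list( $options , $type, \$complex )` with a plain `($$$)` prototype, would make the write-back visible to readers and survive a later reordering of the subs. Either way the new parameter should be documented in the header comment above the sub, e.g. `# Third argument: reference to a scalar that is set to 1 when the list yields -m policy (ipsec) match options.` — the `$$complexref = 1;` added in the hunk at line 354, inside the branch that builds `$options`, is its only writer. The body of parse_zone_option_list runs outside these hunks.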
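Review bot: The three calls in process_zone now pass `$options`, `$in_options` and `$out_options` without the former `|| ''` default, so parse_zone_option_list receives whatever the column holds, including undef if a zone line can leave a column unset. The removed `complex` expression already compared these values against '-' with no guard, which suggests the columns are always defined by the time they reach this point, so the change is probably harmless, but that precondition is now implicit in two places. A comment at `my $complex = 0;` would record it: `# option columns are expected to be defined ('-' when absent); $complex is set to 1 by parse_zone_option_list through its \$ prototype`. process_zone begins before the hunk.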