More [re]start speedups
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@355 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
2528043867
commit
14b0682723
@ -347,21 +347,6 @@ flushnat() # $1 = name of chain
|
|||||||
run_iptables -t nat -F $1
|
run_iptables -t nat -F $1
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Find interfaces to a given zone
|
|
||||||
#
|
|
||||||
# Read the interfaces file and for each record matching the passed ZONE,
|
|
||||||
# echo the expanded contents of the "INTERFACE" column
|
|
||||||
#
|
|
||||||
find_interfaces() # $1 = interface zone
|
|
||||||
{
|
|
||||||
local zne=$1
|
|
||||||
|
|
||||||
while read z interface subnet options; do
|
|
||||||
[ "x`expand $z`" = "x$zne" ] && echo `expand $interface`
|
|
||||||
done < $TMP_DIR/interfaces
|
|
||||||
}
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Chain name base for an interface
|
# Chain name base for an interface
|
||||||
#
|
#
|
||||||
@ -372,6 +357,25 @@ chain_base() #$1 = interface
|
|||||||
echo ${c:=common}
|
echo ${c:=common}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Find interfaces to a given zone
|
||||||
|
#
|
||||||
|
# Search the variables representing the contents of the interfaces file and
|
||||||
|
# for each record matching the passed ZONE, echo the expanded contents of
|
||||||
|
# the "INTERFACE" column
|
||||||
|
#
|
||||||
|
find_interfaces() # $1 = interface zone
|
||||||
|
{
|
||||||
|
local zne=$1
|
||||||
|
local z
|
||||||
|
local interface
|
||||||
|
|
||||||
|
for interface in $all_interfaces; do
|
||||||
|
eval z=\$`chain_base ${interface}`_zone
|
||||||
|
[ "x${z}" = x${zne} ] && echo $interface
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
# Forward Chain for an interface
|
# Forward Chain for an interface
|
||||||
#
|
#
|
||||||
@ -562,7 +566,12 @@ validate_interfaces_file() {
|
|||||||
while read z interface subnet options; do
|
while read z interface subnet options; do
|
||||||
expandv z interface subnet options
|
expandv z interface subnet options
|
||||||
r="$z $interface $subnet $options"
|
r="$z $interface $subnet $options"
|
||||||
[ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
|
|
||||||
|
[ "x$z" = "x-" ] && z=
|
||||||
|
|
||||||
|
if [ -n "$z" ]; then
|
||||||
|
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
|
||||||
|
fi
|
||||||
|
|
||||||
[ "x$interface" = "xlo" ] && \
|
[ "x$interface" = "xlo" ] && \
|
||||||
startup_error "Error: The loopback interface (lo) may not be defined in /etc/shorewall/interfaces"
|
startup_error "Error: The loopback interface (lo) may not be defined in /etc/shorewall/interfaces"
|
||||||
@ -571,6 +580,12 @@ validate_interfaces_file() {
|
|||||||
startup_error "Error: Duplicate Interface $interface"
|
startup_error "Error: Duplicate Interface $interface"
|
||||||
|
|
||||||
all_interfaces="$all_interfaces $interface"
|
all_interfaces="$all_interfaces $interface"
|
||||||
|
options=`separate_list $options`
|
||||||
|
interface=`chain_base $interface`
|
||||||
|
|
||||||
|
eval ${interface}_broadcast="$subnet"
|
||||||
|
eval ${interface}_zone="$z"
|
||||||
|
eval ${interface}_options=\"$options\"
|
||||||
|
|
||||||
for option in `separate_list $options`; do
|
for option in `separate_list $options`; do
|
||||||
case $option in
|
case $option in
|
||||||
@ -946,12 +961,26 @@ validate_rules() # $1 = name of rules file
|
|||||||
#
|
#
|
||||||
validate_policy()
|
validate_policy()
|
||||||
{
|
{
|
||||||
|
local clientwild
|
||||||
|
local serverwild
|
||||||
|
local zone
|
||||||
|
local zone1
|
||||||
|
local pc
|
||||||
|
local chain
|
||||||
|
|
||||||
|
all_policy_chains=
|
||||||
|
|
||||||
strip_file policy $policy
|
strip_file policy $policy
|
||||||
|
|
||||||
while read client server policy loglevel synparams; do
|
while read client server policy loglevel synparams; do
|
||||||
expandv client server policy loglevel synparams
|
expandv client server policy loglevel synparams
|
||||||
|
|
||||||
|
clientwild=
|
||||||
|
serverwild=
|
||||||
|
|
||||||
case "$client" in
|
case "$client" in
|
||||||
all|ALL)
|
all|ALL)
|
||||||
|
clientwild=Yes
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if ! validate_zone $client; then
|
if ! validate_zone $client; then
|
||||||
@ -961,6 +990,7 @@ validate_policy()
|
|||||||
|
|
||||||
case "$server" in
|
case "$server" in
|
||||||
all|ALL)
|
all|ALL)
|
||||||
|
serverwild=Yes
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
if ! validate_zone $server; then
|
if ! validate_zone $server; then
|
||||||
@ -985,7 +1015,45 @@ validate_policy()
|
|||||||
startup_error "Error: Duplicate policy $policy"
|
startup_error "Error: Duplicate policy $policy"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
eval ${client}2${server}_is_policy=Yes
|
[ "x$loglevel" = "x-" ] && loglevel=
|
||||||
|
|
||||||
|
chain=${client}2${server}
|
||||||
|
|
||||||
|
all_policy_chains="$all_policy_chains $chain"
|
||||||
|
|
||||||
|
eval ${chain}_is_policy=Yes
|
||||||
|
eval ${chain}_policy=$policy
|
||||||
|
eval ${chain}_loglevel=$loglevel
|
||||||
|
eval ${chain}_synparams=$synparams
|
||||||
|
|
||||||
|
if [ -n "${clientwild}" ]; then
|
||||||
|
if [ -n "${serverwild}" ]; then
|
||||||
|
for zone in $zones $FW; do
|
||||||
|
for zone1 in $zones $FW; do
|
||||||
|
eval pc=\$${zone}2${zone1}_policychain
|
||||||
|
|
||||||
|
[ -n "$pc" ] || \
|
||||||
|
eval ${zone}2${zone1}_policychain=$chain
|
||||||
|
done
|
||||||
|
done
|
||||||
|
else
|
||||||
|
for zone in $zones $FW; do
|
||||||
|
eval pc=\$${zone}2${server}_policychain
|
||||||
|
|
||||||
|
[ -n "$pc" ] || \
|
||||||
|
eval ${zone}2${server}_policychain=$chain
|
||||||
|
done
|
||||||
|
fi
|
||||||
|
elif [ -n "$serverwild" ]; then
|
||||||
|
for zone in $zones $FW; do
|
||||||
|
eval pc=\$${client}2${zone}_policychain
|
||||||
|
|
||||||
|
[ -n "$pc" ] || \
|
||||||
|
eval ${client}2${zone}_policychain=$chain
|
||||||
|
done
|
||||||
|
else
|
||||||
|
eval ${chain}_policychain=${chain}
|
||||||
|
fi
|
||||||
|
|
||||||
done < $TMP_DIR/policy
|
done < $TMP_DIR/policy
|
||||||
}
|
}
|
||||||
@ -994,8 +1062,9 @@ validate_policy()
|
|||||||
# Find broadcast addresses
|
# Find broadcast addresses
|
||||||
#
|
#
|
||||||
find_broadcasts() {
|
find_broadcasts() {
|
||||||
while read z interface bcast options; do
|
for interface in $all_interfaces; do
|
||||||
expandv interface bcast
|
interface=`chain_base $interface`
|
||||||
|
eval bcast=\$${interface}_broadcast
|
||||||
if [ "x$bcast" = "xdetect" ]; then
|
if [ "x$bcast" = "xdetect" ]; then
|
||||||
addr="`ip addr show $interface 2> /dev/null`"
|
addr="`ip addr show $interface 2> /dev/null`"
|
||||||
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
|
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
|
||||||
@ -1006,7 +1075,7 @@ find_broadcasts() {
|
|||||||
elif [ "x${bcast}" != "x-" ]; then
|
elif [ "x${bcast}" != "x-" ]; then
|
||||||
echo `separate_list $bcast`
|
echo `separate_list $bcast`
|
||||||
fi
|
fi
|
||||||
done < $TMP_DIR/interfaces
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1014,23 +1083,19 @@ find_broadcasts() {
|
|||||||
#
|
#
|
||||||
find_interface_broadcasts() # $1 = Interface name
|
find_interface_broadcasts() # $1 = Interface name
|
||||||
{
|
{
|
||||||
while read z interface bcast options; do
|
eval bcast=\$${1}_broadcast
|
||||||
expandv interface bcast
|
|
||||||
if [ "$interface" = "$1" ]; then
|
|
||||||
if [ "x$bcast" = "xdetect" ]; then
|
|
||||||
addr="`ip addr show $interface 2> /dev/null`"
|
|
||||||
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
|
|
||||||
addr="`echo "$addr" | \
|
|
||||||
grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
|
|
||||||
echo $addr | cut -d' ' -f 1
|
|
||||||
fi
|
|
||||||
elif [ "x${bcast}" != "x-" ]; then
|
|
||||||
echo `separate_list $bcast`
|
|
||||||
fi
|
|
||||||
|
|
||||||
return
|
if [ "x$bcast" = "xdetect" ]; then
|
||||||
|
addr="`ip addr show $interface 2> /dev/null`"
|
||||||
|
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
|
||||||
|
addr="`echo "$addr" | \
|
||||||
|
grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
|
||||||
|
echo $addr | cut -d' ' -f 1
|
||||||
fi
|
fi
|
||||||
done < $TMP_DIR/interfaces
|
elif [ "x${bcast}" != "x-" ]; then
|
||||||
|
echo `separate_list $bcast`
|
||||||
|
fi
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1059,11 +1124,10 @@ find_interface_address() # $1 = interface
|
|||||||
#
|
#
|
||||||
find_interfaces_by_option() # $1 = option
|
find_interfaces_by_option() # $1 = option
|
||||||
{
|
{
|
||||||
while read ignore interface subnet options; do
|
for interface in $all_interfaces; do
|
||||||
expandv options
|
eval options=\$`chain_base ${interface}`_options
|
||||||
list_search $1 `separate_list $options` && \
|
list_search $1 $options && echo $interface
|
||||||
echo `expand $interface`
|
done
|
||||||
done < $TMP_DIR/interfaces
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1077,11 +1141,11 @@ find_hosts_by_option() # $1 = option
|
|||||||
echo `expand $hosts`
|
echo `expand $hosts`
|
||||||
done < $TMP_DIR/hosts
|
done < $TMP_DIR/hosts
|
||||||
|
|
||||||
while read ignore interface ignore1 options; do
|
for interface in $all_interfaces; do
|
||||||
expandv options
|
eval options=\$`chain_base ${interface}`_options
|
||||||
list_search $1 `separate_list $options` && \
|
list_search $options && \
|
||||||
echo `expand $interface`:0.0.0.0/0
|
echo ${interface}:0.0.0.0/0
|
||||||
done < $TMP_DIR/interfaces
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -1092,12 +1156,17 @@ find_hosts_by_option() # $1 = option
|
|||||||
have_interfaces_in_zone_with_option() # $1 = zone, $2 = option
|
have_interfaces_in_zone_with_option() # $1 = zone, $2 = option
|
||||||
{
|
{
|
||||||
local zne=$1
|
local zne=$1
|
||||||
|
local z
|
||||||
|
local interface
|
||||||
|
|
||||||
while read z interface broadcast options; do
|
for interface in $all_interfaces; do
|
||||||
[ "x`expand $z`" = "x$zne" ] && expandv options && \
|
eval z=\$`chain_base ${interface}`_zone
|
||||||
list_search $1 `separate_list $options` && \
|
|
||||||
|
[ "x$z" = "x$zne" ] && \
|
||||||
|
list_search $1 $options && \
|
||||||
return 0
|
return 0
|
||||||
done < $TMP_DIR/interfaces
|
done
|
||||||
|
|
||||||
return 1
|
return 1
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2576,13 +2645,15 @@ default_policy() # $1 = client $2 = server
|
|||||||
|
|
||||||
apply_default()
|
apply_default()
|
||||||
{
|
{
|
||||||
|
#
|
||||||
|
# Generate policy file column values from the policy chain
|
||||||
|
#
|
||||||
|
eval policy=\$${chain1}_policy
|
||||||
|
eval loglevel=\$${chain1}_loglevel
|
||||||
|
eval synparams=\$${chain1}_synparams
|
||||||
#
|
#
|
||||||
# Add the appropriate rules to the canonical chain ($chain) to enforce
|
# Add the appropriate rules to the canonical chain ($chain) to enforce
|
||||||
# the specified policy
|
# the specified policy
|
||||||
#
|
|
||||||
# Construct policy chain name
|
|
||||||
#
|
|
||||||
chain1=${client}2${server}
|
|
||||||
|
|
||||||
if [ "$chain" = "$chain1" ]; then
|
if [ "$chain" = "$chain1" ]; then
|
||||||
#
|
#
|
||||||
@ -2636,27 +2707,13 @@ default_policy() # $1 = client $2 = server
|
|||||||
echo " Policy $policy for $1 to $2 using chain $chain"
|
echo " Policy $policy for $1 to $2 using chain $chain"
|
||||||
}
|
}
|
||||||
|
|
||||||
while read client server policy loglevel synparams; do
|
eval chain1=\$${1}2${2}_policychain
|
||||||
expandv client server policy loglevel synparams
|
|
||||||
case "$client" in
|
|
||||||
all|ALL)
|
|
||||||
if [ "$server" = "$2" -o "$server" = "all" ]; then
|
|
||||||
apply_default $1 $2
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ "$client" = "$1" ] && \
|
|
||||||
[ "$server" = "all" -o "$server" = "$2" ]
|
|
||||||
then
|
|
||||||
apply_default $1 $2
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done < $TMP_DIR/policy
|
|
||||||
|
|
||||||
fatal_error "Error: No default policy for zone $1 to zone $2"
|
if [ -n "$chain1" ]; then
|
||||||
|
apply_default $1 $2
|
||||||
|
else
|
||||||
|
fatal_error "Error: No default policy for zone $1 to zone $2"
|
||||||
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -2672,33 +2729,20 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
|
|||||||
{
|
{
|
||||||
local policy=
|
local policy=
|
||||||
local loglevel=
|
local loglevel=
|
||||||
|
local policychain=
|
||||||
|
|
||||||
run_user_exit $1
|
run_user_exit $1
|
||||||
|
|
||||||
while read client server policy loglevel synparams; do
|
eval policychain=\$${2}2${3}_policychain
|
||||||
expandv client server policy loglevel synparams
|
|
||||||
|
|
||||||
[ "x$loglevel" = "x-" ] && loglevel=
|
if [ -n "$policychain" ]; then
|
||||||
|
eval policy=\$${policychain}_policy
|
||||||
|
eval loglevel=\$${policychain}_loglevel
|
||||||
|
|
||||||
case "$client" in
|
policy_rules $1 $policy $loglevel
|
||||||
all|ALL)
|
else
|
||||||
if [ "$server" = "$3" -o "$server" = "all" ]; then
|
policy_rules $1 DROP INFO
|
||||||
policy_rules $1 $policy $loglevel
|
fi
|
||||||
return
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ "$client" = "$2" ] && \
|
|
||||||
[ "$server" = "all" -o "$server" = "$3" ]
|
|
||||||
then
|
|
||||||
policy_rules $1 $policy $loglevel
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done < $TMP_DIR/policy
|
|
||||||
|
|
||||||
policy_rules $1 DROP INFO
|
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -2714,23 +2758,9 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
|||||||
|
|
||||||
havechain $chain && { echo $chain; return; }
|
havechain $chain && { echo $chain; return; }
|
||||||
|
|
||||||
while read client server policy loglevel ; do
|
eval chain=\$${chain}_policychain
|
||||||
expandv client server policy loglevel
|
|
||||||
case "$client" in
|
[ -n "$chain" ] && { echo $chain; return; }
|
||||||
all|ALL)
|
|
||||||
if [ "$server" = "$2" -o "$server" = "all" ]; then
|
|
||||||
echo all2${server}
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
*)
|
|
||||||
if [ "$client" = "$1" -a "$server" = "all" ]; then
|
|
||||||
echo ${client}2${server}
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
;;
|
|
||||||
esac
|
|
||||||
done < $TMP_DIR/policy
|
|
||||||
|
|
||||||
fatal_error "Error: No appropriate chain for zone $1 to zone $2"
|
fatal_error "Error: No appropriate chain for zone $1 to zone $2"
|
||||||
}
|
}
|
||||||
@ -3471,10 +3501,10 @@ apply_policy_rules() {
|
|||||||
#
|
#
|
||||||
# Create policy chains
|
# Create policy chains
|
||||||
#
|
#
|
||||||
while read client server policy loglevel synparams; do
|
for chain in $all_policy_chains; do
|
||||||
expandv client server policy loglevel synparams
|
eval policy=\$${chain}_policy
|
||||||
|
eval loglevel=\$${chain}_loglevel
|
||||||
chain=${client}2${server}
|
eval synparams=\$${chain}_synparams
|
||||||
|
|
||||||
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
|
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
|
||||||
|
|
||||||
@ -3500,15 +3530,18 @@ apply_policy_rules() {
|
|||||||
# Otherwise, this is a canonical chain which will be handled in
|
# Otherwise, this is a canonical chain which will be handled in
|
||||||
# the for loop below
|
# the for loop below
|
||||||
#
|
#
|
||||||
[ "$client" = "all" -o "$server" = "all" ] && \
|
case $chain in
|
||||||
policy_rules $chain $policy $loglevel
|
all2*|*2all)
|
||||||
|
policy_rules $chain $policy $loglevel
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
[ -n "$synparams" ] && \
|
[ -n "$synparams" ] && \
|
||||||
[ $policy = ACCEPT -o $policy = CONTINUE ] && \
|
[ $policy = ACCEPT -o $policy = CONTINUE ] && \
|
||||||
run_iptables -I $chain 2 -p tcp --syn -j @$chain
|
run_iptables -I $chain 2 -p tcp --syn -j @$chain
|
||||||
fi
|
fi
|
||||||
|
|
||||||
done < $TMP_DIR/policy
|
done
|
||||||
#
|
#
|
||||||
# Add policy rules to canonical chains
|
# Add policy rules to canonical chains
|
||||||
#
|
#
|
||||||
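Review bot: In the find_hosts_by_option hunk the rewritten line `list_search $options && \` drops the option being searched for, so the first entry of the interface's option list becomes the search key; the sibling find_interfaces_by_option hunk keeps the argument as `list_search $1 $options && echo $interface`, and this line should likewise read `list_search $1 $options && \`. The neighbouring have_interfaces_in_zone_with_option hunk has the mirror-image problem: it loads the interface's `_zone` variable but never loads `$options` (the old loop did `expandv options` from the read columns), so `list_search $1 $options` tests whatever value `options` held in the caller; the same `eval options=...` line that find_interfaces_by_option uses belongs right after the `_zone` eval, and note that the header says `$2 = option` while the code before and after this commit searches for `$1`. Separately, the validate_policy hunk now stores policy-file columns with `eval ${chain}_policy=$policy`, `eval ${chain}_loglevel=$loglevel` and `eval ${chain}_synparams=$synparams` on an unquoted right-hand side; the policy file is presumably root-owned, but a stray shell metacharacter in those columns would be executed rather than stored, so the escaped-quote form this commit already uses for `eval ${interface}_options=\"$options\"` in validate_interfaces_file is the safer pattern for all three.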
|