More [re]start speedups

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@355 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-12-07 03:21:32 +00:00
parent 2528043867
commit 14b0682723


@ -347,21 +347,6 @@ flushnat() # $1 = name of chain
run_iptables -t nat -F $1 run_iptables -t nat -F $1
} }
#
# Find interfaces to a given zone
#
# Read the interfaces file and for each record matching the passed ZONE,
# echo the expanded contents of the "INTERFACE" column
#
find_interfaces() # $1 = interface zone
{
local zne=$1
while read z interface subnet options; do
[ "x`expand $z`" = "x$zne" ] && echo `expand $interface`
done < $TMP_DIR/interfaces
}
# #
# Chain name base for an interface # Chain name base for an interface
# #
@ -372,6 +357,25 @@ chain_base() #$1 = interface
echo ${c:=common} echo ${c:=common}
} }
#
# Find interfaces to a given zone
#
# Search the variables representing the contents of the interfaces file and
# for each record matching the passed ZONE, echo the expanded contents of
# the "INTERFACE" column
#
find_interfaces() # $1 = interface zone
{
local zne=$1
local z
local interface
for interface in $all_interfaces; do
eval z=\$`chain_base ${interface}`_zone
[ "x${z}" = x${zne} ] && echo $interface
done
}
# #
# Forward Chain for an interface # Forward Chain for an interface
# #
@ -562,7 +566,12 @@ validate_interfaces_file() {
while read z interface subnet options; do while read z interface subnet options; do
expandv z interface subnet options expandv z interface subnet options
r="$z $interface $subnet $options" r="$z $interface $subnet $options"
[ "x$z" = "x-" ] || validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
[ "x$z" = "x-" ] && z=
if [ -n "$z" ]; then
validate_zone $z || startup_error "Invalid zone ($z) in record \"$r\""
fi
[ "x$interface" = "xlo" ] && \ [ "x$interface" = "xlo" ] && \
startup_error "Error: The loopback interface (lo) may not be defined in /etc/shorewall/interfaces" startup_error "Error: The loopback interface (lo) may not be defined in /etc/shorewall/interfaces"
@ -571,6 +580,12 @@ validate_interfaces_file() {
startup_error "Error: Duplicate Interface $interface" startup_error "Error: Duplicate Interface $interface"
all_interfaces="$all_interfaces $interface" all_interfaces="$all_interfaces $interface"
options=`separate_list $options`
interface=`chain_base $interface`
eval ${interface}_broadcast="$subnet"
eval ${interface}_zone="$z"
eval ${interface}_options=\"$options\"
for option in `separate_list $options`; do for option in `separate_list $options`; do
case $option in case $option in
@ -946,12 +961,26 @@ validate_rules() # $1 = name of rules file
# #
validate_policy() validate_policy()
{ {
local clientwild
local serverwild
local zone
local zone1
local pc
local chain
all_policy_chains=
strip_file policy $policy strip_file policy $policy
while read client server policy loglevel synparams; do while read client server policy loglevel synparams; do
expandv client server policy loglevel synparams expandv client server policy loglevel synparams
clientwild=
serverwild=
case "$client" in case "$client" in
all|ALL) all|ALL)
clientwild=Yes
;; ;;
*) *)
if ! validate_zone $client; then if ! validate_zone $client; then
@ -961,6 +990,7 @@ validate_policy()
case "$server" in case "$server" in
all|ALL) all|ALL)
serverwild=Yes
;; ;;
*) *)
if ! validate_zone $server; then if ! validate_zone $server; then
@ -985,7 +1015,45 @@ validate_policy()
startup_error "Error: Duplicate policy $policy" startup_error "Error: Duplicate policy $policy"
fi fi
eval ${client}2${server}_is_policy=Yes [ "x$loglevel" = "x-" ] && loglevel=
chain=${client}2${server}
all_policy_chains="$all_policy_chains $chain"
eval ${chain}_is_policy=Yes
eval ${chain}_policy=$policy
eval ${chain}_loglevel=$loglevel
eval ${chain}_synparams=$synparams
if [ -n "${clientwild}" ]; then
if [ -n "${serverwild}" ]; then
for zone in $zones $FW; do
for zone1 in $zones $FW; do
eval pc=\$${zone}2${zone1}_policychain
[ -n "$pc" ] || \
eval ${zone}2${zone1}_policychain=$chain
done
done
else
for zone in $zones $FW; do
eval pc=\$${zone}2${server}_policychain
[ -n "$pc" ] || \
eval ${zone}2${server}_policychain=$chain
done
fi
elif [ -n "$serverwild" ]; then
for zone in $zones $FW; do
eval pc=\$${client}2${zone}_policychain
[ -n "$pc" ] || \
eval ${client}2${zone}_policychain=$chain
done
else
eval ${chain}_policychain=${chain}
fi
done < $TMP_DIR/policy done < $TMP_DIR/policy
} }
@ -994,8 +1062,9 @@ validate_policy()
# Find broadcast addresses # Find broadcast addresses
# #
find_broadcasts() { find_broadcasts() {
while read z interface bcast options; do for interface in $all_interfaces; do
expandv interface bcast interface=`chain_base $interface`
eval bcast=\$${interface}_broadcast
if [ "x$bcast" = "xdetect" ]; then if [ "x$bcast" = "xdetect" ]; then
addr="`ip addr show $interface 2> /dev/null`" addr="`ip addr show $interface 2> /dev/null`"
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
@ -1006,7 +1075,7 @@ find_broadcasts() {
elif [ "x${bcast}" != "x-" ]; then elif [ "x${bcast}" != "x-" ]; then
echo `separate_list $bcast` echo `separate_list $bcast`
fi fi
done < $TMP_DIR/interfaces done
} }
# #
@ -1014,23 +1083,19 @@ find_broadcasts() {
# #
find_interface_broadcasts() # $1 = Interface name find_interface_broadcasts() # $1 = Interface name
{ {
while read z interface bcast options; do eval bcast=\$${1}_broadcast
expandv interface bcast
if [ "$interface" = "$1" ]; then
if [ "x$bcast" = "xdetect" ]; then
addr="`ip addr show $interface 2> /dev/null`"
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
addr="`echo "$addr" | \
grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
echo $addr | cut -d' ' -f 1
fi
elif [ "x${bcast}" != "x-" ]; then
echo `separate_list $bcast`
fi
return if [ "x$bcast" = "xdetect" ]; then
addr="`ip addr show $interface 2> /dev/null`"
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
addr="`echo "$addr" | \
grep "inet " | sed 's/^.* inet.*brd //;s/scope.*//'`"
echo $addr | cut -d' ' -f 1
fi fi
done < $TMP_DIR/interfaces elif [ "x${bcast}" != "x-" ]; then
echo `separate_list $bcast`
fi
} }
# #
@ -1059,11 +1124,10 @@ find_interface_address() # $1 = interface
# #
find_interfaces_by_option() # $1 = option find_interfaces_by_option() # $1 = option
{ {
while read ignore interface subnet options; do for interface in $all_interfaces; do
expandv options eval options=\$`chain_base ${interface}`_options
list_search $1 `separate_list $options` && \ list_search $1 $options && echo $interface
echo `expand $interface` done
done < $TMP_DIR/interfaces
} }
# #
@ -1077,11 +1141,11 @@ find_hosts_by_option() # $1 = option
echo `expand $hosts` echo `expand $hosts`
done < $TMP_DIR/hosts done < $TMP_DIR/hosts
while read ignore interface ignore1 options; do for interface in $all_interfaces; do
expandv options eval options=\$`chain_base ${interface}`_options
list_search $1 `separate_list $options` && \ list_search $options && \
echo `expand $interface`:0.0.0.0/0 echo ${interface}:0.0.0.0/0
done < $TMP_DIR/interfaces done
} }
# #
@ -1092,12 +1156,17 @@ find_hosts_by_option() # $1 = option
have_interfaces_in_zone_with_option() # $1 = zone, $2 = option have_interfaces_in_zone_with_option() # $1 = zone, $2 = option
{ {
local zne=$1 local zne=$1
local z
local interface
while read z interface broadcast options; do for interface in $all_interfaces; do
[ "x`expand $z`" = "x$zne" ] && expandv options && \ eval z=\$`chain_base ${interface}`_zone
list_search $1 `separate_list $options` && \
[ "x$z" = "x$zne" ] && \
list_search $1 $options && \
return 0 return 0
done < $TMP_DIR/interfaces done
return 1 return 1
} }
@ -2576,13 +2645,15 @@ default_policy() # $1 = client $2 = server
apply_default() apply_default()
{ {
#
# Generate policy file column values from the policy chain
#
eval policy=\$${chain1}_policy
eval loglevel=\$${chain1}_loglevel
eval synparams=\$${chain1}_synparams
# #
# Add the appropriate rules to the canonical chain ($chain) to enforce # Add the appropriate rules to the canonical chain ($chain) to enforce
# the specified policy # the specified policy
#
# Construct policy chain name
#
chain1=${client}2${server}
if [ "$chain" = "$chain1" ]; then if [ "$chain" = "$chain1" ]; then
# #
@ -2636,27 +2707,13 @@ default_policy() # $1 = client $2 = server
echo " Policy $policy for $1 to $2 using chain $chain" echo " Policy $policy for $1 to $2 using chain $chain"
} }
while read client server policy loglevel synparams; do eval chain1=\$${1}2${2}_policychain
expandv client server policy loglevel synparams
case "$client" in
all|ALL)
if [ "$server" = "$2" -o "$server" = "all" ]; then
apply_default $1 $2
return
fi
;;
*)
if [ "$client" = "$1" ] && \
[ "$server" = "all" -o "$server" = "$2" ]
then
apply_default $1 $2
return
fi
;;
esac
done < $TMP_DIR/policy
fatal_error "Error: No default policy for zone $1 to zone $2" if [ -n "$chain1" ]; then
apply_default $1 $2
else
fatal_error "Error: No default policy for zone $1 to zone $2"
fi
} }
# #
@ -2672,33 +2729,20 @@ complete_standard_chain() # $1 = chain, $2 = source zone, $3 = destination zone
{ {
local policy= local policy=
local loglevel= local loglevel=
local policychain=
run_user_exit $1 run_user_exit $1
while read client server policy loglevel synparams; do eval policychain=\$${2}2${3}_policychain
expandv client server policy loglevel synparams
[ "x$loglevel" = "x-" ] && loglevel= if [ -n "$policychain" ]; then
eval policy=\$${policychain}_policy
eval loglevel=\$${policychain}_loglevel
case "$client" in policy_rules $1 $policy $loglevel
all|ALL) else
if [ "$server" = "$3" -o "$server" = "all" ]; then policy_rules $1 DROP INFO
policy_rules $1 $policy $loglevel fi
return
fi
;;
*)
if [ "$client" = "$2" ] && \
[ "$server" = "all" -o "$server" = "$3" ]
then
policy_rules $1 $policy $loglevel
return
fi
;;
esac
done < $TMP_DIR/policy
policy_rules $1 DROP INFO
} }
# #
@ -2714,23 +2758,9 @@ rules_chain() # $1 = source zone, $2 = destination zone
havechain $chain && { echo $chain; return; } havechain $chain && { echo $chain; return; }
while read client server policy loglevel ; do eval chain=\$${chain}_policychain
expandv client server policy loglevel
case "$client" in [ -n "$chain" ] && { echo $chain; return; }
all|ALL)
if [ "$server" = "$2" -o "$server" = "all" ]; then
echo all2${server}
return
fi
;;
*)
if [ "$client" = "$1" -a "$server" = "all" ]; then
echo ${client}2${server}
return
fi
;;
esac
done < $TMP_DIR/policy
fatal_error "Error: No appropriate chain for zone $1 to zone $2" fatal_error "Error: No appropriate chain for zone $1 to zone $2"
} }
@ -3471,10 +3501,10 @@ apply_policy_rules() {
# #
# Create policy chains # Create policy chains
# #
while read client server policy loglevel synparams; do for chain in $all_policy_chains; do
expandv client server policy loglevel synparams eval policy=\$${chain}_policy
eval loglevel=\$${chain}_loglevel
chain=${client}2${server} eval synparams=\$${chain}_synparams
[ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams [ -n "$synparams" ] && setup_syn_flood_chain $chain $synparams
@ -3500,15 +3530,18 @@ apply_policy_rules() {
# Otherwise, this is a canonical chain which will be handled in # Otherwise, this is a canonical chain which will be handled in
# the for loop below # the for loop below
# #
[ "$client" = "all" -o "$server" = "all" ] && \ case $chain in
policy_rules $chain $policy $loglevel all2*|*2all)
policy_rules $chain $policy $loglevel
;;
esac
[ -n "$synparams" ] && \ [ -n "$synparams" ] && \
[ $policy = ACCEPT -o $policy = CONTINUE ] && \ [ $policy = ACCEPT -o $policy = CONTINUE ] && \
run_iptables -I $chain 2 -p tcp --syn -j @$chain run_iptables -I $chain 2 -p tcp --syn -j @$chain
fi fi
done < $TMP_DIR/policy done
# #
# Add policy rules to canonical chains # Add policy rules to canonical chains
# #
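Review bot: In the find_hosts_by_option hunk (@ -1077,11 +1141,11) the rewritten interface loop drops the option argument: `list_search $options && \` no longer passes `$1`, while the parallel rewrites in find_interfaces_by_option and have_interfaces_in_zone_with_option call `list_search $1 $options`, so this loop would match on the first option name instead of the requested one; it should read `list_search $1 $options && \`. The find_interface_broadcasts hunk in the same section has a related slip: after replacing the `read` loop with `eval bcast=\$${1}_broadcast`, the detect branch still runs `ip addr show $interface`, but nothing in the new body assigns `interface`, so it depends on whatever that global happens to hold, whereas the old code compared `$interface` to `$1` before using it; `ip addr show $1` preserves the old behaviour. Note also that find_broadcasts now reassigns `interface` to its chain_base form before calling `ip addr show $interface`, so the name handed to ip is the transformed one rather than the name read from the interfaces file; whether they differ depends on chain_base, whose body is outside the hunk. list_search's definition is likewise outside SOURCE, so its argument order is inferred from the other call sites in this commit.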