From 370d61970a8f7867f7cf10f4475ba8297d4e6e7b Mon Sep 17 00:00:00 2001
From: teastep
Date: Thu, 11 Aug 2005 19:53:07 +0000
Subject: [PATCH] Add FASTACCEPT option to accept ESTABLISHED/RELATED packets early

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2474 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 2 ++
 Shorewall/firewall | 13 ++++++++-----
 Shorewall/policy | 4 ++++
 Shorewall/releasenotes.txt | 13 +++++++++++++
 Shorewall/shorewall.conf | 15 +++++++++++++++
 5 files changed, 42 insertions(+), 5 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index b3ebcee8b..6e0f8abe4 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -12,6 +12,8 @@ Changes in 2.5.1
 6) Don't generate redundant ACCEPT rules for DNAT/REDIRECT/SAME
+7) Add FASTACCEPT option in shorewall.conf.
+
 Changes in 2.5.1ex/2.5.0
 1) Clean up handling of zones
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 3425f53e0..254aca273 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -1425,6 +1425,8 @@ validate_policy()
 case $policy in
 *:*)
+ [ -n "$FASTACCEPT" ] && \
+ startup_error "ESTABLISHED policy may not be specified with FASTACCEPT=Yes in shorewall.conf"
 epolicy=${policy#*:}
 policy=${policy%:*}
@@ -1432,7 +1434,7 @@ validate_policy()
 ACCEPT|QUEUE)
 ;;
 *)
- startup_error " $client $server $policy $loglevel $synparams: Invalid ESTABLISHED/RELATED policy: $epolicy"
+ startup_error "$client $server $policy $loglevel $synparams: Invalid ESTABLISHED policy: $epolicy"
 ;;
 esac
 ;;
@@ -3414,7 +3416,7 @@ setup_accounting() # $1 = Name of accounting file
 if havechain accounting; then
 for chain in INPUT FORWARD OUTPUT; do
- run_iptables -A $chain -j accounting
+ run_iptables -I $chain -j accounting
 done
 fi
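Review bot: The startup_error added in validate_policy reports the FASTACCEPT conflict without naming the offending policy entry, while the existing error a few lines below prefixes its message with `$client $server $policy $loglevel $synparams:`; an administrator with several ESTABLISHED policies has to search the file by hand. Prefix the new message the same way: `startup_error "$client $server $policy $loglevel $synparams: ESTABLISHED policy may not be specified with FASTACCEPT=Yes in shorewall.conf"`. validate_policy's body continues outside the hunk.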
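Review bot: The switch from `-A` to `-I` for the accounting jump in setup_accounting carries no comment, and nothing in the hunk says why the rule must now be at the head of INPUT/FORWARD/OUTPUT. It looks intended to keep accounting ahead of the early ESTABLISHED/RELATED ACCEPT that FASTACCEPT now leaves in those chains (see the activate_rules hunk), since packets accepted there would otherwise never be counted, but the final position still depends on which other `-I` calls run after setup_accounting, which is not visible here. A why-comment on the new line would save the next reader the same reconstruction, e.g. `# -I, not -A: accounting must precede the early ESTABLISHED/RELATED ACCEPT kept when FASTACCEPT=Yes (confirm ordering against other -I rules)`.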
@@ -5839,7 +5841,7 @@ policy_rules() # $1 = chain to add rules to
 {
 local target="$2"
- case $3 in
+ [ -n "$FASTACCEPT" ] || case $3 in
 QUEUE)
 run_iptables -I $1 -m state --state RELATED -j ACCEPT
 run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE
@@ -5903,7 +5905,7 @@ default_policy() # $1 = client $2 = server
 # Add a jump to from the canonical chain to the policy chain. On return,
 # $chain is set to the name of the policy chain
 #
- case $epolicy in
+ [ -n "$FASTACCEPT" ] || case $epolicy in
 QUEUE)
 run_iptables -I $chain -m state --state RELATED -j ACCEPT
 run_iptables -I $chain -m state --state ESTABLISHED -j QUEUE
@@ -7808,7 +7810,7 @@ activate_rules()
 disable_critical_hosts
 for chain in INPUT OUTPUT FORWARD; do
- run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
+ [ -n "$FASTACCEPT" ] || run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
 run_iptables -D $chain -p udp --dport 53 -j ACCEPT
 done
@@ -8690,6 +8692,7 @@ do_initialize() {
 RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
 SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
 MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
+ FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)
 case ${IPSECFILE:=ipsec} in
 ipsec|zones)
diff --git a/Shorewall/policy b/Shorewall/policy
index 079634fcc..815c4aaf4 100644
--- a/Shorewall/policy
+++ b/Shorewall/policy
@@ -61,6 +61,10 @@
 # default) and QUEUE (to queue the packet to a
 # user-space filter like Snort Inline).
 #
+# WARNING: You may not specify an ESTABLISHED policy if
+# you have set FASTACCEPT=Yes in
+# /etc/shorewall/shorewall.conf.
+#
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
 # log message is generated. See syslog.conf(5) for a
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 2615cfc2e..2f4b89c6f 100755
--- a/Shorewall/releasenotes.txt
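Review bot: With FASTACCEPT set, the guard on `case $3 in` in policy_rules (and the same guard on `case $epolicy in` in the default_policy hunk) skips the QUEUE branch that sends ESTABLISHED packets to QUEUE, and the release notes say those packets are instead ACCEPTed early in INPUT/FORWARD/OUTPUT, so a QUEUE policy then hands the user-space filter only the first packet of each connection; the rest of the flow bypasses inspection. validate_policy only rejects the explicit `*:*` ESTABLISHED form, so a plain QUEUE policy is accepted silently with this reduced coverage. Either document it next to the FASTACCEPT setting, e.g. `# With FASTACCEPT=Yes, QUEUE policies see only the first packet of each connection; ESTABLISHED/RELATED packets are ACCEPTed before reaching the policy chain.`, or have validate_policy refuse QUEUE together with FASTACCEPT. As a matter of style, `[ -n "$FASTACCEPT" ] || case ... esac` is legal but easy to misread as guarding only the first line; `if [ -z "$FASTACCEPT" ]; then ... fi` around the whole case would be clearer, though the closing `esac` of both case statements lies outside these hunks.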
+++ b/Shorewall/releasenotes.txt
@@ -315,3 +315,16 @@ New Features in Shorewall 2.5.0
 ACCEPT loc all tcp 22
 does not.
+
+8) A new FASTACCEPT option has been added to shorewall.conf.
+
+ Normally, Shorewall accepting ESTABLISHED/RELATED packets until
+ these packets reach the chain in which the original connection was
+ accepted. So for packets going from the 'loc' zone to the 'net'
+ zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net'
+ chain.
+
+ If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
+ accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
+ FASTACCEPT=Yes then you may not specify ESTABLISHED policies in
+ /etc/shorewall/policy (see above).
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index 81756adbf..ab13a2f1f 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@@ -803,6 +803,21 @@ SAVE_IPSETS=No
 MAPOLDACTIONS=No
+#
+# Fast ESTABLISHED/RELATED handling
+#
+# Normally, Shorewall accepting ESTABLISHED/RELATED packets until these packets
+# reach the chain in which the original connection was accepted. So for packets
+# going from the 'loc' zone to the 'net' zone, ESTABLISHED/RELATED packets are
+# ACCEPTED in the 'loc2net' chain.
+#
+# If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are accepted
+# early in the INPUT, FORWARD and OUTPUT chains. If you set
+# FASTACCEPT=Yes then you may not specify ESTABLISHED policies in
+# /etc/shorewall/policy.
+
+FASTACCEPT=No
+
 ###############################################################################
 # P A C K E T D I S P O S I T I O N
 ###############################################################################
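Review bot: The comment block added above `FASTACCEPT=No` has two defects that will ship in every installed shorewall.conf: the first sentence is missing its verb (`Normally, Shorewall accepting ESTABLISHED/RELATED packets until ...`), and `ESTABLISHED/RELEATED` is misspelled; the same two errors are duplicated in the releasenotes.txt hunk. From the surrounding text the intended reading is `# Normally, Shorewall does not accept ESTABLISHED/RELATED packets until these packets` and `# If you set FASTACCEPT=Yes, then ESTABLISHED/RELATED packets are accepted`. It would also help administrators to state that the ESTABLISHED-policy conflict is caught at startup (the firewall hunk calls startup_error) rather than silently ignored.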