Add FASTACCEPT option to accept ESTABLISHED/RELATED packets early

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2474 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2005-08-11 19:53:07 +00:00 · 2005-08-11 19:53:07 +00:00 · 370d61970a
commit 370d61970a
parent 946a464437
5 changed files with 42 additions and 5 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -12,6 +12,8 @@ Changes in 2.5.1

 6) Don't generate redundant ACCEPT rules for DNAT/REDIRECT/SAME

+7) Add FASTACCEPT option in shorewall.conf.
+
 Changes in 2.5.1ex/2.5.0

 1) Clean up handling of zones
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -1425,6 +1425,8 @@ validate_policy()

 	case $policy in
 	    *:*)
+		[ -n "$FASTACCEPT" ] && \
+		    startup_error "ESTABLISHED policy may not be specified with FASTACCEPT=Yes in shorewall.conf"
 		epolicy=${policy#*:}
 		policy=${policy%:*}

@ -1432,7 +1434,7 @@ validate_policy()
 		    ACCEPT|QUEUE)
 			;;
 		    *)
-			startup_error " $client $server $policy $loglevel $synparams: Invalid ESTABLISHED/RELATED policy: $epolicy"
+			startup_error "$client $server $policy $loglevel $synparams: Invalid ESTABLISHED policy: $epolicy"
 			;;
 		esac
 		;;
@ -3414,7 +3416,7 @@ setup_accounting() # $1 = Name of accounting file

    if havechain accounting; then
 	for chain in INPUT FORWARD OUTPUT; do
-	    run_iptables -A $chain -j accounting
+	    run_iptables -I $chain -j accounting
 	done
    fi

@ -5839,7 +5841,7 @@ policy_rules() # $1 = chain to add rules to
 {
    local target="$2"

-    case $3 in
+    [ -n "$FASTACCEPT" ] || case $3 in
 	QUEUE)
 	    run_iptables -I $1 -m state --state RELATED -j ACCEPT
 	    run_iptables -I $1 -m state --state ESTABLISHED -j QUEUE
@ -5903,7 +5905,7 @@ default_policy() # $1 = client $2 = server
 	# Add a jump to from the canonical chain to the policy chain. On return,
 	# $chain is set to the name of the policy chain
 	#
-	case $epolicy in
+	[ -n "$FASTACCEPT" ] || case $epolicy in
 	    QUEUE)
 		run_iptables -I $chain -m state --state RELATED -j ACCEPT
 		run_iptables -I $chain -m state --state ESTABLISHED -j QUEUE
@ -7808,7 +7810,7 @@ activate_rules()
    disable_critical_hosts

    for chain in INPUT OUTPUT FORWARD; do
-	run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
+	[ -n "$FASTACCEPT" ] || run_iptables -D $chain -m state --state ESTABLISHED,RELATED -j ACCEPT
 	run_iptables -D $chain -p udp --dport 53 -j ACCEPT
    done

@ -8690,6 +8692,7 @@ do_initialize() {
    RFC1918_STRICT=$(added_param_value_no RFC1918_STRICT $RFC1918_STRICT)
    SAVE_IPSETS=$(added_param_value_no SAVE_IPSETS $SAVE_IPSETS)
    MAPOLDACTIONS=$(added_param_value_yes MAPOLDACTIONS $MAPOLDACTIONS)
+    FASTACCEPT=$(added_param_value_no FASTACCEPT $FASTACCEPT)

    case ${IPSECFILE:=ipsec} in
 	ipsec|zones)
--- a/Shorewall/policy
+++ b/Shorewall/policy
@ -61,6 +61,10 @@
 #			default) and QUEUE (to queue the packet to a
 #			user-space filter like Snort Inline).
 #
+#			WARNING: You may not specify an ESTABLISHED policy if
+#			you have set FASTACCEPT=Yes in
+#			/etc/shorewall/shorewall.conf.
+#
 #	LOG LEVEL	If supplied, each connection handled under the default
 #			POLICY is logged at that level. If not supplied, no
 #			log message is generated. See syslog.conf(5) for a
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -315,3 +315,16 @@ New Features in Shorewall 2.5.0
 	 ACCEPT     loc		 all	 tcp	   22
 	
    does not.
+
+8)  A new FASTACCEPT option has been added to shorewall.conf.
+
+    Normally, Shorewall accepting ESTABLISHED/RELATED packets until
+    these packets reach the chain in which the original connection was
+    accepted. So for packets going from the 'loc' zone to the 'net'
+    zone, ESTABLISHED/RELATED packets are ACCEPTED in the 'loc2net'
+    chain.
+
+    If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are
+    accepted early in the INPUT, FORWARD and OUTPUT chains. If you set
+    FASTACCEPT=Yes then you may not specify ESTABLISHED policies in 
+    /etc/shorewall/policy (see above).
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
@ -803,6 +803,21 @@ SAVE_IPSETS=No

 MAPOLDACTIONS=No

+#
+# Fast ESTABLISHED/RELATED handling
+#
+# Normally, Shorewall accepting ESTABLISHED/RELATED packets until these packets
+# reach the chain in which the original connection was accepted. So for packets
+# going from the 'loc' zone to the 'net' zone, ESTABLISHED/RELATED packets are
+# ACCEPTED in the 'loc2net' chain.
+#
+# If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets are accepted 
+# early in the INPUT, FORWARD and OUTPUT chains. If you set
+# FASTACCEPT=Yes then you may not specify ESTABLISHED policies in 
+# /etc/shorewall/policy.
+
+FASTACCEPT=No
+
 ###############################################################################
 #			P A C K E T   D I S P O S I T I O N
 ###############################################################################