Add intermediate input chain for complex zones
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@523 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
1a36e13f8c
commit
886ad1e547
@ -1,9 +1,7 @@
|
||||
Changes since 1.4.0
|
||||
Changes since 1.4.1
|
||||
|
||||
1. Implement NONE policy.
|
||||
1. Re-order steps in the 'check' command so that the policy file is
|
||||
checked before the rules file.
|
||||
|
||||
2. Never create rules for <iface>:<subnet> to itself.
|
||||
|
||||
3. Always allow intrazone traffic.
|
||||
|
||||
4. Correct building of ECN interface list under ash.
|
||||
2. Create an intermediate chain for input from zones defined in terms
|
||||
of specific hosts or networks.
|
||||
|
@ -542,6 +542,9 @@ determine_hosts() {
|
||||
interfaces="$interfaces $interface"
|
||||
fi
|
||||
fi
|
||||
|
||||
[ "${host#*:}" = "0.0.0.0/0" ] || \
|
||||
eval ${zone}_is_constrained=Yes
|
||||
done
|
||||
|
||||
eval ${zone}_interfaces="\$interfaces"
|
||||
@ -3661,6 +3664,13 @@ activate_rules()
|
||||
chain1=`rules_chain $FW $zone`
|
||||
chain2=`rules_chain $zone $FW`
|
||||
|
||||
eval constrained=\$${zone}_is_constrained
|
||||
|
||||
if [ -n "$constrained" ]; then
|
||||
frwd_chain=${zone}_frwd
|
||||
createchain $frwd_chain No
|
||||
fi
|
||||
|
||||
echo "$FW $zone $chain1" >> ${STATEDIR}/chains
|
||||
echo "$zone $FW $chain2" >> ${STATEDIR}/chains
|
||||
|
||||
@ -3678,6 +3688,8 @@ activate_rules()
|
||||
|
||||
run_iptables -A `input_chain $interface` -s $subnet -j $chain2
|
||||
|
||||
[ -n "$constrained" ] && \
|
||||
run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
|
||||
done
|
||||
|
||||
for zone1 in $zones; do
|
||||
@ -3694,15 +3706,21 @@ activate_rules()
|
||||
|
||||
for host in $source_hosts; do
|
||||
interface=${host%:*}
|
||||
subnet=${host#*:}
|
||||
chain1=`forward_chain $interface`
|
||||
|
||||
if [ -n "$constrained" ]; then
|
||||
chain1=$frwd_chain
|
||||
subnet=
|
||||
else
|
||||
chain1=`forward_chain $interface`
|
||||
subnet="-s ${host#*:}"
|
||||
fi
|
||||
|
||||
for host1 in $dest_hosts; do
|
||||
interface1=${host1%:*}
|
||||
subnet1=${host1#*:}
|
||||
|
||||
if [ "$host" != "$host1" ]; then
|
||||
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
|
||||
run_iptables -A $chain1 $subnet -o $interface1 -d $subnet1 -j $chain
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
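Review bot: The `if [ -n "$constrained" ]` branch in the hunk at new line 3706 reuses `constrained` and `frwd_chain` from the eval added at new line 3664, and nothing in the visible lines re-evaluates them for the source zone of the `for zone1 in $zones` loop; this is only correct if that loop is nested inside the same `for zone` iteration and `zone` is the source of `$source_hosts`, which cannot be confirmed from the hunks (activate_rules() starts and ends outside them). Re-running `eval constrained=\$${zone}_is_constrained` just before `for host in $source_hosts` would make the dependency explicit and robust against later reordering. The constrained branch also sets `subnet=` so the rules appended to `$frwd_chain` carry no `-s` match; that is sound only because the hunk at new line 3688 steers packets into `$frwd_chain` with `-s $subnet` from the interface's forward chain, and a comment such as `# no -s match here: ${zone}_frwd is only reached via per-host -s jumps from forward_chain` would record that invariant where a future edit is most likely to break it. Finally, `${zone}_is_constrained` is set whenever any hosts entry is not literally `0.0.0.0/0`, so an equivalent spelling such as `0/0` would still mark the zone constrained; harmless, but worth a one-line comment on the test at new line 545.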
@ -1,19 +1,11 @@
|
||||
This is a minor release of Shorewall.
|
||||
|
||||
This release introduces incompatibilities with prior releases. See
|
||||
http://www.shorewall.net/upgrade_issues.htm.
|
||||
|
||||
Changes are:
|
||||
|
||||
a) There is now a new NONE policy specifiable in
|
||||
/etc/shorewall/policy. This policy will cause Shorewall to assume that
|
||||
there will never be any traffic between the source and destination
|
||||
zones.
|
||||
|
||||
b) Shorewall no longer creates rules to govern traffic from an
|
||||
interface:subnet to itself.
|
||||
|
||||
c) Intra-zone traffic is always accepted now (exception is (b)
|
||||
above).. Intrazone policies and rules are no longer allowed.
|
||||
a) Where an entry in the/etc/shorewall/hosts file specifies a
|
||||
particular host or network, Shorewall now creates an intermediate
|
||||
chain for handling input from the related zone. This can
|
||||
substantially reduce the number of rules traversed by connections
|
||||
requests from such zones.
|
||||
|
||||
|
||||
|