From 886ad1e547c729a09706bfe31112b659e1cbd1f1 Mon Sep 17 00:00:00 2001
From: teastep
Date: Mon, 24 Mar 2003 21:01:53 +0000
Subject: [PATCH] Add intermediate input chain for complex zones

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@523 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 12 +++++------
 Shorewall/firewall | 24 +++++++++++++++++++++---
 Shorewall/releasenotes.txt | 18 +++++------------
 3 files changed, 31 insertions(+), 23 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index f47da6b25..803e76cd6 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,9 +1,7 @@
-Changes since 1.4.0
+Changes since 1.4.1
-1. Implement NONE policy.
+1. Re-order steps in the 'check' command so that the policy file is
+   checked before the rules file.
-2. Never create rules for : to itself.
-
-3. Always allow intrazone traffic.
-
-4. Correct building of ECN interface list under ash.
+2. Create an intermediate chain for input from zones defined in terms
+   of specific hosts or networks.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 43383b4a0..5f1775b12 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -542,6 +542,9 @@ determine_hosts() {
 interfaces="$interfaces $interface"
 fi
 fi
+
+ [ "${host#*:}" = "0.0.0.0/0" ] || \
+ eval ${zone}_is_constrained=Yes
 done
 eval ${zone}_interfaces="\$interfaces"
@@ -3661,6 +3664,13 @@ activate_rules()
 chain1=`rules_chain $FW $zone`
 chain2=`rules_chain $zone $FW`
+ eval constrained=\$${zone}_is_constrained
+ if [ -n "$constrained" ]; then
+ frwd_chain=${zone}_frwd
+ createchain $frwd_chain No
+ fi
+
 echo "$FW $zone $chain1" >> ${STATEDIR}/chains
 echo "$zone $FW $chain2" >> ${STATEDIR}/chains
@@ -3678,6 +3688,8 @@ activate_rules()
 run_iptables -A `input_chain $interface` -s $subnet -j $chain2
+ [ -n "$constrained" ] && \
+ run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
 done
 for zone1 in $zones; do
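Review bot: The new `${zone}_is_constrained` flag is set by `eval` with nothing saying what it means or which code consumes it, and the exact-string test `"${host#*:}" = "0.0.0.0/0"` is the only definition of "constrained", so any other spelling of the whole address space in the hosts file (if the file accepts one) would also mark the zone constrained. A comment above the test would make the contract visible to the next reader: `# zone is narrowed to specific hosts/networks; activate_rules routes its forwarded traffic through a ${zone}_frwd chain`. determine_hosts starts and ends outside this hunk.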
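Review bot: `frwd_chain` is assigned only inside the `if [ -n "$constrained" ]` branch, so for an unconstrained zone it still carries the previous zone's chain name into the rest of the loop body; the later uses appear to be guarded by the same test, but nothing in this hunk shows that, and a stale chain name is the kind of value that silently attaches rules to the wrong chain if a guard is ever dropped. Reset it alongside the flag: `frwd_chain=` on the line before the `if`, or an `else frwd_chain=` arm. activate_rules starts and ends outside this hunk.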
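Review bot: `[ -n "$constrained" ] && run_iptables ...` leaves the loop body's last exit status at 1 for every unconstrained zone, which trips `set -e` if this script is ever run under it and misleads any caller that inspects `$?` after the loop; the same condition is written as an `if` in the preceding hunk. Use that form here for consistency and a clean status: `if [ -n "$constrained" ]; then` / `run_iptables -A \`forward_chain $interface\` -s $subnet -j $frwd_chain` / `fi`. The `for host` loop this sits in begins outside the hunk.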
@@ -3694,15 +3706,21 @@ activate_rules()
 for host in $source_hosts; do
 interface=${host%:*}
- subnet=${host#*:}
- chain1=`forward_chain $interface`
+
+ if [ -n "$constrained" ]; then
+ chain1=$frwd_chain
+ subnet=
+ else
+ chain1=`forward_chain $interface`
+ subnet="-s ${host#*:}"
+ fi
 for host1 in $dest_hosts; do
 interface1=${host1%:*}
 subnet1=${host1#*:}
 if [ "$host" != "$host1" ]; then
- run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
+ run_iptables -A $chain1 $subnet -o $interface1 -d $subnet1 -j $chain
 fi
 done
 done
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index fb6bad082..36bdf5c30 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,19 +1,11 @@
 This is a minor release of Shorewall.
-This release introduces incompatibilities with prior releases. See
-http://www.shorewall.net/upgrade_issues.htm.
-
 Changes are:
-a) There is now a new NONE policy specifiable in
-/etc/shorewall/policy. This policy will cause Shorewall to assume that
-there will never be any traffic between the source and destination
-zones.
-
-b) Shorewall no longer creates rules to govern traffic from an
-interface:subnet to itself.
-
-c) Intra-zone traffic is always accepted now (exception is (b)
- above).. Intrazone policies and rules are no longer allowed.
+a) Where an entry in the/etc/shorewall/hosts file specifies a
+ particular host or network, Shorewall now creates an intermediate
+ chain for handling input from the related zone. This can
+ substantially reduce the number of rules traversed by connections
+ requests from such zones.
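Review bot: In the constrained branch the inner loop body no longer depends on `$host` (`chain1=$frwd_chain`, `subnet=`), so for a zone with several source hosts the identical `-o $interface1 -d $subnet1 -j $chain` rule is appended to `$frwd_chain` once per source host, and the `"$host" != "$host1"` test no longer keeps a host's own traffic out of the rule emitted on a sibling host's iteration, because that rule carries no source match at all. Keeping the source match inside the intermediate chain removes both effects while traffic from other zones still bypasses the chain entirely: drop `subnet=`, set `subnet="-s ${host#*:}"` once before the `if` so both branches share it, and leave the `-A $chain1 $subnet ...` line as it is. The enclosing `for zone1` loop and activate_rules continue outside the hunk.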