Add intermediate input chain for complex zones

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@523 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-03-24 21:01:53 +00:00 · 2003-03-24 21:01:53 +00:00 · 886ad1e547
commit 886ad1e547
parent 1a36e13f8c
3 changed files with 31 additions and 23 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,9 +1,7 @@
-Changes since 1.4.0
+Changes since 1.4.1

-1. Implement NONE policy.
+1. Re-order steps in the 'check' command so that the policy file is
+   checked before the rules file.

-2. Never create rules for <iface>:<subnet> to itself.
-
-3. Always allow intrazone traffic.
-
-4. Correct building of ECN interface list under ash.
+2. Create an intermediate chain for input from zones defined in terms
+   of specific hosts or networks.
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -542,6 +542,9 @@ determine_hosts() {
 		    interfaces="$interfaces $interface"
 		fi
 	    fi
+
+	    [ "${host#*:}" = "0.0.0.0/0" ] || \
+		eval ${zone}_is_constrained=Yes
 	done

 	eval ${zone}_interfaces="\$interfaces"
@ -3661,6 +3664,13 @@ activate_rules()
 	chain1=`rules_chain $FW $zone`
 	chain2=`rules_chain $zone $FW`

+	eval constrained=\$${zone}_is_constrained
+
+	if [ -n "$constrained" ]; then
+	    frwd_chain=${zone}_frwd
+	    createchain $frwd_chain No
+	fi
+	    
 	echo "$FW $zone $chain1" >> ${STATEDIR}/chains
 	echo "$zone $FW $chain2" >> ${STATEDIR}/chains

@ -3678,6 +3688,8 @@ activate_rules()

 	    run_iptables -A `input_chain $interface` -s $subnet -j $chain2

+	    [ -n "$constrained" ] && \
+		run_iptables -A `forward_chain $interface` -s $subnet -j $frwd_chain
 	done

 	for zone1 in $zones; do
@ -3694,15 +3706,21 @@ activate_rules()

 	    for host in $source_hosts; do
 		interface=${host%:*}
-		subnet=${host#*:}
-		chain1=`forward_chain $interface`
+
+		if [ -n "$constrained" ]; then
+		    chain1=$frwd_chain
+		    subnet=
+		else
+		    chain1=`forward_chain $interface`
+		    subnet="-s ${host#*:}"
+		fi

 		for host1 in $dest_hosts; do
 		    interface1=${host1%:*}
 		    subnet1=${host1#*:}

 		    if [ "$host" != "$host1" ]; then
-			run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
+			run_iptables -A $chain1 $subnet -o $interface1 -d $subnet1 -j $chain
 		    fi
 		done
 	    done
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,19 +1,11 @@
 This is a minor release of Shorewall.

-This release introduces incompatibilities with prior releases. See
-http://www.shorewall.net/upgrade_issues.htm.
-
 Changes are:

-a) There is now a new NONE policy specifiable in
-/etc/shorewall/policy. This policy will cause Shorewall to assume that
-there will never be any traffic between the source and destination
-zones.
-
-b) Shorewall no longer creates rules to govern traffic from an
-interface:subnet to itself.
-
-c) Intra-zone traffic is always accepted now (exception is (b)
- above).. Intrazone policies and rules are no longer allowed.
+a) Where an entry in the/etc/shorewall/hosts file specifies a
+   particular host or network, Shorewall now creates an intermediate
+   chain for handling input from the related zone. This can
+   substantially reduce the number of rules traversed by connections
+   requests from such zones.