Eliminate Redundant Rules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-09-11 10:17:01 -07:00 · 2014-09-11 10:17:01 -07:00 · 988ee64621
commit 988ee64621
parent 9947f4d968
2 changed files with 18 additions and 12 deletions
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@ -994,7 +994,7 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );

 	    for $chain ( option_chains $interface ) {
@ -1118,7 +1118,8 @@ sub add_common_rules ( $$ ) {
 	for my $hostref  ( @$list ) {
 	    my $interface  = $hostref->[0];
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
-	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
+	    my $ipsec      = $hostref->[1];
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();

 	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
@ -1289,7 +1290,7 @@ sub setup_mac_lists( $ ) {
 	for my $hostref ( @$maclist_hosts ) {
 	    my $interface  = $hostref->[0];
 	    my $ipsec      = $hostref->[1];
-	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
+	    my @policy     = $ipsec && have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];

 	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@ -2121,14 +2121,25 @@ sub have_ipsec() {
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
    my @hosts;
+    my %done;
+
+    for my $interface ( @interfaces ) {
+	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
+	    push @hosts, [ $interface, '', ALLIP , [] ];
+	    $done{$interface} = 1;
+	}
+    }

    for my $zone ( grep ! ( $zones{$_}{type} & FIREWALL ) , @zones ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( my $value = $host->{options}{$option} ) {
-			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+		    my $ipsec = $host->{ipsec};
+		    unless ( $done{$interface} ) { 
+			if ( my $value = $host->{options}{$option} ) {
+			    for my $net ( @{$host->{hosts}} ) {
+				push @hosts, [ $interface, $ipsec , $net , $host->{exclusions}, $value ];
+			    }
 			}
 		    }
 		}
@ -2136,12 +2147,6 @@ sub find_hosts_by_option( $ ) {
 	}
    }

-    for my $interface ( @interfaces ) {
-	if ( ! $interfaces{$interface}{zone} && $interfaces{$interface}{options}{$option} ) {
-	    push @hosts, [ $interface, 'none', ALLIP , [] ];
-	}
-    }
-
    \@hosts;
 }