From ddf788713962a7a2cad87433f8a5bc64d9a0368d Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 15 Dec 2008 16:42:54 +0000 Subject: [PATCH] Continue with optimization rework git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9064 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-perl/Shorewall/Chains.pm | 6 +++--- Shorewall-perl/Shorewall/Rules.pm | 22 ++++++++++++++++------ 2 files changed, 19 insertions(+), 9 deletions(-) diff --git a/Shorewall-perl/Shorewall/Chains.pm b/Shorewall-perl/Shorewall/Chains.pm index 0f88efd43..effe2bdda 100644 --- a/Shorewall-perl/Shorewall/Chains.pm +++ b/Shorewall-perl/Shorewall/Chains.pm @@ -597,7 +597,7 @@ sub use_forward_chain($) { # Interface associated with a single zone -- Must use the interface chain if # the zone has multiple interfaces # - return 1 if keys %{ zone_interfaces( $zone ) } > 1; + $interfaceref->{options}{use_forward_chain} && keys %{ zone_interfaces( $zone ) } > 1; } # @@ -635,8 +635,8 @@ sub use_input_chain($) { # # Interface associated with a single zone -- Must use the interface chain if # the zone has multiple interfaces - # - return 1 if keys %{ zone_interfaces( $zone ) } > 1; + # and this chain has option rules + return 1 if $interfaceref->{options}{use_input_chain} && keys %{ zone_interfaces( $zone ) } > 1; # # Interface associated with a single zone -- use the zone's input chain if it has one # diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm index c87a77a0d..e25db8683 100644 --- a/Shorewall-perl/Shorewall/Rules.pm +++ b/Shorewall-perl/Shorewall/Rules.pm @@ -274,6 +274,8 @@ sub setup_rfc1918_filteration( $ ) { for my $chain ( first_chains $interface ) { add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" ); } + set_interface_option $interface, 'use_input_chain', 1; + set_interface_option $interface, 'use_forward_chain', 1; } } @@ -350,6 +352,9 @@ sub setup_blacklist() { add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst"; } + set_interface_option $interface, 'use_input_chain', 1; + set_interface_option $interface, 'use_forward_chain', 1; + progress_message " Blacklisting enabled on ${interface}:${network}"; } } @@ -587,6 +592,9 @@ sub add_common_rules() { for $chain ( first_chains $interface ) { add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" ); } + + set_interface_option $interface, 'use_input_chain', 1; + set_interface_option $interface, 'use_forward_chain', 1; } } @@ -615,6 +623,7 @@ sub add_common_rules() { my $ports = $family == F_IPV4 ? '67:68' : '546:547'; for $interface ( @$list ) { + set_interface_option $interface, 'use_input_chain', 1; for $chain ( input_chain $interface, output_chain $interface ) { add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT"; } @@ -666,10 +675,13 @@ sub add_common_rules() { add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition"; for my $hostref ( @$list ) { + my $interface = $hostref->[0]; my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : ''; - for $chain ( first_chains $hostref->[0] ) { + for $chain ( first_chains $interface ) { add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2] ), "${policy}-j tcpflags" ); } + set_interface_option $interface, 'use_input_chain', 1; + set_interface_option $interface, 'use_forward_chain', 1; } } @@ -813,6 +825,8 @@ sub setup_mac_lists( $ ) { for my $chain ( first_chains $interface ) { add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target"; } + set_interface_option $interface, 'use_input_chain', 1; + set_interface_option $interface, 'use_forward_chain', 1; } else { add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target"; } @@ -1531,7 +1545,6 @@ sub add_interface_jumps { # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT # for my $interface ( @_ ) { - add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface; add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) if use_input_chain $interface; @@ -1640,12 +1653,11 @@ sub generate_matrix() { next if @zones <= 2 && ! $zoneref->{options}{complex}; my $exclusions = $zoneref->{exclusions}; - my $frwd_ref; + my $frwd_ref = new_standard_chain zone_forward_chain( $zone ); if ( @$exclusions ) { my $in_ref = new_standard_chain zone_input_chain $zone; my $out_ref = new_standard_chain zone_output_chain $zone; - $frwd_ref = new_standard_chain zone_forward_chain( $zone ); add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT'; @@ -1669,7 +1681,6 @@ sub generate_matrix() { if ( use_forward_chain( $interface ) ) { $sourcechainref = $filter_table->{forward_chain $interface}; } else { - $frwd_ref = new_standard_chain zone_forward_chain( $zone ) unless $frwd_ref; $sourcechainref = $filter_table->{FORWARD}; $interfacematch = match_source_dev $interface; move_rules( $filter_table->{forward_chain $interface} , $frwd_ref ); @@ -1680,7 +1691,6 @@ sub generate_matrix() { for my $hostref ( @{$arrayref} ) { my $ipsec_match = match_ipsec_in $zone , $hostref; for my $net ( @{$hostref->{hosts}} ) { - $frwd_ref = new_standard_chain zone_forward_chain( $zone ) unless $frwd_ref; add_jump( $sourcechainref, $frwd_ref,