Continue with optimization rework
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9064 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent
1f7b0990bb
commit
ddf7887139
@ -597,7 +597,7 @@ sub use_forward_chain($) {
|
|||||||
# Interface associated with a single zone -- Must use the interface chain if
|
# Interface associated with a single zone -- Must use the interface chain if
|
||||||
# the zone has multiple interfaces
|
# the zone has multiple interfaces
|
||||||
#
|
#
|
||||||
return 1 if keys %{ zone_interfaces( $zone ) } > 1;
|
$interfaceref->{options}{use_forward_chain} && keys %{ zone_interfaces( $zone ) } > 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
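Review bot: The rewritten line in use_forward_chain, `$interfaceref->{options}{use_forward_chain} && keys %{ zone_interfaces( $zone ) } > 1;`, drops the `return 1 if` that the matching line in use_input_chain keeps (`return 1 if $interfaceref->{options}{use_input_chain} && keys %{ zone_interfaces( $zone ) } > 1;`). If the `}` that follows is the sub's closing brace the expression is still the implicit return value, but if it closes an inner block the statement runs in void context (warnings would likely flag it as useless), the early return is lost, and an interface chain holding option rules would be treated as unused so nothing jumps to it. Writing it as `return 1 if $interfaceref->{options}{use_forward_chain} && keys %{ zone_interfaces( $zone ) } > 1;` removes the ambiguity and makes the two predicates read alike. The comment above it was also left as a bare `#` while use_input_chain's gained `# and this chain has option rules`; the same line belongs here. The body of use_forward_chain starts outside the hunk.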
@ -635,8 +635,8 @@ sub use_input_chain($) {
|
|||||||
#
|
#
|
||||||
# Interface associated with a single zone -- Must use the interface chain if
|
# Interface associated with a single zone -- Must use the interface chain if
|
||||||
# the zone has multiple interfaces
|
# the zone has multiple interfaces
|
||||||
#
|
# and this chain has option rules
|
||||||
return 1 if keys %{ zone_interfaces( $zone ) } > 1;
|
return 1 if $interfaceref->{options}{use_input_chain} && keys %{ zone_interfaces( $zone ) } > 1;
|
||||||
#
|
#
|
||||||
# Interface associated with a single zone -- use the zone's input chain if it has one
|
# Interface associated with a single zone -- use the zone's input chain if it has one
|
||||||
#
|
#
|
||||||
|
@ -274,6 +274,8 @@ sub setup_rfc1918_filteration( $ ) {
|
|||||||
for my $chain ( first_chains $interface ) {
|
for my $chain ( first_chains $interface ) {
|
||||||
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
|
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW ', match_source_net( $hostref->[2]) , "${policy}-j norfc1918" );
|
||||||
}
|
}
|
||||||
|
set_interface_option $interface, 'use_input_chain', 1;
|
||||||
|
set_interface_option $interface, 'use_forward_chain', 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
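Review bot: The pair `set_interface_option $interface, 'use_input_chain', 1;` / `set_interface_option $interface, 'use_forward_chain', 1;` is pasted verbatim after each `for my $chain ( first_chains $interface )` loop, here in setup_rfc1918_filteration and again in setup_blacklist, add_common_rules (twice) and setup_mac_lists. Since use_forward_chain and use_input_chain now consult these options before a jump to the interface chain is generated, any later caller that adds rules through first_chains but omits the two calls leaves those rules in a chain nothing jumps to, so that filtering silently never applies; the coupling is invisible at the call site. A small helper that adds the rule to every first chain and sets both options in one place removes that hazard, and each of the five sites collapses to a single call such as `add_first_chain_rules( $interface, join( '', '-m state --state NEW ', match_source_net( $hostref->[2] ), "${policy}-j norfc1918" ) );`. I have assumed `$filter_table` is file-scoped, as its use inside the loop suggests; the enclosing subs of these hunks begin outside them.
```perl
# Add $rule to each of $interface's first chains and record that the
# interface chains now carry option rules, so that the jumps to them
# from the builtin chains are generated.
sub add_first_chain_rules {
    my ( $interface, $rule ) = @_;
    for my $chain ( first_chains $interface ) {
        add_rule $filter_table->{$chain} , $rule;
    }
    set_interface_option $interface, 'use_input_chain', 1;
    set_interface_option $interface, 'use_forward_chain', 1;
    return;
}
# … unchanged: callers replace the loop plus the two set_interface_option calls with one add_first_chain_rules call …
```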
@ -350,6 +352,9 @@ sub setup_blacklist() {
|
|||||||
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
|
add_rule $filter_table->{$chain} , "${source}${state}${policy}-j blacklst";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_interface_option $interface, 'use_input_chain', 1;
|
||||||
|
set_interface_option $interface, 'use_forward_chain', 1;
|
||||||
|
|
||||||
progress_message " Blacklisting enabled on ${interface}:${network}";
|
progress_message " Blacklisting enabled on ${interface}:${network}";
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -587,6 +592,9 @@ sub add_common_rules() {
|
|||||||
for $chain ( first_chains $interface ) {
|
for $chain ( first_chains $interface ) {
|
||||||
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" );
|
add_rule $filter_table->{$chain} , join( '', '-m state --state NEW,INVALID ', match_source_net( $hostref->[2] ), "${policy}-j smurfs" );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
set_interface_option $interface, 'use_input_chain', 1;
|
||||||
|
set_interface_option $interface, 'use_forward_chain', 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -615,6 +623,7 @@ sub add_common_rules() {
|
|||||||
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
|
my $ports = $family == F_IPV4 ? '67:68' : '546:547';
|
||||||
|
|
||||||
for $interface ( @$list ) {
|
for $interface ( @$list ) {
|
||||||
|
set_interface_option $interface, 'use_input_chain', 1;
|
||||||
for $chain ( input_chain $interface, output_chain $interface ) {
|
for $chain ( input_chain $interface, output_chain $interface ) {
|
||||||
add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
|
add_rule $filter_table->{$chain} , "-p udp --dport $ports -j ACCEPT";
|
||||||
}
|
}
|
||||||
@ -666,10 +675,13 @@ sub add_common_rules() {
|
|||||||
add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition";
|
add_rule $chainref , "-p tcp --syn --sport 0 -j $disposition";
|
||||||
|
|
||||||
for my $hostref ( @$list ) {
|
for my $hostref ( @$list ) {
|
||||||
|
my $interface = $hostref->[0];
|
||||||
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : '';
|
my $policy = $capabilities{POLICY_MATCH} ? "-m policy --pol $hostref->[1] --dir in " : '';
|
||||||
for $chain ( first_chains $hostref->[0] ) {
|
for $chain ( first_chains $interface ) {
|
||||||
add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2] ), "${policy}-j tcpflags" );
|
add_rule $filter_table->{$chain} , join( '', '-p tcp ', match_source_net( $hostref->[2] ), "${policy}-j tcpflags" );
|
||||||
}
|
}
|
||||||
|
set_interface_option $interface, 'use_input_chain', 1;
|
||||||
|
set_interface_option $interface, 'use_forward_chain', 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -813,6 +825,8 @@ sub setup_mac_lists( $ ) {
|
|||||||
for my $chain ( first_chains $interface ) {
|
for my $chain ( first_chains $interface ) {
|
||||||
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
add_rule $filter_table->{$chain} , "${source}-m state --state NEW ${policy}-j $target";
|
||||||
}
|
}
|
||||||
|
set_interface_option $interface, 'use_input_chain', 1;
|
||||||
|
set_interface_option $interface, 'use_forward_chain', 1;
|
||||||
} else {
|
} else {
|
||||||
add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
|
add_rule $mangle_table->{PREROUTING}, match_source_dev( $interface ) . "${source}-m state --state NEW ${policy}-j $target";
|
||||||
}
|
}
|
||||||
@ -1531,7 +1545,6 @@ sub add_interface_jumps {
|
|||||||
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
|
# Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
|
||||||
#
|
#
|
||||||
for my $interface ( @_ ) {
|
for my $interface ( @_ ) {
|
||||||
|
|
||||||
add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface;
|
add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) if use_forward_chain $interface;
|
||||||
add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) if use_input_chain $interface;
|
add_jump( $filter_table->{INPUT} , input_chain $interface , 0, match_source_dev( $interface ) ) if use_input_chain $interface;
|
||||||
|
|
||||||
@ -1640,12 +1653,11 @@ sub generate_matrix() {
|
|||||||
next if @zones <= 2 && ! $zoneref->{options}{complex};
|
next if @zones <= 2 && ! $zoneref->{options}{complex};
|
||||||
|
|
||||||
my $exclusions = $zoneref->{exclusions};
|
my $exclusions = $zoneref->{exclusions};
|
||||||
my $frwd_ref;
|
my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
||||||
|
|
||||||
if ( @$exclusions ) {
|
if ( @$exclusions ) {
|
||||||
my $in_ref = new_standard_chain zone_input_chain $zone;
|
my $in_ref = new_standard_chain zone_input_chain $zone;
|
||||||
my $out_ref = new_standard_chain zone_output_chain $zone;
|
my $out_ref = new_standard_chain zone_output_chain $zone;
|
||||||
$frwd_ref = new_standard_chain zone_forward_chain( $zone );
|
|
||||||
|
|
||||||
add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
|
add_rule ensure_filter_chain( "${zone}2${zone}", 1 ) , '-j ACCEPT' if rules_target( $zone, $zone ) eq 'ACCEPT';
|
||||||
|
|
||||||
@ -1669,7 +1681,6 @@ sub generate_matrix() {
|
|||||||
if ( use_forward_chain( $interface ) ) {
|
if ( use_forward_chain( $interface ) ) {
|
||||||
$sourcechainref = $filter_table->{forward_chain $interface};
|
$sourcechainref = $filter_table->{forward_chain $interface};
|
||||||
} else {
|
} else {
|
||||||
$frwd_ref = new_standard_chain zone_forward_chain( $zone ) unless $frwd_ref;
|
|
||||||
$sourcechainref = $filter_table->{FORWARD};
|
$sourcechainref = $filter_table->{FORWARD};
|
||||||
$interfacematch = match_source_dev $interface;
|
$interfacematch = match_source_dev $interface;
|
||||||
move_rules( $filter_table->{forward_chain $interface} , $frwd_ref );
|
move_rules( $filter_table->{forward_chain $interface} , $frwd_ref );
|
||||||
@ -1680,7 +1691,6 @@ sub generate_matrix() {
|
|||||||
for my $hostref ( @{$arrayref} ) {
|
for my $hostref ( @{$arrayref} ) {
|
||||||
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
my $ipsec_match = match_ipsec_in $zone , $hostref;
|
||||||
for my $net ( @{$hostref->{hosts}} ) {
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
$frwd_ref = new_standard_chain zone_forward_chain( $zone ) unless $frwd_ref;
|
|
||||||
add_jump(
|
add_jump(
|
||||||
$sourcechainref,
|
$sourcechainref,
|
||||||
$frwd_ref,
|
$frwd_ref,
|
||||||
|