Don't create <zone>_frwd when unnecessary

- Set the zone {complex} flag based on ipsec options rather than the presence of any options.
- Generate forwarding blacklist rules in lieu of creating <zone>_frwd

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-09-24 15:25:57 -07:00
parent b5fdb089bc
commit e018ee6adc
2 changed files with 26 additions and 9 deletions


@ -1861,14 +1861,28 @@ sub generate_matrix() {
progress_message2 'Generating Rule Matrix...'; progress_message2 'Generating Rule Matrix...';
# #
# Special processing for complex and blacklisting configurations # Special processing for complex and/or blacklisting configurations
# #
for my $zone ( @zones ) { for my $zone ( @zones ) {
my $zoneref = find_zone( $zone ); my $zoneref = find_zone( $zone );
my $simple = @zones <= 2 && ! $zoneref->{options}{complex};
#
# Handle blacklisting first
#
if ( $zoneref->{options}{in}{blacklist} ) { if ( $zoneref->{options}{in}{blacklist} ) {
my $blackref = $filter_table->{blacklst}; my $blackref = $filter_table->{blacklst};
add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers; add_jump ensure_filter_chain( rules_chain( $zone, $_ ), 1 ) , $blackref , 0, $state, 0, -1 for firewall_zone, @vservers;
if ( $simple ) {
for my $zone1 ( @zones ) {
my $ruleschain = rules_chain( $zone, $zone1 );
my $ruleschainref = $filter_table->{$ruleschain};
if ( ( $zone ne $zone1 || ( $ruleschainref && $ruleschainref->{referenced} ) ) && $ruleschainref->{policy} ne 'NONE' ) {
add_jump( ensure_filter_chain( $ruleschain, 1 ), $blackref, 0, $state, 0, -1 );
}
}
}
} }
if ( $zoneref->{options}{out}{blacklist} ) { if ( $zoneref->{options}{out}{blacklist} ) {
@ -1885,7 +1899,7 @@ sub generate_matrix() {
} }
} }
next if @zones <= 2 && ! $zoneref->{options}{complex}; next if $simple;
# #
# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
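Review bot: In the new `$simple` branch of the `in.blacklist` block, the condition guards `$ruleschainref->{referenced}` with `$ruleschainref &&` but then reads `$ruleschainref->{policy}` unguarded, so a zone pair with no entry in `$filter_table` and `$zone ne $zone1` true evaluates `undef ne 'NONE'`, emits an uninitialized-value warning under `use warnings`, and creates the chain through `ensure_filter_chain`. If every zone pair is guaranteed an entry by the time generate_matrix runs, the left-hand guard is dead and can go; otherwise the same guard belongs on the right, either `&& ( ! $ruleschainref || $ruleschainref->{policy} ne 'NONE' )` or a `next unless $ruleschainref;` before the test, depending on which outcome an unknown pair should get. A one-line comment on why `NONE` pairs are skipped would also help the next reader. generate_matrix starts before this hunk and the `$zoneref->{options}{out}{blacklist}` branch continues past it.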


@ -296,7 +296,7 @@ sub initialize( $ ) {
# => mss = <MSS setting> # => mss = <MSS setting>
# => ipsec = <-m policy arguments to match options> # => ipsec = <-m policy arguments to match options>
# #
sub parse_zone_option_list($$) sub parse_zone_option_list($$\$)
{ {
my %validoptions = ( mss => NUMERIC, my %validoptions = ( mss => NUMERIC,
blacklist => NOTHING, blacklist => NOTHING,
@ -316,7 +316,7 @@ sub parse_zone_option_list($$)
# #
my %key = ( mss => UNRESTRICTED , blacklist => NOFW ); my %key = ( mss => UNRESTRICTED , blacklist => NOFW );
my ( $list, $zonetype ) = @_; my ( $list, $zonetype, $complexref ) = @_;
my %h; my %h;
my $options = ''; my $options = '';
my $fmt; my $fmt;
@ -354,6 +354,7 @@ sub parse_zone_option_list($$)
$options .= $invert; $options .= $invert;
$options .= "--$e "; $options .= "--$e ";
$options .= "$val "if defined $val; $options .= "$val "if defined $val;
$$complexref = 1;
} }
} }
} }
@ -439,13 +440,15 @@ sub process_zone( \$ ) {
} }
} }
my $complex = 0;
my $zoneref = $zones{$zone} = { type => $type, my $zoneref = $zones{$zone} = { type => $type,
parents => \@parents, parents => \@parents,
bridge => '', bridge => '',
options => { in_out => parse_zone_option_list( $options || '', $type ) , options => { in_out => parse_zone_option_list( $options , $type, $complex ) ,
in => parse_zone_option_list( $in_options || '', $type ) , in => parse_zone_option_list( $in_options , $type , $complex ) ,
out => parse_zone_option_list( $out_options || '', $type ) , out => parse_zone_option_list( $out_options , $type , $complex ) ,
complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) , complex => ( $type == IPSEC || $complex ) ,
nested => @parents > 0 , nested => @parents > 0 ,
super => 0 , super => 0 ,
} , } ,
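Review bot: The header comment above `parse_zone_option_list` (the `# => mss` / `# => ipsec` lines) still documents only the returned hash, while the signature now takes a third `\$` out-parameter that the sub writes with `$$complexref = 1` in what appears to be the ipsec-option branch (where `--$e` is appended to `$options`); add a line such as `# Third argument: reference to a scalar that is set to 1 when an ipsec (-m policy) option is seen` so the next reader knows the caller's `$complex` flag is set here. Since the `\$` in the prototype is what turns the caller's `$complex` into a reference, a call compiled before this definition or made with `&` would pass the plain value and `$$complexref` would then die under strict refs; the three calls in process_zone are compiled after it and are fine, but that constraint deserves a comment too. Dropping `$options || ''` at those three calls relies on the columns never being undef, which looks safe given the old `complex =>` line already compared them with `ne '-'`. process_zone's body continues past the end of this hunk.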