Some optimizations
This commit is contained in:
parent
c893ba6ffa
commit
f2f91ce7dd
@ -1952,9 +1952,8 @@ sub generate_matrix() {
|
|||||||
#
|
#
|
||||||
for my $zone1 ( @dest_zones ) {
|
for my $zone1 ( @dest_zones ) {
|
||||||
my $zone1ref = find_zone( $zone1 );
|
my $zone1ref = find_zone( $zone1 );
|
||||||
my $policy = $filter_table->{"${zone}2${zone1}"}->{policy};
|
|
||||||
|
|
||||||
next if $policy eq 'NONE';
|
next if $filter_table->{"${zone}2${zone1}"}->{policy} eq 'NONE';
|
||||||
|
|
||||||
my $chain = rules_target $zone, $zone1;
|
my $chain = rules_target $zone, $zone1;
|
||||||
|
|
||||||
@ -1970,15 +1969,15 @@ sub generate_matrix() {
|
|||||||
next unless $zoneref->{bridge} eq $zone1ref->{bridge};
|
next unless $zoneref->{bridge} eq $zone1ref->{bridge};
|
||||||
}
|
}
|
||||||
|
|
||||||
my $chainref = $filter_table->{$chain};
|
my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
|
||||||
|
|
||||||
my $dest_hosts_ref = $zone1ref->{hosts};
|
|
||||||
|
|
||||||
if ( $frwd_ref ) {
|
if ( $frwd_ref ) {
|
||||||
for my $typeref ( values %$dest_hosts_ref ) {
|
#
|
||||||
|
# Simple case -- the source zone has it's own forwarding chain
|
||||||
|
#
|
||||||
|
for my $typeref ( values %{$zone1ref->{hosts}} ) {
|
||||||
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
|
for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
|
||||||
my $arrayref = $typeref->{$interface};
|
for my $hostref ( @{$typeref->{$interface}} ) {
|
||||||
for my $hostref ( @$arrayref ) {
|
|
||||||
next if $hostref->{options}{sourceonly};
|
next if $hostref->{options}{sourceonly};
|
||||||
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
|
if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
|
||||||
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
|
my $ipsec_out_match = match_ipsec_out $zone1 , $hostref;
|
||||||
@ -1990,9 +1989,11 @@ sub generate_matrix() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
#
|
||||||
|
# More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain
|
||||||
|
#
|
||||||
for my $typeref ( values %$source_hosts_ref ) {
|
for my $typeref ( values %$source_hosts_ref ) {
|
||||||
for my $interface ( keys %$typeref ) {
|
for my $interface ( keys %$typeref ) {
|
||||||
my $arrayref = $typeref->{$interface};
|
|
||||||
my $chain3ref;
|
my $chain3ref;
|
||||||
my $match_source_dev = '';
|
my $match_source_dev = '';
|
||||||
my $forwardchainref = $filter_table->{forward_chain $interface};
|
my $forwardchainref = $filter_table->{forward_chain $interface};
|
||||||
@ -2004,16 +2005,19 @@ sub generate_matrix() {
|
|||||||
$chain3ref = $forwardchainref;
|
$chain3ref = $forwardchainref;
|
||||||
add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
add_jump $filter_table->{FORWARD} , $chain3ref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
|
||||||
} else {
|
} else {
|
||||||
|
#
|
||||||
|
# Don't use the interface's forward chain -- move any rules in that chain to this rules chain
|
||||||
|
#
|
||||||
$chain3ref = $filter_table->{FORWARD};
|
$chain3ref = $filter_table->{FORWARD};
|
||||||
$match_source_dev = match_source_dev $interface;
|
$match_source_dev = match_source_dev $interface;
|
||||||
move_rules $forwardchainref, $chainref;
|
move_rules $forwardchainref, $chainref;
|
||||||
}
|
}
|
||||||
|
|
||||||
for my $hostref ( @$arrayref ) {
|
for my $hostref ( @{$typeref->{$interface}} ) {
|
||||||
next if $hostref->{options}{destonly};
|
next if $hostref->{options}{destonly};
|
||||||
my $excl3ref = source_exclusion( $hostref->{exclusions}, $chain3ref );
|
my $excl3ref = source_exclusion( $hostref->{exclusions}, $chain3ref );
|
||||||
for my $net ( @{$hostref->{hosts}} ) {
|
for my $net ( @{$hostref->{hosts}} ) {
|
||||||
for my $type1ref ( values %$dest_hosts_ref ) {
|
for my $type1ref ( values %{$zone1ref->{hosts}} ) {
|
||||||
for my $interface1 ( keys %$type1ref ) {
|
for my $interface1 ( keys %$type1ref ) {
|
||||||
my $array1ref = $type1ref->{$interface1};
|
my $array1ref = $type1ref->{$interface1};
|
||||||
for my $host1ref ( @$array1ref ) {
|
for my $host1ref ( @$array1ref ) {
|
||||||
@ -2045,13 +2049,13 @@ sub generate_matrix() {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
#
|
#
|
||||||
# E N D F O R W A R D I N G
|
# E N D F O R W A R D I N G
|
||||||
#
|
#
|
||||||
# Now add an unconditional jump to the last unique policy-only chain determined above, if any
|
# Now add an unconditional jump to the last unique policy-only chain determined above, if any
|
||||||
#
|
#
|
||||||
add_jump $frwd_ref , $last_chain, 1 if $last_chain;
|
add_jump $frwd_ref , $last_chain, 1 if $frwd_ref && $last_chain;
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
add_interface_jumps @interfaces unless $interface_jumps_added;
|
add_interface_jumps @interfaces unless $interface_jumps_added;
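Review bot: The new comment on `my $chainref = $filter_table->{$chain};` in the second hunk documents that the lookup yields nothing when `$chain` is a built-in target such as ACCEPT, yet the `else` branch in the fourth hunk still calls `move_rules $forwardchainref, $chainref;` with no guard, so unless the `if` condition selecting that branch (it starts above that hunk, outside my view) already excludes the built-in-target case, the interface's forward-chain rules would be moved into an undefined chain and silently lost. If the condition does exclude it, state that at the call site, e.g. `# $chainref is defined here: the built-in-target case never reaches this branch`; otherwise add a guard such as `die "no rules chain for $chain" unless defined $chainref;` ahead of the call, since a dropped firewall rule fails open rather than loud. In Perl the missing value is `undef`, not null, so the new comment reads better as `# undef if $chain is a Netfilter built-in target such as ACCEPT`. The added comments also carry two typos: `it's own` should be `its own` (second hunk) and `compilcated` should be `complicated` (third hunk). generate_matrix() itself begins and ends outside these hunks.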
|
||||||
|