On 05/12/2013 07:58 AM, Dash Four wrote:

>>   
> As I suggested earlier, the easiest way to implement this is to add an 
> option to the interface (or zone?) definition which asks shorewall not 
> to involve this interface (or zone) in any inter-chain rules (i.e. keep 
> it local-only). That way all I have to do is add this option and forget 
> messing about with "hosts" and stuff like that.
> 
> The 'local' interface/zone can't possibly have any matching rules 
> from/to other interfaces/zones, so to me it makes perfect sense to use 
> that option. Is this doable?

Patch attached. It has uncovered an optimizer bug that is leaving a few
unreferenced chains behind; I'll chase that today.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index a15a205..35b9b4b 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -3053,17 +3053,24 @@ sub check_optimization( $ ) {
 # When an unreferenced chain is found, it is deleted unless its 'dont_delete' flag is set.
 sub optimize_level0() {
     for my $table ( qw/raw rawpost mangle nat filter/ ) {
-	next if $family == F_IPV6 && $table eq 'nat';
 	my $tableref = $chain_table{$table};
-	my @chains  = grep $_->{referenced}, values %$tableref;
-	my $chains  = @chains;
+	next unless $tableref;
 
-	for my $chainref ( @chains ) {
-	    #
-	    # If the chain isn't branched to, then delete it
-	    #
-	    unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
-		delete_chain $chainref if $chainref->{referenced};
+	my $progress = 1;
+
+	while ( $progress ) {
+	    my @chains  = grep $_->{referenced}, values %$tableref;
+	    my $chains  = @chains;
+
+	    $progress = 0;
+
+	    for my $chainref ( @chains ) {
+		#
+		# If the chain isn't branched to, then delete it
+		#
+		unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
+		    delete_chain_and_references $chainref, $progress = 1 if $chainref->{referenced};
+		}
 	    }
 	}
     }
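Review bot: The `delete_chain_and_references $chainref, $progress = 1 if ...` line only does what the loop needs if `delete_chain_and_references` carries a one-argument prototype, in which case the comma is the comma operator and `$progress = 1` runs as a separate expression; without that prototype the assignment's value is passed as a second argument and the call reads as if the function took a flag. The prototype is outside this hunk so I cannot confirm which parse applies, and either way the intent is hidden; spell it out as a block: `if ( $chainref->{referenced} ) { delete_chain_and_references $chainref; $progress = 1; }`. The `my $chains = @chains;` count is never read inside the rewritten loop and can go. Since every pass that sets `$progress` deletes at least one referenced chain the `while` terminates, which deserves a one-line comment, `# repeat until a full pass deletes nothing`.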
@@ -3098,7 +3105,7 @@ sub optimize_level4( $$ ) {
 	    # If the chain isn't branched to, then delete it
 	    #
 	    unless ( ( $optflags & DONT_DELETE ) || keys %{$chainref->{references}} ) {
-		delete_chain $chainref if $chainref->{referenced};
+		delete_chain_and_references $chainref if $chainref->{referenced};
 		next;
 	    }
 
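Review bot: Swapping in `delete_chain_and_references` at this point can leave further chains unreferenced part-way through the pass, and unlike the new `optimize_level0` loop this pass does not repeat until nothing changes; whether a chain that loses its last reference here is ever collected depends on the caller re-running the optimizer, which I cannot see because optimize_level4 starts before the hunk. If the surrounding code already re-scans, a comment such as `# references dropped here are collected on the next optimizer pass` would record that dependency; otherwise the same `$progress` fixpoint loop used in level 0 is needed here too.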
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 241a350..7e6ab13 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1628,6 +1628,8 @@ sub handle_complex_zone( $$ ) {
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;
 
+	    next if $interfaceref->{options}{destonly};
+
 	    if ( use_forward_chain( $interface, $sourcechainref ) ) {
 		#
 		# Use the interface forward chain
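Review bot: The `destonly` flag consulted on the added `next if $interfaceref->{options}{destonly};` line is read from the interface record's `options` hash, while the Zones.pm part of this patch sets it on `$hostoptionsref` (`$hostoptionsref->{destonly} = 1 if $hostoptionsref->{local};`); unless the record returned by `find_interface` stores that same hash under `options`, this check never fires and a `local` interface still gets source-side forward rules. Please confirm which hash the flag lands in, or set `$options{destonly}` alongside. A comment on the new line would also help: `# 'local' interfaces never originate inter-zone traffic (destonly is derived from 'local' in process_interface)`. handle_complex_zone starts and ends outside the hunk.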
@@ -2213,7 +2215,7 @@ sub generate_matrix() {
 		for my $typeref ( values %{$zone1ref->{hosts}} ) {
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
-			    next if $hostref->{options}{sourceonly};
+			    next if $hostref->{options}{sourceonly} || $hostref->{options}{local};
 			    if ( $zone ne $zone1 || $num_ifaces > 1 || $hostref->{options}{routeback} ) {
 				my @ipsec_out_match = match_ipsec_out $zone1 , $hostref;
 				my $dest_exclusion = dest_exclusion( $hostref->{exclusions}, $chain);
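Review bot: Skipping `local` hosts as a destination on the changed `next if` line only omits the matrix rules that would target them; what then happens to a packet from another zone bound for a `local` host is decided by whatever follows in the forward chain (interface defaults or the policy), which this hunk does not show. If `local` is meant to mean "unreachable from other zones" rather than merely "no explicit rules", that fall-through behaviour should be verified and stated, e.g. `# local hosts get no inter-zone rules; traffic to them falls through to the policy chain`. Note too that this check covers only the destination side; suppressing the host as a source relies on the separate `destonly` path. generate_matrix starts and ends outside the hunk.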
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index 603c171..d73acf8 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -302,6 +302,7 @@ sub initialize( $$ ) {
 				  dhcp        => SIMPLE_IF_OPTION,
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+				  local       => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				  norfc1918   => OBSOLETE_IF_OPTION,
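Review bot: The option table is kept in alphabetical order and the new `local` entry on the added line is placed after `maclist`, whereas the IPv6 table in the next hunk puts it before `maclist`. Move the line up one so both tables read the same: `local       => SIMPLE_IF_OPTION + IF_OPTION_HOST,` directly after the `ignore` entry.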
@@ -339,6 +340,7 @@ sub initialize( $$ ) {
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
+				    local       => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -1268,6 +1270,8 @@ sub process_interface( $$ ) {
 	$options{ignore} ||= 0;
     }
 
+    $hostoptionsref->{destonly} = 1 if $hostoptionsref->{local};
+
     $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
 						       filter     => $filterref ,
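Review bot: The derivation `$hostoptionsref->{destonly} = 1 if $hostoptionsref->{local};` is added in process_interface only, yet `local` is registered with `IF_OPTION_HOST` in both option tables; if that flag means the option is also accepted on hosts-file entries (as the identical flag on `maclist` suggests), a hosts entry carrying `local` gets the destination-side skip in generate_matrix but never `destonly`, so its source side is still wired up. Either derive `destonly` wherever host options are processed, or reject `local` for hosts entries. Nothing here rejects `local` combined with `sourceonly` or `routeback`, which contradict it; raising a fatal configuration error on that combination would surface the misconfiguration at compile time rather than as a silently permissive ruleset. process_interface starts before the hunk.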

Attachment: signature.asc
Description: OpenPGP digital signature
