On 09/01/2012 10:51 AM, Tom Eastep wrote:
6. Shorewall(-lite): The following could be optimised:
interfaces
~~~~~~~~~~
vpn    eth1    arp_filter=1,arp_ignore=2,logmartians=1,nets=10.1.1.0/24,nosmurfs,routefilter=1,tcpflags
red    eth2    arp_filter=1,arp_ignore=2,logmartians=1,nosmurfs,routefilter=1,tcpflags

Produces:

-A vpn2net -s 10.1.1.0/24 -m conntrack --ctstate NEW,INVALID -j smurfs
-A vpn2net -m conntrack --ctstate NEW,INVALID -j smurfs
[...]
-A vpn2net -p tcp -s 10.1.1.0/24 -j tcpflags
-A vpn2net -p tcp -j tcpflags
This could be optimised to just the second line in both statements
above (I have OPTIMIZE=15 in shorewall.conf)
I'll see what I can do.
Patch attached.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
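The optimisation the quoted report asks for, generalised slightly, as an added example that is not part of Shorewall or of the patch below: a small Python checker that reads iptables-save style `-A` lines and flags a rule whose only extra matches over the next rule in the same chain are `-s`/`-d` restrictions and whose target is identical. The sample rules are constructed from the report above plus two pairs that must not be flagged; the simple option/value rule grammar it parses is an assumption of the example.

```python
"""Flag iptables rules shadowed by the next rule in the same chain.

Added example, not part of Shorewall.  It implements the optimisation the
report asks for: a rule that differs from the rule right after it only by
extra -s/-d restrictions (and has the same target) can be removed, because
every packet it matched reaches the broader rule anyway and gets the same
treatment there.
"""
import shlex

# Only these matches may be the "extra" ones on the redundant rule.
ADDRESS_OPTS = {"-s", "-d", "!-s", "!-d", "--src", "--dst"}


def parse_rule(line):
    """Split an '-A CHAIN <matches> -j TARGET' line into (chain, matches, target).

    matches is a frozenset of (option, values) pairs; a leading '!' is folded
    into the option name so '! -s X' never compares equal to '-s X'.  Target
    options such as --log-prefix land in matches too, which is what we want:
    they must agree for two rules to be interchangeable.
    Assumption: plain option/value syntax as printed by iptables-save.
    """
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        raise ValueError(f"not an -A rule: {line!r}")
    chain, matches, target, negate = toks[1], set(), None, False
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if not tok.startswith("-"):
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        # values run until the next option or negation marker
        j = i + 1
        while j < len(toks) and not toks[j].startswith("-") and toks[j] != "!":
            j += 1
        vals = tuple(toks[i + 1:j])
        if tok in ("-j", "-g"):
            target = (tok,) + vals
        else:
            matches.add((("!" if negate else "") + tok, vals))
        negate, i = False, j
    return chain, frozenset(matches), target


def shadowed_by_next(this, nxt):
    """True if `this` is redundant given that `nxt` follows it in the same chain."""
    chain, m, tgt = this
    chain2, m2, tgt2 = nxt
    if chain != chain2 or tgt is None or tgt != tgt2:
        return False
    extra = m - m2
    # nxt must match every packet `this` matches (its matches are a subset),
    # and `this` may only add address restrictions on top of them.
    return m2 <= m and all(opt in ADDRESS_OPTS for opt, _ in extra)


def redundant_rules(lines):
    """Return the 1-based line numbers of rules shadowed by their successor."""
    by_chain = {}
    for no, line in enumerate(lines, 1):
        if line.startswith("-A "):
            chain, m, tgt = parse_rule(line)
            by_chain.setdefault(chain, []).append((no, (chain, m, tgt)))
    found = []
    for rules in by_chain.values():
        for (no, this), (_, nxt) in zip(rules, rules[1:]):
            if shadowed_by_next(this, nxt):
                found.append(no)
    return sorted(found)


# Constructed sample: the two pairs from the report, then two pairs that must
# NOT be flagged (different target; successor is not broader).
SAMPLE = """\
-A vpn2net -s 10.1.1.0/24 -m conntrack --ctstate NEW,INVALID -j smurfs
-A vpn2net -m conntrack --ctstate NEW,INVALID -j smurfs
-A vpn2net -p tcp -s 10.1.1.0/24 -j tcpflags
-A vpn2net -p tcp -j tcpflags
-A net2fw -s 192.0.2.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A net2fw -p tcp -m tcp --dport 22 -j DROP
-A net2fw -s 192.0.2.0/24 -j ACCEPT
-A net2fw -p udp -m udp --dport 53 -j ACCEPT
""".splitlines()

if __name__ == "__main__":
    for no in redundant_rules(SAMPLE):
        print(f"line {no} is redundant: {SAMPLE[no - 1]}")
```

The check is deliberately limited to adjacent rules: with other rules in between, the narrower rule may be what keeps that traffic from reaching a terminating rule further down, so it cannot be dropped on match/target comparison alone. For the report's two pairs the shared target is a user chain that returns for packets it does not act on, so the narrower rule only sends 10.1.1.0/24 traffic through the same chain a second time; removing it also removes any duplicate logging from that second pass.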
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 44d1dde..c6984bb 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -888,6 +888,8 @@ sub add_common_rules ( $ ) {
my @policy = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
my $target = source_exclusion( $hostref->[3], $chainref );
+ next if get_interface_option( $interface, 'nosmurfs' ) && $hostref->[2] ne ALLIP;
+
for $chain ( option_chains $interface ) {
add_ijump( $filter_table->{$chain} , j => $target, @state, imatch_source_net( $hostref->[2] ), @policy );
}
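Review bot: the new `next` sits after `my $target = source_exclusion( $hostref->[3], $chainref );` has already run, so for a host entry that is skipped, whatever source_exclusion builds for a non-empty exclusion list (presumably an exclusion chain) is still created even though no rule will jump to it. Move the `next` above the `my @policy ...` and `my $target ...` lines so the skip costs nothing. A one-line comment on why the per-network rule can be dropped would also help the next reader: the interface-wide rule emitted for the nosmurfs option has no `-s` match (the `-A vpn2net -m conntrack --ctstate NEW,INVALID -j smurfs` line in the report), so the narrower rule can only send the same packet through the smurfs chain a second time.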
@@ -1009,6 +1011,8 @@ sub add_common_rules ( $ ) {
my $target = source_exclusion( $hostref->[3], $chainref );
my @policy = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();
+ next if get_interface_option( $interface, 'tcpflags' ) && $hostref->[2] ne ALLIP;
+
for $chain ( option_chains $interface ) {
add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
}
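Review bot: same ordering problem as the smurfs hunk: the `next` is placed after `$target` and `@policy` have been computed; put it first in the loop body. The two conditions differ only in the option name (`'tcpflags'` here, `'nosmurfs'` above) and are easy to let drift apart, so state the invariant both rely on in a comment or a tiny shared helper: when the interface option is set, an interface-wide rule without `-s` is emitted, which makes the per-network rules from hosts entries redundant. Also worth confirming: `$hostref->[2] ne ALLIP` is a plain string comparison, so the skip only fires if the network field has been normalised to ALLIP's exact spelling before this point; if it can arrive in another form the rule is still emitted (harmless, but the optimisation silently does nothing).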
_______________________________________________
Shorewall-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-devel