From: <abe...@us...> - 2016-06-12 19:45:45
Revision: 7719 http://sourceforge.net/p/astlinux/code/7719 Author: abelbeck Date: 2016-06-12 19:45:42 +0000 (Sun, 12 Jun 2016) Log Message: ----------- arnofw, optimize by only adding to FORWARD if LAN_LAN_FORWARD_CHAIN contains rules Modified Paths: -------------- branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch Modified: branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-06-12 14:55:41 UTC (rev 7718) +++ branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-06-12 19:45:42 UTC (rev 7719) @@ -1,20 +1,20 @@ diff --git a/README b/README -index 093151a..93641a4 100644 +index 093151a..802ce61 100644 --- a/README +++ b/README @@ -480,6 +480,7 @@ INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTcoming traffic INT_INPUT_CHAIN - Internal-net INPUT chain INT_OUTPUT_CHAIN - Internal-net OUTPUT chain -+LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain ++LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain (AIF private use only) LAN_INET_FORWARD_CHAIN - LAN to internet (external net) forward chain POST_INPUT_CHAIN - This chain is always processed last(post) in the INPUT chain diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index b02a85f..67d79ec 100755 +index b02a85f..beee62d 100755 --- a/bin/arno-iptables-firewall +++ b/bin/arno-iptables-firewall -@@ -2263,6 +2263,72 @@ setup_int_input_chain() +@@ -2263,6 +2263,79 @@ setup_int_input_chain() } @@ -23,6 +23,8 @@ +################################################## +setup_lan_lan_forward_chain() +{ ++ local rtn_val=1 ++ + echo " Setting up LAN->LAN policy" + + # TCP ports to ALLOW for certain Inter-LAN hosts 
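Review bot: `local rtn_val=1` makes the normal case of `setup_lan_lan_forward_chain()` — no Inter-LAN host rules configured — end in a non-zero exit status, and the `####` header right above the function says nothing about it, so a caller that treats the status as an error, or a script running under `set -e` or an ERR trap, would read "nothing to do" as a failure. Add to the header something like `# Returns 0 if at least one rule was added to LAN_LAN_FORWARD_CHAIN, 1 if it stayed empty (not an error)`. Whether the script itself runs with `set -e` is not visible here. The function body continues in the following hunks.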
@@ -38,6 +40,7 @@
 + for dhost in `ip_range "$dhosts"`; do
 + for port in $ports; do
 + iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
++ rtn_val=0
 + done
 + done
 + done
@@ -57,6 +60,7 @@
 + for dhost in `ip_range "$dhosts"`; do
 + for port in $ports; do
 + iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT
++ rtn_val=0
 + done
 + done
 + done
@@ -76,41 +80,54 @@ + for dhost in `ip_range "$dhosts"`; do + for proto in $protos; do + iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT ++ rtn_val=0 + done + done + done + fi + done ++ ++ return $rtn_val +} + + ################################################### # Setup chain for the LAN-to-INET forward traffic # ################################################### -@@ -4803,7 +4869,8 @@ setup_firewall_rules() +@@ -4803,7 +4876,10 @@ setup_firewall_rules() echo " Logging of denied LAN->INET FORWARD connections disabled" fi - # Setup helper chain for the LAN: + # Setup helper chains for the LAN: + setup_lan_lan_forward_chain; ++ lan_lan_forward_result=$? ++ setup_lan_inet_forward_chain; IFS=' ,' -@@ -4813,6 +4880,12 @@ setup_firewall_rules() +@@ -4813,10 +4889,20 @@ setup_firewall_rules() # Always make subnets on the SAME interface trust each other iptables -A FORWARD -i $iif -o $iif -j ACCEPT -+ for output_if in $INT_IF; do -+ if [ "$iif" != "$output_if" ]; then -+ iptables -A FORWARD -i $iif -o $output_if -j LAN_LAN_FORWARD_CHAIN -+ fi -+ done ++ # Optimize by only adding to FORWARD if LAN_LAN_FORWARD_CHAIN contains rules ++ if [ $lan_lan_forward_result -eq 0 ]; then ++ for output_if in $INT_IF; do ++ if [ "$iif" != "$output_if" ]; then ++ iptables -A FORWARD -i $iif -o $output_if -j LAN_LAN_FORWARD_CHAIN ++ fi ++ done ++ fi + for eif in $EXT_IF; do iptables -A FORWARD -i $iif -o $eif -j LAN_INET_FORWARD_CHAIN done -@@ -5035,6 +5108,7 @@ create_user_chains() + done ++ unset lan_lan_forward_result + fi + + +@@ -5035,6 +5121,7 @@ create_user_chains() iptables -N DMZ_LAN_FORWARD_CHAIN iptables -N INET_DMZ_FORWARD_CHAIN iptables -N DMZ_INET_FORWARD_CHAIN 
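Review bot: `if [ $lan_lan_forward_result -eq 0 ]; then` leaves the variable unquoted; it is assigned from `$?` right after the `setup_lan_lan_forward_chain;` call so it works, but `if [ "$lan_lan_forward_result" -eq 0 ]; then` is the safer form and matches the quoting already used on `"$iif" != "$output_if"` two lines below. The same variable is a plain global of `setup_firewall_rules()` that is only `unset` just before the `fi` at the bottom of the hunk, so it presumably survives on whichever path skips that block; declaring it `local` next to the assignment would remove both the `unset` and the leak. The new `# Optimize ...` comment could also say why skipping the jump is safe, e.g. `# A jump into an empty user chain is a no-op, so the jump is only added when setup_lan_lan_forward_chain() reported rules (status 0)`, so a reader does not mistake the missing jump for unfiltered Inter-LAN traffic. `setup_firewall_rules()` starts and ends outside the hunk.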
@@ -118,7 +135,7 @@ iptables -N LAN_INET_FORWARD_CHAIN # Chains for the external interface -@@ -5091,6 +5165,7 @@ flush_user_chains() +@@ -5091,6 +5178,7 @@ flush_user_chains() iptables -F DMZ_LAN_FORWARD_CHAIN iptables -F INET_DMZ_FORWARD_CHAIN iptables -F DMZ_INET_FORWARD_CHAIN This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
From: <abe...@us...> - 2016-06-22 20:51:40
Revision: 7733 http://sourceforge.net/p/astlinux/code/7733 Author: abelbeck Date: 2016-06-22 20:51:38 +0000 (Wed, 22 Jun 2016) Log Message: ----------- arnofw, remove unused INT_FORWARD_IN_CHAIN and INT_FORWARD_OUT_CHAIN user chains Ref: https://github.com/arno-iptables-firewall/aif/commit/dd4ac2ea35da58eb625a3e1bb87dc707044f13a6 Modified Paths: -------------- branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch Modified: branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-06-22 17:00:12 UTC (rev 7732) +++ branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-06-22 20:51:38 UTC (rev 7733) 
@@ -188,3 +188,66 @@
 # LAN_INET_xxx = LAN->internet access rules (forward) #
 # #
 # Note that when the LAN_INET_OPEN_xxx & LAN_INET_HOST_OPEN_xxx variables are #
+
+
+From dd4ac2ea35da58eb625a3e1bb87dc707044f13a6 Mon Sep 17 00:00:00 2001
+From: Lonnie Abelbeck <lo...@ab...>
+Date: Wed, 22 Jun 2016 14:55:37 -0500
+Subject: [PATCH] removed: unused INT_FORWARD_IN_CHAIN and
+ INT_FORWARD_OUT_CHAIN user chains, related #28
+
+---
+ README | 2 --
+ bin/arno-iptables-firewall | 12 ------------
+ 2 files changed, 14 deletions(-)
+
+diff --git a/README b/README
+index 802ce61..3f88069 100644
+--- a/README
++++ b/README
+@@ -476,8 +476,6 @@ HOST_BLOCK_DST - Chain containing the list of destination based
+ blocked hosts
+ HOST_BLOCK_SRC - Chain containing the list of source based blocked
+ hosts
+-INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic
+-INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTcoming traffic
+ INT_INPUT_CHAIN - Internal-net INPUT chain
+ INT_OUTPUT_CHAIN - Internal-net OUTPUT chain
+ LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain (AIF private use only)
+diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall
+index beee62d..99735ee 100755
+--- a/bin/arno-iptables-firewall
++++ b/bin/arno-iptables-firewall
+@@ -4769,14 +4769,6 @@ setup_firewall_rules()
+ iptables -A FORWARD -o $eif -j EXT_FORWARD_OUT_CHAIN
+ done
+
+- # Source the IN/OUT chains for the internal interface(s)
+- ########################################################
+- IFS=' ,'
+- for iif in $INT_IF; do
+- iptables -A FORWARD -i $iif -j INT_FORWARD_IN_CHAIN
+- iptables -A FORWARD -o $iif -j INT_FORWARD_OUT_CHAIN
+- done
+-
+ # Source the IN/OUT chains for the dmz interface(s)
+ ########################################################
+ IFS=' ,'
+@@ -5135,8 +5127,6 @@ create_user_chains()
+
+ # INT(LAN) chains
+ iptables -N INT_INPUT_CHAIN
+- iptables -N INT_FORWARD_IN_CHAIN
+- iptables -N INT_FORWARD_OUT_CHAIN
+ iptables -N
INT_OUTPUT_CHAIN
+
+ # DMZ chains
+@@ -5192,8 +5182,6 @@ flush_user_chains()
+
+ # INT(LAN) chains
+ iptables -F INT_INPUT_CHAIN
+- iptables -F INT_FORWARD_IN_CHAIN
+- iptables -F INT_FORWARD_OUT_CHAIN
+ iptables -F INT_OUTPUT_CHAIN
+
+ # DMZ chains
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
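Review bot: Dropping `iptables -N INT_FORWARD_IN_CHAIN` / `INT_FORWARD_OUT_CHAIN` from `create_user_chains()` (and the matching `-F` lines in `flush_user_chains()`) means any custom rule file that still appends to those chains would presumably make `iptables` fail at firewall start with an unknown-chain error; the README previously listed them next to the other user-visible chains, so a compatibility line in the package changelog or in this patch's description seems warranted. The `IFS=' ,'` removed with the internal-interface loop is set again by the DMZ block that follows, so the remaining loop is unaffected. The `setup_firewall_rules()`, `create_user_chains()` and `flush_user_chains()` bodies all start and end outside the hunk.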