From: <abe...@us...> - 2016-06-12 19:45:45
Revision: 7719 http://sourceforge.net/p/astlinux/code/7719 Author: abelbeck Date: 2016-06-12 19:45:42 +0000 (Sun, 12 Jun 2016) Log Message: ----------- arnofw, optimize by only adding to FORWARD if LAN_LAN_FORWARD_CHAIN contains rules Modified Paths: -------------- branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch Modified: branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch =================================================================== --- branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-06-12 14:55:41 UTC (rev 7718) +++ branches/1.0/package/arnofw/arnofw-0004-add-LAN_LAN_FORWARD_CHAIN.patch 2016-06-12 19:45:42 UTC (rev 7719) @@ -1,20 +1,20 @@ diff --git a/README b/README -index 093151a..93641a4 100644 +index 093151a..802ce61 100644 --- a/README +++ b/README @@ -480,6 +480,7 @@ INT_FORWARD_IN_CHAIN - Internal-net FORWARD chain for INcoming traffic INT_FORWARD_OUT_CHAIN - Internal-net FORWARD chain for OUTcoming traffic INT_INPUT_CHAIN - Internal-net INPUT chain INT_OUTPUT_CHAIN - Internal-net OUTPUT chain -+LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain ++LAN_LAN_FORWARD_CHAIN - LAN to LAN (Inter-LAN) forward chain (AIF private use only) LAN_INET_FORWARD_CHAIN - LAN to internet (external net) forward chain POST_INPUT_CHAIN - This chain is always processed last(post) in the INPUT chain diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall -index b02a85f..67d79ec 100755 +index b02a85f..beee62d 100755 --- a/bin/arno-iptables-firewall +++ b/bin/arno-iptables-firewall -@@ -2263,6 +2263,72 @@ setup_int_input_chain() +@@ -2263,6 +2263,79 @@ setup_int_input_chain() } @@ -23,6 +23,8 @@ +################################################## +setup_lan_lan_forward_chain() +{ ++ local rtn_val=1 ++ + echo " Setting up LAN->LAN policy" + + # TCP ports to ALLOW for certain Inter-LAN hosts 
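Review bot: The exit status of setup_lan_lan_forward_chain now carries meaning (0 once at least one rule has been appended to LAN_LAN_FORWARD_CHAIN, 1 otherwise, via the new `local rtn_val=1`), but nothing above the function documents this, and the convention is the reverse of the usual "non-zero means failure" reading a caller would apply. A header comment such as `# Returns 0 if any rule was added to LAN_LAN_FORWARD_CHAIN, 1 if the chain is empty` would keep the caller in setup_firewall_rules, which branches on this value, from being misread as error handling. The `rtn_val=0` added in the two hunks on the next line and at the start of the following one records only that an iptables append was attempted, not that it succeeded; if an append fails the FORWARD jump is still installed into an empty chain, which is harmless but worth stating in the same comment. The function's body continues in the following hunks.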
@@ -38,6 +40,7 @@ + for dhost in `ip_range "$dhosts"`; do + for port in $ports; do + iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT ++ rtn_val=0 + done + done + done @@ -57,6 +60,7 @@ + for dhost in `ip_range "$dhosts"`; do + for port in $ports; do + iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p udp --dport $port -j ACCEPT ++ rtn_val=0 + done + done + done 
@@ -76,41 +80,54 @@ + for dhost in `ip_range "$dhosts"`; do + for proto in $protos; do + iptables -A LAN_LAN_FORWARD_CHAIN -s $shost -d $dhost -p $proto -j ACCEPT ++ rtn_val=0 + done + done + done + fi + done ++ ++ return $rtn_val +} + + ################################################### # Setup chain for the LAN-to-INET forward traffic # ################################################### -@@ -4803,7 +4869,8 @@ setup_firewall_rules() +@@ -4803,7 +4876,10 @@ setup_firewall_rules() echo " Logging of denied LAN->INET FORWARD connections disabled" fi - # Setup helper chain for the LAN: + # Setup helper chains for the LAN: + setup_lan_lan_forward_chain; ++ lan_lan_forward_result=$? ++ setup_lan_inet_forward_chain; IFS=' ,' -@@ -4813,6 +4880,12 @@ setup_firewall_rules() +@@ -4813,10 +4889,20 @@ setup_firewall_rules() # Always make subnets on the SAME interface trust each other iptables -A FORWARD -i $iif -o $iif -j ACCEPT -+ for output_if in $INT_IF; do -+ if [ "$iif" != "$output_if" ]; then -+ iptables -A FORWARD -i $iif -o $output_if -j LAN_LAN_FORWARD_CHAIN -+ fi -+ done ++ # Optimize by only adding to FORWARD if LAN_LAN_FORWARD_CHAIN contains rules ++ if [ $lan_lan_forward_result -eq 0 ]; then ++ for output_if in $INT_IF; do ++ if [ "$iif" != "$output_if" ]; then ++ iptables -A FORWARD -i $iif -o $output_if -j LAN_LAN_FORWARD_CHAIN ++ fi ++ done ++ fi + for eif in $EXT_IF; do iptables -A FORWARD -i $iif -o $eif -j LAN_INET_FORWARD_CHAIN done -@@ -5035,6 +5108,7 @@ create_user_chains() + done ++ unset lan_lan_forward_result + fi + + +@@ -5035,6 +5121,7 @@ create_user_chains() iptables -N DMZ_LAN_FORWARD_CHAIN iptables -N INET_DMZ_FORWARD_CHAIN iptables -N DMZ_INET_FORWARD_CHAIN 
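Review bot: The new guard `if [ $lan_lan_forward_result -eq 0 ]; then` leaves the variable unquoted, and its value is only meaningful because `lan_lan_forward_result=$?` is the statement immediately after `setup_lan_lan_forward_chain;` — any line inserted between them later would silently clobber `$?`. Quoting it, `if [ "$lan_lan_forward_result" -eq 0 ]; then`, and adding a one-line comment above the assignment that the status must be captured directly after the call would make that dependency explicit. The variable is a global that is only cleared by the `unset lan_lan_forward_result` after the interface loop, so the comment should also say where its lifetime ends. The enclosing setup_firewall_rules begins and ends outside this hunk.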
@@ -118,7 +135,7 @@ iptables -N LAN_INET_FORWARD_CHAIN # Chains for the external interface -@@ -5091,6 +5165,7 @@ flush_user_chains() +@@ -5091,6 +5178,7 @@ flush_user_chains() iptables -F DMZ_LAN_FORWARD_CHAIN iptables -F INET_DMZ_FORWARD_CHAIN iptables -F DMZ_INET_FORWARD_CHAIN This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |