projects / project / firewall4.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e1cb763)
ruleset: reorder declarations & output tweaks
authorJo-Philipp Wich <jo@mein.io>
Tue, 14 Jun 2022 14:23:50 +0000 (16:23 +0200)
committerJo-Philipp Wich <jo@mein.io>
Tue, 14 Jun 2022 14:27:26 +0000 (16:27 +0200)
 - Omit "Set definitions" header if no sets are declared
 - Always emit ${zone}_devices and ${zone}_subnets defines, even if empty
 - Move CT helper definitions to the top
 - Move ${zone}_helper chain definitions after ${zone}_forward chain defs
 - Consistently use two line spacing for output sections

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
21 files changed:
root/usr/share/firewall4/templates/ruleset.uc patch | blob | history
tests/01_configuration/01_ruleset patch | blob | history
tests/01_configuration/02_rule_order patch | blob | history
tests/02_zones/01_policies patch | blob | history
tests/02_zones/02_masq patch | blob | history
tests/02_zones/03_masq_src_dest_restrictions patch | blob | history
tests/02_zones/04_wildcard_devices patch | blob | history
tests/02_zones/05_subnet_mask_matches patch | blob | history
tests/02_zones/06_family_selections patch | blob | history
tests/02_zones/07_helpers patch | blob | history
tests/03_rules/01_direction patch | blob | history
tests/03_rules/02_enabled patch | blob | history
tests/03_rules/03_constraints patch | blob | history
tests/03_rules/04_icmp patch | blob | history
tests/03_rules/05_mangle patch | blob | history
tests/03_rules/06_subnet_mask_matches patch | blob | history
tests/03_rules/07_redirect patch | blob | history
tests/03_rules/08_family_inheritance patch | blob | history
tests/03_rules/09_time patch | blob | history
tests/03_rules/10_notrack patch | blob | history
tests/04_forwardings/01_family_selections patch | blob | history

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index d37498447a99a368370cb8cfcfff68e1685564e0..712697f2e0029be6c2766141f6045f01b9bc198d 100644 (file)
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -1,6 +1,7 @@
 {%
        let flowtable_devices = fw4.resolve_offload_devices();
        let available_helpers = filter(fw4.helpers(), h => h.available);
+       let defined_ipsets = fw4.ipsets();
 -%}
 
 table inet fw4
@@ -23,6 +24,7 @@ table inet fw4 {
 {% endif %}
        }
 
+
 {% endif %}
 {% if (length(available_helpers)): %}
        #
@@ -39,39 +41,38 @@ table inet fw4 {
 {%  endfor %}
 
 {% endif %}
+{% if (length(defined_ipsets)): %}
        #
        # Set definitions
        #
 
-{% for (let set in fw4.ipsets()): %}
+{%  for (let set in defined_ipsets): %}
        set {{ set.name }} {
                type {{ fw4.concat(set.types) }}
-{%  if (set.maxelem > 0): %}
+{%   if (set.maxelem > 0): %}
                size {{ set.maxelem }}
-{%  endif %}
-{%  if (set.timeout >= 0): %}
+{%   endif %}
+{%   if (set.timeout >= 0): %}
                timeout {{ set.timeout }}s
-{% endif %}
-{%  if (set.interval): %}
+{%   endif %}
+{%   if (set.interval): %}
                flags interval
                auto-merge
-{%  endif %}
-{%  fw4.print_setentries(set) %}
+{%   endif %}
+{%   fw4.print_setentries(set) %}
        }
 
-{% endfor %}
+{%  endfor %}
 
+{% endif %}
        #
        # Defines
        #
 
 {% for (let zone in fw4.zones()): %}
-{%  if (length(zone.match_devices)): %}
        define {{ zone.name }}_devices = {{ fw4.set(zone.match_devices, true) }}
-{%  endif %}
-{%  if (length(zone.match_subnets)): %}
        define {{ zone.name }}_subnets = {{ fw4.set(zone.match_subnets, true) }}
-{%  endif %}
+
 {% endfor %}
 
        #
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 9acb429c50b94ad72fab8f07e171afb966037600..dd9750cba22e14025cb438ffdcba9fccc55d5f00 100644 (file)
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -30,6 +30,7 @@ table inet fw4 {
                flags offload;
        }
 
+
        #
        # CT helper definitions
        #
@@ -83,20 +84,17 @@ table inet fw4 {
        }
 
 
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define lan_devices = { "br-lan" }
        define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
        define wan_devices = { "pppoe-wan" }
        define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 }
 
+
        #
        # User includes
        #
diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order
index fd37adfd593d04a67dc5b75b7f47e7bb289d4b5e..3c1546e025e93bfca687128440b430ca74bbffad 100644 (file)
--- a/tests/01_configuration/02_rule_order
+++ b/tests/01_configuration/02_rule_order
@@ -66,20 +66,17 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define lan_devices = { "br-lan" }
        define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
        define wan_devices = { "pppoe-wan" }
        define wan_subnets = { 10.11.12.0/24 }
 
+
        #
        # User includes
        #
diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies
index 5a2eeac873284fa5b4bc8a9774abc110e15c944a..03be7af9dfc80263a5ecc0514208359bc71cfbcd 100644 (file)
--- a/tests/02_zones/01_policies
+++ b/tests/02_zones/01_policies
@@ -65,18 +65,19 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define test1_devices = { "zone1" }
+       define test1_subnets = {  }
+
        define test2_devices = { "zone2" }
+       define test2_subnets = {  }
+
        define test3_devices = { "zone3" }
+       define test3_subnets = {  }
+
 
        #
        # User includes
diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq
index e789fde2e9497160d2af9cdbf080f5294db02b49..369cdd60a23680072402054c3b11c6bb37549702 100644 (file)
--- a/tests/02_zones/02_masq
+++ b/tests/02_zones/02_masq
@@ -69,18 +69,19 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define test1_devices = { "zone1" }
+       define test1_subnets = {  }
+
        define test2_devices = { "zone2" }
+       define test2_subnets = {  }
+
        define test3_devices = { "zone3" }
+       define test3_subnets = {  }
+
 
        #
        # User includes
diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions
index 9129c609ec86e8296d431c74f9b39e5a47c5a68a..2cb0ce459f6365c949c6a58947d75ad4f5772832 100644 (file)
--- a/tests/02_zones/03_masq_src_dest_restrictions
+++ b/tests/02_zones/03_masq_src_dest_restrictions
@@ -95,17 +95,16 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define test1_devices = { "zone1" }
+       define test1_subnets = {  }
+
        define test2_devices = { "zone2" }
+       define test2_subnets = {  }
+
 
        #
        # User includes
diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices
index b7e01e1ce28a44385e8604372abfd510af52d575..292fd114d228942f66fe707d7849b4a170241be8 100644 (file)
--- a/tests/02_zones/04_wildcard_devices
+++ b/tests/02_zones/04_wildcard_devices
@@ -86,20 +86,25 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define test1_devices = { "+" }
+       define test1_subnets = {  }
+
        define test2_devices = { "/never/" }
+       define test2_subnets = {  }
+
        define test3_devices = { "test*" }
+       define test3_subnets = {  }
+
        define test4_devices = { "foo*", "bar*", "test1", "test2" }
+       define test4_subnets = {  }
+
        define test5_devices = { "foo*", "bar*", "test1", "test2" }
+       define test5_subnets = {  }
+
 
        #
        # User includes
diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches
index 27f9dbc8b6031acd6df296567443f2b73e3cf00d..c171ac7944157ce61563704a435c7ceeddfef6e7 100644 (file)
--- a/tests/02_zones/05_subnet_mask_matches
+++ b/tests/02_zones/05_subnet_mask_matches
@@ -54,17 +54,17 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
+       define test1_devices = {  }
+       define test1_subnets = {  }
+
+       define test2_devices = {  }
        define test2_subnets = { ::3, ::4 }
 
+
        #
        # User includes
        #
diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections
index 29af97dc77353730a2e7eb09dadd90efaecc4cdb..a2d48b5eea1b75a283353f63a4e845e6df260b66 100644 (file)
--- a/tests/02_zones/06_family_selections
+++ b/tests/02_zones/06_family_selections
@@ -69,20 +69,25 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
+       define test1_devices = {  }
        define test1_subnets = { 10.0.0.0/8 }
+
+       define test2_devices = {  }
        define test2_subnets = { 2001:db8:1234::/64 }
+
+       define test3_devices = {  }
        define test3_subnets = { 2001:db8:1234::/64 }
+
+       define test4_devices = {  }
        define test4_subnets = { 2001:db8:1234::/64 }
+
        define test5_devices = { "eth0" }
+       define test5_subnets = {  }
+
 
        #
        # User includes
diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers
index ceef65aa749047a3facf14c56b18b6dc31f033a7..1a5a24aafb65b72a9bba34e572f0fcefefaf122e 100644 (file)
--- a/tests/02_zones/07_helpers
+++ b/tests/02_zones/07_helpers
@@ -135,19 +135,22 @@ table inet fw4 {
        }
 
 
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define test1_devices = { "zone1" }
+       define test1_subnets = {  }
+
        define test2_devices = { "zone2" }
+       define test2_subnets = {  }
+
        define test3_devices = { "zone3" }
+       define test3_subnets = {  }
+
        define test4_devices = { "zone4" }
+       define test4_subnets = {  }
+
 
        #
        # User includes
diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction
index 4c33868c5fc4e5f26d8abf3b0d8edb6059cc603d..7751a2328839073ad92245f0268e5a0950341b4e 100644 (file)
--- a/tests/03_rules/01_direction
+++ b/tests/03_rules/01_direction
@@ -50,11 +50,6 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled
index f9eb3bf08de7665f5361ab752589234c14d7159a..c5ef8c6544476e9551419730ca58298220dbea7f 100644 (file)
--- a/tests/03_rules/02_enabled
+++ b/tests/03_rules/02_enabled
@@ -47,11 +47,6 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints
index 51b1ab92a46f8bbda98307f0086e748b2b52dc53..05fb3799ddc891daf46b025e9522663ec17cda64 100644 (file)
--- a/tests/03_rules/03_constraints
+++ b/tests/03_rules/03_constraints
@@ -83,15 +83,13 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
+       define lan_devices = {  }
+       define lan_subnets = {  }
+
 
        #
        # User includes
diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp
index 0c615a7d7184f3e520e41d1ce2bc2a2d3d7b6516..c3553752e4b739bfd110a0fd1e8291c4b9d318f2 100644 (file)
--- a/tests/03_rules/04_icmp
+++ b/tests/03_rules/04_icmp
@@ -56,11 +56,6 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle
index 04ae461e2fabdcca354376419e2c95a8fef1c9f3..57444ded8b77ab00a8314a18152537a466ca81e4 100644 (file)
--- a/tests/03_rules/05_mangle
+++ b/tests/03_rules/05_mangle
@@ -151,17 +151,16 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define lan_devices = { "eth0", "eth1" }
+       define lan_subnets = {  }
+
        define wan_devices = { "eth2", "eth3" }
+       define wan_subnets = {  }
+
 
        #
        # User includes
diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index c5b90bd5f11b5fd0e60f100f81de9ea0363bd8d0..6423398c385f28cef36ab3c0cbeff874400ac584 100644 (file)
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -103,22 +103,20 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define wan_devices = { "pppoe-wan" }
        define wan_subnets = { 2001:db8:54:321::/64 }
+
        define lan_devices = { "br-lan" }
        define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
        define guest_devices = { "br-guest" }
        define guest_subnets = { 10.1.0.0/24, 192.168.27.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
 
+
        #
        # User includes
        #
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 471b0439d633348fd1c4c6277c89877ef9b0721a..e6057fd601bcd8de1318b120427c87490c68c42f 100644 (file)
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -135,20 +135,19 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define wan_devices = { "pppoe-wan" }
        define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 }
+
        define lan_devices = { "br-lan" }
        define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
        define noaddr_devices = { "wwan0" }
+       define noaddr_subnets = {  }
+
 
        #
        # User includes
diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance
index b33d01fc3818098004b1c15e2a5617111978a1ff..fc489b571388a903a78849ecc561fa072865ff97 100644 (file)
--- a/tests/03_rules/08_family_inheritance
+++ b/tests/03_rules/08_family_inheritance
@@ -182,8 +182,10 @@ table inet fw4 {
        # Defines
        #
 
+       define ipv4only_devices = {  }
        define ipv4only_subnets = { 192.168.1.0/24 }
 
+
        #
        # User includes
        #
diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time
index e7c55db3d60371e1fb9aa5c5a42cc23a3359d8ee..7a7471b8f8373f0f25739ff733ab9be6dd6a80d3 100644 (file)
--- a/tests/03_rules/09_time
+++ b/tests/03_rules/09_time
@@ -118,11 +118,6 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
diff --git a/tests/03_rules/10_notrack b/tests/03_rules/10_notrack
index 717894b6a0adfbd494e524f92ddb5a79cb668cfd..e2b6acc1cc9e3c89d9cd67ca1424c7d8b0d3a3e4 100644 (file)
--- a/tests/03_rules/10_notrack
+++ b/tests/03_rules/10_notrack
@@ -73,19 +73,20 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define zone1_devices = { "eth0" }
+       define zone1_subnets = {  }
+
        define zone2_devices = { "lo" }
+       define zone2_subnets = {  }
+
+       define zone3_devices = {  }
        define zone3_subnets = { 127.0.0.0/8, ::1 }
 
+
        #
        # User includes
        #
diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index f9362869785d64c3ec49d6201b1d855db00eba3b..6f2ddaee36afffbc69a085dd0ef39f5290abc2e7 100644 (file)
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -62,18 +62,19 @@ table inet fw4
 flush table inet fw4
 
 table inet fw4 {
-       #
-       # Set definitions
-       #
-
-
        #
        # Defines
        #
 
        define wanA_devices = { "eth0" }
+       define wanA_subnets = {  }
+
        define wanB_devices = { "eth1" }
+       define wanB_subnets = {  }
+
        define lan_devices = { "eth2" }
+       define lan_subnets = {  }
+
 
        #
        # User includes
OpenWrt nftables firewall