More conversion to new rule interface

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Accounting.pm

@@ -400,47 +400,47 @@ sub setup_accounting() {
 
 	    if ( have_bridges || $asection ) {
 		if ( $tableref->{accountin} ) {
-		    add_jump( $tableref->{INPUT}, 'accountin', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{INPUT}, j => 'accountin', 0 );
 		}
 
 		if ( $tableref->{accounting} ) {
 		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
-			add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
+			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
 		}
 
 		if ( $tableref->{accountfwd} ) {
-		    add_jump( $tableref->{FORWARD}, 'accountfwd', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{FORWARD}, j => 'accountfwd', 0 );
 		}
 
 		if ( $tableref->{accountout} ) {
-		    add_jump( $tableref->{OUTPUT}, 'accountout', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{OUTPUT}, j => 'accountout', 0 );
 		}
 
 		if ( $tableref->{accountpre} ) {
-		    add_jump( $tableref->{PREROUTING}, 'accountpre', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{PREROUTING}, j => 'accountpre' , 0 );
 		}
 
 		if ( $tableref->{accountpost} ) {
-		    add_jump( $tableref->{POSTROUTING}, 'accountpost', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
 		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
-		    add_jump( $tableref->{$chain}, 'accounting', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}
 	    }
 
 	    if ( $tableref->{accipsecin} ) {
 		for my $chain ( qw/INPUT FORWARD/ ) {
-		    add_jump( $tableref->{$chain}, 'accipsecin', 0,  '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accipsecin', 0 );
 		}
 	    }
 
 	    if ( $tableref->{accipsecout} ) {
 		for my $chain ( qw/FORWARD OUTPUT/ ) {
-		    add_jump( $tableref->{$chain}, 'accipsecout', 0, '', 0, 0 );
+		    insert_ijump( $tableref->{$chain}, j => 'accipsecout', 0 );
 		}
 	    }
 

Shorewall/Perl/Shorewall/Chains.pm

@@ -1809,7 +1809,7 @@ sub insert_ijump( $$$$;@ ) {
 }
 
 #
-# Delete jumps previously added via add_jump. If the target chain is empty, reset its
+# Delete jumps previously added via add_ijump. If the target chain is empty, reset its
 # referenced flag
 #
 sub delete_jumps ( $$ ) {
@@ -2052,12 +2052,12 @@ sub ensure_audit_chain( $;$$ ) {
 
 	$tgt ||= $action;
 
-	add_rule $ref, '-j AUDIT --type ' . lc $action;
+	add_irule $ref, j => 'AUDIT --type ' . lc $action;
 	
 	if ( $tgt eq 'REJECT' ) {
-	    add_jump $ref , 'reject', 1;
+	    add_ijump $ref , g => 'reject';
 	} else {
-	    add_jump $ref , $tgt, 0;
+	    add_ijump $ref , j => $tgt;
 	}
     }
 
@@ -2221,7 +2221,7 @@ sub optimize_chain( $ ) {
 	pop @$rules, $count++ while @$rules && $rules->[-1]->{target} eq 'ACCEPT';
 
 	if ( @${rules} ) {
-	    add_rule $chainref, '-j ACCEPT';
+	    add_irule $chainref, j => 'ACCEPT';
 	    my $type = $chainref->{builtin} ? 'builtin' : 'policy';
 	    progress_message "  $count ACCEPT rules deleted from $type chain $chainref->{name}" if $count;
 	} elsif ( $chainref->{builtin} ) {
@@ -2733,8 +2733,8 @@ sub source_exclusion( $$ ) {
 
     my $chainref = new_chain( $table , newexclusionchain( $table ) );
 
-    add_rule( $chainref, match_source_net( $_ ) . '-j RETURN' ) for @$exclusions;
-    add_jump( $chainref, $target, 1 );
+    add_irule( $chainref, j => 'RETURN', imatch_source_net( $_ ) ) for @$exclusions;
+    add_ijump( $chainref, g => $target );
 
     reftype $target ? $chainref : $chainref->{name};
 }
@@ -2748,8 +2748,8 @@ sub dest_exclusion( $$ ) {
 
     my $chainref = new_chain( $table , newexclusionchain( $table ) );
 
-    add_rule( $chainref, match_dest_net( $_ ) . '-j RETURN' ) for @$exclusions;
-    add_jump( $chainref, $target, 1 );
+    add_irule( $chainref, j => 'RETURN', imatch_dest_net( $_ ) ) for @$exclusions;
+    add_ijump( $chainref, g => $target );
 
     reftype $target ? $chainref : $chainref->{name};
 }
@@ -3956,13 +3956,13 @@ sub log_rule( $$$$ ) {
 #
 # If the destination chain exists, then at the end of the source chain add a jump to the destination.
 #
-sub addnatjump( $$$ ) {
-    my ( $source , $dest, $matches ) = @_;
+sub addnatjump( $$;@ ) {
+    my ( $source , $dest, @matches ) = @_;
 
     my $destref   = $nat_table->{$dest} || {};
 
     if ( $destref->{referenced} ) {
-	add_jump $nat_table->{$source} , $dest , 0, $matches;
+	add_ijump $nat_table->{$source} , j => $dest , @matches;
     } else {
 	clearrule;
     }
@@ -4766,7 +4766,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    #
 	    # Clear the exclusion bit
 	    #
-	    add_rule $chainref , '-j MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
+	    add_rule $chainref , j => 'MARK --and-mark ' . in_hex( $globals{EXCLUSION_MASK} ^ 0xffffffff );
 	    #
 	    # Mark packet if it matches any of the exclusions
 	    #

Shorewall/Perl/Shorewall/Misc.pm

@@ -1151,17 +1151,17 @@ sub add_interface_jumps {
     # Add Nat jumps
     #
     for my $interface ( @_ ) {
-	addnatjump 'POSTROUTING' , snat_chain( $interface ), match_dest_dev( $interface );
+	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
     }
 
-    addnatjump 'PREROUTING'  , 'nat_in'  , '';
-    addnatjump 'POSTROUTING' , 'nat_out' , '';
-    addnatjump 'PREROUTING', 'dnat', '';
+    addnatjump 'PREROUTING'  , 'nat_in';
+    addnatjump 'POSTROUTING' , 'nat_out';
+    addnatjump 'PREROUTING', 'dnat';
 
     for my $interface ( grep $_ ne '%vserver%', @_ ) {
-	addnatjump 'PREROUTING'  , input_chain( $interface )  , match_source_dev( $interface );
-	addnatjump 'POSTROUTING' , output_chain( $interface ) , match_dest_dev( $interface );
-	addnatjump 'POSTROUTING' , masq_chain( $interface ) , match_dest_dev( $interface );
+	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
+	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
+	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
     }
     #
     # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
@@ -1501,7 +1501,7 @@ sub generate_matrix() {
 				#
 				# The jump from the PREROUTING chain to dnat may not have been added above
 				# 
-				addnatjump 'PREROUTING', 'dnat', '' unless $preroutingref->{references}{PREROUTING};
+				addnatjump 'PREROUTING', 'dnat' unless $preroutingref->{references}{PREROUTING};
 			    }
 				
 			    check_optimization( $dnatref ) if @source;
@@ -1839,7 +1839,7 @@ sub setup_mss( ) {
 	#
 	# Send all forwarded SYN packets to the 'settcpmss' chain
 	#
-	add_jump $filter_table->{FORWARD} , $chainref, 0, '-p tcp --tcp-flags SYN,RST SYN ';
+	add_ijump $filter_table->{FORWARD} , j => $chainref, p => 'tcp --tcp-flags SYN,RST SYN';
 
 	my @in_match  = ();
 	my @out_match = ();

Shorewall/Perl/Shorewall/Nat.pm

@@ -413,22 +413,22 @@ sub setup_netmap() {
 
 	    for my $interface ( split_list $interfacelist, 'interface' ) {
 
-		my $rulein = '';
-		my $ruleout = '';
+		my @rulein;
+		my @ruleout;
 		my $iface = $interface;
 
 		fatal_error "Unknown interface ($interface)" unless my $interfaceref = known_interface( $interface );
 
 		unless ( $interfaceref->{root} ) {
-		    $rulein  = match_source_dev( $interface );
-		    $ruleout = match_dest_dev( $interface );
+		    @rulein  = imatch_source_dev( $interface );
+		    @ruleout = imatch_dest_dev( $interface );
 		    $interface = $interfaceref->{name};
 		}
 
 		if ( $type eq 'DNAT' ) {
-		    add_rule ensure_chain( 'nat' , input_chain $interface ) , $rulein   . match_source_net( $net3 ) . "-d $net1 -j NETMAP --to $net2";
+		    add_irule ensure_chain( 'nat' , input_chain $interface ) ,  j => "NETMAP --to $net2", @rulein  , imatch_source_net( $net3 ), d => $net1;
 		} elsif ( $type eq 'SNAT' ) {
-		    add_rule ensure_chain( 'nat' , output_chain $interface ) , $ruleout . match_dest_net( $net3 )   . "-s $net1 -j NETMAP --to $net2";
+		    add_irule ensure_chain( 'nat' , output_chain $interface ) , j => "NETMAP --to $net2", @ruleout , imatch_dest_net( $net3 ) ,  s => $net1;
 		} else {
 		    fatal_error "Invalid type ($type)";
 		}

Shorewall/Perl/Shorewall/Tc.pm

@@ -111,8 +111,6 @@ my  %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
 		    'tos-normal-service'       => '0x00/0x1e' );
 my  %classids;
 
-my  @deferred_rules;
-
 #
 # Perl version of Arn Bernin's 'tc4shorewall'.
 #
@@ -182,7 +180,6 @@ my $family;
 sub initialize( $ ) {
     $family   = shift;
     %classids = ();
-    @deferred_rules = ();
     @tcdevices = ();
     %tcdevices = ();
     @tcclasses = ();
@@ -1402,8 +1399,16 @@ sub setup_simple_traffic_shaping() {
 	clear_comment;
 
 	if ( $ipp2p ) {
-	    insert_rule1 $mangle_table->{tcpost} , 0 , '-m mark --mark 0/'   . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} );
-	    add_rule     $mangle_table->{tcpost} ,     '-m mark ! --mark 0/' . in_hex( $globals{TC_MASK} ) . ' -j CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} );
+	    insert_irule( $mangle_table->{tcpost} ,
+			  j => 'CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} ) ,
+			  0 ,
+			  mark => '--mark 0/'   . in_hex( $globals{TC_MASK} )
+			);
+
+	    add_irule( $mangle_table->{tcpost} ,
+		       j    => 'CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} ),
+		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} ) 
+		     );
 	}
     }
 }
@@ -1687,31 +1692,31 @@ sub setup_tc() {
 	    ensure_mangle_chain 'tcin';
 	}
 
-	my $mark_part = '';
+	my @mark_part;
 
 	if ( @routemarked_interfaces && ! $config{TC_EXPERT} ) {
-	    $mark_part = '-m mark --mark 0/' . in_hex( $globals{PROVIDER_MASK} ) . ' ';
+	    @mark_part = ( mark => '--mark 0/' . in_hex( $globals{PROVIDER_MASK} ) );
 
 	    unless ( $config{TRACK_PROVIDERS} ) {
 		#
 		# This is overloading TRACK_PROVIDERS a bit but sending tracked packets through PREROUTING is a PITA for users
 		#
 		for my $interface ( @routemarked_interfaces ) {
-		    add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, match_source_dev( $interface );
+		    add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', imatch_source_dev( $interface );
 		}
 	    }
 	}
 
-	add_jump $mangle_table->{PREROUTING} , 'tcpre', 0, $mark_part;
-	add_jump $mangle_table->{OUTPUT} ,     'tcout', 0, $mark_part;
+	add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', @mark_part;
+	add_ijump $mangle_table->{OUTPUT} ,     j => 'tcout', @mark_part;
 
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
 	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
 
-	    add_rule( $mangle_table->{FORWARD},     "-j MARK --set-mark 0${mask}" ) if $config{FORWARD_CLEAR_MARK};
-	    add_jump $mangle_table->{FORWARD} ,     'tcfor',  0;
-	    add_jump $mangle_table->{POSTROUTING} , 'tcpost', 0;
-	    add_jump $mangle_table->{INPUT} ,       'tcin' ,  0;
+	    add_irule $mangle_table->{FORWARD},      j => "MARK --set-mark 0${mask}" if $config{FORWARD_CLEAR_MARK};
+	    add_ijump $mangle_table->{FORWARD} ,     j => 'tcfor';
+	    add_ijump $mangle_table->{POSTROUTING} , j => 'tcpost';
+	    add_ijump $mangle_table->{INPUT} ,       j => 'tcin';
 	}
     }
 
@@ -1792,8 +1797,6 @@ sub setup_tc() {
 	    clear_comment;
 	}
 
-	add_rule ensure_chain( 'mangle' , 'tcpost' ), $_ for @deferred_rules;
-
 	handle_stickiness( $sticky );
     }
 }