Factor out invariant parts of a loop

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8071 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-14 19:54:06 +01:00 · 2008-01-15 19:02:00 +00:00 · 2008-01-15 19:02:00 +00:00 · 6b564e0eb3
commit 6b564e0eb3
parent d189364d9a
1 changed files with 32 additions and 29 deletions
--- a/Shorewall-perl/Shorewall/Nat.pm
+++ b/Shorewall-perl/Shorewall/Nat.pm
@ -120,6 +120,7 @@ sub setup_one_masq($$$$$$$)
    my $pre_nat;
    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
    my $destnets = '';
+    my $baserule = '';

    #
    # Leading '+'
@ -151,6 +152,33 @@ sub setup_one_masq($$$$$$$)
    $networks = ALLIPv4 if $networks eq '-';
    $destnets = ALLIPv4 if $destnets eq '-';
    
+    #
+    # Handle IPSEC options, if any
+    #
+    if ( $ipsec ne '-' ) {
+	fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless $globals{ORIGINAL_POLICY_MATCH};
+	
+	if ( $ipsec =~ /^yes$/i ) {
+	    $baserule .= '-m policy --pol ipsec --dir out ';
+	} elsif ( $ipsec =~ /^no$/i ) {
+	    $baserule .= '-m policy --pol none --dir out ';
+	} else {
+	    $baserule .= do_ipsec_options $ipsec;
+	}
+    } elsif ( $capabilities{POLICY_MATCH} ) {
+	$baserule .= '-m policy --pol none --dir out ';
+    }
+
+    #
+    # Handle Protocol and Ports
+    #
+    $baserule .= do_proto $proto, $ports, '';
+
+    #
+    # Handle Mark
+    #
+    $baserule .= do_test( $mark, 0xFF) if $mark ne '-';
+	
    for my $fullinterface (split /,/, $interfacelist ) {
 	my $rule = '';
 	my $target = '-j MASQUERADE ';
@ -171,31 +199,6 @@ sub setup_one_masq($$$$$$$)
 	fatal_error "Unknown interface ($interface)" unless find_interface( $interface )->{root};

 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);
-	#
-	# Handle IPSEC options, if any
-	#
-	if ( $ipsec ne '-' ) {
-	    fatal_error "Non-empty IPSEC column requires policy match support in your kernel and iptables"  unless $globals{ORIGINAL_POLICY_MATCH};
-	    
-	    if ( $ipsec =~ /^yes$/i ) {
-		$rule .= '-m policy --pol ipsec --dir out ';
-	    } elsif ( $ipsec =~ /^no$/i ) {
-		$rule .= '-m policy --pol none --dir out ';
-	    } else {
-		$rule .= do_ipsec_options $ipsec;
-	    }
-	} elsif ( $capabilities{POLICY_MATCH} ) {
-	    $rule .= '-m policy --pol none --dir out ';
-	}
-	
-	#
-	# Handle Protocol and Ports
-	#
-	$rule .= do_proto $proto, $ports, '';
-	#
-	# Handle Mark
-	#
-	$rule .= do_test( $mark, 0xFF) if $mark ne '-';

 	my $detectaddress = 0;
 	my $exceptionrule = '';
@ -261,7 +264,7 @@ sub setup_one_masq($$$$$$$)
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
-		     $rule ,
+		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
 		     '' ,