Add infrastructure to delete the %usedactions entry for an action chain if

the chain parameters are modified. Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-06-30 14:42:01 +02:00 · 2013-01-18 14:54:57 -08:00
parent 4587430e4a
commit 95aab78c0d
2 changed files with 83 additions and 61 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -483,6 +483,7 @@ our %compiler_params;
 # Action parameters
 #
 our %actparms;
 our $paramsmodified;
 our $currentline;            # Current config file line image
 our $currentfile;            # File handle reference
@ -938,6 +939,7 @@ sub initialize( $;$$) {
    %compiler_params = ();
    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => ''  );
    $paramsmodified = 0;
    %helpers_enabled = (
 			amanda       => 1,
@ -2762,9 +2764,14 @@ sub embedded_perl( $ ) {
 #
 # Push/pop action params
 #
-sub push_action_params( $$$$ ) {
+sub push_action_params( $$$$$ ) {
    my @params = ( undef , split_list3( $_[1], 'parameter' ) );
-    my %oldparams = %actparms;
+
    $actparms{modified} = $paramsmodified;
    my %oldparms = %actparms;
    $paramsmodified = 0;
    %actparms = ();
@ -2777,17 +2784,25 @@ sub push_action_params( $$$$ ) {
    $actparms{0}          = $_[0];
    $actparms{loglevel}   = $_[2];
    $actparms{logtag}     = $_[3];
    $actparms{caller}     = $_[4];
    #
    # The Shorewall variable '@chain' has the non-word charaters removed
    #
    ( $actparms{chain} = $_[0]->{name} ) =~ s/[^\w]//g;
-    \%oldparams;
+    \%oldparms;
 }
 #
 # Pop the action parameters using the passed hash reference
 # Return true of the popped parameters were modified
 #
 sub pop_action_params( $ ) {
-    my $oldparms = shift;
+    my $oldparms    = shift;
-    %actparms = %$oldparms;
+    %actparms       = %$oldparms;
    my $return      = $paramsmodified;
    ( $paramsmodified ) = delete $actparms{modified};
    $return;
 }
 sub default_action_params {
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -1574,81 +1574,86 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );
 # Populate an action invocation chain. As new action tuples are encountered,
 # the function will be called recursively by process_rule1().
 #
-sub process_action($) {
+sub process_action($$) {
-    my $chainref = shift;
+    my ( $chainref, $caller ) = @_;
    my $wholeaction = $chainref->{action};
    my ( $action, $level, $tag, $param ) = split /:/, $wholeaction, 4;
    if ( $targets{$action} & BUILTIN ) {
 	$level = '' if $level =~ /none!?/;
 	$builtinops{$action}->( $chainref, $level, $tag, $param );
-    } else {
+	return 0;
-	my $actionfile = find_file "action.$action";
+    } 
-	fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
+    my $actionfile = find_file "action.$action";
-	progress_message2 "$doing $actionfile for chain $chainref->{name}...";
+    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
-	push_open $actionfile, 2, 1;
+    progress_message2 "$doing $actionfile for chain $chainref->{name}...";
-	my $oldparms = push_action_params( $chainref, $param, $level, $tag );
+    push_open $actionfile, 2, 1;
-	my $nolog = $actions{$action}{nolog};
+    my $oldparms = push_action_params( $chainref, $param, $level, $tag, $caller );
-	$active{$action}++;
+    my $nolog = $actions{$action}{nolog};
 	push @actionstack, $wholeaction;
-	my $save_comment = push_comment;
+    $active{$action}++;
    push @actionstack, $wholeaction;
-	while ( read_a_line( NORMAL_READ ) ) {
+    my $save_comment = push_comment;
-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
+    while ( read_a_line( NORMAL_READ ) ) {
-	    if ( $file_format == 1 ) {
+	my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
 		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
 		    split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
 		$origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	    } else {
 		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
 		    = split_line1 'action file', \%rulecolumns, $action_commands;
 	    }
-	    fatal_error 'TARGET must be specified' if $target eq '-';
+	if ( $file_format == 1 ) {
-
+	    ($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
-	    if ( $target eq 'DEFAULTS' ) {
+		split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
-		default_action_params( $action, split_list $source, 'defaults' ), next if $file_format == 2;
+	    $origdest = $connlimit = $time = $headers = $condition = $helper = '-';
-		fatal_error 'DEFAULTS only allowed in FORMAT-2 actions';
+	} else {
-	    }
+	    ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
-
+		= split_line1 'action file', \%rulecolumns, $action_commands;
 	    process_rule1( $chainref,
 			   $nolog ? $target : merge_levels( "$action:$level:$tag", $target ),
 			   '',
 			   $source,
 			   $dest,
 			   $proto,
 			   $ports,
 			   $sports,
 			   $origdest,
 			   $rate,
 			   $user,
 			   $mark,
 			   $connlimit,
 			   $time,
 			   $headers,
 			   $condition,
 			   $helper,
 			   0 );
 	}
-	pop_comment( $save_comment );
+	fatal_error 'TARGET must be specified' if $target eq '-';
-	$active{$action}--;
+	if ( $target eq 'DEFAULTS' ) {
-	pop @actionstack;
+	    default_action_params( $action, split_list $source, 'defaults' ), next if $file_format == 2;
 	    fatal_error 'DEFAULTS only allowed in FORMAT-2 actions';
 	}
-	pop_open;
+	process_rule1( $chainref,
-
+		       $nolog ? $target : merge_levels( "$action:$level:$tag", $target ),
-	pop_action_params( $oldparms );
+		       '',
 		       $source,
 		       $dest,
 		       $proto,
 		       $ports,
 		       $sports,
 		       $origdest,
 		       $rate,
 		       $user,
 		       $mark,
 		       $connlimit,
 		       $time,
 		       $headers,
 		       $condition,
 		       $helper,
 		       0 );
    }
    pop_comment( $save_comment );
    $active{$action}--;
    pop @actionstack;
    pop_open;
    #
    # Pop the action parameters and delete record of this chain if the action parameters
    # were modified
    #
    delete $usedactions{$wholeaction} if pop_action_params( $oldparms );
 }
 #
@ -1657,7 +1662,7 @@ sub process_action($) {
 sub use_policy_action( $ ) {
    my $ref = use_action( $_[0] );
-    process_action( $ref ) if $ref;
+    process_action( $ref, 'POLICY' ) if $ref; 
 }
 ################################################################################
@ -1797,7 +1802,9 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
    my $oldparms   = push_action_params( $chainref,
 					 $param,
 					 supplied $level ? $level : 'none',
-					 defined  $tag   ? $tag   : '');
+					 defined  $tag   ? $tag   : '' ,
 					 $chainref->{name} ,
 				       );
    my $inlinefile = $inlines{$inline}{file};
    my $nolog      = $inlines{$inline}{nolog};
@ -2288,7 +2295,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    #
 	    # First reference to this tuple
 	    #
-	    process_action( $ref );
+	    process_action( $ref, $chain );
 	    #
 	    # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
 	    #