Simplify Perl from actions even further.

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Rules.pm

@@ -2655,6 +2655,15 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     return 1;
 }
 
+#
+# Helper for the perl_action_xxx functions
+#
+sub merge_target( $$ ) {
+    my ( $ref, $target ) = @_;
+
+    $ref->{inline} ? $target : merge_levels( join( ':', @actparms{'chain','loglevel','logtag'}), $target );
+}
+
 #
 # May be called by Perl code in action bodies (regular and inline) to generate a rule.
 #
@@ -2668,18 +2677,18 @@ sub perl_action_helper($$;$) {
 
     $matches .= ' ' unless $matches =~ /^(?:.+\s)?$/;
 
-    if ( $inlines{$action} ) {
+    if ( my $ref = $inlines{$action} ) {
 	$result = &process_rule( $chainref,
 				 $matches,
 				 $actiontype || 0,
-				 $target,
+				 merge_target( $ref, $target ),
 				 '',                              # CurrentParam
 				 @columns );
     } else {
 	$result = process_rule( $chainref,
 				$matches,
 				$actiontype || 0,
-				$target,
+				merge_target( $actions{$action}, $target ),
 				'',                               # Current Param
 				'-',                              # Source
 				'-',                              # Dest
@@ -2697,6 +2706,7 @@ sub perl_action_helper($$;$) {
 				'-',                              # helper,
 				0,                                # Wildcard
 			      );
+	allow_optimize( $chainref );
     }
     #
     # Record that we generated a rule to avoid bogus warning
@@ -2722,11 +2732,11 @@ sub perl_action_tcp_helper($$) {
 	#
 	# For other protos, a 'no rule generated' warning will be issued
 	#
-	if ( $inlines{$action} ) {
+	if ( my $ref = $inlines{$action} ) {
 	    $result = &process_rule( $chainref,
 				     $proto,
 				     0,
-				     $target,
+				     merge_target( $ref, $target ),
 				     '',
 				     @columns[0,1],
 				     '-',
@@ -2736,7 +2746,7 @@ sub perl_action_tcp_helper($$) {
 	    $result = process_rule( $chainref,
 				    '',
 				    0,
-				    $target,
+				    merge_target( $actions{$action}, $target ),
 				    '',                               # Current Param
 				    '-',                              # Source
 				    '-',                              # Dest
@@ -2754,6 +2764,7 @@ sub perl_action_tcp_helper($$) {
 				    '-',                              # helper,
 				    0,                                # Wildcard
 				  );
+	    allow_optimize( $chainref );
 	}
 	#
 	# Record that we generated a rule to avoid bogus warning

Shorewall/action.Established

@@ -40,17 +40,11 @@ use Shorewall::Rules qw( process_rule1 );
 
 my ( $action ) = get_action_params( 1 );
 
-my ( $level, $tag ) = get_action_logging;
-
-$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-
 perl_action_helper(
 		   $action,                             # Target
 		   "$globals{STATEMATCH} ESTABLISHED",  # Matches
 		  );
 
-allow_optimize( get_action_chain );
-
 1;
 
 ?END PERL;

Shorewall/action.Invalid

@@ -45,17 +45,11 @@ if ( supplied $audit ) {
      $action = "A_$action";
 }    
 
-my ( $level, $tag ) = get_action_logging;
-
-$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-
 perl_action_helper(
 		   $action,                         # Target
 		   "$globals{STATEMATCH} INVALID",  # Matches
 		  );
 
-allow_optimize( get_action_chain);
-
 1;
 
 ?END PERL;

Shorewall/action.NotSyn

@@ -33,6 +33,7 @@ DEFAULTS DROP,-
 
 ?BEGIN PERL;
 
+use strict;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
@@ -45,16 +46,7 @@ if ( supplied $audit ) {
      $action = "A_$action";
 }    
 
-my ( $level, $tag )  = get_action_logging;
-
-$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-
-perl_action_tcp_helper(
-		       $action,
-		       '-p 6 ! --syn'
-		      );
-
-allow_optimize( get_action_chain );
+perl_action_tcp_helper( $action, '-p 6 ! --syn' );
 
 1;
 

Shorewall/action.RST

@@ -44,16 +44,7 @@ if ( supplied $audit ) {
      $action = "A_$action";
 }    
 
-my ( $level, $tag )  = get_action_logging;
-
-$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-
-perl_action_tcp_helper(
-		       $action,
-		       '-p 6 --tcp-flags RST RST'
-		      );
-
-allow_optimize( get_action_chain );
+perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
 
 1;
 

Shorewall/action.Related

@@ -41,17 +41,11 @@ use Shorewall::Rules qw( process_rule1 );
 
 my ( $action ) = get_action_params( 1 );
 
-my ( $level, $tag ) = get_action_logging;
-
-$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-
 perl_action_helper( 
 		   $action,                         # Target
 		   "$globals{STATEMATCH} RELATED",  # Matches
 		  );
 
-allow_optimize( get_action_chain );
-
 1;
 
 ?END PERL;

Shorewall/action.TCPFlags

@@ -17,43 +17,21 @@ DEFAULTS DROP,-
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
+use Shorewall::Rules;
 
-my ( $disposition, $audit ) = get_action_params( 2 );
+my ( $action, $audit ) = get_action_params( 2 );
 
 my $chainref        = get_action_chain;
 
-my ( $level, $tag ) = get_action_logging;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
+     $action = "A_$action";
+}    
 
-fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
-
-if ( $level ne '-' || $audit ne '-' ) {
-    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
-
-    log_rule_limit( $level,
-		    $logchainref,
-		    $chainref->{name},
-		    $disposition,
-		    '',
-		    $tag,
-		    'add',
-		    '' ) if $level;
-
-    if ( supplied $audit ) {
-	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
-	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
-	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
-    }
-
-    add_ijump( $logchainref, g => $disposition );
-
-    $disposition = $logchainref;
-}
-
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
-add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
+perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );
 
 ?END PERL;
 

Shorewall/actions.std

@@ -44,5 +44,5 @@ NotSyn      inline              # Handles TCP packets which do not have SYN=1 an
 Reject                          # Default Action for REJECT policy
 Related     inline              # Handles packets in the RELATED conntrack state
 RST	    inline              # Handle packets with RST set
-TCPFlags    noinline            # Handle bad flag combinations.
+TCPFlags    			# Handle bad flag combinations.
 Untracked   inline              # Handles packets in the UNTRACKED conntrack state

Shorewall6/actions.std

@@ -32,5 +32,5 @@ NotSyn	    inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy
 Related     inline              # Handles packets in the RELATED conntrack state
 RST	    inline              # Handle packets with RST set
-TCPFlags    noinline		# Handles bad flags combinations
+TCPFlags    			# Handles bad flags combinations
 Untracked   inline              # Handles packets in the UNTRACKED conntrack state