Allow setting chain variables

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -6439,7 +6439,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	log_rule_limit( $loglevel ,
 			$echainref ,
 			$chain,
-			$disposition eq 'reject' ? 'REJECT' : $disposition ,
+			$actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 			'' ,
 			$logtag ,
 			'add' ,
@@ -6484,7 +6484,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 
     my ( $iiface, $diface, $inets, $dnets, $iexcl, $dexcl, $onets , $oexcl, $trivialiexcl, $trivialdexcl ) = 
        ( '',      '',      '',     '',     '',     '',     '',      '',     '',            '' );
-    my  $chain = $chainref->{name};
+    my  $chain = $actparms{chain} || $chainref->{name};
     my $table = $chainref->{table};
     my ( $jump, $mac,  $targetref, $basictarget );
     our @ends = ();
@@ -6653,7 +6653,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 				       $loglevel ,
 				       $chainref ,
 				       $chain,
-				       $disposition eq 'reject' ? 'REJECT' : $disposition ,
+				       $actparms{disposition} || ( $disposition eq 'reject' ? 'REJECT' : $disposition ),
 				       '' ,
 				       $logtag ,
 				       'add' ,
@@ -6664,7 +6664,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 				       $loglevel ,
 				       $chainref ,
 				       $logname || $chain,
-				       $disposition,
+				       $actparms{disposition} || $disposition,
 				       '',
 				       $logtag,
 				       'add',
@@ -6681,7 +6681,12 @@ sub expand_rule( $$$$$$$$$$;$ )
 			# and jump to the log chain if all of the rule's conditions are met
 			#
 			add_expanded_jump( $chainref,
-					   logchain( $chainref, $loglevel, $logtag, $exceptionrule , $disposition, $target ),
+					   logchain( $chainref,
+						     $loglevel,
+						     $logtag,
+						     $exceptionrule,
+						     $actparms{disposition} || $disposition,
+						     $target ),
 					   1,
 					   $matches );
 		    }

Shorewall/Perl/Shorewall/Config.pm

@@ -59,7 +59,9 @@ our @EXPORT = qw(
 
 		 get_action_params
 		 get_action_chain
+		 get_action_chain_name
 		 get_action_logging
+		 get_action_disposition
 		 set_action_param
 
 		 have_capability
@@ -161,6 +163,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %helpers_map
 				       %helpers_enabled
 				       %helpers_aliases
+
+				       %actparms
 				       
 		                       F_IPV4
 		                       F_IPV6
@@ -483,7 +487,7 @@ our %compiler_params;
 # Action parameters
 #
 our %actparms;
-our $paramsmodified;
+our $parmsmodified;
 
 our $currentline;            # Current config file line image
 our $currentfile;            # File handle reference
@@ -638,7 +642,7 @@ sub initialize( $;$$) {
 		    EXPORT     => 0,
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
-		    VERSION    => "4.5.12-Beta3",
+		    VERSION    => "4.5.13-Beta1",
 		    CAPVERSION => 40512 ,
 		  );
     #
@@ -938,8 +942,8 @@ sub initialize( $;$$) {
 
     %compiler_params = ();
 
-    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => ''  );
+    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => ''  );
-    $paramsmodified = 0;
+    $parmsmodified = 0;
 
     %helpers_enabled = (
 			amanda       => 1,
@@ -2156,6 +2160,7 @@ sub evaluate_expression( $$$ ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
+	    $var = numeric_value( $var ) if $var;
 	    $val = $var ? $actparms{$var} : $chain;
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
@@ -2272,15 +2277,17 @@ sub process_compiler_directive( $$$$ ) {
 			   unless ( $omitting ) {
 			       directive_error( "Missing SET variable", $filename, $linenumber ) unless supplied $expression;
 			       ( my $var , $expression ) = split ' ', $expression, 2;
-			       directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^([$@])?([a-zA-Z]\w*)$/;
+			       directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^(\$)?([a-zA-Z]\w*)$/ || $var =~ /^(@)(\d+|[a-zA-Z]\w*)/;
 			       directive_error( "Missing SET expression"     , $filename, $linenumber) unless supplied $expression;
 
 			       if ( ( $1 || '' ) eq '@' ) {
-				   directive_error( "Invalid SET variable", $filename, $linenumber ) unless exists $actparms{$2};
+				   $var = numeric_value( $var ) if $var =~ /^\d/;
-				   $actparms{$2} = evaluate_expression ( $expression,
+				   $var = $2 || 'chain';
-									 $filename,
+				   directive_error( "Action variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
-									 $linenumber );
+				   my $val = $actparms{$var} = evaluate_expression ( $expression,
-				   $paramsmodified = 1;
+										     $filename,
+										     $linenumber );
+				   $parmsmodified = 1;
 			       } else {
 				   $variables{$1} = evaluate_expression( $expression,
 									 $filename,
@@ -2774,30 +2781,32 @@ sub embedded_perl( $ ) {
 # Push/pop action params
 #
 sub push_action_params( $$$$$ ) {
-    my @params = ( undef , split_list3( $_[1], 'parameter' ) );
+    my ( $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
+    my @parms = ( undef , split_list3( $parms , 'parameter' ) );
 
-    $actparms{modified} = $paramsmodified;
+    $actparms{modified} = $parmsmodified;
 
     my %oldparms = %actparms;
 
-    $paramsmodified = 0;
+    $parmsmodified = 0;
 
     %actparms = ();
 
-    for ( my $i = 1; $i < @params; $i++ ) {
+    for ( my $i = 1; $i < @parms; $i++ ) {
-	my $val = $params[$i];
+	my $val = $parms[$i];
 
 	$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
     }
 
-    $actparms{0}          = $_[0];
+    $actparms{0}           = $chainref;
-    $actparms{loglevel}   = $_[2];
+    $actparms{loglevel}    = $loglevel;
-    $actparms{logtag}     = $_[3];
+    $actparms{logtag}      = $logtag;
-    $actparms{caller}     = $_[4];
+    $actparms{caller}      = $caller;
+    $actparms{disposition} = '' if $chainref->{action};
     #
     # The Shorewall variable '@chain' has the non-word charaters removed
     #
-    ( $actparms{chain} = $_[0]->{name} ) =~ s/[^\w]//g;
+    ( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;
 
     \%oldparms;
 }
@@ -2807,10 +2816,10 @@ sub push_action_params( $$$$$ ) {
 # Return true of the popped parameters were modified
 #
 sub pop_action_params( $ ) {
-    my $oldparms    = shift;
+    my $oldparms       = shift;
-    %actparms       = %$oldparms;
+    %actparms          = %$oldparms;
-    my $return      = $paramsmodified;
+    my $return         = $parmsmodified;
-    ( $paramsmodified ) = delete $actparms{modified};
+    ( $parmsmodified ) = delete $actparms{modified};
     $return;
 }
 
@@ -2853,6 +2862,14 @@ sub get_action_chain() {
     $actparms{0};
 }
 
+sub get_action_chain_name() {
+    $actparms{chain};
+}
+
+sub get_action_disposition() {
+    $actparms{disposition};
+}
+
 sub set_action_param( $$ ) {
     my $i = shift;
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -1623,7 +1623,7 @@ sub process_action($$) {
 	}
 
 	process_rule1( $chainref,
-		       $nolog ? $target : merge_levels( "$action:$level:$tag", $target ),
+		       $nolog ? $target : merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $target ),
 		       '',
 		       $source,
 		       $dest,
@@ -1839,7 +1839,7 @@ sub process_inline ($$$$$$$$$$$$$$$$$$$$) {
 	    next;
 	}
 
-	$mtarget = merge_levels( $target, $mtarget ) unless $nolog;
+	$mtarget = merge_levels( join(':', @actparms{'chain','loglevel','logtag'}), $mtarget ) unless $nolog;
 
 	my $action = isolate_basic_target $mtarget;
 

docs/configuration_file_basics.xml

@@ -1802,6 +1802,10 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
     alias @chain), Shorewall variables may only be used within an action
     body.</para>
 
+    <para>Prior to Shorewall 4.5.13, Shorewall variables are read-only.
+    Beginning with Shorewall 4.5.13, their values may be altered using the
+    ?SET directive.</para>
+
     <para>The Shorewall variables are:</para>
 
     <variablelist>
@@ -1842,7 +1846,22 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
           invoked.</para>
         </listitem>
       </varlistentry>
+
+      <varlistentry>
+        <term>@disposition (@{disposition})</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. When a non-inlined action is
+          entered, this variable is set to the empty value. When an inline
+          action is entered, the variable's value is unchanged.</para>
+        </listitem>
+      </varlistentry>
     </variablelist>
+
+    <para>Beginning with Shorewall 4.5.13, the values of @chain and
+    @disposition are used to generated the --log-prefix in logging rules. When
+    either is empty, the historical value is used to generate the
+    --log-prefix. </para>
   </section>
 
   <section id="Conditional">