Cleanup of process_rules1() breakup

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Chains.pm

@@ -5763,7 +5763,6 @@ sub isolate_source_interface( $ ) {
     }
 
     ( $iiface, $inets );
-
 }
 
 #

Shorewall/Perl/Shorewall/Nat.pm

@@ -521,41 +521,35 @@ sub setup_netmap() {
 #
 # Called from process_rule1 to add a rule to the NAT table
 #
-sub handle_nat_rule( $$$$$$$$$$$$$ ) {
+sub handle_nat_rule( $$$$$$$$$$$$ ) {
     my ( $dest,           # <server>[:port]
 	 $proto,          # Protocol
 	 $ports,          # Destination port list
 	 $origdest,       # Original Destination
 	 $action_target,  # If the target is an action, the name of the log action chain to jump to
 	 $action,         # The Action
-	 $sourcezone,     # The Source Zone name
+	 $sourceref,      # Reference to the Source Zone's table entry in the Zones module
-	 $sourceref,      # Reference to the Soruce Zone's table entry in the Zones module
+	 $action_chain,   # Name of the action chain if the rule is in an action
-	 $chain,          # Name of the action chain if the rule is in an action
 	 $rule,           # Matches 
 	 $source,         # Source Address
-	 $loglevel,       # [ <level>[:<tag>]]
+	 $loglevel,       # [<level>[:<tag>]]
 	 $log_action,     # Action name to include in the log message
        ) = @_;
 
-    my ( $server, $serverport , $origdstports );
+    my ( $server, $serverport , $origdstports ) = ( '', '', '' );
     my $randomize = $dest =~ s/:random$// ? ' --random' : '';
 
     #
     # Isolate server port
     #
-    if ( $dest =~ /^(.*)(:(.+))$/ ) {
+    if ( $dest =~ /^(.*)(?::(.+))$/ ) {
 	#
 	# Server IP and Port
 	#
 	$server = $1;      # May be empty
-	$serverport = $3;  # Not Empty due to RE
+	$serverport = $2;  # Not Empty due to RE
-	$origdstports = $ports;
 
-	if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
+	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;
-	    $origdstports = validate_port( $proto, $origdstports );
-	} else {
-	    $origdstports = '';
-	}
 
 	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
 	    #
@@ -568,17 +562,11 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	} else {
 	    $serverport = $ports = validate_port( proto_name( $proto ), $serverport );
 	}
-    } elsif ( $dest eq ':' ) {
+    } elsif ( $dest ne ':' ) {
-	#
-	# Rule with no server IP or port ( zone:: )
-	#
-	$server = $serverport = '';
-    } else {
 	#
 	# Simple server IP address (may be empty or "-")
 	#
 	$server = $dest;
-	$serverport = '';
     }
     #
     # Generate the target
@@ -592,9 +580,9 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	if ( $origdest eq '' || $origdest eq '-' ) {
 	    $origdest = ALLIP;
 	} elsif ( $origdest eq 'detect' ) {
-	    fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $chain;
+	    fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $action_chain;
 
-	    if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
+	    if ( $config{DETECT_DNAT_IPADDRS} ) {
 		my $interfacesref = $sourceref->{interfaces};
 		my @interfaces = keys %$interfacesref;
 		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
@@ -605,21 +593,20 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
     } elsif ( $action_target ) {
 	fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
 	$target = $action_target;
-	$loglevel = '';
     } else {
 	if ( $server eq '' ) {
 	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
 	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
 	    validate_range( $1, $2 );
 	} else {
-	    unless ( $action_target && $server eq ALLIP ) {
+	    unless ( $server eq ALLIP ) {
 		my @servers = validate_address $server, 1;
 		$server = join ',', @servers;
 	    }
 	}
 
 	if ( $action eq 'DNAT' ) {
-	    $target = 'DNAT';
+	    $target = $action;
 	    if ( $server ) {
 		$serverport = ":$serverport" if $serverport;
 		for my $serv ( split /,/, $server ) {
@@ -631,7 +618,7 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 	}
 
 	unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
-	    if ( ! $chain && $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
+	    if ( ! $action_chain && $config{DETECT_DNAT_IPADDRS} ) {
 		my $interfacesref = $sourceref->{interfaces};
 		my @interfaces = keys %$interfacesref;
 		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
@@ -645,7 +632,11 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
     #
     # And generate the nat table rule(s)
     #
-    expand_rule ( ensure_chain ('nat' , $chain ? $chain : $sourceref->{type} == FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
+    expand_rule ( ensure_chain ('nat' ,
+				( $action_chain ?
+				  $action_chain :
+				  ( $sourceref->{type} == FIREWALL ? 'OUTPUT' : 
+				    dnat_chain $sourceref->{name} ) ) ),
 		  PREROUTE_RESTRICT ,
 		  $rule ,
 		  $source ,
@@ -663,8 +654,10 @@ sub handle_nat_rule( $$$$$$$$$$$$$ ) {
 #
 # Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
 #
-sub handle_nonat_rule( $$$$$$$$$$$ ) {
+sub handle_nonat_rule( $$$$$$$$$$ ) {
-    my ( $action, $source, $dest, $origdest, $sourcezone, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
+    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
+
+    my $sourcezone = $sourceref->{name};
     #
     # NONAT or ACCEPT+ may not specify a destination interface
     #

Shorewall/Perl/Shorewall/Rules.pm

@@ -2035,24 +2035,25 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	#
 	# Add the appropriate rule to the nat table
 	#
-	( $ports, $origdstports, $dest ) = handle_nat_rule( $dest,
+	( $ports,
-							    $proto,
+	  $origdstports,
-							    $ports,
+	  $dest ) = handle_nat_rule( $dest,
-							    $origdest,
+				     $proto,
-							    ($actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
+				     $ports,
-							    $action,
+				     $origdest,
-							    $sourcezone,
+				     ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
-							    $sourceref,
+				     $action,
-							    $inaction ? $chain : '',
+				     $sourceref,
-							    $rule,
+				     $inaction ? $chain : '',
-							    $source,
+				     $rule,
-							    $loglevel,
+				     $source,
-							    $log_action
+				     ( $actiontype & ACTION ) ? '' : $loglevel,
-							  );		 
+				     $log_action
+				   );		 
 	#
 	# After NAT:
 	#   - the destination port will be the server port ($ports) -- we did that above
-	#   - the destination IP   will be the server IP   ($dest)  -- also done above
+	#   - the destination IP will be the server IP   ($dest)  -- also done above
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
 	#
@@ -2076,7 +2077,6 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 			   $source,
 			   $dest,
 			   $origdest,
-			   $sourcezone,
 			   $sourceref,
 			   $inaction,
 			   $chain,

Shorewall/Perl/Shorewall/Zones.pm

@@ -483,7 +483,8 @@ sub process_zone( \$ ) {
 
     my $complex = 0;
 
-    my $zoneref = $zones{$zone} = { type       => $type,
+    my $zoneref = $zones{$zone} = { name       => $zone,
+				    type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,