From ec94ed638ef5a38a56aac0833b2a05f6e4ae43bd Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sat, 5 Sep 2009 08:43:14 -0700
Subject: [PATCH] Better modularization of Chains and Actions
---
 Shorewall/Perl/Shorewall/Actions.pm | 15 ++++++++-----
 Shorewall/Perl/Shorewall/Chains.pm | 34 +++++++++--------------------
 Shorewall/changelog.txt | 9 +++++---
 3 files changed, 26 insertions(+), 32 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Actions.pm b/Shorewall/Perl/Shorewall/Actions.pm
index 64432c002..c5b4b5e71 100644
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -413,8 +413,9 @@ sub process_macro1 ( $$ ) {
 #
 # The functions process_actions1-3() implement the three phases of action processing.
 #
-# The first phase (process_actions1) occurs before the rules file is processed. ${SHAREDIR}/actions.std
-# and ${CONFDIR}/actions are scanned (in that order) and for each action:
+# The first phase (process_actions1) occurs before the rules file is processed. The builtin-actions are added
+# to the target table (%Shorewall::Chains::targets) and actions table, then ${SHAREDIR}/actions.std and
+# ${CONFDIR}/actions are scanned (in that order). For each action:
 #
 # a) The related action definition file is located and scanned.
 # b) Forward and unresolved action references are trapped as errors.
@@ -476,9 +477,13 @@ sub process_action1 ( $$ ) {
 sub process_actions1() {
 
 progress_message2 "Preprocessing Action Files...";
-
- for my $act ( grep $targets{$_} & ACTION , keys %targets ) {
- new_action $act;
+ #
+ # Add built-in actions to the target table and create those actions
+ #
+ if ( $family == F_IPV4 ) {
+ $targets{$_} = ACTION + BUILTIN, new_action $_ for qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid allowinUPnP forwardUPnP Limit/;
+ } else {
+ $targets{$_} = ACTION + BUILTIN, new_action $_ for qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
 }
 
 for my $file ( qw/actions.std actions/ ) {
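Review bot: The two new loop lines in process_actions1 fold two side-effecting statements into a single statement-modifier loop via the comma operator (`$targets{$_} = ACTION + BUILTIN, new_action $_ for qw/.../;`), which reads as one expression and duplicates the six family-independent action names across the IPv4 and IPv6 branches. A shared list plus a block `for` keeps the name list in one place and makes the two side effects explicit, as below. Because these names are no longer seeded by initialize_chain_table, anything that consults %targets for them between that call and process_actions1 would now miss them, so the call order is worth confirming; the new code also relies on BUILTIN being exported by Chains.pm, whereas the old code here only used ACTION. The body of process_actions1 continues past the end of the hunk.
```perl
    # Add built-in actions to the target table and create those actions.
    # The UPnP helpers and Limit exist only for IPv4.
    my @builtins = qw/dropBcast allowBcast dropNotSyn rejNotSyn dropInvalid allowInvalid/;
    push @builtins, qw/allowinUPnP forwardUPnP Limit/ if $family == F_IPV4;

    for my $act ( @builtins ) {
	$targets{$act} = ACTION + BUILTIN;
	new_action $act;
    }
    # … unchanged: scan of actions.std and actions …
```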
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 2c280cc73..8e1b41208 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -165,7 +165,7 @@ our %EXPORT_TAGS = (
 
 Exporter::export_ok_tags('internal');
 
-our $VERSION = '4.4_1';
+our $VERSION = '4.4_2';
 
 #
 # Chain Table
@@ -916,15 +916,17 @@ sub ensure_filter_chain( $$ )
 
 my $chainref = ensure_chain 'filter', $chain;
 
- if ( $populate and ! $chainref->{referenced} ) {
- if ( $section eq 'NEW' or $section eq 'DONE' ) {
- finish_chain_section $chainref , 'ESTABLISHED,RELATED';
- } elsif ( $section eq 'RELATED' ) {
- finish_chain_section $chainref , 'ESTABLISHED';
+ unless ( $chainref->{referenced} ) {
+ if ( $populate ) {
+ if ( $section eq 'NEW' or $section eq 'DONE' ) {
+ finish_chain_section $chainref , 'ESTABLISHED,RELATED';
+ } elsif ( $section eq 'RELATED' ) {
+ finish_chain_section $chainref , 'ESTABLISHED';
+ }
 }
- }
 
- $chainref->{referenced} = 1;
+ $chainref->{referenced} = 1;
+ }
 
 $chainref;
 }
@@ -1018,7 +1020,6 @@ sub ensure_manual_chain($) {
 # Add all builtin chains to the chain table -- it is separate from initialize() because it depends on capabilities and configuration.
 # The function also initializes the target table with the pre-defined targets available for the specfied address family.
 #
-#
 sub initialize_chain_table()
 {
 if ( $family == F_IPV4 ) {
@@ -1045,15 +1046,6 @@ sub initialize_chain_table()
 'QUEUE!' => STANDARD,
 'NFQUEUE' => STANDARD + NFQ,
 'NFQUEUE!' => STANDARD + NFQ,
- 'dropBcast' => BUILTIN + ACTION,
- 'allowBcast' => BUILTIN + ACTION,
- 'dropNotSyn' => BUILTIN + ACTION,
- 'rejNotSyn' => BUILTIN + ACTION,
- 'dropInvalid' => BUILTIN + ACTION,
- 'allowInvalid' => BUILTIN + ACTION,
- 'allowinUPnP' => BUILTIN + ACTION,
- 'forwardUPnP' => BUILTIN + ACTION,
- 'Limit' => BUILTIN + ACTION,
 );
 
 for my $chain qw(OUTPUT PREROUTING) {
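Review bot: The rewritten `unless ( $chainref->{referenced} )` block in ensure_filter_chain still carries no comment that the conntrack-state preamble is emitted only on a chain's first reference, and that a first call with `$populate` false marks the chain referenced so a later call with `$populate` true adds no state rules at all — the same behaviour the old `if ( $populate and ! $chainref->{referenced} )` plus unconditional flag had, but the new nesting invites a reader to assume the populate decision is revisited. I would add above the `unless`: `# First reference decides: the ESTABLISHED/RELATED rules (or none, when !$populate) are chosen from $section now and never added later.` The sub begins before the hunk, so its parameters are not visible here.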
@@ -1095,12 +1087,6 @@ sub initialize_chain_table()
 'QUEUE!' => STANDARD,
 'NFQUEUE' => STANDARD + NFQ,
 'NFQUEUE!' => STANDARD + NFQ,
- 'dropBcast' => BUILTIN + ACTION,
- 'allowBcast' => BUILTIN + ACTION,
- 'dropNotSyn' => BUILTIN + ACTION,
- 'rejNotSyn' => BUILTIN + ACTION,
- 'dropInvalid' => BUILTIN + ACTION,
- 'allowInvalid' => BUILTIN + ACTION,
 );
 
 for my $chain qw(OUTPUT PREROUTING) {
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index d739dfb56..c90e43d07 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,10 +1,13 @@
 Changes in Shorewall 4.4.2
 
-1) Correct detection of Persistent SNAT support
+1) BUGFIX: Correct detection of Persistent SNAT support
 
-2) Fix chain table initialization
+2) BUGFIX: Fix chain table initialization
 
-3) Validate routestopped file on 'check'
+3) BUGFIX: Validate routestopped file on 'check'
+
+4) Let the Actions module add the builtin actions to
+ %Shorewall::Chains::targets. Much better modularization that way.
 
 Changes in Shorewall 4.4.1