Eliminate superfluous test

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -3566,7 +3566,7 @@ blacklist_command() {
 		if [ $VERBOSITY -gt 1 ]; then
 		    echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " src " ); }; { print; }'
 		else
-		    echo "$message" | head -n1 | sed '/^.*: //; s/ / src /'
+		    echo "$message" | head -n1 | sed 's/^.*: //; s/ / src /'
 		fi
 	    fi
 
@@ -3576,7 +3576,7 @@ blacklist_command() {
 		    if [ $VERBOSITY -gt 1 ]; then
 			echo "$message" | awk '/have been deleted/ { sub( /^.*: /, "" ); sub( / /,  " dst " ); }; { print; }'
 		    else
-			echo "$message" | head -n1 | sed '/^.*: //; s/ / dst /'
+			echo "$message" | head -n1 | sed 's/^.*: //; s/ / dst /'
 		    fi
 		fi
 	    fi

Shorewall/Perl/Shorewall/Chains.pm

@@ -2747,11 +2747,13 @@ sub accounting_chainrefs() {
     grep $_->{accounting} , values %$filter_table;
 }
 
-sub ensure_mangle_chain($) {
-    my $chain = $_[0];
+sub ensure_mangle_chain($;$$) {
+    my ( $chain, $number, $restriction ) = @_;
 
     my $chainref = ensure_chain 'mangle', $chain;
-    $chainref->{referenced} = 1;
+    $chainref->{referenced}  = 1;
+    $chainref->{chainnumber} = $number if $number;
+    $chainref->{restriction} = $restriction if $restriction;
     $chainref;
 }
 
@@ -7273,6 +7275,7 @@ sub isolate_dest_interface( $$$$ ) {
     my ( $diface, $dnets );
 
     if ( ( $restriction & PREROUTE_RESTRICT ) && $dest =~ /^detect:(.*)$/ ) {
+	my $niladdr = NILIP;
 	#
 	# DETECT_DNAT_IPADDRS=Yes and we're generating the nat rule
 	#
@@ -7289,14 +7292,14 @@ sub isolate_dest_interface( $$$$ ) {
 
 	    push_command( $chainref , "for address in $list; do" , 'done' );
 
-	    push_command( $chainref , 'if [ $address != 0.0.0.0 ]; then' , 'fi' ) if $optional;
+	    push_command( $chainref , "if [ \$address != $niladdr ]; then" , 'fi' ) if $optional;
 
 	    $rule .= '-d $address ';
 	} else {
 	    my $interface = $interfaces[0];
 	    my $variable  = get_interface_address( $interface );
 
-	    push_command( $chainref , "if [ $variable != 0.0.0.0 ]; then" , 'fi') if interface_is_optional( $interface );
+	    push_command( $chainref , "if [ $variable != $niladdr ]; then" , 'fi') if interface_is_optional( $interface );
 
 	    $rule .= "-d $variable ";
 	}
@@ -8265,6 +8268,7 @@ EOF
 
 sub ensure_ipsets( @ ) {
     my $set;
+    my $counters = have_capability( 'IPSET_MATCH_COUNTERS' ) ? ' counters' : '';
 
     if ( $globals{DBL_TIMEOUT} ne '' && $_[0] eq $globals{DBL_IPSET} ) {
 	shift;
@@ -8277,12 +8281,12 @@ sub ensure_ipsets( @ ) {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT} counters) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET}  hash:net family inet timeout $globals{DBL_TIMEOUT}${counters}) );
 	} else {
 	    emit(  q(    #),
 		   q(    # Set the timeout for the dynamic blacklisting ipset),
 		   q(    #),
-		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT} counters) );
+		  qq(    \$IPSET -exist create $globals{DBL_IPSET} hash:net family inet6 timeout $globals{DBL_TIMEOUT}${counters}) );
 	}
 
 	pop_indent;
@@ -8303,19 +8307,19 @@ sub ensure_ipsets( @ ) {
 	if ( $family == F_IPV4 ) {
 	    if ( have_capability 'IPSET_V5' ) {
 		emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
-		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		       qq(        \$IPSET create $set hash:net family inet timeout 0 counters) ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
+		       qq(        \$IPSET create $set hash:net family inet timeout 0${counters}) ,
 		       qq(    fi) );
 	    } else {
 		emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
-		       qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+		       qq(        error_message "WARNING: ipset $set does not exist; creating it as a iphash set") ,
 		       qq(        \$IPSET -N $set iphash) ,
 		       qq(    fi) );
 	    }
 	} else {
 	    emit ( qq(    if ! qt \$IPSET list $set -n; then) ,
-		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
-		   qq(        \$IPSET create $set hash:net family inet6 timeout 0 counters) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as a hash:net set") ,
+		   qq(        \$IPSET create $set hash:net family inet6 timeout 0${counters}) ,
 		   qq(    fi) );
 	}
 

Shorewall/Perl/Shorewall/Config.pm

@@ -4544,11 +4544,11 @@ sub IPSet_Match() {
 }
 
 sub IPSet_Match_Nomatch() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_NOMATCH};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_NOMATCH};
 }
 
 sub IPSet_Match_Counters() {
-    have_capability 'IPSET_MATCH' && $capabilities{IPSET_MATCH_COUNTERS};
+    have_capability( 'IPSET_MATCH' ) && $capabilities{IPSET_MATCH_COUNTERS};
 }
 
 sub IPSET_V5() {

Shorewall/Perl/Shorewall/IPAddrs.pm

@@ -436,7 +436,7 @@ sub validate_portpair( $$ ) {
     #
     # Accept '-' as a port-range separator
     #
-    $pair =~ tr/-/:/;
+    $pair =~ tr/-/:/ if $pair =~ /^[-0-9]+$/;
 
     fatal_error "Invalid port range ($portpair)" if $pair =~ tr/:/:/ > 1;
 

Shorewall/Perl/Shorewall/Misc.pm

@@ -134,12 +134,12 @@ sub setup_ecn()
 	    for my $interface ( @interfaces ) {
 		my $chainref = ensure_chain 'mangle', ecn_chain( $interface );
 
-		add_ijump $mangle_table->{POSTROUTING} , j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
-		add_ijump $mangle_table->{OUTPUT},       j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface );
+		add_ijump_extended $mangle_table->{POSTROUTING} , j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface ) if have_capability 'MANGLE_FORWARD';
+		add_ijump_extended $mangle_table->{OUTPUT},       j => $chainref, $interfaces{$interface}, p => 'tcp', imatch_dest_dev( $interface );
 	    }
 
 	    for my $host ( @hosts ) {
-		add_ijump( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
+		add_ijump_extended( $mangle_table->{ecn_chain $host->[0]}, j => 'ECN', $host->[1], targetopts => '--ecn-tcp-remove', p => 'tcp',  imatch_dest_net( $host->[2] ) );
 	    }
 	}
     }

Shorewall/Perl/Shorewall/Rules.pm

@@ -3958,14 +3958,14 @@ sub process_mangle_inline( $$$$$$$$$$$$$$$$$$$ ) {
 	}
 
 	$msource = $source if $msource eq '-';
-	$mdest   = $dest   if $msource eq '-';
+	$mdest   = $dest   if $mdest   eq '-';
 	$mprotos = $protos if $mprotos eq '-';
 
 	for my $proto (split_list( $mprotos, 'Protocol' ) ) {
 	    process_mangle_rule1( $chainref,
 				  $moriginalmark,
 				  $msource,
-				  $dest,
+				  $mdest,
 				  $proto,
 				  merge_macro_column( $mports,          $ports ),
 				  merge_macro_column( $msports,         $sports ),
@@ -4098,11 +4098,13 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 
 	    my $chainref = ensure_chain( 'mangle', $chain = $chainnames{$chain} );
 
+	    $restriction |= $chainref->{restriction};
+
 	    for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
 		my $match = "-m statistic --mode nth --every $marks --packet $packet ";
 
 		expand_rule( $chainref,
-			     $restrictions{$chain} | $restriction,
+			     $restriction,
 			     $prerule ,
 			     $match .
 			     do_user( $user ) .
@@ -4845,8 +4847,10 @@ sub process_mangle_rule1( $$$$$$$$$$$$$$$$$$ ) {
 	    $chainref = ensure_chain( 'mangle', $chainnames{$chain} );
 	}
 
+	$restriction |= $chainref->{restriction};
+
 	if ( ( my $result = expand_rule( $chainref ,
-					 ( $restrictions{$chain} || 0 ) | $restriction,
+					 $restriction,
 					 $prerule,
 					 do_proto( $proto, $ports, $sports) . $matches .
 					 do_user( $user ) .

Shorewall/Perl/Shorewall/Tc.pm

@@ -827,7 +827,7 @@ sub validate_tc_class( ) {
 		fatal_error "Invalid 'occurs' ($val)"                               unless defined $occurs && $occurs > 1 && $occurs <= 256;
 		fatal_error "Invalid 'occurs' ($val)"                               if $occurs > $globals{TC_MAX};
 		fatal_error q(Duplicate 'occurs')                                   if $tcref->{occurs} > 1;
-		fatal_error q(The 'occurs' option is not valid with 'default')      if $devref->{default} == $classnumber;
+               fatal_error q(The 'occurs' option is not valid with 'default')      if defined($devref->{default}) && $devref->{default} == $classnumber;
 		fatal_error q(The 'occurs' option is not valid with 'tos')          if @{$tcref->{tos}};
 		warning_message "MARK ($mark) is ignored on an occurring class"     if $mark ne '-';
 
@@ -1308,6 +1308,8 @@ sub handle_ematch( $$ ) {
 
     $setname =~ s/\+//;
 
+    add_ipset($setname);
+
     return "ipset\\($setname $options\\)";
 }
 
@@ -1518,7 +1520,7 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 	$rule .= ' and' if $have_rule;
 
 	if ( $source =~ /^\+/ ) {
-	    $rule = join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
+	    $rule .= join( '', "\\\n   ", handle_ematch( $source, 'src' ) );
 	} else {
 	    my @parts = decompose_net_u32( $source );
 
@@ -1557,9 +1559,9 @@ sub process_tc_filter2( $$$$$$$$$ ) {
 		    $rule .= ' and' if @parts;
 		}
 	    }
-
-	    $have_rule = 1;
 	}
+
+	$have_rule = 1;
     }
 
     if ( $have_rule ) {
@@ -2276,13 +2278,13 @@ sub setup_tc( $ ) {
     $convert = $_[0];
 
     if ( $config{MANGLE_ENABLED} ) {
-	ensure_mangle_chain 'tcpre';
-	ensure_mangle_chain 'tcout';
+	ensure_mangle_chain( 'tcpre', PREROUTING, PREROUTE_RESTRICT );
+	ensure_mangle_chain( 'tcout', OUTPUT    , OUTPUT_RESTRICT );
 
 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    ensure_mangle_chain 'tcfor';
-	    ensure_mangle_chain 'tcpost';
-	    ensure_mangle_chain 'tcin';
+	    ensure_mangle_chain( 'tcfor',  FORWARD    , NO_RESTRICT );
+	    ensure_mangle_chain( 'tcpost', POSTROUTING, POSTROUTE_RESTRICT );
+	    ensure_mangle_chain( 'tcin',   INPUT      , INPUT_RESTRICT );
 	}
 
 	my @mark_part;

Shorewall/manpages/shorewall.conf.xml

@@ -798,7 +798,7 @@
                 <para>Normally, only packets whose source address matches an
                 entry in the ipset are dropped. If <option>src-dst</option> is
                 included, then packets whose destination address matches an
-                entry in the ipset are also dropped. </para>
+                entry in the ipset are also dropped.</para>
               </listitem>
             </varlistentry>
 
@@ -920,7 +920,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           an administrative system in directories containing the
           configurations of remote firewalls. The contents of the variable are
           the default value for the <replaceable>system</replaceable>
-          parameter to the <command>remote-reload</command> and
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
           <command>remote-restart</command> commands.</para>
         </listitem>
       </varlistentry>

Shorewall6/manpages/shorewall6.conf.xml

@@ -647,7 +647,7 @@
           is SW_DBL6 and the default log level is <option>none</option> (no
           logging). if <option>ipset-only</option> is given, then chain-based
           dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
-          had been specified. </para>
+          had been specified.</para>
 
           <para>Possible <replaceable>option</replaceable>s are:</para>
 
@@ -781,7 +781,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net-all'
           an administrative system in directories containing the
           configurations of remote firewalls. The contents of the variable are
           the default value for the <replaceable>system</replaceable>
-          parameter to the <command>remote-reload</command> and
+          parameter to the <command>remote-start</command>,
+          <command>remote-reload</command> and
           <command>remote-restart</command> commands.</para>
         </listitem>
       </varlistentry>

docs/configuration_file_basics.xml

@@ -2621,7 +2621,8 @@ DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100<
     "!4000:4100").</para>
 
     <para>Beginning with Shorewall 5.0.14, a hyphen ("-") may also be used to
-    separate the two port numbers.</para>
+    separate the two port numbers; when using service names, the colon must
+    still be used.</para>
 
     <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DPORT
 DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000-4100</emphasis></programlisting>