[pve-devel] [PATCH v4 firewall 13/13] remove ruleset_generate_match, ruleset_generate_action

Tom Weber pve at junkyard.4t2.com
Wed Oct 18 22:24:10 CEST 2017


ruleset_generate_match and ruleset_generate_action not used anymore

Signed-off-by: Tom Weber <pve at junkyard.4t2.com>
---
 src/PVE/Firewall.pm | 97 -----------------------------------------------------
 1 file changed, 97 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8d36175..c858b85 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1952,103 +1952,6 @@ sub ipt_rule_to_cmds {
     return @iptcmds;
 }
 
-sub ruleset_generate_match {
-    my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
-
-    return if defined($rule->{enable}) && !$rule->{enable};
-    return if $rule->{errors};
-
-    return $rule->{match} if defined $rule->{match};
-
-    die "unable to emit macro - internal error" if $rule->{macro}; # should not happen
-
-    my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}, 1) : 0;
-    my $nbsport = defined($rule->{sport}) ? parse_port_name_number_or_range($rule->{sport}, 0) : 0;
-
-    my @cmd = ();
-
-    push @cmd, "-i $rule->{iface_in}" if $rule->{iface_in};
-    push @cmd, "-o $rule->{iface_out}" if $rule->{iface_out};
-
-    my $source = $rule->{source};
-    my $dest = $rule->{dest};
-
-    push @cmd, ipt_gen_src_or_dst_match($source, 's', $ipversion, $cluster_conf, $fw_conf) if $source;
-    push @cmd, ipt_gen_src_or_dst_match($dest, 'd', $ipversion, $cluster_conf, $fw_conf) if $dest;
-
-    if (my $proto = $rule->{proto}) {
-	push @cmd, "-p $proto";
-
-	my $multiport = 0;
-	$multiport++ if $nbdport > 1;
-	$multiport++ if $nbsport > 1;
-
-	push @cmd, "--match multiport" if $multiport;
-
-	die "multiport: option '--sports' cannot be used together with '--dports'\n"
-	    if ($multiport == 2) && ($rule->{dport} ne $rule->{sport});
-
-	if ($rule->{dport}) {
-	    if ($proto eq 'icmp') {
-		# Note: we use dport to store --icmp-type
-		die "unknown icmp-type '$rule->{dport}'\n"
-		    if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
-		push @cmd, "-m icmp --icmp-type $rule->{dport}";
-	    } elsif ($proto eq 'icmpv6') {
-		# Note: we use dport to store --icmpv6-type
-		die "unknown icmpv6-type '$rule->{dport}'\n"
-		    if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
-		push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}";
-	    } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) {
-		die "protocol $proto does not have ports\n";
-	    } else {
-		if ($nbdport > 1) {
-		    if ($multiport == 2) {
-			push @cmd,  "--ports $rule->{dport}";
-		    } else {
-			push @cmd, "--dports $rule->{dport}";
-		    }
-		} else {
-		    push @cmd, "--dport $rule->{dport}";
-		}
-	    }
-	}
-
-	if ($rule->{sport}) {
-	    die "protocol $proto does not have ports\n"
-		 if !$PROTOCOLS_WITH_PORTS->{$proto};
-	    if ($nbsport > 1) {
-		push @cmd, "--sports $rule->{sport}" if $multiport != 2;
-	    } else {
-		push @cmd, "--sport $rule->{sport}";
-	    }
-	}
-    } elsif ($rule->{dport} || $rule->{sport}) {
-	die "destination port '$rule->{dport}', but no protocol specified\n" if $rule->{dport};
-	die "source port '$rule->{sport}', but no protocol specified\n" if $rule->{sport};
-    }
-
-    push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
-
-    return scalar(@cmd) ? join(' ', @cmd) : undef;
-}
-
-sub ruleset_generate_action {
-    my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
-
-    return $rule->{target} if defined $rule->{target};
-
-    my @cmd = ();
-
-    if (my $action = $rule->{action}) {
-	$action = $actions->{$action} if defined($actions->{$action});
-	$goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
-	push @cmd, $goto ? "-g $action" : "-j $action";
-    }
-
-    return scalar(@cmd) ? join(' ', @cmd) : undef;
-}
-
 sub ruleset_generate_rule {
     my ($ruleset, $chain, $ipversion, $rule, $cluster_conf, $fw_conf) = @_;
 
-- 
2.7.4




More information about the pve-devel mailing list