From: Tom Weber Date: Wed, 18 Oct 2017 20:24:10 +0000 (+0200) Subject: remove ruleset_generate_match, ruleset_generate_action X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=bf2fa11471823124b257321617924aa6811aecdf;p=pve-firewall.git remove ruleset_generate_match, ruleset_generate_action ruleset_generate_match and ruleset_generate_action not used anymore Signed-off-by: Tom Weber
---
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8d36175..c858b85 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1952,103 +1952,6 @@ sub ipt_rule_to_cmds {
 return @iptcmds;
 }
-sub ruleset_generate_match {
- my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
-
- return if defined($rule->{enable}) && !$rule->{enable};
- return if $rule->{errors};
-
- return $rule->{match} if defined $rule->{match};
-
- die "unable to emit macro - internal error" if $rule->{macro}; # should not happen
-
- my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}, 1) : 0;
- my $nbsport = defined($rule->{sport}) ? parse_port_name_number_or_range($rule->{sport}, 0) : 0;
-
- my @cmd = ();
-
- push @cmd, "-i $rule->{iface_in}" if $rule->{iface_in};
- push @cmd, "-o $rule->{iface_out}" if $rule->{iface_out};
-
- my $source = $rule->{source};
- my $dest = $rule->{dest};
-
- push @cmd, ipt_gen_src_or_dst_match($source, 's', $ipversion, $cluster_conf, $fw_conf) if $source;
- push @cmd, ipt_gen_src_or_dst_match($dest, 'd', $ipversion, $cluster_conf, $fw_conf) if $dest;
-
- if (my $proto = $rule->{proto}) {
- push @cmd, "-p $proto";
-
- my $multiport = 0;
- $multiport++ if $nbdport > 1;
- $multiport++ if $nbsport > 1;
-
- push @cmd, "--match multiport" if $multiport;
-
- die "multiport: option '--sports' cannot be used together with '--dports'\n"
- if ($multiport == 2) && ($rule->{dport} ne $rule->{sport});
-
- if ($rule->{dport}) {
- if ($proto eq 'icmp') {
- # Note: we use dport to store --icmp-type
- die "unknown icmp-type '$rule->{dport}'\n"
- if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
- push @cmd, "-m icmp --icmp-type $rule->{dport}";
- } elsif ($proto eq 'icmpv6') {
- # Note: we use dport to store --icmpv6-type
- die "unknown icmpv6-type '$rule->{dport}'\n"
- if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
- push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}";
- } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) {
- die "protocol $proto does not have ports\n";
- } else {
- if ($nbdport > 1) {
- if ($multiport == 2) {
- push @cmd, "--ports $rule->{dport}";
- } else {
- push @cmd, "--dports $rule->{dport}";
- }
- } else {
- push @cmd, "--dport $rule->{dport}";
- }
- }
- }
-
- if ($rule->{sport}) {
- die "protocol $proto does not have ports\n"
- if !$PROTOCOLS_WITH_PORTS->{$proto};
- if ($nbsport > 1) {
- push @cmd, "--sports $rule->{sport}" if $multiport != 2;
- } else {
- push @cmd, "--sport $rule->{sport}";
- }
- }
- } elsif ($rule->{dport} || $rule->{sport}) {
- die "destination port '$rule->{dport}', but no protocol specified\n" if $rule->{dport};
- die "source port '$rule->{sport}', but no protocol specified\n" if $rule->{sport};
- }
-
- push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
-
- return scalar(@cmd) ? join(' ', @cmd) : undef;
-}
-
-sub ruleset_generate_action {
- my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
-
- return $rule->{target} if defined $rule->{target};
-
- my @cmd = ();
-
- if (my $action = $rule->{action}) {
- $action = $actions->{$action} if defined($actions->{$action});
- $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
- push @cmd, $goto ? "-g $action" : "-j $action";
- }
-
- return scalar(@cmd) ? join(' ', @cmd) : undef;
-}
-
 sub ruleset_generate_rule {
 my ($ruleset, $chain, $ipversion, $rule, $cluster_conf, $fw_conf) = @_;