[pve-devel] [PATCH v4 firewall 13/13] remove ruleset_generate_match, ruleset_generate_action
Tom Weber
pve at junkyard.4t2.com
Wed Oct 18 22:24:10 CEST 2017
ruleset_generate_match and ruleset_generate_action are no longer called anywhere, so drop both subroutines.
Signed-off-by: Tom Weber <pve at junkyard.4t2.com>
---
src/PVE/Firewall.pm | 97 -----------------------------------------------------
1 file changed, 97 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 8d36175..c858b85 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1952,103 +1952,6 @@ sub ipt_rule_to_cmds {
return @iptcmds;
}
-sub ruleset_generate_match {
- my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
-
- return if defined($rule->{enable}) && !$rule->{enable};
- return if $rule->{errors};
-
- return $rule->{match} if defined $rule->{match};
-
- die "unable to emit macro - internal error" if $rule->{macro}; # should not happen
-
- my $nbdport = defined($rule->{dport}) ? parse_port_name_number_or_range($rule->{dport}, 1) : 0;
- my $nbsport = defined($rule->{sport}) ? parse_port_name_number_or_range($rule->{sport}, 0) : 0;
-
- my @cmd = ();
-
- push @cmd, "-i $rule->{iface_in}" if $rule->{iface_in};
- push @cmd, "-o $rule->{iface_out}" if $rule->{iface_out};
-
- my $source = $rule->{source};
- my $dest = $rule->{dest};
-
- push @cmd, ipt_gen_src_or_dst_match($source, 's', $ipversion, $cluster_conf, $fw_conf) if $source;
- push @cmd, ipt_gen_src_or_dst_match($dest, 'd', $ipversion, $cluster_conf, $fw_conf) if $dest;
-
- if (my $proto = $rule->{proto}) {
- push @cmd, "-p $proto";
-
- my $multiport = 0;
- $multiport++ if $nbdport > 1;
- $multiport++ if $nbsport > 1;
-
- push @cmd, "--match multiport" if $multiport;
-
- die "multiport: option '--sports' cannot be used together with '--dports'\n"
- if ($multiport == 2) && ($rule->{dport} ne $rule->{sport});
-
- if ($rule->{dport}) {
- if ($proto eq 'icmp') {
- # Note: we use dport to store --icmp-type
- die "unknown icmp-type '$rule->{dport}'\n"
- if $rule->{dport} !~ /^\d+$/ && !defined($icmp_type_names->{$rule->{dport}});
- push @cmd, "-m icmp --icmp-type $rule->{dport}";
- } elsif ($proto eq 'icmpv6') {
- # Note: we use dport to store --icmpv6-type
- die "unknown icmpv6-type '$rule->{dport}'\n"
- if $rule->{dport} !~ /^\d+$/ && !defined($icmpv6_type_names->{$rule->{dport}});
- push @cmd, "-m icmpv6 --icmpv6-type $rule->{dport}";
- } elsif (!$PROTOCOLS_WITH_PORTS->{$proto}) {
- die "protocol $proto does not have ports\n";
- } else {
- if ($nbdport > 1) {
- if ($multiport == 2) {
- push @cmd, "--ports $rule->{dport}";
- } else {
- push @cmd, "--dports $rule->{dport}";
- }
- } else {
- push @cmd, "--dport $rule->{dport}";
- }
- }
- }
-
- if ($rule->{sport}) {
- die "protocol $proto does not have ports\n"
- if !$PROTOCOLS_WITH_PORTS->{$proto};
- if ($nbsport > 1) {
- push @cmd, "--sports $rule->{sport}" if $multiport != 2;
- } else {
- push @cmd, "--sport $rule->{sport}";
- }
- }
- } elsif ($rule->{dport} || $rule->{sport}) {
- die "destination port '$rule->{dport}', but no protocol specified\n" if $rule->{dport};
- die "source port '$rule->{sport}', but no protocol specified\n" if $rule->{sport};
- }
-
- push @cmd, "-m addrtype --dst-type $rule->{dsttype}" if $rule->{dsttype};
-
- return scalar(@cmd) ? join(' ', @cmd) : undef;
-}
-
-sub ruleset_generate_action {
- my ($ruleset, $chain, $ipversion, $rule, $actions, $goto, $cluster_conf, $fw_conf) = @_;
-
- return $rule->{target} if defined $rule->{target};
-
- my @cmd = ();
-
- if (my $action = $rule->{action}) {
- $action = $actions->{$action} if defined($actions->{$action});
- $goto = 1 if !defined($goto) && $action eq 'PVEFW-SET-ACCEPT-MARK';
- push @cmd, $goto ? "-g $action" : "-j $action";
- }
-
- return scalar(@cmd) ? join(' ', @cmd) : undef;
-}
-
sub ruleset_generate_rule {
my ($ruleset, $chain, $ipversion, $rule, $cluster_conf, $fw_conf) = @_;
--
2.7.4