From 11410b80eb9c442c4850cfc3034267f3f72a196c Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Tue, 14 Jun 2022 16:23:50 +0200 Subject: [PATCH] ruleset: reorder declarations & output tweaks - Omit "Set definitions" header if no sets are declared - Always emit ${zone}_devices and ${zone}_subnets defines, even if empty - Move CT helper definitions to the top - Move ${zone}_helper chain definitions after ${zone}_forward chain defs - Consistently use two line spacing for output sections Signed-off-by: Jo-Philipp Wich --- root/usr/share/firewall4/templates/ruleset.uc | 27 ++++++++++--------- tests/01_configuration/01_ruleset | 8 +++--- tests/01_configuration/02_rule_order | 7 ++--- tests/02_zones/01_policies | 11 ++++---- tests/02_zones/02_masq | 11 ++++---- tests/02_zones/03_masq_src_dest_restrictions | 9 +++---- tests/02_zones/04_wildcard_devices | 15 +++++++---- tests/02_zones/05_subnet_mask_matches | 10 +++---- tests/02_zones/06_family_selections | 15 +++++++---- tests/02_zones/07_helpers | 13 +++++---- tests/03_rules/01_direction | 5 ---- tests/03_rules/02_enabled | 5 ---- tests/03_rules/03_constraints | 8 +++--- tests/03_rules/04_icmp | 5 ---- tests/03_rules/05_mangle | 9 +++---- tests/03_rules/06_subnet_mask_matches | 8 +++--- tests/03_rules/07_redirect | 9 +++---- tests/03_rules/08_family_inheritance | 2 ++ tests/03_rules/09_time | 5 ---- tests/03_rules/10_notrack | 11 ++++---- tests/04_forwardings/01_family_selections | 11 ++++---- 21 files changed, 96 insertions(+), 108 deletions(-) diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc index d374984..712697f 100644 --- a/root/usr/share/firewall4/templates/ruleset.uc +++ b/root/usr/share/firewall4/templates/ruleset.uc @@ -1,6 +1,7 @@ {% let flowtable_devices = fw4.resolve_offload_devices(); let available_helpers = filter(fw4.helpers(), h => h.available); + let defined_ipsets = fw4.ipsets(); -%} table inet fw4 
@@ -23,6 +24,7 @@ table inet fw4 { {% endif %} } + {% endif %} {% if (length(available_helpers)): %} # @@ -39,39 +41,38 @@ table inet fw4 { {% endfor %} {% endif %} +{% if (length(defined_ipsets)): %} # # Set definitions # -{% for (let set in fw4.ipsets()): %} +{% for (let set in defined_ipsets): %} set {{ set.name }} { type {{ fw4.concat(set.types) }} -{% if (set.maxelem > 0): %} +{% if (set.maxelem > 0): %} size {{ set.maxelem }} -{% endif %} -{% if (set.timeout >= 0): %} +{% endif %} +{% if (set.timeout >= 0): %} timeout {{ set.timeout }}s -{% endif %} -{% if (set.interval): %} +{% endif %} +{% if (set.interval): %} flags interval auto-merge -{% endif %} -{% fw4.print_setentries(set) %} +{% endif %} +{% fw4.print_setentries(set) %} } -{% endfor %} +{% endfor %} +{% endif %} # # Defines # {% for (let zone in fw4.zones()): %} -{% if (length(zone.match_devices)): %} define {{ zone.name }}_devices = {{ fw4.set(zone.match_devices, true) }} -{% endif %} -{% if (length(zone.match_subnets)): %} define {{ zone.name }}_subnets = {{ fw4.set(zone.match_subnets, true) }} -{% endif %} + {% endfor %} # diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset index 9acb429..dd9750c 100644 --- a/tests/01_configuration/01_ruleset +++ b/tests/01_configuration/01_ruleset @@ -30,6 +30,7 @@ table inet fw4 { flags offload; } + # # CT helper definitions # @@ -83,20 +84,17 @@ table inet fw4 { } - # - # Set definitions - # - - # # Defines # define lan_devices = { "br-lan" } define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 } + define wan_devices = { "pppoe-wan" } define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 } + # # User includes # diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order index fd37adf..3c1546e 100644 --- a/tests/01_configuration/02_rule_order +++ b/tests/01_configuration/02_rule_order 
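Review bot: The Defines loop now emits `define {{ zone.name }}_devices = …` and `define {{ zone.name }}_subnets = …` for every zone even when the match list is empty, which yields an empty set literal (`{ }`, as the updated test fixtures show), and nothing in the hunk records that every consumer of those variables must keep guarding the empty case. If nft rejects an empty set inside a match expression, a rule such as `ip saddr $<zone>_subnets` would fail to load for a zone with no subnets; the reference sites in the rule sections are outside this hunk and untouched by the commit, so the template presumably still wraps them in `length(zone.match_subnets)`/`length(zone.match_devices)` checks — worth confirming. A one-line template comment above the `{% for (let zone in fw4.zones()): %}` loop would make the contract explicit, e.g. `{# _devices/_subnets defines are always emitted, possibly empty; rule sections must not reference an empty one #}`. The new `{% if (length(defined_ipsets)): %}` guard around the set block is consistent with the existing `available_helpers` guard, and the `{% endif %}` added in the preceding hunk closes a conditional whose opening lies outside the shown lines.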
@@ -66,20 +66,17 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # define lan_devices = { "br-lan" } define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 } + define wan_devices = { "pppoe-wan" } define wan_subnets = { 10.11.12.0/24 } + # # User includes # diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies index 5a2eeac..03be7af 100644 --- a/tests/02_zones/01_policies +++ b/tests/02_zones/01_policies @@ -65,18 +65,19 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # define test1_devices = { "zone1" } + define test1_subnets = { } + define test2_devices = { "zone2" } + define test2_subnets = { } + define test3_devices = { "zone3" } + define test3_subnets = { } + # # User includes diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq index e789fde..369cdd6 100644 --- a/tests/02_zones/02_masq +++ b/tests/02_zones/02_masq @@ -69,18 +69,19 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # define test1_devices = { "zone1" } + define test1_subnets = { } + define test2_devices = { "zone2" } + define test2_subnets = { } + define test3_devices = { "zone3" } + define test3_subnets = { } + # # User includes diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions index 9129c60..2cb0ce4 100644 --- a/tests/02_zones/03_masq_src_dest_restrictions +++ b/tests/02_zones/03_masq_src_dest_restrictions @@ -95,17 +95,16 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # define test1_devices = { "zone1" } + define test1_subnets = { } + define test2_devices = { "zone2" } + define test2_subnets = { } + # # User includes diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices index b7e01e1..292fd11 100644 --- a/tests/02_zones/04_wildcard_devices 
+++ b/tests/02_zones/04_wildcard_devices @@ -86,20 +86,25 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # define test1_devices = { "+" } + define test1_subnets = { } + define test2_devices = { "/never/" } + define test2_subnets = { } + define test3_devices = { "test*" } + define test3_subnets = { } + define test4_devices = { "foo*", "bar*", "test1", "test2" } + define test4_subnets = { } + define test5_devices = { "foo*", "bar*", "test1", "test2" } + define test5_subnets = { } + # # User includes diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches index 27f9dbc..c171ac7 100644 --- a/tests/02_zones/05_subnet_mask_matches +++ b/tests/02_zones/05_subnet_mask_matches @@ -54,17 +54,17 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # + define test1_devices = { } + define test1_subnets = { } + + define test2_devices = { } define test2_subnets = { ::3, ::4 } + # # User includes # diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections index 29af97d..a2d48b5 100644 --- a/tests/02_zones/06_family_selections +++ b/tests/02_zones/06_family_selections @@ -69,20 +69,25 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # + define test1_devices = { } define test1_subnets = { 10.0.0.0/8 } + + define test2_devices = { } define test2_subnets = { 2001:db8:1234::/64 } + + define test3_devices = { } define test3_subnets = { 2001:db8:1234::/64 } + + define test4_devices = { } define test4_subnets = { 2001:db8:1234::/64 } + define test5_devices = { "eth0" } + define test5_subnets = { } + # # User includes diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers index ceef65a..1a5a24a 100644 --- a/tests/02_zones/07_helpers +++ b/tests/02_zones/07_helpers 
@@ -135,19 +135,22 @@ table inet fw4 { } - # - # Set definitions - # - - # # Defines # define test1_devices = { "zone1" } + define test1_subnets = { } + define test2_devices = { "zone2" } + define test2_subnets = { } + define test3_devices = { "zone3" } + define test3_subnets = { } + define test4_devices = { "zone4" } + define test4_subnets = { } + # # User includes diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction index 4c33868..7751a23 100644 --- a/tests/03_rules/01_direction +++ b/tests/03_rules/01_direction @@ -50,11 +50,6 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled index f9eb3bf..c5ef8c6 100644 --- a/tests/03_rules/02_enabled +++ b/tests/03_rules/02_enabled @@ -47,11 +47,6 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints index 51b1ab9..05fb379 100644 --- a/tests/03_rules/03_constraints +++ b/tests/03_rules/03_constraints @@ -83,15 +83,13 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # + define lan_devices = { } + define lan_subnets = { } + # # User includes diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp index 0c615a7..c355375 100644 --- a/tests/03_rules/04_icmp +++ b/tests/03_rules/04_icmp @@ -56,11 +56,6 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle index 04ae461..57444de 100644 --- a/tests/03_rules/05_mangle +++ b/tests/03_rules/05_mangle 
@@ -151,17 +151,16 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # define lan_devices = { "eth0", "eth1" } + define lan_subnets = { } + define wan_devices = { "eth2", "eth3" } + define wan_subnets = { } + # # User includes diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches index c5b90bd..6423398 100644 --- a/tests/03_rules/06_subnet_mask_matches +++ b/tests/03_rules/06_subnet_mask_matches @@ -103,22 +103,20 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # define wan_devices = { "pppoe-wan" } define wan_subnets = { 2001:db8:54:321::/64 } + define lan_devices = { "br-lan" } define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 } + define guest_devices = { "br-guest" } define guest_subnets = { 10.1.0.0/24, 192.168.27.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 } + # # User includes # diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect index 471b043..e6057fd 100644 --- a/tests/03_rules/07_redirect +++ b/tests/03_rules/07_redirect @@ -135,20 +135,19 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # define wan_devices = { "pppoe-wan" } define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 } + define lan_devices = { "br-lan" } define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 } + define noaddr_devices = { "wwan0" } + define noaddr_subnets = { } + # # User includes diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance index b33d01f..fc489b5 100644 --- a/tests/03_rules/08_family_inheritance +++ b/tests/03_rules/08_family_inheritance @@ -182,8 +182,10 @@ table inet fw4 { # Defines # + define ipv4only_devices = { } define ipv4only_subnets = { 192.168.1.0/24 } + # # User includes # 
diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time index e7c55db..7a7471b 100644 --- a/tests/03_rules/09_time +++ b/tests/03_rules/09_time @@ -118,11 +118,6 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # diff --git a/tests/03_rules/10_notrack b/tests/03_rules/10_notrack index 717894b..e2b6acc 100644 --- a/tests/03_rules/10_notrack +++ b/tests/03_rules/10_notrack @@ -73,19 +73,20 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # define zone1_devices = { "eth0" } + define zone1_subnets = { } + define zone2_devices = { "lo" } + define zone2_subnets = { } + + define zone3_devices = { } define zone3_subnets = { 127.0.0.0/8, ::1 } + # # User includes # diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections index f936286..6f2ddae 100644 --- a/tests/04_forwardings/01_family_selections +++ b/tests/04_forwardings/01_family_selections @@ -62,18 +62,19 @@ table inet fw4 flush table inet fw4 table inet fw4 { - # - # Set definitions - # - - # # Defines # define wanA_devices = { "eth0" } + define wanA_subnets = { } + define wanB_devices = { "eth1" } + define wanB_subnets = { } + define lan_devices = { "eth2" } + define lan_subnets = { } + # # User includes -- 2.30.2