authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2017-10-26 21:41:17 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2017-11-01 12:05:26 +0200
commitc5056f215d1a2aef5581bcf6213ae9eb7f984291 (patch)
tree1c82afa837390e842a4f078fcea5aa8b2643c799
parentc9c83971e73de65f17a5ffd71ce71c6e15ebec63 (diff)
generalize pruning based on address family
eliminates source chains without proper destination chains (e.g. IPv6 addresses with pass action and ulog)
-rw-r--r--awall/model.lua42
-rw-r--r--awall/optfrag.lua35
2 files changed, 39 insertions, 38 deletions
diff --git a/awall/model.lua b/awall/model.lua
index 0a65036..8f650ab 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -16,6 +16,7 @@ local builtin = require('awall.iptables').builtin
local optfrag = require('awall.optfrag')
local FAMILIES = optfrag.FAMILIES
local combinations = optfrag.combinations
+local prune = optfrag.prune
local raise = require('awall.uerror').raise
@@ -462,6 +463,8 @@ function M.Rule:combine(ofs1, ofs2, key, unique)
return extend(map(ofs1, setvar('target')), map(ofs2, setvar('chain')))
end
+ ofs1, ofs2 = prune(ofs1, ofs2)
+
local chainless = filter(ofs2, function(of) return not of.chain end)
local created
local res = {}
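Review bot: The assignment `ofs1, ofs2 = prune(ofs1, ofs2)` on the added line rebinds both inputs from prune's return list, so if prune ever yields fewer than two values the second list is silently lost before `filter(ofs2, ...)` runs on the next line. prune collects its arguments with `{...}` and walks them with ipairs, so a nil ofs1 — a case the removed ffilter in trules explicitly tolerated via `not ofrags` — would presumably produce exactly that; whether nil can still reach combine is not visible here, since M.Rule:combine starts before this hunk. A cheap guard is `if ofs1 and ofs2 then ofs1, ofs2 = prune(ofs1, ofs2) end`, or an assert on both arguments so the failure is loud rather than a downstream nil error. A one-line comment such as `-- drop fragments whose family has no counterpart in the other list` would also explain why pruning happens before chain creation.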
@@ -510,31 +513,6 @@ function M.Rule:trules()
end
end
- local families
-
- local function setfamilies(ofrags)
- if ofrags then
- families = {}
- for i, ofrag in ipairs(ofrags) do
- if not ofrag.family then
- families = nil
- return
- end
- table.insert(families, ofrag.family)
- end
- else families = nil end
- end
-
- local function ffilter(ofrags)
- if not ofrags or not ofrags[1] or not families then return ofrags end
- return filter(
- ofrags,
- function(of)
- return not of.family or contains(families, of.family)
- end
- )
- end
-
local ofrags = self:zoneoptfrags()
if self.ipset then
@@ -587,26 +565,20 @@ function M.Rule:trules()
tag(ofrags, 'position', self:position())
- setfamilies(ofrags)
-
local addrofrags = combinations(
self:create(M.Zone, {addr=self.src}):optfrags(self:direction('in')),
self:destoptfrags()
)
- if addrofrags then
- addrofrags = ffilter(addrofrags)
- setfamilies(addrofrags)
- ofrags = self:combine(ffilter(ofrags), addrofrags, 'address')
- end
+ if addrofrags then ofrags = self:combine(ofrags, addrofrags, 'address') end
- ofrags = self:mangleoptfrags(ofrags)
+ ofrags = prune(self:mangleoptfrags(ofrags), ofrags)
local custom = self:customtarget()
for _, ofrag in ipairs(ofrags) do
setdefault(ofrag, 'target', custom or self:target())
end
- ofrags = self:convertchains(ffilter(ofrags))
+ ofrags = self:convertchains(ofrags)
tag(ofrags, 'table', self:table(), false)
local function checkzof(ofrag, dir, chains)
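Review bot: `ofrags = prune(self:mangleoptfrags(ofrags), ofrags)` keeps only the first of prune's two return values, and nothing says why the pruned form of the second argument is deliberately discarded; a reader will wonder whether the original `ofrags` should have been replaced too. A comment on that line, e.g. `-- keep only mangled fragments whose family also occurs in the source/address fragments; the pruned original is not needed`, would make the intent explicit (the intent is inferred from the commit message, so confirm it before committing the wording). M.Rule:trules starts before this hunk and continues past it.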
@@ -621,7 +593,7 @@ function M.Rule:trules()
end
ofrags = filter(
- combinations(ofrags, ffilter(optfrag.FAMILYFRAGS)),
+ combinations(ofrags, optfrag.FAMILYFRAGS),
function(r) return self:trulefilter(r) end
)
diff --git a/awall/optfrag.lua b/awall/optfrag.lua
index b01672f..7fd3695 100644
--- a/awall/optfrag.lua
+++ b/awall/optfrag.lua
@@ -7,10 +7,15 @@ See LICENSE file for license details
local M = {}
+local util = require('awall.util')
+local map = util.map
+
+local function ffrags(families)
+ return map(families, function(f) return {family=f} end)
+end
+
M.FAMILIES = {'inet', 'inet6'}
-M.FAMILYFRAGS = require('awall.util').map(
- M.FAMILIES, function(f) return {family=f} end
-)
+M.FAMILYFRAGS = ffrags(M.FAMILIES)
function M.combinations(of1, ...)
local arg = {...}
@@ -56,6 +61,30 @@ function M.combinations(of1, ...)
return M.combinations(res, table.unpack(arg))
end
+function M.prune(...)
+ local arg = {...}
+ local families = {}
+
+ for i, ofrags in ipairs(arg) do
+ families[i] = {}
+ for _, ofrag in ipairs(ofrags) do
+ if not ofrag.family then
+ families[i] = false
+ break
+ end
+ families[i][ofrag.family] = true
+ end
+ end
+
+ local ff
+ for _, f in ipairs(families) do
+ ff = M.combinations(ff, f and ffrags(util.keys(f)) or nil)
+ end
+ return table.unpack(
+ map(arg, function(ofs) return M.combinations(ofs, ff) end)
+ )
+end
+
function M.location(of) return of.family..'/'..of.table..'/'..of.chain end
function M.command(of)
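Review bot: In M.prune the family fragments are built from `util.keys(f)`, whose order follows `pairs` and is unspecified, so the order of the pruned fragment lists — and presumably of the rules generated from them — can differ between runs on identical input; for a firewall-rule generator, reproducible output matters when reviewing and diffing rulesets. Deriving the surviving families from M.FAMILIES in declared order removes that nondeterminism without changing which fragments are kept. The function also carries no header comment; a short one such as `-- Restrict every fragment list to the address families present in all of them; lists containing a family-less fragment impose no restriction` would document the `families[i] = false` convention, which otherwise has to be reverse-engineered from the inner loop. Whether `M.combinations(ff, nil)` and `M.combinations(nil, ...)` behave as a no-op for the first iteration is not visible here and should be confirmed against the combinations body.
```lua
-- … unchanged: per-argument family collection into families[i] …
local ff
for _, f in ipairs(families) do
  local kept = nil
  if f then
    local fams = {}
    for _, fam in ipairs(M.FAMILIES) do
      if f[fam] then table.insert(fams, fam) end
    end
    kept = ffrags(fams)
  end
  ff = M.combinations(ff, kept)
end
-- … unchanged: final map/unpack of the pruned lists …
```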