authorJo-Philipp Wich2022-06-14 14:23:50 +0000
committerJo-Philipp Wich2022-06-14 14:27:26 +0000
commit11410b80eb9c442c4850cfc3034267f3f72a196c (patch)
treec1448baec03e4a8dbe6910a97e6a947aacc25210
parente1cb763b65262eef5958d19fe922380aa1e96570 (diff)
downloadfirewall4-11410b80eb9c442c4850cfc3034267f3f72a196c.tar.gz
ruleset: reorder declarations & output tweaks
- Omit the "Set definitions" header if no sets are declared
- Always emit the ${zone}_devices and ${zone}_subnets defines, even when they are empty
- Move the CT helper definitions to the top
- Move the ${zone}_helper chain definitions after the ${zone}_forward chain definitions
- Consistently use two-line spacing between output sections

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--root/usr/share/firewall4/templates/ruleset.uc27
-rw-r--r--tests/01_configuration/01_ruleset8
-rw-r--r--tests/01_configuration/02_rule_order7
-rw-r--r--tests/02_zones/01_policies11
-rw-r--r--tests/02_zones/02_masq11
-rw-r--r--tests/02_zones/03_masq_src_dest_restrictions9
-rw-r--r--tests/02_zones/04_wildcard_devices15
-rw-r--r--tests/02_zones/05_subnet_mask_matches10
-rw-r--r--tests/02_zones/06_family_selections15
-rw-r--r--tests/02_zones/07_helpers13
-rw-r--r--tests/03_rules/01_direction5
-rw-r--r--tests/03_rules/02_enabled5
-rw-r--r--tests/03_rules/03_constraints8
-rw-r--r--tests/03_rules/04_icmp5
-rw-r--r--tests/03_rules/05_mangle9
-rw-r--r--tests/03_rules/06_subnet_mask_matches8
-rw-r--r--tests/03_rules/07_redirect9
-rw-r--r--tests/03_rules/08_family_inheritance2
-rw-r--r--tests/03_rules/09_time5
-rw-r--r--tests/03_rules/10_notrack11
-rw-r--r--tests/04_forwardings/01_family_selections11
21 files changed, 96 insertions, 108 deletions
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index d374984..712697f 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -1,6 +1,7 @@
{%
let flowtable_devices = fw4.resolve_offload_devices();
let available_helpers = filter(fw4.helpers(), h => h.available);
+ let defined_ipsets = fw4.ipsets();
-%}
table inet fw4
@@ -23,6 +24,7 @@ table inet fw4 {
{% endif %}
}
+
{% endif %}
{% if (length(available_helpers)): %}
#
@@ -39,39 +41,38 @@ table inet fw4 {
{% endfor %}
{% endif %}
+{% if (length(defined_ipsets)): %}
#
# Set definitions
#
-{% for (let set in fw4.ipsets()): %}
+{% for (let set in defined_ipsets): %}
set {{ set.name }} {
type {{ fw4.concat(set.types) }}
-{% if (set.maxelem > 0): %}
+{% if (set.maxelem > 0): %}
size {{ set.maxelem }}
-{% endif %}
-{% if (set.timeout >= 0): %}
+{% endif %}
+{% if (set.timeout >= 0): %}
timeout {{ set.timeout }}s
-{% endif %}
-{% if (set.interval): %}
+{% endif %}
+{% if (set.interval): %}
flags interval
auto-merge
-{% endif %}
-{% fw4.print_setentries(set) %}
+{% endif %}
+{% fw4.print_setentries(set) %}
}
-{% endfor %}
+{% endfor %}
+{% endif %}
#
# Defines
#
{% for (let zone in fw4.zones()): %}
-{% if (length(zone.match_devices)): %}
define {{ zone.name }}_devices = {{ fw4.set(zone.match_devices, true) }}
-{% endif %}
-{% if (length(zone.match_subnets)): %}
define {{ zone.name }}_subnets = {{ fw4.set(zone.match_subnets, true) }}
-{% endif %}
+
{% endfor %}
#
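Review bot: Dropping the `length(zone.match_devices)` / `length(zone.match_subnets)` guards around the two `define` lines means a zone with no devices or no subnets now produces `define <zone>_subnets = { }` (the updated test expectations show exactly this), so every rule elsewhere in the template that references `$<zone>_devices` or `$<zone>_subnets` must still check for a non-empty list before using the define in a match — an empty set in `iifname`/`ip saddr` is not "match anything", and may be rejected by nft at load time; those chain templates are outside this hunk and I cannot confirm they are all guarded. The motivation is presumably that user includes (emitted right after this section) can rely on the defines existing; that is worth stating, e.g. a comment above the loop: `# Always emit both defines (possibly empty) so user includes can reference them; rules must still guard on a non-empty list before matching against them.` The commit description also mentions moving the CT helper and `${zone}_helper` chain definitions, but the visible ruleset.uc hunks only touch the set and define sections, so if those moves exist they are outside this view.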
diff --git a/tests/01_configuration/01_ruleset b/tests/01_configuration/01_ruleset
index 9acb429..dd9750c 100644
--- a/tests/01_configuration/01_ruleset
+++ b/tests/01_configuration/01_ruleset
@@ -30,6 +30,7 @@ table inet fw4 {
flags offload;
}
+
#
# CT helper definitions
#
@@ -84,19 +85,16 @@ table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define lan_devices = { "br-lan" }
define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
define wan_devices = { "pppoe-wan" }
define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 }
+
#
# User includes
#
diff --git a/tests/01_configuration/02_rule_order b/tests/01_configuration/02_rule_order
index fd37adf..3c1546e 100644
--- a/tests/01_configuration/02_rule_order
+++ b/tests/01_configuration/02_rule_order
@@ -67,19 +67,16 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define lan_devices = { "br-lan" }
define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
define wan_devices = { "pppoe-wan" }
define wan_subnets = { 10.11.12.0/24 }
+
#
# User includes
#
diff --git a/tests/02_zones/01_policies b/tests/02_zones/01_policies
index 5a2eeac..03be7af 100644
--- a/tests/02_zones/01_policies
+++ b/tests/02_zones/01_policies
@@ -66,17 +66,18 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define test1_devices = { "zone1" }
+ define test1_subnets = { }
+
define test2_devices = { "zone2" }
+ define test2_subnets = { }
+
define test3_devices = { "zone3" }
+ define test3_subnets = { }
+
#
# User includes
diff --git a/tests/02_zones/02_masq b/tests/02_zones/02_masq
index e789fde..369cdd6 100644
--- a/tests/02_zones/02_masq
+++ b/tests/02_zones/02_masq
@@ -70,17 +70,18 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define test1_devices = { "zone1" }
+ define test1_subnets = { }
+
define test2_devices = { "zone2" }
+ define test2_subnets = { }
+
define test3_devices = { "zone3" }
+ define test3_subnets = { }
+
#
# User includes
diff --git a/tests/02_zones/03_masq_src_dest_restrictions b/tests/02_zones/03_masq_src_dest_restrictions
index 9129c60..2cb0ce4 100644
--- a/tests/02_zones/03_masq_src_dest_restrictions
+++ b/tests/02_zones/03_masq_src_dest_restrictions
@@ -96,16 +96,15 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define test1_devices = { "zone1" }
+ define test1_subnets = { }
+
define test2_devices = { "zone2" }
+ define test2_subnets = { }
+
#
# User includes
diff --git a/tests/02_zones/04_wildcard_devices b/tests/02_zones/04_wildcard_devices
index b7e01e1..292fd11 100644
--- a/tests/02_zones/04_wildcard_devices
+++ b/tests/02_zones/04_wildcard_devices
@@ -87,19 +87,24 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define test1_devices = { "+" }
+ define test1_subnets = { }
+
define test2_devices = { "/never/" }
+ define test2_subnets = { }
+
define test3_devices = { "test*" }
+ define test3_subnets = { }
+
define test4_devices = { "foo*", "bar*", "test1", "test2" }
+ define test4_subnets = { }
+
define test5_devices = { "foo*", "bar*", "test1", "test2" }
+ define test5_subnets = { }
+
#
# User includes
diff --git a/tests/02_zones/05_subnet_mask_matches b/tests/02_zones/05_subnet_mask_matches
index 27f9dbc..c171ac7 100644
--- a/tests/02_zones/05_subnet_mask_matches
+++ b/tests/02_zones/05_subnet_mask_matches
@@ -55,16 +55,16 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
+ define test1_devices = { }
+ define test1_subnets = { }
+
+ define test2_devices = { }
define test2_subnets = { ::3, ::4 }
+
#
# User includes
#
diff --git a/tests/02_zones/06_family_selections b/tests/02_zones/06_family_selections
index 29af97d..a2d48b5 100644
--- a/tests/02_zones/06_family_selections
+++ b/tests/02_zones/06_family_selections
@@ -70,19 +70,24 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
+ define test1_devices = { }
define test1_subnets = { 10.0.0.0/8 }
+
+ define test2_devices = { }
define test2_subnets = { 2001:db8:1234::/64 }
+
+ define test3_devices = { }
define test3_subnets = { 2001:db8:1234::/64 }
+
+ define test4_devices = { }
define test4_subnets = { 2001:db8:1234::/64 }
+
define test5_devices = { "eth0" }
+ define test5_subnets = { }
+
#
# User includes
diff --git a/tests/02_zones/07_helpers b/tests/02_zones/07_helpers
index ceef65a..1a5a24a 100644
--- a/tests/02_zones/07_helpers
+++ b/tests/02_zones/07_helpers
@@ -136,18 +136,21 @@ table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define test1_devices = { "zone1" }
+ define test1_subnets = { }
+
define test2_devices = { "zone2" }
+ define test2_subnets = { }
+
define test3_devices = { "zone3" }
+ define test3_subnets = { }
+
define test4_devices = { "zone4" }
+ define test4_subnets = { }
+
#
# User includes
diff --git a/tests/03_rules/01_direction b/tests/03_rules/01_direction
index 4c33868..7751a23 100644
--- a/tests/03_rules/01_direction
+++ b/tests/03_rules/01_direction
@@ -51,11 +51,6 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
diff --git a/tests/03_rules/02_enabled b/tests/03_rules/02_enabled
index f9eb3bf..c5ef8c6 100644
--- a/tests/03_rules/02_enabled
+++ b/tests/03_rules/02_enabled
@@ -48,11 +48,6 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
diff --git a/tests/03_rules/03_constraints b/tests/03_rules/03_constraints
index 51b1ab9..05fb379 100644
--- a/tests/03_rules/03_constraints
+++ b/tests/03_rules/03_constraints
@@ -84,14 +84,12 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
+ define lan_devices = { }
+ define lan_subnets = { }
+
#
# User includes
diff --git a/tests/03_rules/04_icmp b/tests/03_rules/04_icmp
index 0c615a7..c355375 100644
--- a/tests/03_rules/04_icmp
+++ b/tests/03_rules/04_icmp
@@ -57,11 +57,6 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
diff --git a/tests/03_rules/05_mangle b/tests/03_rules/05_mangle
index 04ae461..57444de 100644
--- a/tests/03_rules/05_mangle
+++ b/tests/03_rules/05_mangle
@@ -152,16 +152,15 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define lan_devices = { "eth0", "eth1" }
+ define lan_subnets = { }
+
define wan_devices = { "eth2", "eth3" }
+ define wan_subnets = { }
+
#
# User includes
diff --git a/tests/03_rules/06_subnet_mask_matches b/tests/03_rules/06_subnet_mask_matches
index c5b90bd..6423398 100644
--- a/tests/03_rules/06_subnet_mask_matches
+++ b/tests/03_rules/06_subnet_mask_matches
@@ -104,21 +104,19 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define wan_devices = { "pppoe-wan" }
define wan_subnets = { 2001:db8:54:321::/64 }
+
define lan_devices = { "br-lan" }
define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
define guest_devices = { "br-guest" }
define guest_subnets = { 10.1.0.0/24, 192.168.27.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
#
# User includes
#
diff --git a/tests/03_rules/07_redirect b/tests/03_rules/07_redirect
index 471b043..e6057fd 100644
--- a/tests/03_rules/07_redirect
+++ b/tests/03_rules/07_redirect
@@ -136,19 +136,18 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define wan_devices = { "pppoe-wan" }
define wan_subnets = { 10.11.12.0/24, 2001:db8:54:321::/64 }
+
define lan_devices = { "br-lan" }
define lan_subnets = { 10.0.0.0/24, 192.168.26.0/24, 2001:db8:1000::/60, fd63:e2f:f706::/60 }
+
define noaddr_devices = { "wwan0" }
+ define noaddr_subnets = { }
+
#
# User includes
diff --git a/tests/03_rules/08_family_inheritance b/tests/03_rules/08_family_inheritance
index b33d01f..fc489b5 100644
--- a/tests/03_rules/08_family_inheritance
+++ b/tests/03_rules/08_family_inheritance
@@ -182,8 +182,10 @@ table inet fw4 {
# Defines
#
+ define ipv4only_devices = { }
define ipv4only_subnets = { 192.168.1.0/24 }
+
#
# User includes
#
diff --git a/tests/03_rules/09_time b/tests/03_rules/09_time
index e7c55db..7a7471b 100644
--- a/tests/03_rules/09_time
+++ b/tests/03_rules/09_time
@@ -119,11 +119,6 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
diff --git a/tests/03_rules/10_notrack b/tests/03_rules/10_notrack
index 717894b..e2b6acc 100644
--- a/tests/03_rules/10_notrack
+++ b/tests/03_rules/10_notrack
@@ -74,18 +74,19 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define zone1_devices = { "eth0" }
+ define zone1_subnets = { }
+
define zone2_devices = { "lo" }
+ define zone2_subnets = { }
+
+ define zone3_devices = { }
define zone3_subnets = { 127.0.0.0/8, ::1 }
+
#
# User includes
#
diff --git a/tests/04_forwardings/01_family_selections b/tests/04_forwardings/01_family_selections
index f936286..6f2ddae 100644
--- a/tests/04_forwardings/01_family_selections
+++ b/tests/04_forwardings/01_family_selections
@@ -63,17 +63,18 @@ flush table inet fw4
table inet fw4 {
#
- # Set definitions
- #
-
-
- #
# Defines
#
define wanA_devices = { "eth0" }
+ define wanA_subnets = { }
+
define wanB_devices = { "eth1" }
+ define wanB_subnets = { }
+
define lan_devices = { "eth2" }
+ define lan_subnets = { }
+
#
# User includes