makeset () {
set -e
name=$1; shift
- if ipset -nL | grep -q "^Name: $name$"; then
- :
- else
- ipset -N "$name" "$@"
- fi
+ v=$(ipset --version)
+ createp=t
+ case "$v" in
+ "ipset v4"*)
+ if ipset -nL | grep -q "^Name: $name\$"; then createp=nil; fi
+ ;;
+ *)
+ if ipset -n -L | grep -q "^$name\$"; then createp=nil; fi
+ ;;
+ esac
+ case $createp in
+ t) ipset -N "$name" "$@" ;;
+ esac
}
## errorchain CHAIN ACTION ARGS ...
clearchain $table:$chain
run ip46tables -t $table -A $chain -j LOG \
-m limit --limit 3/minute --limit-burst 10 \
- --log-prefix "fw: $chain " --log-level notice
+ --log-prefix "fw: $chain " --log-level notice || :
run ip46tables -t $table -A $chain -j "$@" \
-m limit --limit 20/second --limit-burst 100
run ip46tables -t $table -A $chain -j DROP
### `defnetclass'.
### net_inet_NET List of IPv4 address ranges in the network.
### net_inet6_NET List of IPv6 address ranges in the network.
-### net_fwd_NET List of other networks that this one forwards to.
+### net_via_NET List of other networks that this one forwards via.
### net_hosts_NET List of hosts known to be in the network.
### host_inet_HOST IPv4 address of the named HOST.
### host_inet6_HOST IPv6 address of the named HOST.
## defnet NET CLASS
##
-## Define a network. Follow by calls to `addr', `forwards', etc. to define
+## Define a network. Follow by calls to `addr', `via', etc. to define
## properties of the network. Networks are processed in order, so if their
## addresses overlap then the more specific addresses should be defined
## earlier.
done
}
-## forwards NET ...
+## via NET ...
##
## Declare that packets from this network are forwarded to the other NETs.
-forwards () {
- eval "net_fwd_$net=\"$*\""
+via () {
+ eval "net_via_$net=\"$*\""
}
## noxit NET ...
nextnets=""
any=nil
for net in $nets; do
- eval fwd=\$net_fwd_$net
- for n in $fwd; do
+ eval via=\$net_via_$net
+ for n in $via; do
case $seen in *":$n:"*) continue ;; esac
seen=$seen$n:
eval noxit=\$net_noxit_$n
~mdw / firewall / blobdiff