X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/1264e9177da9fb94a1fb85853220dd69a7108f0a..e34a93c12d431953e694db44ef9df0bb79687726:/classify.m4 diff --git a/classify.m4 b/classify.m4 index 819cce6..5b6f209 100644 --- a/classify.m4 +++ b/classify.m4 @@ -234,7 +234,6 @@ trace "ifmap = $ifmap" for entry in $ifmap; do iface=${entry%=*} q=${entry##*=} eval nets=\$ifnets_$q - trace "iface $iface [$q] = $nets" aa=! for n in $nets; do eval "addrs=\"\$net_inet_$n \$net_inet6_$n\"" @@ -246,12 +245,12 @@ for entry in $ifmap; do done eval ifaddrs_$q=\$aa trace "iface $q = $iface; nets = $nets; addrs = $aa" -trace "alladdrs = $alladdrs" done +trace "alladdrs = $alladdrs" ## Populate the `out-classify' chain, matching networks. prepare_to () { mode=goto fail=mark-to-$net_class_default; } -matchnets -d mark-from : prepare_to out-classify "" 0 $allnets +matchnets -d mark-to : prepare_to out-classify "" 0 $allnets ## A `finish' hook for rejecting known address ranges arriving on a ## default-reachable interface. @@ -297,7 +296,7 @@ for entry in $ifmap; do ## interfaces. We should match an address to a particular interface. chains="" for net in $nets; do - eval hosts=\$net_hosts_$net + eval hosts=\$net_hosts_$net class=\$net_class_$net for host in $hosts; do eval ha=\$host_inet_$host ha6=\$host_inet6_$host trace "$host : $class -> $iface"
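Review bot: In the second hunk (`@@ -246,12 +245,12 @@`) the chain prefix is still spelled out twice on adjacent lines, once in `fail=mark-to-$net_class_default` inside `prepare_to` and once as the `-d mark-to` argument to `matchnets`, and nothing states that the two must agree; a mismatch of exactly this kind (`mark-from` on the `out-classify` line) is what the commit corrects. A wrong prefix here appears to classify outbound traffic against the wrong set of mark chains rather than fail loudly, so I would add a comment above the call such as `## Destination match: the -d prefix must be the same mark-to used by prepare_to's fail target.` `matchnets` is defined outside this hunk, so the exact meaning of its arguments should be confirmed against its definition.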
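Review bot: In the third hunk (`@@ -297,7 +296,7 @@`) the new `class=\$net_class_$net` is set through an unquoted `eval` that splices `$net` into shell code, while the `eval "addrs=..."` in the first hunk quotes its argument; I would write it the same way, `eval "hosts=\$net_hosts_$net class=\$net_class_$net"`. The construct is only safe while network names are restricted to identifier characters, and the place where they are defined is not visible here, so that restriction is worth checking or stating in a comment. If `net_class_$net` is unset for some network, `class` is silently empty in the `trace` line and presumably in whatever follows; the `for host` loop body continues outside the hunk.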