X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/16838f5907ea531799a81a693667c3d3d03737b0..793937d8ded8d4d7ce6f6ddad5bcc8ecd23b13f6:/functions.m4
diff --git a/functions.m4 b/functions.m4
index d059de6..0ebba30 100644
--- a/functions.m4
+++ b/functions.m4
@@ -289,11 +289,12 @@ allowservices () {
 ## Add rules to CHAIN to allow NTP with NTPSERVERs.
 ntpclient () {
 set -e
- chain=$1; shift
- for ntp; do
- run iptables -A $chain -s $ntp -j ACCEPT \
- -p udp --source-port 123 --destination-port 123
- done
+ ntpchain=$1; shift
+
+ clearchain ntp-servers
+ for ntp; do run iptables -A ntp-servers -j ACCEPT -s $ntp; done
+ run iptables -A $ntpchain -j ntp-servers \
+ -p udp --source-port 123 --destination-port 123
 }
 ## dnsresolver CHAIN
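Review bot: The helper chain `ntp-servers` is one fixed global name, so a second call of `ntpclient` (the function takes its target chain as an argument, which suggests it can be used for more than one chain) runs `clearchain ntp-servers` again and replaces the first caller's server list while the first chain still jumps into it, silently dropping every host that call allowed. Either key the helper on its caller, `ntpservers=ntp-servers-$ntpchain`, and use that variable in place of the literal on the `clearchain`, `for ntp` and `-j ntp-servers` lines, or state above the function that it must be invoked exactly once. The rules inside `ntp-servers` match on source address only; the chain means "NTP peer" solely because the jump to it carries `-p udp --source-port 123 --destination-port 123`, so a comment such as `## ntp-servers matches source only; the udp/123 restriction is on the jump into it` would stop it being reused from another chain as a general allow-list. `clearchain` is defined outside this hunk; if it writes a variable named `chain`, that presumably explains the rename to `ntpchain`, and a one-line comment saying so would save the next reader the same question.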
@@ -392,30 +393,30 @@ defnetclass () {
 trace "netclass $name = $netclassindex"
 eval from_$name=$(( $netclassindex << $BIT_FROM ))
 eval to_$name=$(( $netclassindex << $BIT_TO ))
- eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
+ eval fwd_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
 nets="$nets $name"
 ;;
 2)
- ## Pass 2. Compute the actual from and to values. We're a little bit
- ## clever during source classification, and set the TO field to
- ## all-bits-one, so that destination classification needs only a single
- ## AND operation.
- from=$(( ($netclassindex << $BIT_FROM) + (0xf << $BIT_TO) ))
+ ## Pass 2. Compute the actual from and to values. This is fiddly:
+ ## we want to preserve the other flags.
+ from=$(( ($netclassindex << $BIT_FROM) ))
+ frommask=$(( $MASK_FROM | $MASK_MASK ))
 for net; do
- eval bit=\$_mask_$net
+ eval bit=\$fwd_$net
 from=$(( $from + $bit ))
 done
- to=$(( ($netclassindex << $BIT_TO) + \
- (0xf << $BIT_FROM) + \
- (1 << ($netclassindex + $BIT_MASK)) ))
- trace "from $name --> set $(printf %x $from)"
- trace " to $name --> and $(printf %x $from)"
+ to=$(( ($netclassindex << $BIT_TO) ))
+ tomask=$(( $MASK_MASK ^ (1 << ($netclassindex + $BIT_MASK)) ))
+ trace "from $name --> set $(printf %08x/%08x $from $frommask)"
+ trace " to $name --> and $(printf %08x/%08x $to $tomask)"
 ## Now establish the mark-from-NAME and mark-to-NAME chains.
 clearchain mangle:mark-from-$name mangle:mark-to-$name
- run ip46tables -t mangle -A mark-from-$name -j MARK --set-mark $from
- run ip46tables -t mangle -A mark-to-$name -j MARK --and-mark $to
+ run ip46tables -t mangle -A mark-from-$name -j MARK \
+ --set-xmark $from/$frommask
+ run ip46tables -t mangle -A mark-to-$name -j MARK \
+ --set-xmark $to/$tomask
 ;;
 esac
 netclassindex=$(( $netclassindex + 1 ))
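Review bot: `tomask` on the `tomask=$(( $MASK_MASK ^ ... ))` line covers only the forward-mask bits, so `--set-xmark $to/$tomask` leaves the TO field outside the mask and XORs `$netclassindex << $BIT_TO` into whatever is already there instead of storing it; the result is the right class only while the TO field is still zero. A packet that reaches a second `mark-to-*` chain, or that arrives with a non-zero mark from earlier mangle rules, ends up with a TO value that is the XOR of two class indices, i.e. some third, unrelated class, and that is the value the forwarding policy then keys on, whereas the removed `--and-mark` form at least degraded to an intersection. Putting the field in the mask turns the write into a plain store: `tomask=$(( (0xf << $BIT_TO) | ($MASK_MASK ^ (1 << ($netclassindex + $BIT_MASK))) ))`, using the same 0xf field width the removed code used, or `$MASK_TO` if such a constant exists beside `$MASK_FROM` and `$MASK_MASK` (not visible in this hunk). The `frommask` line already includes its field via `$MASK_FROM`, so the two chains would then behave alike; a comment on the `tomask` line saying which bits it deliberately preserves would help either way. defnetclass's body begins and ends outside the hunk.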
@@ -497,7 +498,7 @@ host () {
 for n in $nn; do
 addr=${n%/*}
 base=${addr%::*}
- case $a in ::*) aa=$addr$a ;; *) aa=$a ;; esac
+ case $a6 in ::*) aa=$base$a6 ;; *) aa=$a6 ;; esac
 eval host_inet6_$name=$aa
 done
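Review bot: `base=${addr%::*}` only helps when the prefix taken from `$nn` actually contains `::`; for a fully written address the expansion leaves `$addr` unchanged, and the new `aa=$base$a6` line then glues a complete address to a `::` suffix, giving a string that presumably fails only later when a rule is loaded. A guard before the `case`, along the lines of `case $addr in *::*) ;; *) echo >&2 "host: $n has no :: to append $a6 to"; exit 1 ;; esac` (or whatever error helper this file uses), catches that where it is written. Separately, `eval host_inet6_$name=$aa` runs on every iteration, so with several networks in `$nn` only the last one's prefix survives into the variable the rules use; if that is intended it deserves a one-line comment. host's body continues outside this hunk.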