X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/46be9bde8faee6672d63d4b56458488c4c46c265..42dae9aeec781a3f02a87673e7b64d20facb9659:/functions.m4

diff --git a/functions.m4 b/functions.m4
index 484c30d..b2e3cb6 100644
--- a/functions.m4
+++ b/functions.m4
@@ -50,6 +50,14 @@ defport () {
   eval port_$name=$number
 }
 
+## defproto NAME NUMBER
+##
+## Define $proto_NAME to be NUMBER.
+defproto () {
+  name=$1 number=$2
+  eval proto_$name=$number
+}
+
 m4_divert(38)m4_dnl
 ###--------------------------------------------------------------------------
 ### Utility chains (used by function definitions).
@@ -96,7 +104,9 @@ errorchain () {
   run ip46tables -t $table -A $chain -j LOG \
 	  -m limit --limit 3/minute --limit-burst 10 \
 	  --log-prefix "fw: $chain " --log-level notice
-  run ip46tables -t $table -A $chain -j "$@"
+  run ip46tables -t $table -A $chain -j "$@" \
+	  -m limit --limit 20/second --limit-burst 100
+  run ip46tables -t $table -A $chain -j DROP
 }
 
 m4_divert(24)m4_dnl
@@ -108,19 +118,50 @@ m4_divert(24)m4_dnl
 ## Set an IP sysctl.
 setopt () {
   set -e
-  opt=$1; shift; val=$*
-  run sysctl -q net/ipv4/$opt="$val"
+  opt=$1 val=$2
+  any=nil
+  for ver in ipv4 ipv6; do
+    if [ -f /proc/sys/net/$ver/$opt ]; then
+      run sysctl -q net/$ver/$opt="$val"
+      any=t
+    fi
+  done
+  case $any in
+    nil) echo >&2 "$0: unknown IP option $opt"; exit 1 ;;
+  esac
 }
 
-## setdevopt OPTION VALUE
+## setdevopt OPTION VALUE [INTERFACES ...]
 ##
 ## Set an IP interface-level sysctl.
 setdevopt () {
   set -e
-  opt=$1; shift; val=$*
-  for i in /proc/sys/net/ipv4/conf/*; do
-    [ -f $i/$opt ] &&
-      run sysctl -q net/ipv4/conf/${i#/proc/sys/net/ipv4/conf/}/$opt="$val"
+  opt=$1 val=$2; shift 2
+  case "$#,$1" in
+    0, | 1,all)
+      set -- $(
+	seen=:
+	for ver in ipv4 ipv6; do
+	  cd /proc/sys/net/$ver/conf
+	  for i in *; do
+	    [ -f $i/$opt ] || continue
+	    case "$seen" in (*:$i:*) continue ;; esac
+	    echo $i
+	  done
+	done)
+      ;;
+  esac
+  for i in "$@"; do
+    any=nil
+    for ver in ipv4 ipv6; do
+      if [ -f /proc/sys/net/$ver/conf/$i/$opt ]; then
+	any=t
+	run sysctl -q net/ipv4/conf/$i/$opt="$val"
+      fi
+    done
+    case $any in
+      nil) echo >&2 "$0: unknown device option $opt"; exit 1 ;;
+    esac
   done
 }
 
@@ -344,7 +385,7 @@ defnetclass () {
 ## As a special case, the NETWORK/MASK can be the string `default', which
 ## indicates that all addresses not matched elsewhere should be considered.
 ifaces=:
-defaultiface=none
+defaultifaces=""
 allnets= allnets6=
 defiface () {
   set -e
@@ -365,9 +406,16 @@ defiface () {
       netclass=${item%:*} addr=${item#*:}
       case $addr in
 	default)
-	  defaultiface=$name
-	  defaultclass=$netclass
-	  run ip46tables -t mangle -A out-classify -g mark-to-$netclass
+	  case "$defaultifaces,$defaultclass" in
+	    ,* | *,$netclass)
+	      defaultifaces="$defaultifaces $name"
+	      defaultclass=$netclass
+	      ;;
+	    *)
+	      echo >&2 "$0: inconsistent default netclasses"
+	      exit 1
+	      ;;
+	  esac
 	  ;;
 	*:*)
 	  run ip6tables -t mangle -A in-$name -g mark-from-$netclass \