X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/7dde20fa84bad82640c029a7c41e213a576d777a..6fd217ae2465d315d507e1a58a53d4afa53bde25:/functions.m4 diff --git a/functions.m4 b/functions.m4 index 03f6af5..ebc1661 100644 --- a/functions.m4 +++ b/functions.m4 @@ -130,7 +130,7 @@ errorchain () { clearchain $table:$chain run ip46tables -t $table -A $chain -j LOG \ -m limit --limit 3/minute --limit-burst 10 \ - --log-prefix "fw: $chain " --log-level notice + --log-prefix "fw: $chain " --log-level notice || : run ip46tables -t $table -A $chain -j "$@" \ -m limit --limit 20/second --limit-burst 100 run ip46tables -t $table -A $chain -j DROP @@ -427,9 +427,9 @@ defnetclass () { from=$(( $from + $bit )) done to=$(( ($netclassindex << $BIT_TO) )) - tomask=$(( $MASK_MASK ^ (1 << ($netclassindex + $BIT_MASK)) )) + tomask=$(( $MASK_TO | $MASK_MASK ^ (1 << ($netclassindex + $BIT_MASK)) )) trace "from $name --> set $(printf %08x/%08x $from $frommask)" - trace " to $name --> and $(printf %08x/%08x $to $tomask)" + trace " to $name --> set $(printf %08x/%08x $to $tomask)" ## Now establish the mark-from-NAME and mark-to-NAME chains. clearchain mangle:mark-from-$name mangle:mark-to-$name @@ -559,15 +559,18 @@ iface () { done } +## matchnets OPT WIN FLAGS PREPARE BASE SUFFIX NEXT NET [NET ...] +## ## Build rules which match a particular collection of networks. +## ## Specifically, use the address-comparison operator OPT (typically `-s' or -## `-d') to match the addresses of NOT, writing the rules to the chain -## BASESUFFIX. If we find a match, dispatch to WIN-CLASS, where CLASS is -## the class of the matching network. In order to deal with networks -## containing negative address ranges, more chains may need to be -## constructed; they will be named BASE#Q for sequence numbers Q starting -## with NEXT. All of this happens on the `mangle' table, and there isn't -## (currently) a way to tweak this. +## `-d') to match the addresses of each NET, writing the rules to the chain +## BASESUFFIX. If we find a match, dispatch to WIN-CLASS, where CLASS is the +## class of the matching network. In order to deal with networks containing +## negative address ranges, more chains may need to be constructed; they will +## be named BASE#Q for sequence numbers Q starting with NEXT. All of this +## happens on the `mangle' table, and there isn't (currently) a way to tweak +## this. ## ## The FLAGS gather additional interesting information about the job, ## separated by colons. The only flag currently is :default: which means