X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/beb4f0eeafb386d83f2593fec489f4291583e08b..e2c5d32a16fdcf56738c022a2be48e14636bbe85:/functions.m4
diff --git a/functions.m4 b/functions.m4
index 891b037..b78dcbe 100644
--- a/functions.m4
+++ b/functions.m4
@@ -289,11 +289,12 @@ allowservices () {
 ## Add rules to CHAIN to allow NTP with NTPSERVERs.
 ntpclient () {
 set -e
- chain=$1; shift
- for ntp; do
- run iptables -A $chain -s $ntp -j ACCEPT \
- -p udp --source-port 123 --destination-port 123
- done
+ ntpchain=$1; shift
+
+ clearchain ntp-servers
+ for ntp; do run iptables -A ntp-servers -j ACCEPT -s $ntp; done
+ run iptables -A $ntpchain -j ntp-servers \
+ -p udp --source-port 123 --destination-port 123
 }
 ## dnsresolver CHAIN
@@ -389,6 +390,7 @@ defnetclass () {
 ## Pass 1. Establish the from_NAME and to_NAME constants, and the
 ## netclass's mask bit.
+ trace "netclass $name = $netclassindex"
 eval from_$name=$(( $netclassindex << $BIT_FROM ))
 eval to_$name=$(( $netclassindex << $BIT_TO ))
 eval _mask_$name=$(( 1 << ($netclassindex + $BIT_MASK) ))
@@ -496,7 +498,7 @@ host () {
 for n in $nn; do
 addr=${n%/*}
 base=${addr%::*}
- case $a in ::*) aa=$addr$a ;; *) aa=$a ;; esac
+ case $a6 in ::*) aa=$base$a6 ;; *) aa=$a6 ;; esac
 eval host_inet6_$name=$aa
 done
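Review bot: The ACCEPT rules in the new `for ntp` loop of `ntpclient` match on source address alone, so the UDP port-123 restriction now exists only on the jump from `$ntpchain`; any later rule that jumps to `ntp-servers` without that match would accept all traffic from those hosts. I would record the invariant next to the loop, e.g. `## ntp-servers accepts by source only: jump to it only from rules that already match -p udp and port 123`. The chain name is also fixed, so a second `ntpclient` call with a different server list would, assuming `clearchain` (defined outside this hunk) empties the chain, replace the list for every chain that already jumps to it; that deserves a line in the function's header comment. Quoting `"$ntp"` and `"$ntpchain"` would also keep a stray space or glob character in an argument from changing the iptables command line.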