X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/blobdiff_plain/c70bfbbb00e967323531c7c21ec7db08531be988..46be9bde8faee6672d63d4b56458488c4c46c265:/functions.m4
diff --git a/functions.m4 b/functions.m4
index 0e57ffa..484c30d 100644
--- a/functions.m4
+++ b/functions.m4
@@ -331,15 +331,15 @@ defnetclass () {
 netclassindex=$(( $netclassindex + 1 ))
 }
 
-## defiface NAME NETCLASS:NETWORK/MASK...
+## defiface NAME[,NAME,...] NETCLASS:NETWORK/MASK...
 ##
-## Declares a network interface NAME and associates with it a number of
-## reachable networks. During source classification, a packet arriving on
-## interface NAME from an address in NETWORK/MASK is classified as coming
-## from to NETCLASS. During destination classification, all packets going to
-## NETWORK/MASK are classified as going to NETCLASS, regardless of interface
-## (which is good, because the outgoing interface hasn't been determined
-## yet).
+## Declares network interfaces with the given NAMEs and associates with them
+## a number of reachable networks. During source classification, a packet
+## arriving on interface NAME from an address in NETWORK/MASK is classified
+## as coming from to NETCLASS. During destination classification, all
+## packets going to NETWORK/MASK are classified as going to NETCLASS,
+## regardless of interface (which is good, because the outgoing interface
+## hasn't been determined yet).
 ##
 ## As a special case, the NETWORK/MASK can be the string `default', which
 ## indicates that all addresses not matched elsewhere should be considered.
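Review bot: The rewritten header comment carries over the stray "to" in `classified as coming from to NETCLASS`; since the paragraph is being reworded anyway, this is the moment to make it `## as coming from NETCLASS.`. The new synopsis `NAME[,NAME,...]` also does not say what happens when a NAME is repeated in the list or appears in more than one `defiface` call, which the implementation does handle; a sentence such as `## A NAME that has already been declared is not given a second input chain.` would tell a reader what to expect. The comment block continues past the end of the hunk.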
@@ -348,34 +348,43 @@ defaultiface=none
 allnets=
 allnets6=
 defiface () {
 set -e
- name=$1; shift
- case $ifaces in
- *:"$name":*) ;;
- *)
- clearchain mangle:in-$name
- run ip46tables -t mangle -A in-classify -i $name -g in-$name
- ;;
- esac
- ifaces=$ifaces$name:
- for item; do
- netclass=${item%:*} addr=${item#*:}
- case $addr in
- default)
- defaultiface=$name
- defaultclass=$netclass
- run ip46tables -t mangle -A out-classify -g mark-to-$netclass
- ;;
- *:*)
- run ip6tables -t mangle -A in-$name -s $addr -g mark-from-$netclass
- run ip6tables -t mangle -A out-classify -d $addr -g mark-to-$netclass
- allnets6="$allnets6 $name:$addr"
- ;;
+ names=$1; shift
+ seen=:
+ for name in $(echo $names | sed 'y/,/ /'); do
+ case $seen in *:"$name":*) continue ;; esac
+ seen=$seen$name:
+ case $ifaces in
+ *:"$name":*) ;;
 *)
- run iptables -t mangle -A in-$name -s $addr -g mark-from-$netclass
- run iptables -t mangle -A out-classify -d $addr -g mark-to-$netclass
- allnets="$allnets $name:$addr"
+ clearchain mangle:in-$name
+ run ip46tables -t mangle -A in-classify -i $name -g in-$name
 ;;
 esac
+ ifaces=$ifaces$name:
+ for item; do
+ netclass=${item%:*} addr=${item#*:}
+ case $addr in
+ default)
+ defaultiface=$name
+ defaultclass=$netclass
+ run ip46tables -t mangle -A out-classify -g mark-to-$netclass
+ ;;
+ *:*)
+ run ip6tables -t mangle -A in-$name -g mark-from-$netclass \
+ -s $addr
+ run ip6tables -t mangle -A out-classify -g mark-to-$netclass \
+ -d $addr
+ allnets6="$allnets6 $name:$addr"
+ ;;
+ *)
+ run iptables -t mangle -A in-$name -g mark-from-$netclass \
+ -s $addr
+ run iptables -t mangle -A out-classify -g mark-to-$netclass \
+ -d $addr
+ allnets="$allnets $name:$addr"
+ ;;
+ esac
+ done
 done
 }
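Review bot: The `out-classify` appends and the `default` bookkeeping now sit inside the `for name` loop, so a call such as `defiface eth0,eth1 ...` appends every destination-side rule once per listed interface and leaves `defaultiface` holding only the last name in the list. The duplicated `-A out-classify ... -d $addr` entries should be unreachable for a matching packet, because `-g` does not return into `out-classify`, so the visible effect is a longer chain to scan rather than a misclassification — but it contradicts the header comment, which says destination classification is independent of interface. If the per-name repetition is not intended, I would split the work: keep the `in-$name` rules and the `allnets`/`allnets6` bookkeeping per name, and run a single pass over the items afterwards for the `out-classify` rules and `defaultclass`, as sketched below. Whether `defaultiface` should record one name or all of them depends on its consumers elsewhere in the file, which this hunk does not show.
```shell
    # … unchanged: name splitting, seen/ifaces dedup, in-classify chain setup …
    for item; do
      netclass=${item%:*} addr=${item#*:}
      case $addr in
        default) defaultiface=$name ;;
        *:*)
          run ip6tables -t mangle -A in-$name -g mark-from-$netclass \
            -s $addr
          allnets6="$allnets6 $name:$addr"
          ;;
        *)
          run iptables -t mangle -A in-$name -g mark-from-$netclass \
            -s $addr
          allnets="$allnets $name:$addr"
          ;;
      esac
    done
  done
  ## Destination classification does not depend on the interface, so add
  ## each out-classify rule exactly once, however many NAMEs were given.
  for item; do
    netclass=${item%:*} addr=${item#*:}
    case $addr in
      default)
        defaultclass=$netclass
        run ip46tables -t mangle -A out-classify -g mark-to-$netclass
        ;;
      *:*) run ip6tables -t mangle -A out-classify -g mark-to-$netclass -d $addr ;;
      *) run iptables -t mangle -A out-classify -g mark-to-$netclass -d $addr ;;
    esac
  done
```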