## default interface.
trace "nets = $allnets $allnets6"
for net in $allnets; do
- case $net in
- "$defaultiface":*)
- ;;
- *)
- run iptables -t mangle -A in-$defaultiface \
+ defaultp=nil
+ for iface in $defaultifaces; do
+ case $net in $iface:*) defaultp=t ;; esac
+ done
+ case $defaultp in
+ nil)
+ for iface in $defaultifaces; do
+ run iptables -t mangle -A in-$iface \
-s ${net#*:} -g bad-source-address
+ done
;;
esac
done
for net in $allnets6; do
- case $net in
- "$defaultiface":*)
- ;;
- *)
- run ip6tables -t mangle -A in-$defaultiface \
+ defaultp=nil
+ for iface in $defaultifaces; do
+ case $net in $iface:*) defaultp=t ;; esac
+ done
+ case $defaultp in
+ nil)
+ for iface in $defaultifaces; do
+ run ip6tables -t mangle -A in-$iface \
-s ${net#*:} -g bad-source-address
+ done
;;
esac
done
m4_divert(92)m4_dnl
## Put the final default decision on the in-default chain, and attach the
## classification chains to the PREROUTING hook.
-run ip46tables -t mangle -A in-$defaultiface -g mark-from-$defaultclass
+for iface in $defaultifaces; do
+ run ip46tables -t mangle -A in-$iface -g mark-from-$defaultclass
+done
+run ip46tables -t mangle -A out-classify -g mark-to-$defaultclass
run ip46tables -t mangle -A PREROUTING -j in-classify
run ip46tables -t mangle -A PREROUTING -j out-classify
## As a special case, the NETWORK/MASK can be the string `default', which
## indicates that all addresses not matched elsewhere should be considered.
ifaces=:
-defaultiface=none
+defaultifaces=""
allnets= allnets6=
defiface () {
set -e
netclass=${item%:*} addr=${item#*:}
case $addr in
default)
- defaultiface=$name
- defaultclass=$netclass
- run ip46tables -t mangle -A out-classify -g mark-to-$netclass
+ case "$defaultifaces,$defaultclass" in
+ ,* | *,$netclass)
+ defaultifaces="$defaultifaces $name"
+ defaultclass=$netclass
+ ;;
+ *)
+ echo >&2 "$0: inconsistent default netclasses"
+ exit 1
+ ;;
+ esac
;;
*:*)
run ip6tables -t mangle -A in-$name -g mark-from-$netclass \
~mdw / firewall / commitdiff