Merge branch 'master' into emergency

* master:
  functions: Move NTP server list out of line.
  local.m4: Allow dmz/jump packets on unsafe/colo networks and vice versa.

diff --git a/functions.m4 b/functions.m4
index d059de6..2267af6 100644 (file)
--- a/functions.m4
+++ b/functions.m4
@@ -289,11 +289,12 @@ allowservices () {
 ## Add rules to CHAIN to allow NTP with NTPSERVERs.
 ntpclient () {
   set -e
-  chain=$1; shift
-  for ntp; do
-    run iptables -A $chain -s $ntp -j ACCEPT \
-           -p udp --source-port 123 --destination-port 123
-  done
+  ntpchain=$1; shift
+
+  clearchain ntp-servers
+  for ntp; do run iptables -A ntp-servers -j ACCEPT -s $ntp; done
+  run iptables -A $ntpchain -j ntp-servers \
+         -p udp --source-port 123 --destination-port 123
 }
 
 ## dnsresolver CHAIN

diff --git a/local.m4 b/local.m4
index 36f76b3..0a1617f 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -75,23 +75,23 @@ defnet housebdry virtual
 ## House hosts.
 defhost radius
        router
-       iface eth0 dmz
-       iface eth1 unsafe
+       iface eth0 dmz unsafe
+       iface eth1 dmz unsafe
        iface eth2 safe
        iface eth3 untrusted
 defhost roadstar
-       iface eth0 dmz
-       iface eth1 unsafe
+       iface eth0 dmz unsafe
+       iface eth1 dmz unsafe
 defhost jem
-       iface eth0 dmz
-       iface eth1 unsafe
+       iface eth0 dmz unsafe
+       iface eth1 dmz unsafe
 defhost artist
-       iface eth0 dmz
-       iface eth1 unsafe
+       iface eth0 dmz unsafe
+       iface eth1 dmz unsafe
 defhost vampire
        router
-       iface eth0.0 dmz
-       iface eth0.1 unsafe
+       iface eth0.0 dmz unsafe
+       iface eth0.1 dmz unsafe
        iface eth0.3 untrusted
        iface dns0 dns
        iface vpn-+ vpn
@@ -118,23 +118,23 @@ defnet colobdry virtual
 
 ## Colocated hosts.
 defhost fender
-       iface br-jump jump
-       iface br-colo colo
+       iface br-jump jump colo
+       iface br-colo jump colo
 defhost precision
        router
-       iface eth0 jump
-       iface eth1 colo
+       iface eth0 jump colo
+       iface eth1 jump colo
        iface vpn-+ vpn
        iface vpn-vampire housebdry vpn
 defhost telecaster
-       iface eth0 jump
-       iface eth1 colo
+       iface eth0 jump colo
+       iface eth1 jump colo
 defhost stratocaster
-       iface eth0 jump
-       iface eth1 colo
+       iface eth0 jump colo
+       iface eth1 jump colo
 defhost jazz
-       iface eth0 jump
-       iface eth1 colo
+       iface eth0 jump colo
+       iface eth1 jump colo
 
 ## Other networks.
 defnet hub virtual