functions: Move NTP server list out of line.

Makes the `inbound' chain slightly more efficient in the common case.

diff --git a/functions.m4 b/functions.m4
index d059de6..2267af6 100644 (file)
--- a/functions.m4
+++ b/functions.m4
@@ -289,11 +289,12 @@ allowservices () {
 ## Add rules to CHAIN to allow NTP with NTPSERVERs.
 ntpclient () {
   set -e
-  chain=$1; shift
-  for ntp; do
-    run iptables -A $chain -s $ntp -j ACCEPT \
-           -p udp --source-port 123 --destination-port 123
-  done
+  ntpchain=$1; shift
+
+  clearchain ntp-servers
+  for ntp; do run iptables -A ntp-servers -j ACCEPT -s $ntp; done
+  run iptables -A $ntpchain -j ntp-servers \
+         -p udp --source-port 123 --destination-port 123
 }
 
 ## dnsresolver CHAIN