Introduce variable for expected input chains.

Saves lots of messing with $forward.

diff --git a/bookends.m4 b/bookends.m4
index 69a721e..6faa91b 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -111,6 +111,10 @@ case $host_type_<::>FWHOST in
 esac
 setopt ip_forward $forward
 setdevopt forwarding $forward
+case $forward in
+  0) inchains="INPUT" ;;
+  1) inchains="INPUT FORWARD" ;;
+esac
 
 ## Set dynamic port allocation.
 setopt ip_local_port_range $open_port_min $open_port_max

diff --git a/icmp.m4 b/icmp.m4
index 3de0483..d3a7507 100644 (file)
--- a/icmp.m4
+++ b/icmp.m4
@@ -42,9 +42,7 @@ m4_divert(58)m4_dnl
 run iptables -A check-icmp -j ACCEPT
 
 ## Done.
-for i in INPUT FORWARD; do
-  run iptables -A $i -p icmp -j check-icmp
-done
+for i in $inchains; do run ip46tables -A $i -p icmp -j check-icmp; done
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------

diff --git a/local.m4 b/local.m4
index f139f00..d91b171 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -264,12 +264,9 @@ run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 
 ## Otherwise process as indicated by the mark.
-run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-case $forward in
-  1)
-    run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-    ;;
-esac
+for i in $inchains; do
+  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+done
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------