From: Mark Wooding Date: Sun, 10 Jul 2011 20:35:54 +0000 (+0100) Subject: functions.m4: Allow multiple interfaces to be defined by defiface. X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/46be9bde8faee6672d63d4b56458488c4c46c265 functions.m4: Allow multiple interfaces to be defined by defiface. With the upcoming network reorganization, it will be possible for particular networks to be routed over several different interfaces. It will make describing the individual routers easier if we can get defiface to deal with the commonality. --- diff --git a/functions.m4 b/functions.m4 index 0e57ffa..484c30d 100644 --- a/functions.m4 +++ b/functions.m4 @@ -331,15 +331,15 @@ defnetclass () { netclassindex=$(( $netclassindex + 1 )) } -## defiface NAME NETCLASS:NETWORK/MASK... +## defiface NAME[,NAME,...] NETCLASS:NETWORK/MASK... ## -## Declares a network interface NAME and associates with it a number of -## reachable networks. During source classification, a packet arriving on -## interface NAME from an address in NETWORK/MASK is classified as coming -## from to NETCLASS. During destination classification, all packets going to -## NETWORK/MASK are classified as going to NETCLASS, regardless of interface -## (which is good, because the outgoing interface hasn't been determined -## yet). +## Declares network interfaces with the given NAMEs and associates with them +## a number of reachable networks. During source classification, a packet +## arriving on interface NAME from an address in NETWORK/MASK is classified +## as coming from to NETCLASS. During destination classification, all +## packets going to NETWORK/MASK are classified as going to NETCLASS, +## regardless of interface (which is good, because the outgoing interface +## hasn't been determined yet). ## ## As a special case, the NETWORK/MASK can be the string `default', which ## indicates that all addresses not matched elsewhere should be considered. 
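Review bot: The rewritten header paragraph on the new side carries over the old typo `as coming from to NETCLASS`; it should read `as coming from NETCLASS`. It would also help to state how repeated names behave, since the new loop in the following hunk defines it: a NAME listed twice in one call is processed once, and a NAME already declared by an earlier defiface keeps its existing in-NAME chain and only gains the listed networks. Something like `## A NAME repeated within one call is handled once; a NAME already declared by an earlier defiface keeps its in-NAME chain and gains the networks listed here.` after the first paragraph would cover it.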
@@ -348,34 +348,43 @@ defaultiface=none allnets= allnets6= defiface () { set -e - name=$1; shift - case $ifaces in - *:"$name":*) ;; - *) - clearchain mangle:in-$name - run ip46tables -t mangle -A in-classify -i $name -g in-$name - ;; - esac - ifaces=$ifaces$name: - for item; do - netclass=${item%:*} addr=${item#*:} - case $addr in - default) - defaultiface=$name - defaultclass=$netclass - run ip46tables -t mangle -A out-classify -g mark-to-$netclass - ;; - *:*) - run ip6tables -t mangle -A in-$name -s $addr -g mark-from-$netclass - run ip6tables -t mangle -A out-classify -d $addr -g mark-to-$netclass - allnets6="$allnets6 $name:$addr" - ;; + names=$1; shift + seen=: + for name in $(echo $names | sed 'y/,/ /'); do + case $seen in *:"$name":*) continue ;; esac + seen=$seen$name: + case $ifaces in + *:"$name":*) ;; *) - run iptables -t mangle -A in-$name -s $addr -g mark-from-$netclass - run iptables -t mangle -A out-classify -d $addr -g mark-to-$netclass - allnets="$allnets $name:$addr" + clearchain mangle:in-$name + run ip46tables -t mangle -A in-classify -i $name -g in-$name ;; esac + ifaces=$ifaces$name: + for item; do + netclass=${item%:*} addr=${item#*:} + case $addr in + default) + defaultiface=$name + defaultclass=$netclass + run ip46tables -t mangle -A out-classify -g mark-to-$netclass + ;; + *:*) + run ip6tables -t mangle -A in-$name -g mark-from-$netclass \ + -s $addr + run ip6tables -t mangle -A out-classify -g mark-to-$netclass \ + -d $addr + allnets6="$allnets6 $name:$addr" + ;; + *) + run iptables -t mangle -A in-$name -g mark-from-$netclass \ + -s $addr + run iptables -t mangle -A out-classify -g mark-to-$netclass \ + -d $addr + allnets="$allnets $name:$addr" + ;; + esac + done done }