From: Mark Wooding Date: Sat, 9 Feb 2013 15:59:12 +0000 (+0000) Subject: classify.m4: Hook the INPUT and FORWARD chains, not PREROUTING. X-Git-Url: https://git.distorted.org.uk/~mdw/firewall/commitdiff_plain/5860d5a3f6a5c13d4b943cdd8863ead282ab7bab classify.m4: Hook the INPUT and FORWARD chains, not PREROUTING. The latter are done after NAT has resolved the source and destination addresses, so we can actually do the job right. --- diff --git a/classify.m4 b/classify.m4 index 5b6f209..bd7ab59 100644 --- a/classify.m4 +++ b/classify.m4 @@ -45,8 +45,9 @@ m4_divert(40)m4_dnl ### ### The mangle chains are arranged as follows. ### -### The PREROUTING hook simply invokes in-classify and out-classify chains as -### subroutines. These will tail-call appropriate classification chains. +### The INPUT and FORWARD hooks simply invokes in-classify and out-classify +### chains as subroutines. These will tail-call appropriate classification +### chains. ### ### The in-classify chain is responsible for both source address ### classification and verifying that the packet arrived from the correct @@ -339,12 +340,16 @@ run ip46tables -t mangle -A in-default -g mark-from-$net_class_default m4_divert(92)m4_dnl ## Put the final default decision on the in-default chain, and attach the -## classification chains to the PREROUTING hook. +## classification chains to the INPUT and (maybe) FORWARD hooks. for iface in $defaultifaces; do run ip46tables -t mangle -A in-$iface -g in-default done -run ip46tables -t mangle -A PREROUTING -j in-classify -run ip46tables -t mangle -A PREROUTING -j out-classify +chains="INPUT" +case $forward in 1) chains="$chains FORWARD" ;; esac +for c in $chains; do + run ip46tables -t mangle -A $c -j in-classify + run ip46tables -t mangle -A $c -j out-classify +done ## Incoming stuff to or from a link-local address is OK. run ip46tables -t mangle -A INPUT \
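Review bot: Grammar in the first hunk's new comment text: "The INPUT and FORWARD hooks simply invokes in-classify and out-classify chains as subroutines" should read "hooks simply invoke", since the subject is plural; worth fixing while the comment block is being touched anyway.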
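Review bot: In the second hunk, `case $forward in 1) chains="$chains FORWARD" ;; esac` depends on a `$forward` variable that is not set anywhere in the visible context; if it is unset or holds any value other than the literal `1`, the `case` matches nothing and the FORWARD hook is silently never wired, so forwarded traffic bypasses both in-classify and out-classify with no error. Please either add a comment naming where `$forward` is defined, or make the fallback explicit (for example `case "${forward:-0}" in` with a comment stating that forwarding is off by default). One caveat on the placement itself: at the mangle INPUT and FORWARD hooks only the nat PREROUTING (DNAT) step has already run, while SNAT/MASQUERADE happens in POSTROUTING, so out-classify at these hooks still sees the pre-SNAT source address; a sentence to that effect in the header comment would stop a later reader from assuming both addresses are fully translated here.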