Infer destination zone of DNAT redirects from dest_ip option
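--- a/rules.c
+++ b/rules.c
@@ -32,11 +32,11 @@ const struct fw3_option fw3_rule_opts[] = {
 	FW3_LIST("proto", protocol, rule, proto),
-	FW3_LIST("src_ip", address, rule, ip_src),
+	FW3_LIST("src_ip", network, rule, ip_src),
 	FW3_LIST("src_mac", mac, rule, mac_src),
 	FW3_LIST("src_port", port, rule, port_src),
-	FW3_LIST("dest_ip", address, rule, ip_dest),
+	FW3_LIST("dest_ip", network, rule, ip_dest),
 	FW3_LIST("dest_port", port, rule, port_dest),
 	FW3_LIST("icmp_type", icmptype, rule, icmp_type),
@@ -245,7 +245,13 @@ append_chain(struct fw3_ipt_rule *r, struct fw3_rule *rule)
 	}
 	if (rule->dest.set && !rule->src.set)
-		snprintf(chain, sizeof(chain), "zone_%s_output", rule->dest.name);
+	{
+		if (rule->dest.any)
+			snprintf(chain, sizeof(chain), "delegate_output");
+		else
+			snprintf(chain, sizeof(chain), "zone_%s_output",
+			         rule->dest.name);
+	}
 	}
 	fw3_ipt_rule_append(r, chain);
@@ -287,9 +293,18 @@ static void set_target(struct fw3_ipt_rule *r, struct fw3_rule *rule)
 	fw3_ipt_rule_target(r, name);
 }
+static void
+set_comment(struct fw3_ipt_rule *r, const char *name, int num)
+{
+	if (name)
+		fw3_ipt_rule_comment(r, name);
+	else
+		fw3_ipt_rule_comment(r, "@rule[%u]", num);
+}
+
 static void
 print_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
-           struct fw3_rule *rule, struct fw3_protocol *proto,
+           struct fw3_rule *rule, int num, struct fw3_protocol *proto,
            struct fw3_address *sip, struct fw3_address *dip,
            struct fw3_port *sport, struct fw3_port *dport,
            struct fw3_mac *mac, struct fw3_icmptype *icmptype)
@@ -319,7 +334,7 @@ print_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 	fw3_ipt_rule_mark(r, &rule->mark);
 	set_target(r, rule);
 	fw3_ipt_rule_extra(r, rule->extra);
-	fw3_ipt_rule_comment(r, rule->name);
+	set_comment(r, rule->name, num);
 	append_chain(r, rule);
 }
@@ -403,7 +418,7 @@ expand_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 	fw3_foreach(dport, dports)
 	fw3_foreach(mac, &rule->mac_src)
 	fw3_foreach(icmptype, icmptypes)
-		print_rule(handle, state, rule, proto, sip, dip,
+		print_rule(handle, state, rule, num, proto, sip, dip,
 		           sport, dport, mac, icmptype);
 }
 }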
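Review bot: In the new set_comment helper, `name` (the rule->name that print_rule passes in) is handed to fw3_ipt_rule_comment as its format argument, while the sibling call `fw3_ipt_rule_comment(r, "@rule[%u]", num)` indicates the function takes a printf-style format string; a configured rule name containing `%` would then be parsed as conversion specifiers instead of being copied verbatim. Pass the name through a literal format instead: `fw3_ipt_rule_comment(r, "%s", name);`. The same helper formats `int num` with `%u`; `%d` matches the declared parameter type. The replaced call in print_rule had the same non-literal-format pattern, so this is carried over rather than introduced by the commit, but the new helper is the natural place to close it.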