Add support for device and direction parameters

Signed-off-by: Steven Barth <steven@midlink.org>

diff --git a/iptables.c b/iptables.c
index 694dd4f6ab9a94bf58863a5acd9b1e11c8390239..58ec752af8df55e68f0cc1fd3215f412dd7c781c 100644 (file)
--- a/iptables.c
+++ b/iptables.c
@@ -743,6 +743,16 @@ fw3_ipt_rule_sport_dport(struct fw3_ipt_rule *r,
        }
 }
 
+void
+fw3_ipt_rule_device(struct fw3_ipt_rule *r, const char *device, bool out)
+{
+       if (device) {
+               struct fw3_device dev = { .any = false };
+               strncpy(dev.name, device, sizeof(dev.name) - 1);
+               fw3_ipt_rule_in_out(r, (out) ? NULL : &dev, (out) ? &dev : NULL);
+       }
+}
+
 void
 fw3_ipt_rule_mac(struct fw3_ipt_rule *r, struct fw3_mac *mac)
 {

diff --git a/iptables.h b/iptables.h
index d0b42d89d358ed57553d4e75a30306e9b105a3d0..872ee339ff0af01a2c6a46f82f8041e09c961156 100644 (file)
--- a/iptables.h
+++ b/iptables.h
@@ -143,6 +143,8 @@ void fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
 void fw3_ipt_rule_sport_dport(struct fw3_ipt_rule *r,
                               struct fw3_port *sp, struct fw3_port *dp);
 
+void fw3_ipt_rule_device(struct fw3_ipt_rule *r, const char *device, bool out);
+
 void fw3_ipt_rule_mac(struct fw3_ipt_rule *r, struct fw3_mac *mac);
 
 void fw3_ipt_rule_icmptype(struct fw3_ipt_rule *r, struct fw3_icmptype *icmp);

diff --git a/options.c b/options.c
index 4c42be023371585e410235eee41ea72c1ffac11b..1dbdca8b9169d4f8411d5965ef7c1ed6775acb54 100644 (file)
--- a/options.c
+++ b/options.c
@@ -854,6 +854,22 @@ fw3_parse_setmatch(void *ptr, const char *val, bool is_list)
        return true;
 }
 
+bool
+fw3_parse_direction(void *ptr, const char *val, bool is_list)
+{
+       bool *is_out = ptr;
+       bool valid = true;
+
+       if (!strcmp(val, "in") || !strcmp(val, "ingress"))
+               *is_out = false;
+       else if (!strcmp(val, "out") || !strcmp(val, "egress"))
+               *is_out = true;
+       else
+               valid = false;
+
+       return valid;
+}
+
 
 bool
 fw3_parse_options(void *s, const struct fw3_option *opts,

diff --git a/options.h b/options.h
index f0a759aaef8c872d11f1e91611cae80dcdf3ba82..30c0a95bdd57f2201c7442408f0b8b5689dc9951 100644 (file)
--- a/options.h
+++ b/options.h
@@ -328,6 +328,9 @@ struct fw3_rule
        struct fw3_zone *_src;
        struct fw3_zone *_dest;
 
+       const char *device;
+       bool direction_out;
+
        struct fw3_device src;
        struct fw3_device dest;
        struct fw3_setmatch ipset;
@@ -408,6 +411,7 @@ struct fw3_snat
 
        struct fw3_device src;
        struct fw3_setmatch ipset;
+       const char *device;
 
        struct list_head proto;
 
@@ -550,6 +554,7 @@ bool fw3_parse_weekdays(void *ptr, const char *val, bool is_list);
 bool fw3_parse_monthdays(void *ptr, const char *val, bool is_list);
 bool fw3_parse_mark(void *ptr, const char *val, bool is_list);
 bool fw3_parse_setmatch(void *ptr, const char *val, bool is_list);
+bool fw3_parse_direction(void *ptr, const char *val, bool is_list);
 
 bool fw3_parse_options(void *s, const struct fw3_option *opts,
                        struct uci_section *section);

diff --git a/rules.c b/rules.c
index 8ecefb03bfed279ca2c85a28fb492ff30d91c182..b41dfac5e6d981e4d032de4cfa0239a09f174526 100644 (file)
--- a/rules.c
+++ b/rules.c
@@ -28,6 +28,9 @@ const struct fw3_option fw3_rule_opts[] = {
        FW3_OPT("src",                 device,    rule,     src),
        FW3_OPT("dest",                device,    rule,     dest),
 
+       FW3_OPT("device",              string,    rule,     device),
+       FW3_OPT("direction",           direction, rule,     direction_out),
+
        FW3_OPT("ipset",               setmatch,  rule,     ipset),
 
        FW3_LIST("proto",              protocol,  rule,     proto),
@@ -350,6 +353,7 @@ print_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 
        r = fw3_ipt_rule_create(handle, proto, NULL, NULL, sip, dip);
        fw3_ipt_rule_sport_dport(r, sport, dport);
+       fw3_ipt_rule_device(r, rule->device, rule->direction_out);
        fw3_ipt_rule_icmptype(r, icmptype);
        fw3_ipt_rule_mac(r, mac);
        fw3_ipt_rule_ipset(r, &rule->ipset);

diff --git a/snats.c b/snats.c
index c7f29c617b6cf9512e74399c0d1c0da0f5c816f2..1e0119265e6ddb896f0da68b2ab043c27dd1e3c3 100644 (file)
--- a/snats.c
+++ b/snats.c
@@ -26,6 +26,7 @@ const struct fw3_option fw3_snat_opts[] = {
        FW3_OPT("family",              family,    snat,     family),
 
        FW3_OPT("src",                 device,    snat,     src),
+       FW3_OPT("device",              string,    snat,     device),
 
        FW3_OPT("ipset",               setmatch,  snat,     ipset),
 
@@ -308,6 +309,7 @@ print_snat(struct fw3_ipt_handle *h, struct fw3_state *state,
 
                r = fw3_ipt_rule_create(h, proto, NULL, NULL, src, dst);
                fw3_ipt_rule_sport_dport(r, spt, dpt);
+               fw3_ipt_rule_device(r, snat->device, true);
                fw3_ipt_rule_ipset(r, &snat->ipset);
                fw3_ipt_rule_limit(r, &snat->limit);
                fw3_ipt_rule_time(r, &snat->time);