From 2f392a3b91c25c94abfc9a7862d908c923f7bf2b Mon Sep 17 00:00:00 2001
From: Steven Barth
Date: Sun, 13 Apr 2014 18:41:06 +0200
Subject: [PATCH] Add support for device and direction parameters

Signed-off-by: Steven Barth
---
 iptables.c | 10 ++++++++++
 iptables.h | 2 ++
 options.c | 16 ++++++++++++++++
 options.h | 5 +++++
 rules.c | 4 ++++
 snats.c | 2 ++
 6 files changed, 39 insertions(+)

diff --git a/iptables.c b/iptables.c
index 694dd4f..58ec752 100644
--- a/iptables.c
+++ b/iptables.c
@@ -743,6 +743,16 @@ fw3_ipt_rule_sport_dport(struct fw3_ipt_rule *r,
 }
 }
 
+void
+fw3_ipt_rule_device(struct fw3_ipt_rule *r, const char *device, bool out)
+{
+ if (device) {
+ struct fw3_device dev = { .any = false };
+ strncpy(dev.name, device, sizeof(dev.name) - 1);
+ fw3_ipt_rule_in_out(r, (out) ? NULL : &dev, (out) ? &dev : NULL);
+ }
+}
+
 void
 fw3_ipt_rule_mac(struct fw3_ipt_rule *r, struct fw3_mac *mac)
 {
diff --git a/iptables.h b/iptables.h
index d0b42d8..872ee33 100644
--- a/iptables.h
+++ b/iptables.h
@@ -143,6 +143,8 @@ void fw3_ipt_rule_src_dest(struct fw3_ipt_rule *r,
 void fw3_ipt_rule_sport_dport(struct fw3_ipt_rule *r,
 struct fw3_port *sp, struct fw3_port *dp);
 
+void fw3_ipt_rule_device(struct fw3_ipt_rule *r, const char *device, bool out);
+
 void fw3_ipt_rule_mac(struct fw3_ipt_rule *r, struct fw3_mac *mac);
 
 void fw3_ipt_rule_icmptype(struct fw3_ipt_rule *r, struct fw3_icmptype *icmp);
diff --git a/options.c b/options.c
index 4c42be0..1dbdca8 100644
--- a/options.c
+++ b/options.c
@@ -854,6 +854,22 @@ fw3_parse_setmatch(void *ptr, const char *val, bool is_list)
 return true;
 }
 
+bool
+fw3_parse_direction(void *ptr, const char *val, bool is_list)
+{
+ bool *is_out = ptr;
+ bool valid = true;
+
+ if (!strcmp(val, "in") || !strcmp(val, "ingress"))
+ *is_out = false;
+ else if (!strcmp(val, "out") || !strcmp(val, "egress"))
+ *is_out = true;
+ else
+ valid = false;
+
+ return valid;
+}
+
 bool
 fw3_parse_options(void *s, const struct fw3_option *opts,
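Review bot: `strncpy(dev.name, device, sizeof(dev.name) - 1)` in fw3_ipt_rule_device silently truncates a `device` longer than the name buffer, so an over-long interface name taken from the configuration ends up matching a different or non-existent interface instead of being rejected. The designated initializer zero-fills `dev`, so the copy stays NUL-terminated; the problem is the silent truncation, not termination. I would reject the name up front, `if (strlen(device) >= sizeof(dev.name)) return;` with a warning through the file's existing logging helper, or better, enforce the length where the `device` option is parsed so the error can name the offending section. It is also worth confirming that fw3_ipt_rule_in_out copies `dev` rather than keeping the pointer, since `dev` is a stack local that dies when this function returns.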
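Review bot: The new `fw3_ipt_rule_device` prototype in iptables.h does not say what `out` selects or what a NULL `device` does, and the header is where callers look first. A one-line comment above the declaration would do: `/* Restrict the rule to interface DEVICE, as the outgoing interface when OUT is true and the incoming one otherwise; a NULL DEVICE adds no match. */` That mirrors what the definition in iptables.c does through fw3_ipt_rule_in_out.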
diff --git a/options.h b/options.h
index f0a759a..30c0a95 100644
--- a/options.h
+++ b/options.h
@@ -328,6 +328,9 @@ struct fw3_rule
 struct fw3_zone *_src;
 struct fw3_zone *_dest;
 
+ const char *device;
+ bool direction_out;
+
 struct fw3_device src;
 struct fw3_device dest;
 struct fw3_setmatch ipset;
@@ -408,6 +411,7 @@ struct fw3_snat
 
 struct fw3_device src;
 struct fw3_setmatch ipset;
+ const char *device;
 
 struct list_head proto;
 
@@ -550,6 +554,7 @@ bool fw3_parse_weekdays(void *ptr, const char *val, bool is_list);
 bool fw3_parse_monthdays(void *ptr, const char *val, bool is_list);
 bool fw3_parse_mark(void *ptr, const char *val, bool is_list);
 bool fw3_parse_setmatch(void *ptr, const char *val, bool is_list);
+bool fw3_parse_direction(void *ptr, const char *val, bool is_list);
 
 bool fw3_parse_options(void *s, const struct fw3_option *opts,
 struct uci_section *section);
diff --git a/rules.c b/rules.c
index 8ecefb0..b41dfac 100644
--- a/rules.c
+++ b/rules.c
@@ -28,6 +28,9 @@ const struct fw3_option fw3_rule_opts[] = {
 FW3_OPT("src", device, rule, src),
 FW3_OPT("dest", device, rule, dest),
 
+ FW3_OPT("device", string, rule, device),
+ FW3_OPT("direction", direction, rule, direction_out),
+
 FW3_OPT("ipset", setmatch, rule, ipset),
 
 FW3_LIST("proto", protocol, rule, proto),
@@ -350,6 +353,7 @@ print_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 r = fw3_ipt_rule_create(handle, proto, NULL, NULL, sip, dip);
 
 fw3_ipt_rule_sport_dport(r, sport, dport);
+ fw3_ipt_rule_device(r, rule->device, rule->direction_out);
 fw3_ipt_rule_icmptype(r, icmptype);
 fw3_ipt_rule_mac(r, mac);
 fw3_ipt_rule_ipset(r, &rule->ipset);
diff --git a/snats.c b/snats.c
index c7f29c6..1e01192 100644
--- a/snats.c
+++ b/snats.c
@@ -26,6 +26,7 @@ const struct fw3_option fw3_snat_opts[] = {
 FW3_OPT("family", family, snat, family),
 
 FW3_OPT("src", device, snat, src),
+ FW3_OPT("device", string, snat, device),
 FW3_OPT("ipset", setmatch, snat, ipset),
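Review bot: `fw3_ipt_rule_device(r, rule->device, rule->direction_out)` in print_rule applies the direction without checking that it is valid for the chain the rule is emitted into; a rule with `src` but no `dest`, presumably placed in an input-side chain, combined with `direction=out` would produce an outgoing-interface match, which iptables does not accept in INPUT/PREROUTING (and an incoming-interface match is likewise invalid in OUTPUT/POSTROUTING), so the rule is rejected at load time instead of being reported against the offending section. I would validate `direction_out` against the presence of the rule's `_src`/`_dest` zones when the rule is loaded, next to whatever src/dest checks already exist, and warn there. Note also that `direction_out` is false when the option is absent, so `device` alone means an incoming-interface match; a comment on the `direction` entry in fw3_rule_opts, e.g. `/* absent == "in" */`, would spare the next reader a trip through fw3_parse_direction. print_rule's body starts and ends outside this hunk.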
@@ -308,6 +309,7 @@ print_snat(struct fw3_ipt_handle *h, struct fw3_state *state,
 r = fw3_ipt_rule_create(h, proto, NULL, NULL, src, dst);
 
 fw3_ipt_rule_sport_dport(r, spt, dpt);
+ fw3_ipt_rule_device(r, snat->device, true);
 fw3_ipt_rule_ipset(r, &snat->ipset);
 fw3_ipt_rule_limit(r, &snat->limit);
 fw3_ipt_rule_time(r, &snat->time);
-- 
2.25.1
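Review bot: `fw3_ipt_rule_device(r, snat->device, true)` in print_snat hard-codes the outgoing direction with a bare `true`, which is presumably correct because SNAT rules only apply to traffic leaving the host, but nothing at the call site says so and a reader comparing it with the print_rule call will wonder why there is no direction option. A short comment would carry the reasoning: `/* SNAT only applies to traffic leaving the host, so the device can only ever be an outgoing-interface match */`. print_snat's body starts and ends outside this hunk.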