| field | value | date |
|---|---|---|
| author | Jo-Philipp Wich <jow@openwrt.org> | 2014-07-18 15:43:56 +0200 |
| committer | Jo-Philipp Wich <jow@openwrt.org> | 2014-07-19 11:48:39 +0200 |
| commit | bba31cce0521e014109fc805671d4cff7ee9dbf6 (patch) | |
| tree | 2a48c471acb221c85238f53d7266ef88ee217629 /options.h | |
| parent | 0aaf63b89efb27bfa370aabc7550de10335abbe3 (diff) | |
| download | firewall3-bba31cce0521e014109fc805671d4cff7ee9dbf6.tar.gz | |
Use netmasks instead of prefix lengths internally
Iptables supports using non-continuous netmasks like FFFF::FFFF which would
match the first and last 16bit of an IPv6 address while ignoring the parts
in between which is useful for declaring rules targeting hosts on rotating
prefixes.
Instead of storing parsed netmasks as bitcount internally, use a full mask
which is passed to iptables as-is.
Also support a new shorthand notation "addr/-N" which will construct a mask
that matches the *last* N bits of an address - useful for matching the host
part only of an IPv4 address, e.g.
option dest_ip '::c23f:eff:fe7a:a094/-64'
This will convert to a netmask of "::ffff:ffff:ffff:ffff".
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
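The "/-N" shorthand and the full-mask representation described in the commit message, as an added example in C that is not firewall3's own code: `ipv6_mask_from_bits` builds a 128-bit mask from a positive (leading bits) or negative (trailing bits) count, `ipv6_parse_rule` accepts `addr`, `addr/N`, `addr/-N` or `addr/mask` and keeps the mask in full instead of as a bit count, and `ipv6_masked_equal` applies it bit-for-bit the way a netfilter match does. All function names are assumptions of mine; the rule and host strings in `main` are constructed, apart from the `::c23f:eff:fe7a:a094/-64` case taken from the commit message.

```c
/* Added example (not firewall3 code): IPv6 masks kept as full 128-bit values,
 * covering the "/-N" trailing-bits shorthand and non-contiguous masks such as
 * ffff::ffff. Every helper name below is my own. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Build a mask from a bit count. bits >= 0 sets the leading bits (classic /N);
 * bits < 0 sets the trailing -bits bits (the "/-N" shorthand). */
static bool ipv6_mask_from_bits(int bits, struct in6_addr *mask)
{
    int n = bits < 0 ? -bits : bits;
    if (n > 128)
        return false;
    memset(mask, 0, sizeof(*mask));
    for (int i = 0; i < n; i++) {
        int bit = bits < 0 ? 127 - i : i;   /* count from the right for /-N */
        mask->s6_addr[bit / 8] |= (unsigned char)(0x80 >> (bit % 8));
    }
    return true;
}

/* Parse "addr", "addr/N", "addr/-N" or "addr/full-mask" into address + mask.
 * A literal mask is stored as-is; nothing requires it to be contiguous. */
static bool ipv6_parse_rule(const char *spec, struct in6_addr *addr,
                            struct in6_addr *mask)
{
    char buf[2 * INET6_ADDRSTRLEN];
    if (strlen(spec) >= sizeof(buf))
        return false;
    strcpy(buf, spec);

    char *slash = strchr(buf, '/');
    if (slash)
        *slash++ = '\0';
    if (inet_pton(AF_INET6, buf, addr) != 1)
        return false;
    if (!slash)
        return ipv6_mask_from_bits(128, mask);      /* bare host: all ones */

    char *end;
    long bits = strtol(slash, &end, 10);
    if (*slash != '\0' && *end == '\0') {           /* numeric: /N or /-N */
        if (bits < -128 || bits > 128)
            return false;
        return ipv6_mask_from_bits((int)bits, mask);
    }
    return inet_pton(AF_INET6, slash, mask) == 1;   /* otherwise literal mask */
}

/* A host matches when it agrees with the rule address on every mask bit. */
static bool ipv6_masked_equal(const struct in6_addr *a, const struct in6_addr *b,
                              const struct in6_addr *mask)
{
    for (int i = 0; i < 16; i++)
        if ((a->s6_addr[i] & mask->s6_addr[i]) != (b->s6_addr[i] & mask->s6_addr[i]))
            return false;
    return true;
}

/* Does host text match rule text? Invalid input counts as no match. */
static bool rule_matches_str(const char *rule, const char *host)
{
    struct in6_addr addr, mask, h;
    if (!ipv6_parse_rule(rule, &addr, &mask) || inet_pton(AF_INET6, host, &h) != 1)
        return false;
    return ipv6_masked_equal(&addr, &h, &mask);
}

/* Render the mask a rule expands to, e.g. "/-64" -> "::ffff:ffff:ffff:ffff". */
static bool rule_mask_string(const char *rule, char *out, size_t outlen)
{
    struct in6_addr addr, mask;
    if (!ipv6_parse_rule(rule, &addr, &mask))
        return false;
    return inet_ntop(AF_INET6, &mask, out, (socklen_t)outlen) != NULL;
}

int main(void)
{
    /* Constructed sample rules and hosts; the first rule is from the commit message. */
    const char *rules[] = { "::c23f:eff:fe7a:a094/-64", "2001::1/ffff::ffff" };
    const char *hosts[] = { "2001:db8::c23f:eff:fe7a:a094", "2001:db8:1234:5678:abcd::1" };
    for (size_t i = 0; i < 2; i++) {
        char m[INET6_ADDRSTRLEN];
        rule_mask_string(rules[i], m, sizeof(m));
        printf("%-26s mask %-22s host %-30s -> %s\n", rules[i], m, hosts[i],
               rule_matches_str(rules[i], hosts[i]) ? "match" : "no match");
    }
    return 0;
}
```

The point of the second rule is the one the commit message makes: with `ffff::ffff` the host is matched on its first and last 16 bits only, so a host that keeps its interface identifier survives a prefix rotation while a different host on the same prefix does not.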
Diffstat (limited to 'options.h')
-rw-r--r-- | options.h | 5 |
1 files changed, 2 insertions, 3 deletions
@@ -175,7 +175,6 @@ struct fw3_address bool invert; bool resolved; enum fw3_family family; - int mask; union { struct in_addr v4; struct in6_addr v6; @@ -185,7 +184,7 @@ struct fw3_address struct in_addr v4; struct in6_addr v6; struct ether_addr mac; - } address2; + } mask; }; struct fw3_mac @@ -563,6 +562,6 @@ bool fw3_parse_blob_options(void *s, const struct fw3_option *opts, struct blob_attr *a); const char * fw3_address_to_string(struct fw3_address *address, - bool allow_invert); + bool allow_invert, bool as_cidr); #endif |
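Review bot: in the first hunk, dropping `int mask;` from struct fw3_address changes what `mask` means to every caller, since the second hunk reuses the name for the union that used to be `address2`; any code that still treats `mask` as a prefix length must be rewritten in this same change, and options.h alone does not show those sites. The type change means leftover integer uses fail to compile rather than misbehave silently, which is the safe direction, but the full diff of the .c files that read `mask` should be reviewed together with this header.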
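Review bot: in the second hunk, the renamed `mask` union keeps the `struct ether_addr mac;` member, yet the commit message only describes IPv4 and IPv6 masks; the parser must still initialise `mask.mac` (for instance to all ones) for MAC-family addresses, or any reader such as fw3_address_to_string will consume whatever that memory held before. A one-line comment on the union stating that `mask` is a full bitmask in the same family as `address`, all ones for a plain host and allowed to be non-contiguous, would put the new contract in the header where callers look for it.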
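Review bot: in the third hunk, the new `bool as_cidr` parameter on fw3_address_to_string has no stated behaviour for exactly the case this commit introduces: a non-contiguous mask such as ffff::ffff, or a `/-N` mask, has no prefix-length representation. The declaration should say whether `as_cidr` then falls back to the full-mask form or signals an error, and callers that build iptables arguments should pass `false` so a rule is never silently widened or narrowed by deriving a /N from a mask that is not a prefix.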