-rw-r--r-- | options.c | 4 | ||||
-rw-r--r-- | options.h | 15 | ||||
-rw-r--r-- | zones.c | 16 | ||||
-rw-r--r-- | zones.h | 3 |
4 files changed, 24 insertions, 14 deletions
@@ -55,6 +55,10 @@ const char *fw3_flag_names[FW3_DEFAULT_DROP_INVALID + 1] = {
 "NOTRACK",
 "DNAT",
 "SNAT",
+
+ "ACCEPT",
+ "REJECT",
+ "DROP",
 };
 static const char *limit_units[] = {
@@ -70,17 +70,20 @@ enum fw3_target
 FW3_TARGET_NOTRACK = 9,
 FW3_TARGET_DNAT = 10,
 FW3_TARGET_SNAT = 11,
- FW3_TARGET_CUSTOM_CNS_V4 = 12,
- FW3_TARGET_CUSTOM_CNS_V6 = 13,
+ FW3_TARGET_SRC_ACCEPT = 12,
+ FW3_TARGET_SRC_REJECT = 13,
+ FW3_TARGET_SRC_DROP = 14,
+ FW3_TARGET_CUSTOM_CNS_V4 = 15,
+ FW3_TARGET_CUSTOM_CNS_V6 = 16,
 };
 enum fw3_default
 {
 FW3_DEFAULT_UNSPEC = 0,
- FW3_DEFAULT_CUSTOM_CHAINS = 14,
- FW3_DEFAULT_SYN_FLOOD = 15,
- FW3_DEFAULT_MTU_FIX = 16,
- FW3_DEFAULT_DROP_INVALID = 17,
+ FW3_DEFAULT_CUSTOM_CHAINS = 17,
+ FW3_DEFAULT_SYN_FLOOD = 18,
+ FW3_DEFAULT_MTU_FIX = 19,
+ FW3_DEFAULT_DROP_INVALID = 20,
 };
 extern const char *fw3_flag_names[FW3_DEFAULT_DROP_INVALID + 1];
@@ -35,9 +35,9 @@ static const struct chain src_chains[] = {
 C(ANY, FILTER, UNSPEC, "zone_%1$s_output"),
 C(ANY, FILTER, UNSPEC, "zone_%1$s_forward"),
- C(ANY, FILTER, ACCEPT, "zone_%1$s_src_ACCEPT"),
- C(ANY, FILTER, REJECT, "zone_%1$s_src_REJECT"),
- C(ANY, FILTER, DROP, "zone_%1$s_src_DROP"),
+ C(ANY, FILTER, SRC_ACCEPT, "zone_%1$s_src_ACCEPT"),
+ C(ANY, FILTER, SRC_REJECT, "zone_%1$s_src_REJECT"),
+ C(ANY, FILTER, SRC_DROP, "zone_%1$s_src_DROP"),
 };
 static const struct chain dst_chains[] = {
@@ -265,7 +265,7 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
 setbit(zone->dst_flags, FW3_TARGET_DNAT);
 }
- setbit(zone->src_flags, zone->policy_input);
+ setbit(zone->dst_flags, fw3_to_src_target(zone->policy_input));
 setbit(zone->dst_flags, zone->policy_output);
 setbit(zone->dst_flags, zone->policy_forward);
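Review bot: The three new entries after "SNAT" are only correct because their position in fw3_flag_names happens to equal the new FW3_TARGET_SRC_* values 12–14, and the same options.h renumbering shifts every later entry as well; a positional initializer gives no diagnostic when the two drift apart. Designated initializers tie each string to its enumerator: `[FW3_TARGET_SRC_ACCEPT] = "ACCEPT",` `[FW3_TARGET_SRC_REJECT] = "REJECT",` `[FW3_TARGET_SRC_DROP] = "DROP",`. That matters here because zones.c passes `fw3_flag_names[t]` to a `%s` conversion, so a slot left NULL by a future mismatch would be handed to the formatter rather than caught at compile time. The array's opening line and the entries that follow the hunk are outside it.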
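Review bot: Renumbering FW3_DEFAULT_* to 17–20 moves the highest flag to bit 20, and these enumerators are used as bit positions (setbit/hasbit on the *_flags fields in zones.c), so the fields must be at least 21 bits wide — worth confirming against the fw3_zone declaration, which is outside this diff. It also changes the meaning of every bit above 11 in any flag set written by the previously running build; if running_dst_flags in fw3_flush_zones is restored from saved state rather than recomputed, an upgrade could flush the wrong chains or leave old ones behind unless that state is versioned. Chaining the values instead of hard-coding them would remove the manual renumbering step next time, e.g. `FW3_DEFAULT_CUSTOM_CHAINS = FW3_TARGET_CUSTOM_CNS_V6 + 1,`, together with a comment stating that enum fw3_target and enum fw3_default share one bit space and must not overlap.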
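Review bot: The new setbit() call passes zone->policy_input straight into fw3_to_src_target(), whose offset is only meaningful when the value is FW3_TARGET_ACCEPT, FW3_TARGET_REJECT or FW3_TARGET_DROP (the range the loops in print_interface_rule and print_zone_rule walk); any other value, such as an unset or out-of-range policy, would set an unrelated bit in dst_flags and could enable a chain the zone never asked for. Unless policy_input is guaranteed to be normalised before this point — not visible here, and fw3_load_zones continues outside the hunk — guard the call: `if (zone->policy_input >= FW3_TARGET_ACCEPT && zone->policy_input <= FW3_TARGET_DROP)` around the setbit, or clamp the value where the option is parsed. The policy_output and policy_forward lines below have the same dependency on validated input but do not go through the macro.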
@@ -300,7 +300,7 @@ print_zone_chain(enum fw3_table table, enum fw3_family family,
 setbit(zone->dst_flags, FW3_TARGET_NOTRACK);
 s = print_chains(table, family, ":%s - [0:0]\n", zone->name,
- zone->src_flags,
+ zone->dst_flags,
 src_chains, ARRAY_SIZE(src_chains));
 d = print_chains(table, family, ":%s - [0:0]\n", zone->name,
@@ -332,7 +332,7 @@ print_interface_rule(enum fw3_table table, enum fw3_family family,
 {
 for (t = FW3_TARGET_ACCEPT; t <= FW3_TARGET_DROP; t++)
 {
- if (hasbit(zone->src_flags, t))
+ if (hasbit(zone->dst_flags, fw3_to_src_target(t)))
 {
 fw3_pr("-A zone_%s_src_%s", zone->name, fw3_flag_names[t]);
 fw3_format_in_out(dev, NULL);
@@ -474,7 +474,7 @@ print_zone_rule(enum fw3_table table, enum fw3_family family,
 {
 for (t = FW3_TARGET_REJECT; t <= FW3_TARGET_DROP; t++)
 {
- if (hasbit(zone->src_flags, t))
+ if (hasbit(zone->dst_flags, fw3_to_src_target(t)))
 {
 fw3_pr("-A zone_%s_src_%s", zone->name, fw3_flag_names[t]);
 fw3_format_limit(&zone->log_limit);
@@ -555,7 +555,7 @@ fw3_flush_zones(enum fw3_table table, enum fw3_family family,
 continue;
 print_chains(table, family, pass2 ? "-X %s\n" : "-F %s\n",
- z->name, z->running_src_flags,
+ z->name, z->running_dst_flags,
 src_chains, ARRAY_SIZE(src_chains));
 print_chains(table, family, pass2 ? "-X %s\n" : "-F %s\n",
@@ -39,6 +39,9 @@ void fw3_flush_zones(enum fw3_table table, enum fw3_family family,
 struct fw3_zone *
 fw3_lookup_zone(struct fw3_state *state, const char *name, bool running);
+#define fw3_to_src_target(t) \
+ (FW3_TARGET_SRC_ACCEPT - FW3_TARGET_ACCEPT + t)
+
 #define fw3_free_zone(zone) \
 fw3_free_object(zone, fw3_zone_opts) |
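Review bot: With this hunk and the parallel ones at -332, -474 and -555, nothing in the diff reads zone->src_flags or z->running_src_flags any more — every src chain decision now goes through dst_flags and the FW3_TARGET_SRC_* bits. If no code outside the diff still uses those fields, they should be removed, or at least dropped from whatever is saved as running state, so a stale src_flags value cannot later be mistaken for the live set of chains. If they are kept deliberately, a comment on the fw3_zone struct saying that src chain bits live in dst_flags under FW3_TARGET_SRC_* would spare the next reader the search. print_zone_chain continues outside the hunk.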
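Review bot: The macro argument is not parenthesized in `(FW3_TARGET_SRC_ACCEPT - FW3_TARGET_ACCEPT + t)`; the callers in this diff pass a plain variable or struct member so it happens to be safe, but an argument such as `a ? b : c` would be grouped wrongly. Write it as `(FW3_TARGET_SRC_ACCEPT - FW3_TARGET_ACCEPT + (t))` and state the precondition above it, e.g. `/* map FW3_TARGET_ACCEPT..FW3_TARGET_DROP to its FW3_TARGET_SRC_* bit; t must be in that range */`, since the offset relies on both enumerator runs being contiguous and in the same order. A `static inline` function taking `enum fw3_target` would add type checking at no cost.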