diff --git a/src/fw.rs b/src/fw.rs
index 5e34afd..d8f41a5 100644
--- a/src/fw.rs
+++ b/src/fw.rs
@@ -26,7 +26,6 @@ macro_rules! initrules {
         $chain.set_policy(nftnl::Policy::Accept);
         $batch.add(&$chain, nftnl::MsgType::Add);
-        $batch.add(&Rule::new(&$chain), nftnl::MsgType::Del);
         let mut rule = Rule::new(&$chain);
@@ -38,28 +37,16 @@ macro_rules! initrules {
         rule.add_expr(&nft_expr!(verdict accept));
         $batch.add(&rule, nftnl::MsgType::Add);
-    };}
-macro_rules! createrules {
-    ($ipdata:ident, $chain:ident, $batch:ident) => {
-        let mut rule = Rule::new(&$chain);
-        match $ipdata.t {
-            4 => {
-                let ip = $ipdata.ip.parse::().unwrap();
-                rule.add_expr(&nft_expr!(payload ipv4 saddr));
-                rule.add_expr(&nft_expr!(cmp == ip));
-            },
-            6 => {
-                let ip = $ipdata.ip.parse::().unwrap();
-                rule.add_expr(&nft_expr!(payload ipv6 saddr));
-                rule.add_expr(&nft_expr!(cmp == ip));
-            },
-            _ => {
-                let ip = $ipdata.ip.parse::().unwrap();
-                rule.add_expr(&nft_expr!(payload ipv4 saddr));
-                rule.add_expr(&nft_expr!(cmp == ip));
-            },
-        };
+    };
+}
+macro_rules! createrules {
+    ($ipdata:ident, $chain:ident, $batch:ident, $t:ty, $ip_t:ident) => {
+        let mut rule = Rule::new(&$chain);
+        let ip = $ipdata.ip.parse::<$t>().unwrap();
+
+        rule.add_expr(&nft_expr!(payload $ip_t saddr));
+        rule.add_expr(&nft_expr!(cmp == ip));
         rule.add_expr(&nft_expr!(ct state));
         rule.add_expr(&nft_expr!(bitwise mask 10u32, xor 0u32));
         rule.add_expr(&nft_expr!(cmp != 0u32));
@@ -110,8 +97,15 @@ pub fn fwblock(
     // build and add rules
     for ipdata in ips_add.clone() {
-        createrules!(ipdata, chain4, batch4);
-        createrules!(ipdata, chain6, batch6);
+        match ipdata.t {
+            4 => {
+                createrules!(ipdata, chain4, batch4, Ipv4Addr, ipv4);
+            }
+            6 => {
+                createrules!(ipdata, chain6, batch6, Ipv6Addr, ipv6);
+            }
+            _ => {}
+        }
     }
     // validate and send batch
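Review bot: Removing `$batch.add(&Rule::new(&$chain), nftnl::MsgType::Del);` takes out what reads as the chain flush (a delete message for a rule that carries no handle), so the `ct state` / `verdict accept` base rules added on the lines that follow are appended on every `initrules!` invocation rather than replacing the previous set. If the chain can already exist when this macro runs, duplicate base rules accumulate and, should the per-address rules from `createrules!` land in the same chain, entries removed from the block list would survive in the kernel ruleset; I cannot confirm either from this hunk alone. If the flush was dropped deliberately, record the reason next to the chain add, e.g. `// chain is intentionally not flushed: re-running initrules! appends to existing rules`. The `initrules!` body starts and ends outside this hunk.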
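Review bot: `$ipdata.ip.parse::<$t>().unwrap()` panics the whole batch build on a single malformed entry, and because the target type is now chosen by the caller's `match ipdata.t`, a record with `t == 4` whose `ip` is not a valid IPv4 literal (an IPv6 string, a hostname, trailing whitespace) aborts instead of being skipped. As far as this diff shows, the macro is only expanded inside the `for ipdata in ips_add.clone()` loop in `fwblock` (third hunk), so a guard such as `let Ok(ip) = $ipdata.ip.parse::<$t>() else { continue; };` keeps one bad record from preventing every other address from being blocked; if the macro may be used elsewhere, have it take an already-parsed address instead. The `createrules!` body continues past the end of this hunk.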
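Review bot: The new `_ => {}` arm silently discards any entry whose `t` is neither 4 nor 6, where the old macro at least fell back to treating it as IPv4; an address the caller intended to block is now skipped with no trace, which is a fail-open that nothing downstream can detect. At minimum report it, e.g. `_ => eprintln!("fwblock: skipping {} (unknown address family {})", ipdata.ip, ipdata.t),`, or model the family as an enum so the case cannot arise at all. `fwblock` starts and ends outside this hunk.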