fix on firewall rule building

This commit is contained in:
Paul 2023-11-12 17:13:47 +01:00
parent cd67b0d602
commit 77ee68c081


@ -26,7 +26,6 @@ macro_rules! initrules {
$chain.set_policy(nftnl::Policy::Accept); $chain.set_policy(nftnl::Policy::Accept);
$batch.add(&$chain, nftnl::MsgType::Add); $batch.add(&$chain, nftnl::MsgType::Add);
$batch.add(&Rule::new(&$chain), nftnl::MsgType::Del); $batch.add(&Rule::new(&$chain), nftnl::MsgType::Del);
let mut rule = Rule::new(&$chain); let mut rule = Rule::new(&$chain);
@ -38,28 +37,16 @@ macro_rules! initrules {
rule.add_expr(&nft_expr!(verdict accept)); rule.add_expr(&nft_expr!(verdict accept));
$batch.add(&rule, nftnl::MsgType::Add); $batch.add(&rule, nftnl::MsgType::Add);
};} };
macro_rules! createrules { }
($ipdata:ident, $chain:ident, $batch:ident) => {
let mut rule = Rule::new(&$chain);
match $ipdata.t {
4 => {
let ip = $ipdata.ip.parse::<Ipv4Addr>().unwrap();
rule.add_expr(&nft_expr!(payload ipv4 saddr));
rule.add_expr(&nft_expr!(cmp == ip));
},
6 => {
let ip = $ipdata.ip.parse::<Ipv6Addr>().unwrap();
rule.add_expr(&nft_expr!(payload ipv6 saddr));
rule.add_expr(&nft_expr!(cmp == ip));
},
_ => {
let ip = $ipdata.ip.parse::<Ipv4Addr>().unwrap();
rule.add_expr(&nft_expr!(payload ipv4 saddr));
rule.add_expr(&nft_expr!(cmp == ip));
},
};
macro_rules! createrules {
($ipdata:ident, $chain:ident, $batch:ident, $t:ty, $ip_t:ident) => {
let mut rule = Rule::new(&$chain);
let ip = $ipdata.ip.parse::<$t>().unwrap();
rule.add_expr(&nft_expr!(payload $ip_t saddr));
rule.add_expr(&nft_expr!(cmp == ip));
rule.add_expr(&nft_expr!(ct state)); rule.add_expr(&nft_expr!(ct state));
rule.add_expr(&nft_expr!(bitwise mask 10u32, xor 0u32)); rule.add_expr(&nft_expr!(bitwise mask 10u32, xor 0u32));
rule.add_expr(&nft_expr!(cmp != 0u32)); rule.add_expr(&nft_expr!(cmp != 0u32));
@ -110,8 +97,15 @@ pub fn fwblock(
// build and add rules // build and add rules
for ipdata in ips_add.clone() { for ipdata in ips_add.clone() {
createrules!(ipdata, chain4, batch4); match ipdata.t {
createrules!(ipdata, chain6, batch6); 4 => {
createrules!(ipdata, chain4, batch4, Ipv4Addr, ipv4);
}
6 => {
createrules!(ipdata, chain6, batch6, Ipv6Addr, ipv6);
}
_ => {}
}
} }
// validate and send batch // validate and send batch