fix on firewall rule building
All checks were successful
continuous-integration/drone/tag Build is passing
continuous-integration/drone/push Build is passing

This commit is contained in:
Paul 2023-11-12 17:13:47 +01:00
parent cd67b0d602
commit 77ee68c081

View File

@ -26,7 +26,6 @@ macro_rules! initrules {
$chain.set_policy(nftnl::Policy::Accept);
$batch.add(&$chain, nftnl::MsgType::Add);
$batch.add(&Rule::new(&$chain), nftnl::MsgType::Del);
let mut rule = Rule::new(&$chain);
@ -38,28 +37,16 @@ macro_rules! initrules {
rule.add_expr(&nft_expr!(verdict accept));
$batch.add(&rule, nftnl::MsgType::Add);
};}
macro_rules! createrules {
($ipdata:ident, $chain:ident, $batch:ident) => {
let mut rule = Rule::new(&$chain);
match $ipdata.t {
4 => {
let ip = $ipdata.ip.parse::<Ipv4Addr>().unwrap();
rule.add_expr(&nft_expr!(payload ipv4 saddr));
rule.add_expr(&nft_expr!(cmp == ip));
},
6 => {
let ip = $ipdata.ip.parse::<Ipv6Addr>().unwrap();
rule.add_expr(&nft_expr!(payload ipv6 saddr));
rule.add_expr(&nft_expr!(cmp == ip));
},
_ => {
let ip = $ipdata.ip.parse::<Ipv4Addr>().unwrap();
rule.add_expr(&nft_expr!(payload ipv4 saddr));
rule.add_expr(&nft_expr!(cmp == ip));
},
};
}
macro_rules! createrules {
($ipdata:ident, $chain:ident, $batch:ident, $t:ty, $ip_t:ident) => {
let mut rule = Rule::new(&$chain);
let ip = $ipdata.ip.parse::<$t>().unwrap();
rule.add_expr(&nft_expr!(payload $ip_t saddr));
rule.add_expr(&nft_expr!(cmp == ip));
rule.add_expr(&nft_expr!(ct state));
rule.add_expr(&nft_expr!(bitwise mask 10u32, xor 0u32));
rule.add_expr(&nft_expr!(cmp != 0u32));
@ -110,8 +97,15 @@ pub fn fwblock(
// build and add rules
for ipdata in ips_add.clone() {
createrules!(ipdata, chain4, batch4);
createrules!(ipdata, chain6, batch6);
match ipdata.t {
4 => {
createrules!(ipdata, chain4, batch4, Ipv4Addr, ipv4);
}
6 => {
createrules!(ipdata, chain6, batch6, Ipv6Addr, ipv6);
}
_ => {}
}
}
// validate and send batch