}\r
}\r
\r
+#define IPv4 FALSE\r
+#define IPv6 TRUE\r
+\r
+\r
void run_iptables_restore(void)\r
{\r
char *restor;\r
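Review bot: The new `IPv4`/`IPv6` macros break the file's UPPER_SNAKE_CASE macro convention (`FALSE`, `TRUE`, `OVERLIMIT_CLASS`, `FREE_CLASS`) and nothing at the definition says what the values mean; the later hunks pass them in the second argument of `iptables_save_line`, the same slot that elsewhere receives `idx->ipv6` and `ip->v6`, so they appear to be the function's ipv6 selector rather than general booleans. A comment on the defines would record that, e.g. `/* values for the ipv6 argument of iptables_save_line(); IPv4 writes iptables_file, IPv6 writes ip6tables_file (see the fclose() pairs below) -- confirm against the function */`. If a rename is acceptable the pair reads better as `enum { IPV4 = FALSE, IPV6 = TRUE };`, which keeps the constants visible in a debugger and out of the preprocessor namespace. The surrounding definitions are cut by the hunk, so I cannot see whether the function already documents the flag.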
printf("Running %s <%s ...\n", iptablesrestore, iptablesfile);\r
/*-----------------------------------------------------------------*/\r
\r
- iptables_save_line("COMMIT", FALSE);\r
+ iptables_save_line("COMMIT", IPv4);\r
fclose(iptables_file);\r
if(dry_run) \r
{\r
/*-----------------------------------------------------------------*/\r
printf("Running %s <%s ...\n", ip6tablesrestore, ip6tablesfile);\r
/*-----------------------------------------------------------------*/\r
- iptables_save_line("COMMIT", TRUE);\r
+ iptables_save_line("COMMIT", IPv6);\r
fclose(ip6tables_file);\r
if(dry_run) \r
{\r
perror(iptablesfile);\r
exit(-1);\r
}\r
- iptables_save_line(iptablespreamble, FALSE);\r
+ iptables_save_line(iptablespreamble, IPv4);\r
\r
if(ip6prefix)\r
{\r
perror(ip6tablesfile);\r
exit(-1);\r
}\r
- iptables_save_line(iptablespreamble, TRUE);\r
- iptables_save_line(ip6preamble, TRUE);\r
+ iptables_save_line(iptablespreamble, IPv6);\r
+ iptables_save_line(ip6preamble, IPv6);\r
}\r
\r
run_iptables_restore();\r
}\r
\r
iptables_file=fopen(iptablesfile,"w");\r
- iptables_save_line(iptablespreamble, FALSE);\r
+ iptables_save_line(iptablespreamble, IPv4);\r
if(ip6prefix)\r
{\r
ip6tables_file=fopen(ip6tablesfile,"w");\r
- iptables_save_line(iptablespreamble, TRUE);\r
- iptables_save_line(ip6preamble, TRUE);\r
+ iptables_save_line(iptablespreamble, IPv6);\r
+ iptables_save_line(ip6preamble, IPv6);\r
}\r
\r
if(qos_free_zone && *qos_free_zone!='0') /* this is currently supported only for IPv4 */\r
{\r
for_each(interface, interfaces)\r
{\r
- sprintf(str,"-A %s -s %s -o %s -j ACCEPT", interface->chain, qos_free_zone, interface->name);\r
- iptables_save_line(str, FALSE);\r
+ sprintf(str,"-A %s -%c %s -o %s -j ACCEPT", interface->chain, (interface->is_upstream?'d':'s'), qos_free_zone, interface->name);\r
+ iptables_save_line(str, IPv4);\r
}\r
}\r
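Review bot: The rewritten rule on the `+` line is still built with an unbounded `sprintf` into `str`, and `qos_free_zone`, `interface->chain` and `interface->name` look like configuration-derived strings whose length is not checked here, so an over-long value overruns the buffer. If `str` is a fixed-size array (its declaration is outside the hunk), `snprintf(str, sizeof str, "-A %s -%c %s -o %s -j ACCEPT", interface->chain, (interface->is_upstream?'d':'s'), qos_free_zone, interface->name);` followed by a check that the return value is non-negative and below `sizeof str` keeps the write bounded; if `str` is a pointer, pass its allocated size instead. The same applies to the rewritten `sprintf` calls in the subnet-index hunk and in the classify hunk further down, which this commit touches for the same `-%c` change.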
\r
printf("Detected %d addresses - indexing iptables rules to improve performance...\n",ip_count);\r
/*-----------------------------------------------------------------*/\r
\r
- iptables_save_line(":post_common - [0:0]", FALSE);\r
- iptables_save_line(":forw_common - [0:0]", FALSE);\r
+ iptables_save_line(":post_common - [0:0]", IPv4);\r
+ iptables_save_line(":forw_common - [0:0]", IPv4);\r
if(ip6prefix)\r
{\r
- iptables_save_line(":post_common - [0:0]", TRUE);\r
- iptables_save_line(":forw_common - [0:0]", TRUE);\r
+ iptables_save_line(":post_common - [0:0]", IPv6);\r
+ iptables_save_line(":forw_common - [0:0]", IPv6);\r
}\r
\r
for_each(ip,ips) if(ip->addr && *(ip->addr) && !eq(ip->addr,"0.0.0.0/0")) \r
buf = interface->chain;\r
}\r
\r
- sprintf(str,"-A %s -d %s/%d -o %s -j %s_%s", buf, subnet, idx->bitmask, interface->name, interface->idxprefix, idx->id);\r
+ sprintf(str, "-A %s -%c %s/%d -o %s -j %s_%s", \r
+ buf, (interface->is_upstream?'s':'d'), subnet, idx->bitmask, interface->name, interface->idxprefix, idx->id);\r
iptables_save_line(str, idx->ipv6);\r
\r
- sprintf(str,"-A %s -d %s/%d -o %s -j %s_common", buf, subnet, idx->bitmask, interface->name, interface->idxprefix);\r
+ sprintf(str, "-A %s -%c %s/%d -o %s -j %s_common",\r
+ buf, (interface->is_upstream?'s':'d'), subnet, idx->bitmask, interface->name, interface->idxprefix);\r
iptables_save_line(str, idx->ipv6);\r
}\r
}\r
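Review bot: The direction selector `(interface->is_upstream?'s':'d')` is now repeated on both `+` lines here and four more times in the classify hunk, with the inverted form `'d':'s'` in the qos_free_zone hunk, and no comment explains why an upstream interface matches on the source address; a reader has to infer that the customer address is the source on upstream and the destination otherwise, and the inversion for the free zone is easy to mistake for a typo. A small helper keeps the rule in one place, e.g. `#define ADDR_FLAG(iface) ((iface)->is_upstream ? 's' : 'd')` (or a `static inline` taking the interface type, whose name is outside the hunk), used as `-%c` with `ADDR_FLAG(interface)`, and the free-zone rule would then read as the deliberate opposite, `ADDR_FLAG(interface) == 's' ? 'd' : 's'` or a second `REMOTE_FLAG` macro with a one-line comment. The enclosing loop begins before this hunk, so the `buf` and `subnet` assignments it relies on are not visible here.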
for_each(interface, interfaces)\r
{\r
sprintf(str,"-A %s -o %s -j %s_common", interface->chain, interface->name, interface->idxprefix);\r
- iptables_save_line(str, FALSE);\r
+ iptables_save_line(str, IPv4);\r
if(ip6prefix)\r
{\r
sprintf(str,"-A %s -o %s -j %s_common", interface->chain, interface->name, interface->idxprefix);\r
- iptables_save_line(str, TRUE);\r
+ iptables_save_line(str, IPv6);\r
}\r
}\r
}\r
#endif\r
\r
/* ------------------------------------------------ iptables classify */\r
- sprintf(str, "-A %s -d %s/%d -o %s -j %s%d",\r
- chain, ip->addr, ip->mask,\r
+ sprintf(str, "-A %s -%c %s/%d -o %s -j %s%d",\r
+ chain, (interface->is_upstream?'s':'d'), ip->addr, ip->mask,\r
interface->name, mark_iptables, ip->mark);\r
iptables_save_line(str, ip->v6);\r
\r
- sprintf(str, "-A %s -d %s/%d -o %s %s-j ACCEPT",\r
- chain, ip->addr, ip->mask, interface->name, limit_pkts);\r
+ sprintf(str, "-A %s -%c %s/%d -o %s %s-j ACCEPT",\r
+ chain, (interface->is_upstream?'s':'d'),ip->addr, ip->mask,\r
+ interface->name, limit_pkts);\r
iptables_save_line(str, ip->v6);\r
\r
if(limit_pkts)\r
{\r
/* classify overlimit packets to separate overlimit class */\r
- sprintf(str, "-A %s -d %s/%d -o %s -j %s%d",\r
- chain, ip->addr, ip->mask,\r
+ sprintf(str, "-A %s -%c %s/%d -o %s -j %s%d",\r
+ chain, (interface->is_upstream?'s':'d'), ip->addr, ip->mask,\r
interface->name, mark_iptables, OVERLIMIT_CLASS);\r
iptables_save_line(str, ip->v6);\r
\r
- sprintf(str, "-A %s -d %s/%d -o %s -j ACCEPT",\r
- chain, ip->addr, ip->mask, interface->name);\r
+ sprintf(str, "-A %s -%c %s/%d -o %s -j ACCEPT",\r
+ chain, (interface->is_upstream?'s':'d'), ip->addr, ip->mask,\r
+ interface->name);\r
iptables_save_line(str, ip->v6);\r
}\r
\r
\r
sprintf(str, "-A %s -o %s -j %s%d",\r
chain, interface->name, mark_iptables, FREE_CLASS);\r
- iptables_save_line(str, FALSE); /* only for IPv4 */\r
+ iptables_save_line(str, IPv4); /* only for IPv4 */\r
}\r
\r
sprintf(str,"-A %s -o %s -j %s", chain, interface->name, final_chain);\r
- iptables_save_line(str, FALSE);\r
+ iptables_save_line(str, IPv4);\r
if(ip6prefix)\r
{\r
sprintf(str,"-A %s -o %s -j %s", chain, interface->name, final_chain);\r
- iptables_save_line(str, TRUE);\r
+ iptables_save_line(str, IPv6);\r
}\r
\r
if(free_min) /* allocate free bandwith if it is not zero... */ \r