diff --git a/sbin/firehol.in b/sbin/firehol.in index 2a0d7ae..302dfa7 100755 --- a/sbin/firehol.in +++ b/sbin/firehol.in @@ -4142,16 +4142,16 @@ rule() { local mac=any local macnot= - local src4=any + local src4=default local src4not= - local dst4=any + local dst4=default local dst4not= - local src6=any + local src6=default local src6not= - local dst6=any + local dst6=default local dst6not= local srctype= 
@@ -4389,69 +4389,137 @@ rule() { shift ;; - src|SRC|source|SOURCE) + src|SRC|source|SOURCE|src4|src6) + if [ "${1}" = "src4" ] + then + push_namespace ipv4 + elif [ "${1}" = "src6" ] + then + push_namespace ipv6 + else + push_namespace "${FIREHOL_NS_CURR}" + fi shift if [ ${reverse} -eq 0 ] then - src4not= - src6not= + if running_ipv4; then + src4not= + fi + if running_ipv6; then + src6not= + fi if [ "${1}" = "not" -o "${1}" = "NOT" ] then shift - src4not="!" - src6not="!" + if running_ipv4; then + src4not="!" + fi + if running_ipv6; then + src6not="!" + fi + fi + if running_ipv4; then + test ${softwarnings} -eq 1 -a ! "${src4}" = "default" && softwarning "Overwritting param: src4 '${src4}' becomes '${1}'" + src4="${1}" + fi + if running_ipv6; then + test ${softwarnings} -eq 1 -a ! "${src6}" = "default" && softwarning "Overwritting param: src6 '${src6}' becomes '${1}'" + src6="${1}" fi - test ${softwarnings} -eq 1 -a ! "${src4}" = "any" && softwarning "Overwritting param: src4 '${src4}' becomes '${1}'" - test ${softwarnings} -eq 1 -a ! "${src6}" = "any" && softwarning "Overwritting param: src6 '${src6}' becomes '${1}'" - src4="${1}" - src6="${1}" else - dst4not= - dst6not= + if running_ipv4; then + dst4not= + fi + if running_ipv6; then + dst6not= + fi if [ "${1}" = "not" -o "${1}" = "NOT" ] then shift - dst4not="!" - dst6not="!" + if running_ipv4; then + dst4not="!" + fi + if running_ipv6; then + dst6not="!" + fi + fi + if running_ipv4; then + test ${softwarnings} -eq 1 -a ! "${dst4}" = "default" && softwarning "Overwritting param: dst4 '${dst4}' becomes '${1}'" + dst4="${1}" + fi + if running_ipv6; then + test ${softwarnings} -eq 1 -a ! "${dst6}" = "default" && softwarning "Overwritting param: dst6 '${dst6}' becomes '${1}'" + dst6="${1}" fi - test ${softwarnings} -eq 1 -a ! "${dst4}" = "any" && softwarning "Overwritting param: dst4 '${dst4}' becomes '${1}'" - test ${softwarnings} -eq 1 -a ! 
"${dst6}" = "any" && softwarning "Overwritting param: dst6 '${dst6}' becomes '${1}'" - dst4="${1}" - dst6="${1}" fi + pop_namespace shift ;; dst|DST|destination|DESTINATION) + if [ "${1}" = "dst4" ] + then + push_namespace ipv4 + elif [ "${1}" = "dst6" ] + then + push_namespace ipv6 + else + push_namespace "${FIREHOL_NS_CURR}" + fi shift if [ ${reverse} -eq 0 ] then - dst4not= - dst6not= + if running_ipv4; then + dst4not= + fi + if running_ipv6; then + dst6not= + fi if [ "${1}" = "not" -o "${1}" = "NOT" ] then shift - dst4not="!" - dst6not="!" + if running_ipv4; then + dst4not="!" + fi + if running_ipv6; then + dst6not="!" + fi + fi + if running_ipv4; then + test ${softwarnings} -eq 1 -a ! "${dst4}" = "default" && softwarning "Overwritting param: dst4 '${dst4}' becomes '${1}'" + dst4="${1}" + fi + if running_ipv6; then + test ${softwarnings} -eq 1 -a ! "${dst6}" = "default" && softwarning "Overwritting param: dst6 '${dst6}' becomes '${1}'" + dst6="${1}" fi - test ${softwarnings} -eq 1 -a ! "${dst4}" = "any" && softwarning "Overwritting param: dst4 '${dst4}' becomes '${1}'" - test ${softwarnings} -eq 1 -a ! "${dst6}" = "any" && softwarning "Overwritting param: dst6 '${dst6}' becomes '${1}'" - dst4="${1}" - dst6="${1}" else - src4not= - src6not= + if running_ipv4; then + src4not= + fi + if running_ipv6; then + src6not= + fi if [ "${1}" = "not" -o "${1}" = "NOT" ] then shift - src4not="!" - src6not="!" + if running_ipv4; then + src4not="!" + fi + if running_ipv6; then + src6not="!" + fi + fi + if running_ipv4; then + test ${softwarnings} -eq 1 -a ! "${src4}" = "default" && softwarning "Overwritting param: src6 '${src4}' becomes '${1}'" + src4="${1}" + fi + if running_ipv6; then + test ${softwarnings} -eq 1 -a ! "${src6}" = "default" && softwarning "Overwritting param: src6 '${src6}' becomes '${1}'" + src6="${1}" fi - test ${softwarnings} -eq 1 -a ! "${src4}" = "any" && softwarning "Overwritting param: src6 '${src4}' becomes '${1}'" - test ${softwarnings} -eq 1 -a ! 
"${src6}" = "any" && softwarning "Overwritting param: src6 '${src6}' becomes '${1}'" - src4="${1}" - src6="${1}" fi + pop_namespace shift ;; @@ -5036,19 +5104,49 @@ rule() { test -z "${sid}" && error "Cannot accept an empty 'sid'." && return 1 test -z "${cmd}" && error "Cannot accept an empty 'cmd'." && return 1 - if [ "${src4not}" != "${src6not}" ] - then - error "Mixed use of 'not' with src4 and src6." && return 1 - fi - local srcnot="${src4not}" + local srcnot= + local dstnot= + if running_both; then + if [ "${src4not}" != "${src6not}" ] + then + error "Mixed use of 'not' with src4 and src6." && return 1 + fi + if [ "${dst4not}" != "${dst6not}" ] + then + error "Mixed use of 'not' with dst4 and dst6." && return 1 + fi + if [ "${src4}" = "default" -a "${src6}" != "default" ] + then + error "Must specify src4 when specifying src6" && return 1 + fi - if [ "${dst4not}" != "${dst6not}" ] - then - error "Mixed use of 'not' with dst4 and dst6." && return 1 + if [ "${dst4}" = "default" -a "${dst6}" != "default" ] + then + error "Must specify dst4 when specifying dst6" && return 1 + fi + + if [ "${src6}" = "default" -a "${src4}" != "default" ] + then + error "Must specify src6 when specifying src4" && return 1 + fi + + if [ "${dst6}" = "default" -a "${dst4}" != "default" ] + then + error "Must specify dst6 when specifying dst4" && return 1 + fi + elif running_ipv6; then + srcnot="${src6not}" + dstnot="${dst6not}" + else + srcnot="${src4not}" + dstnot="${dst4not}" fi - local dstnot="${dst4not}" - - + + test "${src4}" = "default" && src4="any" + test "${dst4}" = "default" && dst4="any" + test "${src6}" = "default" && src6="any" + test "${dst6}" = "default" && dst6="any" + # ---------------------------------------------------------------------------------- # Do we have negative contitions? # If yes, we have to:
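Review bot: The `dst|DST|destination|DESTINATION)` arm was not extended the way the src arm was, so its new `"${1}" = "dst4"` and `"${1}" = "dst6"` tests can never be true and the arm always pushes `${FIREHOL_NS_CURR}`. The pattern should become `dst|DST|destination|DESTINATION|dst4|dst6)` so per-family destinations are handled like `src4`/`src6`. How an unmatched `dst4` keyword is treated is decided outside this hunk, so confirm it fails loudly rather than being parsed as something else in a firewall rule. The reverse branch of the same arm also still labels the `src4` warning as `src6` (`"Overwritting param: src6 '${src4}' becomes '${1}'"`), which should read `src4`. rule() starts and ends outside the hunk.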
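Review bot: In the `running_both` branch `srcnot` and `dstnot` are declared empty and never assigned, whereas the removed code always set them from `src4not` and `dst4not`; only the `running_ipv6` and fallback branches assign them now. If the negative-condition handling that follows (outside this hunk) keys off `srcnot`/`dstnot`, a dual-stack rule written with `src not ...` or `dst not ...` would lose its negation and match the opposite set of addresses. Once the mixed-use checks have passed the two families are known to agree, so the branch can end with `srcnot="${src4not}"` and `dstnot="${dst4not}"`. A short comment above the four `test "${src4}" = "default" && src4="any"` lines saying that `default` only marks "not set by the user" and is normalised back to `any` here would also help the next reader.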