projects / project / firewall4.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fw4: add device iifname/oifname matches to DSCP and MARK rules
[project/firewall4.git] / root / usr / share / ucode / fw4.uc
diff --git a/root/usr/share/ucode/fw4.uc b/root/usr/share/ucode/fw4.uc
index 9d2a0b49c18c7899b7beb9409764eabf0232aea9..5135ef1e990cf315e31ab51926f0a5c39e2038bb 100644 (file)
--- a/root/usr/share/ucode/fw4.uc
+++ b/root/usr/share/ucode/fw4.uc
@@ -993,9 +993,9 @@ return {
 
        parse_direction: function(val) {
                if (val == 'in' || val == 'ingress')
-                       return true;
-               else if (val == 'out' || val == 'egress')
                        return false;
+               else if (val == 'out' || val == 'egress')
+                       return true;
 
                return null;
        },
@@ -2148,7 +2148,7 @@ return {
                        src: [ "zone_ref" ],
                        dest: [ "zone_ref" ],
 
-                       device: [ "device" ],
+                       device: [ "device", null, NO_INVERT ],
                        direction: [ "direction" ],
 
                        ipset: [ "setmatch" ],
@@ -2215,6 +2215,10 @@ return {
                        this.warn_section(data, "must specify option 'set_helper' for target 'helper'");
                        return;
                }
+               else if (rule.device?.any) {
+                       this.warn_section(data, "must not specify '*' as device");
+                       return;
+               }
 
                let ipset;
 
@@ -2303,11 +2307,15 @@ return {
                                else
                                        r.chain = "mangle_output";
 
-                               if (r.src?.zone)
+                               if (r.src?.zone) {
                                        r.src.zone.dflags[r.target] = true;
+                                       r.iifnames = null_if_empty(r.src.zone.match_devices);
+                               }
 
-                               if (r.dest?.zone)
+                               if (r.dest?.zone) {
                                        r.dest.zone.dflags[r.target] = true;
+                                       r.oifnames = null_if_empty(r.dest.zone.match_devices);
+                               }
                        }
                        else {
                                r.chain = "output";
@@ -2338,6 +2346,9 @@ return {
                                        r.jump_chain = "handle_reject";
                        }
 
+                       if (r.device)
+                               r[r.direction ? "oifnames" : "iifnames"] = [ r.device.device ];
+
                        this.state.rules = this.state.rules || [];
                        push(this.state.rules, r);
                };
OpenWrt nftables firewall