die "please implement cstate test '$cstate'";
}
- if ($rule =~ s/^-m addrtype\s*//) {
- return undef; # simply ignore
+ if ($rule =~ s/^-m addrtype --src-type (\S+)\s*//) {
+ my $atype = $1;
+ die "missing srctype" if !$pkg->{srctype};
+ return undef if $atype ne $pkg->{srctype};
+ }
+
+ if ($rule =~ s/^-m addrtype --dst-type (\S+)\s*//) {
+ my $atype = $1;
+ die "missing dsttype" if !$pkg->{dsttype};
+ return undef if $atype ne $pkg->{dsttype};
}
if ($rule =~ s/^-i (\S+)\s*//) {
dport => undef,
source => undef,
dest => undef,
+ srctype => 'UNICAST',
+ dsttype => 'UNICAST',
};
while (my ($k,$v) = each %$test) {
{ from => 'host', to => 'outside', dest => '172.16.1.3', proto => 'udp', dport => 5404, action => 'ACCEPT' }
{ from => 'host', to => 'outside', dest => '172.16.1.3', proto => 'udp', dport => 5405, action => 'ACCEPT' }
{ from => 'host', to => 'outside', dest => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
+{ from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
+{ from => 'host', to => 'outside', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
# traffic from other node
{ from => 'outside', to => 'host', source => '172.16.1.3', proto => 'udp', dport => 5404, action => 'ACCEPT' }
{ from => 'outside', to => 'host', source => '172.16.1.3', proto => 'udp', dport => 5405, action => 'ACCEPT' }
{ from => 'outside', to => 'host', source => '172.16.1.3', proto => 'udp', dport => 5406, action => 'DROP' }
+{ from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'UNICAST', action => 'DROP' }
+{ from => 'outside', to => 'host', source => '172.16.1.3', dest => '239.192.158.83', proto => 'udp', dport => 5404, dsttype => 'MULTICAST', action => 'ACCEPT' }
{ from => 'host', to => 'ct200', action => 'DROP' }
projects / pve-firewall.git / commitdiff