Introduce variable for expected input chains.

Saves lots of messing with $forward.

diff --git a/bookends.m4 b/bookends.m4
index 69a721e31510168cf54309753839334187bcd67c..6faa91b161398dccfcf82c73a6c5fb5db704e96e 100644 (file)
--- a/bookends.m4
+++ b/bookends.m4
@@ -111,6 +111,10 @@ case $host_type_<::>FWHOST in
 esac
 setopt ip_forward $forward
 setdevopt forwarding $forward
+case $forward in
+  0) inchains="INPUT" ;;
+  1) inchains="INPUT FORWARD" ;;
+esac
 
 ## Set dynamic port allocation.
 setopt ip_local_port_range $open_port_min $open_port_max

diff --git a/icmp.m4 b/icmp.m4
index 3de048329d3ff8d568e320ed21a553214591ecaf..d3a7507086ecdb7cbbbc4ade27cb83528e258f9f 100644 (file)
--- a/icmp.m4
+++ b/icmp.m4
@@ -42,9 +42,7 @@ m4_divert(58)m4_dnl
 run iptables -A check-icmp -j ACCEPT
 
 ## Done.
-for i in INPUT FORWARD; do
-  run iptables -A $i -p icmp -j check-icmp
-done
+for i in $inchains; do run ip46tables -A $i -p icmp -j check-icmp; done
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------

diff --git a/local.m4 b/local.m4
index f139f0036b57392efa71ccabe4c4cbdd024bb3ac..d91b1716ea087df43a197b4ba81b50790d8bb479 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -264,12 +264,9 @@ run ip46tables -A inbound -j forbidden
 run ip46tables -A INPUT -m mark --mark $from_untrusted/$MASK_FROM -g inbound
 
 ## Otherwise process as indicated by the mark.
-run ip46tables -A INPUT -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-case $forward in
-  1)
-    run ip46tables -A FORWARD -m mark ! --mark 0/$MASK_MASK -j ACCEPT
-    ;;
-esac
+for i in $inchains; do
+  run ip46tables -A $i -m mark ! --mark 0/$MASK_MASK -j ACCEPT
+done
 
 m4_divert(-1)
 ###----- That's all, folks --------------------------------------------------