Commit 4de7b59a authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

support for using externally controlled ipsets in rules

parent 8d6917d7
......@@ -51,8 +51,6 @@ function Zone:optfrags(dir)
iopt, aopt, iprop, aprop = 'o', 'd', 'out', 'dest'
else assert(false) end
-- TODO support for externally controlled ipsets
local aopts = {}
for i, hostdef in util.listpairs(self.addr) do
for i, addr in ipairs( do
......@@ -277,6 +275,22 @@ function Rule:trules()
local res = self:zoneoptfrags()
if self.ipset then
if not then error('Set name not defined') end
if not self.ipset.args then
error('Set direction arguments not defined')
local setopts = '-m set --match-set '' '
for i, arg in util.listpairs(self.ipset.args) do
if i > 1 then setopts = setopts..',' end
if arg == 'in' then setopts = setopts..'src'
elseif arg == 'out' then setopts = setopts..'dst'
else error('Invalid set direction argument') end
res = combinations(res, {{opts=setopts}})
if self.ipsec then
res = combinations(res, {{opts='-m policy --pol ipsec --dir '..self.ipsec}})
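Review bot: In the `Rule:trules` hunk the set name is spliced into `setopts` directly after `--match-set` with only a presence check (the name expression itself is lost in this rendering), so a configured name containing whitespace or a newline would add extra match options or lines to the generated rule. Because these ipsets are externally controlled, I would validate the name before building the string, e.g. `if not tostring(<set name>):match('^[%w_.:-]+$') then error('Invalid set name') end`, where `<set name>` stands for the dropped expression. If `util.listpairs` yields nothing for an empty table, an empty `self.ipset.args` would also pass the nil check and leave `--match-set` without any `src`/`dst` flag; raising an error when the loop appended nothing would catch that at translation time rather than when the rules are loaded. `Rule:trules` starts and ends outside the hunk.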