authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2014-03-31 10:46:57 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2014-03-31 10:48:07 +0300
commitff5d7618a71cdf11089e28bf85d43f0a3fd3ccd5 (patch)
tree37d7868ef96e42a78f9a965ce744b31f88d1baed
parentfe3ce1d7fef26030b45ac4ab4e3a613735dc20d7 (diff)
distinguish local-destined packets before routing decision
-rwxr-xr-xawall-cli4
-rw-r--r--awall/model.lua28
2 files changed, 18 insertions, 14 deletions
diff --git a/awall-cli b/awall-cli
index 154fbdd..e8d8f3c 100755
--- a/awall-cli
+++ b/awall-cli
@@ -2,7 +2,7 @@
--[[
Alpine Wall
-Copyright (C) 2012-2013 Kaarle Ritvanen
+Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
@@ -14,7 +14,7 @@ require 'stringy'
function help()
io.stderr:write([[
Alpine Wall
-Copyright (C) 2012-2013 Kaarle Ritvanen
+Copyright (C) 2012-2014 Kaarle Ritvanen
This is free software with ABSOLUTELY NO WARRANTY,
available under the terms of the GNU General Public License, version 2
diff --git a/awall/model.lua b/awall/model.lua
index 65148c4..90fb26f 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -470,22 +470,26 @@ function Rule:trules()
table.insert(res, ofrag)
else
- local chains
- if ofrag.chain == 'PREROUTING' then chains = {'FORWARD', 'INPUT'}
+ local ofs, recursive
+ if ofrag.chain == 'PREROUTING' then
+ ofs = {{chain='FORWARD'}, {chain='INPUT'}}
elseif ofrag.chain == 'POSTROUTING' then
- chains = {'FORWARD', 'OUTPUT'}
- elseif util.contains({'INPUT', 'FORWARD'}, ofrag.chain) then
- chains = {'PREROUTING'}
+ ofs = {{chain='FORWARD'}, {chain='OUTPUT'}}
+ recursive = true
+ elseif ofrag.chain == 'INPUT' then
+ ofs = {{opts='-m addrtype --dst-type LOCAL', chain='PREROUTING'}}
+ elseif ofrag.chain == 'FORWARD' then
+ ofs = {
+ {opts='-m addrtype ! --dst-type LOCAL', chain='PREROUTING'}
+ }
end
- if chains then
+ if ofs then
ofrag.chain = nil
- util.extend(res,
- convertchains(combinations({ofrag},
- util.map(chains,
- function(c)
- return {chain=c}
- end))))
+ ofs = combinations(ofs, {ofrag})
+ if recursive then ofs = convertchains(ofs) end
+ util.extend(res, ofs)
+
else table.insert(res, ofrag) end
end
end
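Review bot: The two `addrtype` matches added in the `INPUT` and `FORWARD` branches are not an exact stand-in for the routing decision, and nothing in the hunk says so. In PREROUTING the match sees the destination address as the packet arrived, so a packet that a DNAT rule rewrites afterwards, or one sent to a broadcast or multicast address (delivered locally but not of type LOCAL), may be classified differently from how the INPUT or FORWARD chain would have seen it. Which tables these fragments end up in is not visible here, so this should be confirmed against the callers. I would add a comment above `elseif ofrag.chain == 'INPUT' then`, for example `-- approximation: addrtype sees the pre-DNAT destination; broadcast/multicast are not LOCAL`, and a second one next to `recursive = true` saying why only the POSTROUTING branch is passed through `convertchains` again. Rule:trules starts before this hunk and continues after it.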