- /* standard input/output/forward chain */
- fwd_ipt_exec_format("filter", " -N input");
- fwd_ipt_exec_format("filter", " -N output");
- fwd_ipt_exec_format("filter", " -N forward");
- fwd_ipt_exec_format("filter", " -A INPUT -j input");
- fwd_ipt_exec_format("filter", " -A OUTPUT -j output");
- fwd_ipt_exec_format("filter", " -A FORWARD -j forward");
-
- /* standard reject chain */
- fwd_ipt_exec_format("filter", " -N reject");
- fwd_ipt_exec_format("filter", " -A reject -p tcp -j REJECT --reject-with tcp-reset");
- fwd_ipt_exec_format("filter", " -A reject -j REJECT --reject-with icmp-port-unreachable");
+ /* rule container chains */
+ fwd_r_new_chain(h_filter, "mssfix");
+ fwd_r_new_chain(h_filter, "zones");
+ fwd_r_new_chain(h_filter, "rules");
+ fwd_r_new_chain(h_filter, "redirects");
+ fwd_r_new_chain(h_filter, "forwardings");
+ fwd_r_jump_chain(h_filter, "INPUT", "rules");
+ fwd_r_jump_chain(h_filter, "FORWARD", "mssfix");
+ fwd_r_jump_chain(h_filter, "FORWARD", "zones");
+ fwd_r_jump_chain(h_filter, "FORWARD", "rules");
+ fwd_r_jump_chain(h_filter, "FORWARD", "redirects");
+ fwd_r_jump_chain(h_filter, "FORWARD", "forwardings");
+ fwd_r_new_chain(h_nat, "zonemasq");
+ fwd_r_new_chain(h_nat, "redirects");
+ fwd_r_new_chain(h_nat, "loopback");
+ fwd_r_jump_chain(h_nat, "POSTROUTING", "zonemasq");
+ fwd_r_jump_chain(h_nat, "PREROUTING", "redirects");
+ fwd_r_jump_chain(h_nat, "POSTROUTING", "loopback");
+
+ /* standard drop, accept, reject chain */
+ fwd_r_handle_drop(h_filter);
+ fwd_r_handle_accept(h_filter);
+ fwd_r_handle_reject(h_filter);
+
+
+ if( !iptc_commit(h_nat) )
+ fwd_fatal("Cannot commit nat table: %s", iptc_strerror(errno));
+
+ if( !iptc_commit(h_filter) )
+ fwd_fatal("Cannot commit filter table: %s", iptc_strerror(errno));
+
+ iptc_free(h_nat);
+ iptc_free(h_filter);