From a432511b04b0fa0005138adba9306b90044413d9 Mon Sep 17 00:00:00 2001
From: Tristan PILAT
Date: Wed, 18 Nov 2020 18:10:27 +0100
Subject: [PATCH] Add per host output autorisation capability
---
 minifirewall-start.sh | 11 +++++++++++
 minifirewall.conf | 3 +++
 2 files changed, 14 insertions(+)
diff --git a/minifirewall-start.sh b/minifirewall-start.sh
index b294eae..5accf03 100755
--- a/minifirewall-start.sh
+++ b/minifirewall-start.sh
@@ -380,6 +380,17 @@ then
 fi
 fi
+# If specified, we add per host output autorisation
+if [ -n $OUTPUTOK ]
+then
+ for item in $(echo $OUTPUTOK)
+ do
+ ip=$(echo $item | awk -F'!' '{print $1}')
+ port=$(echo $item | awk -F'!' '{print $2}')
+ $NFT add rule inet minifirewall minifirewall_output ip daddr $ip tcp dport $port counter accept
+ done
+fi
+
 # Related and established traffic is accepted
 $NFT add rule inet minifirewall minifirewall_output ct state established,related accept
diff --git a/minifirewall.conf b/minifirewall.conf
index da9b7a7..1e272d5 100644
--- a/minifirewall.conf
+++ b/minifirewall.conf
@@ -75,3 +75,6 @@ SMTPSECUREOK=''
 # NTP authorizations
 NTPOK='0.0.0.0/0'
+# Per host output autorisations (IP!Port)
+# OUTPUTOK='203.0.113.1!42 203.0.113.2!43'
+OUTPUTOK=''
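Review bot: `if [ -n $OUTPUTOK ]` in the minifirewall-start.sh hunk fails as soon as OUTPUTOK holds more than one entry: with the value documented in minifirewall.conf, `'203.0.113.1!42 203.0.113.2!43'`, the unquoted expansion becomes `[ -n 203.0.113.1!42 203.0.113.2!43 ]`, which `test` rejects as "too many arguments", so the block is silently skipped and none of the configured output rules are installed. The fix is to quote the expansion, `if [ -n "$OUTPUTOK" ]`. The loop body also hands `$ip` and `$port` to nft without checking that the entry actually contained a `!` separator, so an entry such as `203.0.113.1` yields an empty port and a malformed nft command; whether that aborts the whole script depends on `set -e`, which is not visible in the hunk. The rewrite below keeps the same interface, replaces the two awk subshells per entry with parameter expansion, and skips malformed entries with a message on stderr instead of calling nft with empty fields.
```shell
# If specified, we add per host output authorization (entries are IP!port, TCP only)
if [ -n "$OUTPUTOK" ]
then
    # word-splitting on $OUTPUTOK is intentional: it is a space-separated list
    for item in $OUTPUTOK
    do
        ip=${item%%!*}
        port=${item#*!}
        # no '!' in the entry leaves ip and port both equal to the whole item
        if [ -z "$ip" ] || [ -z "$port" ] || [ "$item" = "$ip" ]
        then
            echo "minifirewall: ignoring malformed OUTPUTOK entry '$item' (expected IP!port)" >&2
            continue
        fi
        $NFT add rule inet minifirewall minifirewall_output ip daddr "$ip" tcp dport "$port" counter accept
    done
fi
```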
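Review bot: The comment `# Per host output autorisations (IP!Port)` in the minifirewall.conf hunk does not tell the administrator that the rule added by minifirewall-start.sh is `tcp dport` only, so a UDP destination cannot be expressed with this setting, nor that several entries are separated by spaces as in the example line. Suggest `# Per host TCP output authorizations, space-separated (IP!port)`, which also matches the spelling used by the "# NTP authorizations" line just above it.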