Diffstat (limited to 'src')
| -rw-r--r-- | src/Propellor/Property/Firewall.hs | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index a851f885..13db38df 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -54,8 +54,24 @@ toIpTableArg (Ctstate states) =
 , "conntrack"
 , "--ctstate", concat $ intersperse "," (map show states)
 ]
+toIpTableArg (Source ipwm) =
+ [ "-s"
+ , concat $ intersperse "," (map fromIPWithMask ipwm)
+ ]
+toIpTableArg (Destination ipwm) =
+ [ "-d"
+ , concat $ intersperse "," (map fromIPWithMask ipwm)
+ ]
 toIpTableArg (r :- r') = toIpTableArg r <> toIpTableArg r'
 
+data IPWithMask = IPWithNoMask IPAddr | IPWithIPMask IPAddr IPAddr | IPWithNumMask IPAddr Int
+ deriving (Eq, Show)
+
+fromIPWithMask :: IPWithMask -> String
+fromIPWithMask (IPWithNoMask ip) = fromIPAddr ip
+fromIPWithMask (IPWithIPMask ip ipm) = fromIPAddr ip ++ "/" ++ fromIPAddr ipm
+fromIPWithMask (IPWithNumMask ip m) = fromIPAddr ip ++ "/" ++ show m
+
 data Rule = Rule
 { ruleChain :: Chain
 , ruleTarget :: Target
@@ -84,6 +100,8 @@ data Rules
 | InIFace Network.Interface
 | OutIFace Network.Interface
 | Ctstate [ ConnectionState ]
+ | Source [ IPWithMask ]
+ | Destination [ IPWithMask ]
 | Rules :- Rules -- ^Combine two rules
 deriving (Eq, Show) |
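Review bot: `toIpTableArg (Source ipwm)` and the matching `Destination` equation render an empty list as `["-s", ""]` / `["-d", ""]`, so a rule whose address list ends up empty reaches iptables with an empty address instead of being rejected here; whether iptables then errors out or matches more than intended is outside this code's control. The list should be required to be non-empty, for example by carrying a `NonEmpty IPWithMask` in both constructors or by failing the property when the list is empty. `IPWithNumMask IPAddr Int` likewise accepts any `Int` and `fromIPWithMask` prints it with `show m`, so a negative or over-long prefix is only caught by iptables at apply time; a smart constructor that checks the prefix against the address family would catch it earlier. `toIpTableArg` begins above the hunk, so how its other equations treat empty input is not visible here.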
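Review bot: The new `Source` and `Destination` constructors have no Haddock comment, while the neighbouring `:-` carries `-- ^Combine two rules`. A reader cannot tell from the type that the list is joined with commas into a single `-s`/`-d` argument, which iptables(8) documents as expanding into one rule per address. Suggested comments: `-- ^Match packets from any of these source addresses or networks` and `-- ^Match packets to any of these destination addresses or networks`. The `data Rules` declaration starts above the hunk.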
