From 503db4a2e50519802ca6380495d4ecf32894f905 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Wed, 7 Jun 2017 16:20:24 +0200
Subject: [PATCH 1/1] zones: disable masq when resolving of all masq_src or masq_dest items failed

Avoid generating 0.0.0.0/0 masquerade rules when resolving of the corresponding symbolic masq_src or masq_dest value failed.

Signed-off-by: Jo-Philipp Wich
---
 zones.c | 34 +++++++++++++++++++++++++++++++++-
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/zones.c b/zones.c
index 2aa7473..514d203 100644
--- a/zones.c
+++ b/zones.c
@@ -105,6 +105,26 @@ check_policy(struct uci_element *e, enum fw3_flag *pol, enum fw3_flag def,
 }
 }
 
+static bool
+check_masq_addrs(struct list_head *head)
+{
+ struct fw3_address *addr;
+ int n_addr = 0, n_failed = 0;
+
+ list_for_each_entry(addr, head, list)
+ {
+ if (addr->invert)
+ continue;
+
+ n_addr++;
+
+ if (!addr->set && addr->resolved)
+ n_failed++;
+ }
+
+ return (n_addr == 0 || n_failed < n_addr);
+}
+
 static void
 resolve_networks(struct uci_element *e, struct fw3_zone *zone)
 {
@@ -209,6 +229,18 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
 warn_elem(e, "has no device, network, subnet or extra options");
 }
 
+ if (!check_masq_addrs(&zone->masq_src))
+ {
+ warn_elem(e, "has unresolved masq_src, disabling masq");
+ zone->masq = false;
+ }
+
+ if (!check_masq_addrs(&zone->masq_dest))
+ {
+ warn_elem(e, "has unresolved masq_dest, disabling masq");
+ zone->masq = false;
+ }
+
 check_policy(e, &zone->policy_input, defs->policy_input, "input");
 check_policy(e, &zone->policy_output, defs->policy_output, "output");
 check_policy(e, &zone->policy_forward, defs->policy_forward, "forward");
@@ -480,7 +512,7 @@ next_addr(struct fw3_address *addr, struct list_head *list,
 {
 rv = list_entry(p, struct fw3_address, list);
 
- if (fw3_is_family(rv, family) && rv->invert == invert)
+ if (fw3_is_family(rv, family) && rv->set && rv->invert == invert)
 return rv;
 }
 
-- 
2.11.0
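Review bot: Inverted entries are skipped by the `continue` at the top of the loop in check_masq_addrs(), so a masq_src/masq_dest item written with `!` that failed to resolve never counts as a failure, yet the `rv->set` test added to next_addr() in the last hunk drops exactly that entry when the rule is built. The negated match then silently disappears and the masquerade rule covers the range the configuration meant to exclude; if an unresolved inverted entry was previously rendered as `! 0.0.0.0/0` (which matches nothing), this is a change from failing closed to failing open. The reading that "resolved but not set" means a failed lookup is inferred from the counter name; if it holds, a failed inverted entry should disable masq outright rather than be ignored, and a one-line comment above the function stating the rule it implements ("false when every non-inverted entry failed to resolve; any failed inverted entry counts as total failure") would make the contract explicit. The function is complete within the hunk.
```c
	list_for_each_entry(addr, head, list)
	{
		bool failed = !addr->set && addr->resolved;

		/* a negated entry that could not be resolved must not be dropped:
		 * without it the rule matches what the config meant to exclude */
		if (addr->invert)
		{
			if (failed)
				return false;
			continue;
		}

		n_addr++;

		if (failed)
			n_failed++;
	}
	/* … unchanged: return (n_addr == 0 || n_failed < n_addr); … */
```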
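Review bot: Both new checks run and print "disabling masq" even for zones whose masq option is already off, so a zone that carries a masq_src list without masquerading gets a misleading warning; guarding the calls with the flag avoids that: `if (zone->masq && !check_masq_addrs(&zone->masq_src))`, and the same for `masq_dest`. Whether the masq_src/masq_dest entries have already been resolved at this point depends on code outside the hunk (check_masq_addrs() only inspects `resolved` and `set`), so the placement should be confirmed against where those lists are parsed. A partially unresolved list passes check_masq_addrs() silently; a `warn_elem` for that case would tell the operator which entries are being skipped. The enclosing fw3_load_zones() loop begins and ends outside the hunk.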
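Review bot: The added `rv->set` test changes next_addr() for every caller, not only the masq rule emission the commit subject describes; if the iterator is also used for other address lists, unresolved entries there are now skipped silently with no corresponding warning, which should be confirmed against the callers. A comment on the condition would make the intent visible to the next reader: `/* skip entries whose symbolic value did not resolve (set == false) */`. The function begins and ends outside the hunk; the interaction with inverted entries is raised on the first hunk.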