From 38de9c1732a166872af1ccadbb250a53fc0cb10c Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sat, 23 Dec 2017 10:24:08 -0800 Subject: [PATCH] Make wildcard/option checks order-independent WRT the options Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Zones.pm | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm index 80bfa7f76..b7003bbb5 100644 --- a/Shorewall/Perl/Shorewall/Zones.pm +++ b/Shorewall/Perl/Shorewall/Zones.pm @@ -350,7 +350,7 @@ sub initialize( $$ ) { arp_ignore => ENUM_IF_OPTION, blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST, bridge => SIMPLE_IF_OPTION, - dbl => ENUM_IF_OPTION, + dbl => ENUM_IF_OPTION + IF_OPTION_WILDOK, destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST, detectnets => OBSOLETE_IF_OPTION, dhcp => SIMPLE_IF_OPTION, @@ -401,7 +401,7 @@ sub initialize( $$ ) { %validinterfaceoptions = ( accept_ra => NUMERIC_IF_OPTION, blacklist => SIMPLE_IF_OPTION + IF_OPTION_HOST, bridge => SIMPLE_IF_OPTION, - dbl => ENUM_IF_OPTION, + dbl => ENUM_IF_OPTION + IF_OPTION_WILDOK, destonly => SIMPLE_IF_OPTION + IF_OPTION_HOST, dhcp => SIMPLE_IF_OPTION, ignore => NUMERIC_IF_OPTION + IF_OPTION_WILDOK, @@ -1276,8 +1276,6 @@ sub process_interface( $$ ) { my $hostopt = $type & IF_OPTION_HOST; - my $fulltype = $type; - $type &= MASK_IF_OPTION; unless ( $type == BINARY_IF_OPTION && defined $value && $value eq '0' ) { 
@@ -1392,12 +1390,6 @@ sub process_interface( $$ ) { } else { warning_message "Support for the $option interface option has been removed from Shorewall"; } - - if ( $root ) { - warning_message( "The '$option' option is ignored when used with a wildcard physical name" ), delete $options{$option} if $physwild && $procinterfaceoptions{$option}; - } else { - warning_message( "The '$option' option is ignored when used with interface name '+'" ), delete $options{$option} unless $fulltype & IF_OPTION_WILDOK; - } } fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive) @@ -1418,6 +1410,14 @@ sub process_interface( $$ ) { $options{ignore} = 0; } + for my $option ( keys %options ) { + if ( $root ) { + warning_message( "The '$option' option is ignored when used with a wildcard physical name" ), delete $options{$option} if $physwild && $procinterfaceoptions{$option}; + } else { + warning_message( "The '$option' option is ignored when used with interface name '+'" ), delete $options{$option} unless $validinterfaceoptions{$option} & IF_OPTION_WILDOK; + } + } + if ( $netsref eq 'dynamic' ) { my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}"; $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};
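Review bot: The new loop at the end of this hunk iterates `keys %options`, so it also visits entries that process_interface sets itself (for example `$options{ignore} = 0` just above), whereas the removed check apparently ran only for options the user listed. If any such key is absent from `%validinterfaceoptions`, the `'+'` branch evaluates `undef & IF_OPTION_WILDOK` and deletes the entry with a misleading warning; I cannot see from this hunk whether such keys exist, so please confirm. Hash order is unspecified in Perl, so the warnings can come out in a different order from one compile to the next, which makes the firewall compiler's output harder to diff when auditing a change; `sort keys %options` would fix that. The `warning_message(...), delete ... if ...` comma form is easy to misread and would be clearer as explicit blocks, as sketched below; the body of process_interface continues outside the hunk.

```perl
for my $option ( sort keys %options ) {
    if ( $root ) {
        if ( $physwild && $procinterfaceoptions{$option} ) {
            warning_message( "The '$option' option is ignored when used with a wildcard physical name" );
            delete $options{$option};
        }
    } elsif ( ! ( ( $validinterfaceoptions{$option} || 0 ) & IF_OPTION_WILDOK ) ) {
        warning_message( "The '$option' option is ignored when used with interface name '+'" );
        delete $options{$option};
    }
}
```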