From f5e75f845536d36c44d3bf53d0fe1faee86e5f48 Mon Sep 17 00:00:00 2001
From: teastep
Date: Tue, 19 Jun 2007 14:05:46 +0000
Subject: [PATCH] Catch HOST(S) errors earlier in routestopped processing; handle bridges in routestopped

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6596 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Rules.pm | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index a73b7ee65..7da38bf61 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -390,6 +390,7 @@ sub process_criticalhosts() {
     my @hosts;
 
     for my $host ( split /,/, $hosts ) {
+        validate_net $host;
         push @hosts, "$interface:$host";
     }
 
@@ -435,6 +436,7 @@ sub process_routestopped() {
     my @hosts;
 
     for my $host ( split /,/, $hosts ) {
+        validate_net $host;
         push @hosts, "$interface:$host";
     }
 
@@ -475,19 +477,21 @@ sub process_routestopped() {
         my ( $interface, $h ) = split /:/, $host;
         my $source = match_source_net $h;
         my $dest = match_dest_net $h;
+        my $sourcei = match_source_dev $interface;
+        my $desti = match_dest_dev $interface;
 
-        emit "\$IPTABLES -A INPUT -i $interface $source -j ACCEPT";
-        emit "\$IPTABLES -A OUTPUT -o $interface $dest -j ACCEPT" if $config{ADMINISABSENTMINDED};
+        emit "\$IPTABLES -A INPUT $sourcei $source -j ACCEPT";
+        emit "\$IPTABLES -A OUTPUT $desti $dest -j ACCEPT" if $config{ADMINISABSENTMINDED};
 
         my $matched = 0;
 
         if ( $source{$host} ) {
-            emit "\$IPTABLES -A FORWARD -i $interface $source -j ACCEPT";
+            emit "\$IPTABLES -A FORWARD $sourcei $source -j ACCEPT";
             $matched = 1;
         }
 
         if ( $dest{$host} ) {
-            emit "\$IPTABLES -A FORWARD -o $interface $dest -j ACCEPT";
+            emit "\$IPTABLES -A FORWARD $desti $dest -j ACCEPT";
             $matched = 1;
         }
 
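Review bot: The new `validate_net $host;` is called in void context, so the early catch only works if validate_net dies (or calls a fatal helper) on a bad HOST(S) entry; if it instead returns a status, the `push` on the next line still records the unvalidated host and the error surfaces later, as before. The same pattern is added in the process_routestopped hunk below, so whatever is decided here applies there too. `split /,/` also hands the loop an empty string for an entry such as `192.168.1.1,,10.0.0.1` (constructed example), and whether validate_net rejects '' is not visible in the hunk; an explicit `die "empty entry in HOST(S) column" unless length $host;` before the call would make that case unambiguous rather than depending on the helper. The enclosing sub process_criticalhosts continues outside the hunk.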
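Review bot: The replacement of the literal `-i $interface`/`-o $interface` with `$sourcei`/`$desti` is not explained in the code, and the emitted INPUT/OUTPUT/FORWARD rules now depend on match_source_dev and match_dest_dev always returning a device qualifier: if either can return an empty string for an interface that reaches this loop (not visible in the hunk), the corresponding line degrades to an ACCEPT with no interface restriction. A comment above the two new `my` lines such as `# use match_*_dev instead of -i/-o so interfaces that are bridge ports get the right device match` would record the intent from the commit message, and a check that refuses an empty result would close the fallback. `$desti` is also computed unconditionally although it is only used under ADMINISABSENTMINDED or `$dest{$host}`, which is harmless but worth a glance. This loop body belongs to process_routestopped, which continues past the hunk.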
@@ -496,7 +500,8 @@ sub process_routestopped() {
                 unless ( $host eq $host1 ) {
                     my ( $interface1, $h1 ) = split /:/, $host1;
                     my $dest1 = match_dest_net $h1;
-                    emit "\$IPTABLES -A FORWARD -i $interface -o $interface1 $source $dest1 -j ACCEPT";
+                    my $desti1 = match_dest_dev $interface1;
+                    emit "\$IPTABLES -A FORWARD $sourcei $desti1 $source $dest1 -j ACCEPT";
                     clearrule;
                 }
             }
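Review bot: The rewritten FORWARD rule now pairs `$sourcei` (computed earlier in the outer loop, outside this hunk) with the new `$desti1`, so when both `$interface` and `$interface1` are bridge ports a single rule carries two device matches whose exact form comes from match_source_dev/match_dest_dev rather than plain `-i`/`-o`; since bridge handling is the stated purpose of the commit, that combination is worth a comment and a check that the generated line is accepted by iptables, e.g. `# both devices may be bridge-port matches here, not plain -i/-o; verified against iptables`. `my $desti1 = match_dest_dev $interface1;` is also recomputed for every outer `$host` even though it depends only on `$host1`, which is harmless at this size but could live next to the per-host values if the host list grows. The enclosing loops and sub process_routestopped start outside the hunk.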