From 06d3269f7e82dce8f4f1ecab63bdde8325a4fce4 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 30 Jan 2008 21:57:39 +0000
Subject: [PATCH] Order interfaces within zone when generating top-level rules
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8125 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-perl/Shorewall/Rules.pm | 4 ++--
 Shorewall-perl/Shorewall/Zones.pm | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/Shorewall-perl/Shorewall/Rules.pm b/Shorewall-perl/Shorewall/Rules.pm
index ae4248ecd..276269b15 100644
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@@ -1547,7 +1547,7 @@ sub generate_matrix() {
 create_zone_dyn_chain $zone, $frwd_ref if (%$source_ref || $type eq 'ipsec4' );
 }
- for my $interface ( keys %$source_ref ) {
+ for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
 my $sourcechainref;
 my $interfacematch = '';
@@ -1637,7 +1637,7 @@ sub generate_matrix() {
 # Take care of PREROUTING, INPUT and OUTPUT jumps
 #
 for my $typeref ( values %$source_hosts_ref ) {
- for my $interface (keys %$typeref ) {
+ for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 my $arrayref = $typeref->{$interface};
 for my $hostref ( @$arrayref ) {
 my $ipsec_in_match = match_ipsec_in $zone , $hostref;
diff --git a/Shorewall-perl/Shorewall/Zones.pm b/Shorewall-perl/Shorewall/Zones.pm
index 27daa8f0a..c054ea8f0 100644
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@@ -49,6 +49,7 @@ our @EXPORT = qw( NOTHING
 single_interface
 validate_interfaces_file
 all_interfaces
+ interface_number
 find_interface
 known_interface
 have_bridges
@@ -128,6 +129,7 @@ our %reservedName = ( all => 1,
 # nets =>
 # bridge =>
 # broadcasts => 'none', 'detect' or [ , , ... ]
+# number =>
 # }
 # }
 #
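Review bot: The sort comparator added to both `for my $interface` loops in generate_matrix (the hunks at 1547 and 1637) compares only `interface_number`, so keys with equal numbers still come out in hash order, which Perl does not guarantee. Equal numbers are possible from the code in this same patch: `interface_number` returns 256 for every entry that has no number, and the cache entry built in known_interface copies `number` from the interfaces-file entry it matched. Because the order of these jumps decides which chain a packet reaches first, a name tie-break would make the generated ruleset reproducible from one compile to the next: `sort { interface_number( $a ) <=> interface_number( $b ) || $a cmp $b } keys %$source_ref`, and likewise for `keys %$typeref`. generate_matrix starts and ends outside both hunks.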
@@ -543,6 +545,7 @@ sub firewall_zone() {
 sub validate_interfaces_file( $ )
 {
 my $export = shift;
+ my $num = 0;
 use constant { SIMPLE_IF_OPTION => 1,
 BINARY_IF_OPTION => 2,
@@ -640,6 +643,7 @@ sub validate_interfaces_file( $ )
 $interfaces{$interface}{name} = $interface;
 $interfaces{$interface}{nets} = 0;
+ $interfaces{$interface}{number} = ++$num;
 my $wildcard = 0;
@@ -782,13 +786,20 @@ sub known_interface($)
 #
 # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
 #
- return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i };
+ return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} };
 }
 }
 0;
 }
+#
+# Return interface number
+#
+sub interface_number( $ ) {
+ $interfaces{$_[0]}{number} || 256;
+}
+
 #
 # Return the interfaces list
 #
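Review bot: The new `interface_number` reads `$interfaces{$_[0]}{number}` directly, and in Perl that nested lookup autovivifies `$interfaces{$name}` as an empty hash when the name has no entry, so asking for the number of an unknown interface adds a phantom entry to `%interfaces`. The `|| 256` fallback suggests such names are expected, and any code that later tests `$interfaces{$name}` for truth or walks the hash would then see an interface with no name or options; those callers are outside this hunk, so this needs checking against them. Fetching the entry first avoids the side effect: `my $ref = $interfaces{$_[0]}; return ( $ref && $ref->{number} ) || 256;`. Since `++$num` in validate_interfaces_file has no upper bound, 256 only sorts after every real entry while there are fewer than 256 of them, which the header comment should state, e.g. `# Return the interface's ordinal position in the interfaces file, or 256 when it has none`. known_interface begins outside the hunk; interface_number is entirely inside it.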