Order interfaces within zone when generating top-level rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8125 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2008-01-30 21:57:39 +00:00
parent 8ef198b3a6
commit 06d3269f7e
2 changed files with 14 additions and 3 deletions


@ -1547,7 +1547,7 @@ sub generate_matrix() {
create_zone_dyn_chain $zone, $frwd_ref if (%$source_ref || $type eq 'ipsec4' ); create_zone_dyn_chain $zone, $frwd_ref if (%$source_ref || $type eq 'ipsec4' );
} }
for my $interface ( keys %$source_ref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
my $sourcechainref; my $sourcechainref;
my $interfacematch = ''; my $interfacematch = '';
@ -1637,7 +1637,7 @@ sub generate_matrix() {
# Take care of PREROUTING, INPUT and OUTPUT jumps # Take care of PREROUTING, INPUT and OUTPUT jumps
# #
for my $typeref ( values %$source_hosts_ref ) { for my $typeref ( values %$source_hosts_ref ) {
for my $interface (keys %$typeref ) { for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
my $arrayref = $typeref->{$interface}; my $arrayref = $typeref->{$interface};
for my $hostref ( @$arrayref ) { for my $hostref ( @$arrayref ) {
my $ipsec_in_match = match_ipsec_in $zone , $hostref; my $ipsec_in_match = match_ipsec_in $zone , $hostref;
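Review bot: The new comparator on the `keys %$source_ref` loop has no tie-break, so interfaces that compare equal still come out in hash order. `interface_number` returns 256 for any name without a `number`, and the entry cached by `known_interface` copies its number from the entry it matched, so ties look possible. Because this order decides the order of the generated jumps, a secondary key would make the compiled ruleset reproducible and easier to audit between runs: `sort { interface_number( $a ) <=> interface_number( $b ) || $a cmp $b } keys %$source_ref`. The same applies to the `keys %$typeref` loop in the second hunk, whose outer `values %$source_hosts_ref` is still iterated unordered. Both loops sit inside generate_matrix, whose body extends outside these hunks.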


@ -49,6 +49,7 @@ our @EXPORT = qw( NOTHING
single_interface single_interface
validate_interfaces_file validate_interfaces_file
all_interfaces all_interfaces
interface_number
find_interface find_interface
known_interface known_interface
have_bridges have_bridges
@ -128,6 +129,7 @@ our %reservedName = ( all => 1,
# nets => <number of nets in interface/hosts records referring to this interface> # nets => <number of nets in interface/hosts records referring to this interface>
# bridge => <bridge> # bridge => <bridge>
# broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ] # broadcasts => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
# number => <ordinal position in the interfaces file>
# } # }
# } # }
# #
@ -543,6 +545,7 @@ sub firewall_zone() {
sub validate_interfaces_file( $ ) sub validate_interfaces_file( $ )
{ {
my $export = shift; my $export = shift;
my $num = 0;
use constant { SIMPLE_IF_OPTION => 1, use constant { SIMPLE_IF_OPTION => 1,
BINARY_IF_OPTION => 2, BINARY_IF_OPTION => 2,
@ -640,6 +643,7 @@ sub validate_interfaces_file( $ )
$interfaces{$interface}{name} = $interface; $interfaces{$interface}{name} = $interface;
$interfaces{$interface}{nets} = 0; $interfaces{$interface}{nets} = 0;
$interfaces{$interface}{number} = ++$num;
my $wildcard = 0; my $wildcard = 0;
@ -782,13 +786,20 @@ sub known_interface($)
# #
# Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces. # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
# #
return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i }; return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} };
} }
} }
0; 0;
} }
#
# Return interface number
#
sub interface_number( $ ) {
$interfaces{$_[0]}{number} || 256;
}
# #
# Return the interfaces list # Return the interfaces list
# #
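Review bot: `interface_number` reads `$interfaces{$_[0]}{number}` directly, which autovivifies an empty `$interfaces{...}` entry whenever the name is not already in the table. Any code that treats key presence in `%interfaces` as "this interface is defined" (possibly whatever backs `all_interfaces` or the lookup in `known_interface`, neither fully visible here) would then see a phantom interface. Fetching the entry first avoids that: `my $ref = $interfaces{ $_[0] }; return ( $ref && $ref->{number} ) || 256;`. The fallback 256 is also unexplained and presumes fewer than 256 entries in the interfaces file; a comment such as `# interfaces without a number sort after the configured ones` would help.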