Order interfaces within zone when generating top-level rules

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@8125 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2008-01-30 21:57:39 +00:00 · 2008-01-30 21:57:39 +00:00 · 06d3269f7e
commit 06d3269f7e
parent 8ef198b3a6
2 changed files with 14 additions and 3 deletions
--- a/Shorewall-perl/Shorewall/Rules.pm
+++ b/Shorewall-perl/Shorewall/Rules.pm
@ -1547,7 +1547,7 @@ sub generate_matrix() {
 		create_zone_dyn_chain $zone, $frwd_ref if (%$source_ref || $type eq 'ipsec4' );
 	    }

-	    for my $interface ( keys %$source_ref ) {
+	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
 		my $sourcechainref;
 		my $interfacematch = '';
 		
@ -1637,7 +1637,7 @@ sub generate_matrix() {
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
 	for my $typeref ( values %$source_hosts_ref ) {
-	    for my $interface (keys %$typeref ) {
+	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		my $arrayref = $typeref->{$interface};
 		for my $hostref ( @$arrayref ) {
 		    my $ipsec_in_match  = match_ipsec_in  $zone , $hostref;
--- a/Shorewall-perl/Shorewall/Zones.pm
+++ b/Shorewall-perl/Shorewall/Zones.pm
@ -49,6 +49,7 @@ our @EXPORT = qw( NOTHING
 		  single_interface
 		  validate_interfaces_file
 		  all_interfaces
+		  interface_number
 		  find_interface
 		  known_interface
 		  have_bridges
@ -128,6 +129,7 @@ our %reservedName = ( all => 1,
 #                                     nets        => <number of nets in interface/hosts records referring to this interface>
 #                                     bridge      => <bridge>
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
+#                                     number      => <ordinal position in the interfaces file>
 #                                   }
 #                 }
 #
@ -543,6 +545,7 @@ sub firewall_zone() {
 sub validate_interfaces_file( $ )
 {
    my $export = shift;
+    my $num    = 0;

    use constant { SIMPLE_IF_OPTION   => 1,
 		   BINARY_IF_OPTION   => 2,
@ -640,6 +643,7 @@ sub validate_interfaces_file( $ )

 	$interfaces{$interface}{name} = $interface;
 	$interfaces{$interface}{nets} = 0;
+	$interfaces{$interface}{number} = ++$num;
 	
 	my $wildcard = 0;

@ -782,13 +786,20 @@ sub known_interface($)
 	    #
 	    # Cache this result for future reference. We set the 'name' to the name of the entry that appears in /etc/shorewall/interfaces.
 	    #
-	    return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i };
+	    return $interfaces{$interface} = { options => $interfaceref->{options}, bridge => $interfaceref->{bridge} , name => $i , number => $interfaceref->{number} };
 	}
    }

    0;
 }

+#
+# Return interface number
+#
+sub interface_number( $ ) {
+    $interfaces{$_[0]}{number} || 256;
+}
+
 #
 # Return the interfaces list
 #