Révision fb0a4e7a
Ajouté par Phil Davis il y a plus de 9 ans
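--- a/etc/inc/filter.inc
+++ b/etc/inc/filter.inc
@@ -2091,14 +2091,14 @@
 function filter_address_add_vips_subnets(&$subnets, $if, $not) {
 global $FilterIflist;
 
-if (!isset($FilterIflist[$if]['vips']) || !is_array($FilterIflist[$if]['vips']))
-return;
-
 $if_subnets = array($subnets);
 
 if ($not == true)
 $subnets = "!{$subnets}";
 
+if (!isset($FilterIflist[$if]['vips']) || !is_array($FilterIflist[$if]['vips']))
+return;
+
 foreach ($FilterIflist[$if]['vips'] as $vip) {
 foreach ($if_subnets as $subnet)
 if (ip_in_subnet($vip['ip'], $subnet))
@@ -2141,8 +2141,7 @@
 $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ipv6'];
 if(!is_ipaddrv6($opt_ip))
 return "";
-$src = $opt_ip . "/" .
-$FilterIflist["opt{$optmatch[1]}"]['snv6'];
+$src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['snv6'];
 /* check for opt$NUMip here */
 } else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
 $src = $FilterIflist["opt{$matches[1]}"]['ipv6'];
@@ -2156,8 +2155,7 @@
 $opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip'];
 if(!is_ipaddrv4($opt_ip))
 return "";
-$src = $opt_ip . "/" .
-$FilterIflist["opt{$optmatch[1]}"]['sn'];
+$src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['sn'];
 /* check for opt$NUMip here */
 } else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
 $src = $FilterIflist["opt{$matches[1]}"]['ip'];
@@ -2262,10 +2260,9 @@
 (strpos($src, '{') === false))
 $src = " !{$src}";
 }
-if (is_subnet($src))
-filter_address_add_vips_subnets($src, $rule[$target]['network'],
-isset($rule[$target]['not']));
 }
+if (is_subnet($src))
+filter_address_add_vips_subnets($src, $rule[$target]['network'], isset($rule[$target]['not']));
 } else if($rule[$target]['address']) {
 $expsrc = alias_expand($rule[$target]['address']);
 if(isset($rule[$target]['not']))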
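Review bot: The negation for the OPTn network branches now depends entirely on `is_subnet($src)` being true at the relocated call (new lines 2264-2265), yet `$src` there is built from a validated address and an unvalidated `['sn']` / `['snv6']` value (new lines 2144 and 2158). If that mask is empty or malformed, `is_subnet()` would presumably fail, `filter_address_add_vips_subnets()` is skipped, and the rule may be emitted without its `!`, which inverts the match the administrator configured. Consider failing closed next to the existing address checks, e.g. `if (!is_numeric($FilterIflist["opt{$optmatch[1]}"]['sn'])) return "";` (and the same for `'snv6'`). The enclosing function starts and ends outside these hunks, so confirm no later check already covers this case.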
Fix not rules for OPTn network case
Reported in forum https://forum.pfsense.org/index.php?topic=82319.0
The "if (is_subnet($src)) ... filter_address_add_vips_subnets" code needs to go outside all of the if that checks for opt interfaces (not just in the else part). That makes filter_address_add_vips_subnets get called in all cases, including when optn network is specified. (line 2264, 2265)
Then filter_address_add_vips_subnets needs to process the "not" code early, before checking if there are any VIPs (which was causing the routine to exit early in simple cases) - lines 2093-2100 chunk. This should also fix cases of using "LANnet", "WANnet" and "not" in rules on an interface that has just a plain address (no VIPs).
Lines 2144 and 2158 are no functional change. The formatting of the multi-line statement was odd, so I put it back all on 1 line.