Révision fb0a4e7a
Ajouté par Phil Davis il y a plus de 9 ans
| etc/inc/filter.inc | ||
|---|---|---|
| 2091 | 2091 |
function filter_address_add_vips_subnets(&$subnets, $if, $not) {
|
| 2092 | 2092 |
global $FilterIflist; |
| 2093 | 2093 |
|
| 2094 |
if (!isset($FilterIflist[$if]['vips']) || !is_array($FilterIflist[$if]['vips'])) |
|
| 2095 |
return; |
|
| 2096 |
|
|
| 2097 | 2094 |
$if_subnets = array($subnets); |
| 2098 | 2095 |
|
| 2099 | 2096 |
if ($not == true) |
| 2100 | 2097 |
$subnets = "!{$subnets}";
|
| 2101 | 2098 |
|
| 2099 |
if (!isset($FilterIflist[$if]['vips']) || !is_array($FilterIflist[$if]['vips'])) |
|
| 2100 |
return; |
|
| 2101 |
|
|
| 2102 | 2102 |
foreach ($FilterIflist[$if]['vips'] as $vip) {
|
| 2103 | 2103 |
foreach ($if_subnets as $subnet) |
| 2104 | 2104 |
if (ip_in_subnet($vip['ip'], $subnet)) |
| ... | ... | |
| 2141 | 2141 |
$opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ipv6'];
|
| 2142 | 2142 |
if(!is_ipaddrv6($opt_ip)) |
| 2143 | 2143 |
return ""; |
| 2144 |
$src = $opt_ip . "/" . |
|
| 2145 |
$FilterIflist["opt{$optmatch[1]}"]['snv6'];
|
|
| 2144 |
$src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['snv6'];
|
|
| 2146 | 2145 |
/* check for opt$NUMip here */ |
| 2147 | 2146 |
} else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
|
| 2148 | 2147 |
$src = $FilterIflist["opt{$matches[1]}"]['ipv6'];
|
| ... | ... | |
| 2156 | 2155 |
$opt_ip = $FilterIflist["opt{$optmatch[1]}"]['ip'];
|
| 2157 | 2156 |
if(!is_ipaddrv4($opt_ip)) |
| 2158 | 2157 |
return ""; |
| 2159 |
$src = $opt_ip . "/" . |
|
| 2160 |
$FilterIflist["opt{$optmatch[1]}"]['sn'];
|
|
| 2158 |
$src = $opt_ip . "/" . $FilterIflist["opt{$optmatch[1]}"]['sn'];
|
|
| 2161 | 2159 |
/* check for opt$NUMip here */ |
| 2162 | 2160 |
} else if(preg_match("/opt([0-9]*)ip/", $rule[$target]['network'], $matches)) {
|
| 2163 | 2161 |
$src = $FilterIflist["opt{$matches[1]}"]['ip'];
|
| ... | ... | |
| 2262 | 2260 |
(strpos($src, '{') === false))
|
| 2263 | 2261 |
$src = " !{$src}";
|
| 2264 | 2262 |
} |
| 2265 |
if (is_subnet($src)) |
|
| 2266 |
filter_address_add_vips_subnets($src, $rule[$target]['network'], |
|
| 2267 |
isset($rule[$target]['not'])); |
|
| 2268 | 2263 |
} |
| 2264 |
if (is_subnet($src)) |
|
| 2265 |
filter_address_add_vips_subnets($src, $rule[$target]['network'], isset($rule[$target]['not'])); |
|
| 2269 | 2266 |
} else if($rule[$target]['address']) {
|
| 2270 | 2267 |
$expsrc = alias_expand($rule[$target]['address']); |
| 2271 | 2268 |
if(isset($rule[$target]['not'])) |
Formats disponibles : Unified diff
Fix not rules for OPTn network case
Reported in forum https://forum.pfsense.org/index.php?topic=82319.0
The "if (is_subnet($src)) ... filter_address_add_vips_subnets" code needs to go outside all of the if that checks for opt interfaces (not just in the else part). That makes filter_address_add_vips_subnets get called in all cases, including when optn network is specified. (line 2264, 2265)
Then filter_address_add_vips_subnets needs to process the "not" code early, before checking if there are any VIPs (which was causing the routine to exit early in simple cases) - lines 2093-2100 chunk. This should also fix cases of using "LANnet", "WANnet" and "not" in rules on an interface that has just a plain address (no VIPs).
Lines 2144 and 2158 are no functional change. The formatting of the multi-line statement was odd, so I put it back all on 1 line.