authorAn-Cheng Huang <ancheng@vyatta.com>2008-11-03 18:30:18 -0800
committerAn-Cheng Huang <ancheng@vyatta.com>2008-11-03 18:30:18 -0800
commite01c7f37a29ccc3e8a660c3c9995fd077948cc5d (patch)
tree1103b427d3dcb234ccb236bb5cc8ea016885561a
parent69153fc9f6dcaa59e95847214fbab18f43992682 (diff)
downloadvyatta-nat-e01c7f37a29ccc3e8a660c3c9995fd077948cc5d.tar.gz
vyatta-nat-e01c7f37a29ccc3e8a660c3c9995fd077948cc5d.zip
fix for bug 3717: enforce interface restrictions
-rw-r--r--Makefile.am2
-rw-r--r--cfg-version/nat@3 (renamed from cfg-version/nat@2)0
-rw-r--r--scripts/VyattaNatRule.pm11
3 files changed, 9 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am
index 63966e0..b6e68e2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -12,7 +12,7 @@ bin_sudo_users_SCRIPTS = scripts/vyatta-clear-nat
bin_sudo_users_SCRIPTS += scripts/vyatta-nat-translations.pl
share_perl5_DATA = scripts/VyattaNatRule.pm
-curver_DATA = cfg-version/nat@2
+curver_DATA = cfg-version/nat@3
cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
cpio -0pd
diff --git a/cfg-version/nat@2 b/cfg-version/nat@3
index e69de29..e69de29 100644
--- a/cfg-version/nat@2
+++ b/cfg-version/nat@3
diff --git a/scripts/VyattaNatRule.pm b/scripts/VyattaNatRule.pm
index a5a96ae..a648035 100644
--- a/scripts/VyattaNatRule.pm
+++ b/scripts/VyattaNatRule.pm
@@ -148,6 +148,10 @@ sub rule_str {
$can_use_port = 0;
}
if (($self->{_type} eq "source") || ($self->{_type} eq "masquerade")) {
+ return (undef, 'cannot specify inbound interface with '
+ . '"masquerade" or "source" rules')
+ if (defined($self->{_inbound_if}));
+
if ($self->{_exclude}) {
$rule_str .= "-j RETURN";
} elsif ($self->{_type} eq "masquerade") {
@@ -186,9 +190,6 @@ sub rule_str {
$to_src .= "$start-$stop";
}
- return (undef, 'cannot specify inbound interface with "masquerade"')
- if (defined($self->{_inbound_if}) && ($self->{_type} eq "masquerade"));
-
if (($to_src ne "") && ($self->{_type} eq "masquerade")) {
return (undef, "cannot specify outside IP address with \"masquerade\"");
}
@@ -227,6 +228,10 @@ sub rule_str {
}
} elsif ($self->{_type} eq "destination") {
# type is destination
+ return (undef,
+ 'cannot specify outbound interface with "destination" rules')
+ if (defined($self->{_outbound_if}));
+
if ($self->{_exclude}) {
$rule_str .= "-j RETURN";
} else {
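Review bot: The new guard opening the source/masquerade branch is a three-line `return (undef, '...') if (defined($self->{_inbound_if}));` with the condition trailing after a wrapped string, while the neighbouring check in the second hunk (`if (($to_src ne "") && ($self->{_type} eq "masquerade")) { return (undef, ...); }`) uses block form, and the destination guard in the third hunk repeats the postfix shape. Writing both as `if (defined $self->{_inbound_if}) { return (undef, 'cannot specify inbound interface with "masquerade" or "source" rules'); }` puts the condition first and matches the surrounding style. Separately, the removed check rejected an inbound interface only for masquerade rules, so a stored source rule naming one was accepted before this commit and is refused at rule generation after it; the cfg-version rename to nat@3 carries no content change (0 lines in the diffstat), so if such configurations exist, whatever rewrites or rejects them presumably lives outside this commit and is worth confirming. rule_str starts and ends outside these hunks.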