author | An-Cheng Huang <ancheng@vyatta.com> | 2008-11-03 18:30:18 -0800 |
committer | An-Cheng Huang <ancheng@vyatta.com> | 2008-11-03 18:30:18 -0800 |
commit | e01c7f37a29ccc3e8a660c3c9995fd077948cc5d (patch) | |
tree | 1103b427d3dcb234ccb236bb5cc8ea016885561a | |
parent | 69153fc9f6dcaa59e95847214fbab18f43992682 (diff) | |
fix for bug 3717: enforce interface restrictions
-rw-r--r-- | Makefile.am | 2 | ||||
-rw-r--r-- | cfg-version/nat@3 (renamed from cfg-version/nat@2) | 0 | ||||
-rw-r--r-- | scripts/VyattaNatRule.pm | 11 |
3 files changed, 9 insertions, 4 deletions
diff --git a/Makefile.am b/Makefile.am
index 63966e0..b6e68e2 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -12,7 +12,7 @@ bin_sudo_users_SCRIPTS = scripts/vyatta-clear-nat
 bin_sudo_users_SCRIPTS += scripts/vyatta-nat-translations.pl
 share_perl5_DATA = scripts/VyattaNatRule.pm
 
-curver_DATA = cfg-version/nat@2
+curver_DATA = cfg-version/nat@3
 
 cpiop = find . ! -regex '\(.*~\|.*\.bak\|.*\.swp\|.*\#.*\#\)' -print0 | \
   cpio -0pd
diff --git a/cfg-version/nat@2 b/cfg-version/nat@3
index e69de29..e69de29 100644
--- a/cfg-version/nat@2
+++ b/cfg-version/nat@3
diff --git a/scripts/VyattaNatRule.pm b/scripts/VyattaNatRule.pm
index a5a96ae..a648035 100644
--- a/scripts/VyattaNatRule.pm
+++ b/scripts/VyattaNatRule.pm
@@ -148,6 +148,10 @@ sub rule_str {
     $can_use_port = 0;
   }
   if (($self->{_type} eq "source") || ($self->{_type} eq "masquerade")) {
+    return (undef, 'cannot specify inbound interface with '
+                   . '"masquerade" or "source" rules')
+      if (defined($self->{_inbound_if}));
+
     if ($self->{_exclude}) {
       $rule_str .= "-j RETURN";
     } elsif ($self->{_type} eq "masquerade") {
@@ -186,9 +190,6 @@ sub rule_str {
       $to_src .= "$start-$stop";
     }
 
-    return (undef, 'cannot specify inbound interface with "masquerade"')
-      if (defined($self->{_inbound_if}) && ($self->{_type} eq "masquerade"));
-
     if (($to_src ne "") && ($self->{_type} eq "masquerade")) {
       return (undef, "cannot specify outside IP address with \"masquerade\"");
     }
@@ -227,6 +228,10 @@ sub rule_str {
 
     }
   } elsif ($self->{_type} eq "destination") { # type is destination
+    return (undef,
+            'cannot specify outbound interface with "destination" rules')
+      if (defined($self->{_outbound_if}));
+
     if ($self->{_exclude}) {
       $rule_str .= "-j RETURN";
     } else {
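Review bot: The two new guards in VyattaNatRule.pm (the `_inbound_if` rejection at the top of the source/masquerade branch and the `_outbound_if` rejection at the top of the destination branch) say nothing about why those combinations are invalid, so a reader is left with only the error strings; a short comment on each, e.g. `# source/masquerade rules are rendered for POSTROUTING, where an inbound-interface match is meaningless` and the mirror `# destination rules are rendered for PREROUTING, where an outbound-interface match is meaningless`, would make the restriction self-explaining and tie it to bug 3717. The chain placement is inferred from the rule types and the error text rather than visible in these hunks, so confirm the wording against where rule_str's output is installed. Both guards run after `$can_use_port` has already been decided and, presumably, after earlier parts of `$rule_str` have been built; hoisting the interface validation to the start of rule_str would keep input validation ahead of rule rendering, though as written the early `return (undef, ...)` discards the partial string anyway. rule_str begins and ends outside these hunks.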