From 1693cdf87f883464a10d4a91bdc32e8a595444a2 Mon Sep 17 00:00:00 2001
From: Michael Larson
Date: Thu, 20 Mar 2008 14:31:00 -0700
Subject: added final validation to address ranges and negation operators. now behavior is the same as firewall and nat.
---
 src/lbdecision.cc | 36 ++++++++++++++++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/lbdecision.cc b/src/lbdecision.cc
index fb79994..66f458b 100644
--- a/src/lbdecision.cc
+++ b/src/lbdecision.cc
@@ -281,11 +281,43 @@ LBDecision::get_application_cmd(LBRule &rule)
   }
 
   if (rule._s_addr.empty() == false) {
-    filter += "--source " + rule._s_addr + " ";
+    bool negate_flag = false;
+    string tmp(rule._s_addr);
+    if (tmp.find("!") != string::npos) {
+      negate_flag = true;
+      tmp = tmp.substr(1,tmp.length()-1);
+    }
+
+    if (tmp.find("-") != string::npos) {
+      if (negate_flag) {
+        filter += "-m iprange ! --src-range " + tmp + " ";
+      }
+      else {
+        filter += "-m iprange --src-range " + tmp + " ";
+      }
+    }
+    else {
+      if (negate_flag) {
+        filter += "--source ! " + tmp + " ";
+      }
+      else {
+        filter += "--source " + tmp + " ";
+      }
+    }
   }
 
   if (rule._d_addr.empty() == false) {
-    filter += "--destination " + rule._d_addr + " ";
+    string tmp(rule._d_addr);
+    if (tmp.find("!") != string::npos) {
+      tmp = "! " + tmp.substr(1,tmp.length()-1);
+    }
+
+    if (tmp.find("-") != string::npos) {
+      filter += "-m iprange --dst-range " + tmp + " ";
+    }
+    else {
+      filter += "--destination " + tmp + " ";
+    }
   }
 
   if (rule._proto == "udp" || rule._proto == "tcp") {
-- 
cgit v1.2.3
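Review bot: The negation check in both new blocks tests `tmp.find("!") != string::npos` but then unconditionally strips the first character, so a `!` anywhere other than position 0 leaves the `!` inside the address and drops a real character instead; `if (!tmp.empty() && tmp[0] == '!')` expresses the intended "leading negation" and also avoids emitting `--source !  ` with an empty address when the value is just `!`. The two blocks also emit negation in different shapes — `! --src-range` for source ranges but `--source ! addr` and `--dst-range ! addr` elsewhere — and the intrapositioned form is the one later iptables releases flag as deprecated, so `! --source ` / `! --dst-range ` throughout would be consistent (in the destination block that means keeping a flag as the source block does rather than prepending `"! "` to `tmp`). Nothing in the hunk validates the address text itself before it is appended to `filter`, so the validation the commit message describes presumably lives in the caller or the config parser; worth confirming, since `filter` appears to become a command line and an unvalidated value would reach it verbatim. get_application_cmd begins and ends outside this hunk.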