classify.m4, functions.m4: Multiple interfaces can have default nets.

Following on from the last change: if a net can be reachable through
several interfaces, then logically the default net might be reachable
through several interfaces too.  Therefore, we must be able to cope with
this situation.

diff --git a/classify.m4 b/classify.m4
index 25b16938f763cb3bb955454434ae6a15aa53471d..6ad069c6697600f812c3dd815f06d4165fbb4294 100644 (file)
--- a/classify.m4
+++ b/classify.m4
@@ -119,22 +119,30 @@ m4_divert(46)m4_dnl
 ## default interface.
 trace "nets = $allnets $allnets6"
 for net in $allnets; do
 ## default interface.
 trace "nets = $allnets $allnets6"
 for net in $allnets; do

-  case $net in
-    "$defaultiface":*)
-      ;;
-    *)
-      run iptables -t mangle -A in-$defaultiface \
+  defaultp=nil
+  for iface in $defaultifaces; do
+    case $net in $iface:*) defaultp=t ;; esac
+  done
+  case $defaultp in
+    nil)
+      for iface in $defaultifaces; do
+       run iptables -t mangle -A in-$iface \

              -s ${net#*:} -g bad-source-address
              -s ${net#*:} -g bad-source-address

+      done

       ;;
   esac
 done
 for net in $allnets6; do
       ;;
   esac
 done
 for net in $allnets6; do

-  case $net in
-    "$defaultiface":*)
-      ;;
-    *)
-      run ip6tables -t mangle -A in-$defaultiface \
+  defaultp=nil
+  for iface in $defaultifaces; do
+    case $net in $iface:*) defaultp=t ;; esac
+  done
+  case $defaultp in
+    nil)
+      for iface in $defaultifaces; do
+       run ip6tables -t mangle -A in-$iface \

              -s ${net#*:} -g bad-source-address
              -s ${net#*:} -g bad-source-address

+      done

       ;;
   esac
 done
       ;;
   esac
 done


@@ -156,7 +164,10 @@ done
 m4_divert(92)m4_dnl
 ## Put the final default decision on the in-default chain, and attach the
 ## classification chains to the PREROUTING hook.
 m4_divert(92)m4_dnl
 ## Put the final default decision on the in-default chain, and attach the
 ## classification chains to the PREROUTING hook.

-run ip46tables -t mangle -A in-$defaultiface -g mark-from-$defaultclass
+for iface in $defaultifaces; do
+  run ip46tables -t mangle -A in-$iface -g mark-from-$defaultclass
+done
+run ip46tables -t mangle -A out-classify -g mark-to-$defaultclass

 run ip46tables -t mangle -A PREROUTING -j in-classify
 run ip46tables -t mangle -A PREROUTING -j out-classify
 
 run ip46tables -t mangle -A PREROUTING -j in-classify
 run ip46tables -t mangle -A PREROUTING -j out-classify
 

diff --git a/functions.m4 b/functions.m4
index 484c30d9511ae05424e16e711c66a34d9b638ccd..ca4519ec797b0d736beef8c9ee4f80e9e9ff3f1c 100644 (file)
--- a/functions.m4
+++ b/functions.m4
@@ -344,7 +344,7 @@ defnetclass () {
 ## As a special case, the NETWORK/MASK can be the string `default', which
 ## indicates that all addresses not matched elsewhere should be considered.
 ifaces=:
 ## As a special case, the NETWORK/MASK can be the string `default', which
 ## indicates that all addresses not matched elsewhere should be considered.
 ifaces=:

-defaultiface=none
+defaultifaces=""

 allnets= allnets6=
 defiface () {
   set -e
 allnets= allnets6=
 defiface () {
   set -e


@@ -365,9 +365,16 @@ defiface () {
       netclass=${item%:*} addr=${item#*:}
       case $addr in
        default)
       netclass=${item%:*} addr=${item#*:}
       case $addr in
        default)

-         defaultiface=$name
-         defaultclass=$netclass
-         run ip46tables -t mangle -A out-classify -g mark-to-$netclass
+         case "$defaultifaces,$defaultclass" in
+           ,* | *,$netclass)
+             defaultifaces="$defaultifaces $name"
+             defaultclass=$netclass
+             ;;
+           *)
+             echo >&2 "$0: inconsistent default netclasses"
+             exit 1
+             ;;
+         esac

          ;;
        *:*)
          run ip6tables -t mangle -A in-$name -g mark-from-$netclass \
          ;;
        *:*)
          run ip6tables -t mangle -A in-$name -g mark-from-$netclass \