Do not generate anti-spoof rules for optional interfaces that have other interfaces...

git-svn-id: https://svn.m0n0.ch/wall/trunk@140 e36fee2c-cc09-0410-a7cc-ebac5c6737de

diff --git a/CHANGELOG b/CHANGELOG
index b0b688875755e9fd0abc232377347200f0d7eb93..3955b800d742e2777379a0a2727ea5be761f987c 100644 (file)
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -3,6 +3,10 @@ $Id$
 *** Note: Please add new entries to the top of this file. ***
 -------------------------------------------------------------------------------
 
+- do not generate anti-spoof rules for optional interfaces that have other interfaces
+  bridged to them (as opposed to being bridged to another interface, which was already
+  handled properly) when the filtering bridge is on (mkasper)
+
 - added support for 3rd party extensions in the group management and dynamic menu system. (ptaylor)
   - Thanks to Leo Fante for code modifications
 

diff --git a/phpconf/inc/filter.inc b/phpconf/inc/filter.inc
index 8587748a169de5c00d5e2c189aa47d13f85bce2f..52e210b9c6c0855b6e6d4b2f85b78ad0e5b0e4e1 100644 (file)
--- a/phpconf/inc/filter.inc
+++ b/phpconf/inc/filter.inc
@@ -457,7 +457,15 @@ EOD;
        /* OPT spoof check */
        foreach ($optcfg as $on => $oc) {
                /* omit for bridged interfaces when the filtering bridge is on */
-               if ($oc['ip'] && (!$oc['bridge'] || !isset($config['bridge']['filteringbridge'])))
+               $isbridged = false;
+               foreach ($optcfg as $on2 => $oc2) {
+                       if ($oc2['bridge'] && $oc2['bridge_if'] == $on) {
+                               $isbridged = true;
+                               break;
+                       }
+               }
+               
+               if ($oc['ip'] && !(($oc['bridge'] || $isbridged) && isset($config['bridge']['filteringbridge'])))
                        $ipfrules .= filter_rules_spoofcheck_generate($on, $oc['if'], $oc['sa'], $oc['sn'], $log);
        }