local.m4: Fix IGMP acceptance (debris from old interface declarations).

The rules which allowed incoming IGMP were written in terms of (a) the
old $if_... variables which have now disappeared, and (b) an explicit
list of the `trusted' networks.  Fix this to use the new system: walk
the list of networks, examine their classes, and determine the
interfaces.

diff --git a/local.m4 b/local.m4
index b31b649..36f76b3 100644 (file)
--- a/local.m4
+++ b/local.m4
@@ -237,18 +237,18 @@ run iptables -A inbound -j ACCEPT \
 ## Incoming multicast on a network interface associated with a trusted
 ## network is OK, since it must have originated there (or been forwarded, but
 ## we don't do that yet).
-for i in $(echo $if_trusted $if_dmz $if_safe | sed 'y/,/ /'); do
-  echo $i
-done | {
-  seen=:
-  while read i; do
-    case "$seen" in *:$i:*) continue ;; esac
-    seen=$seen$i:
+seen=:-:
+for net in $allnets; do
+  eval class=\$net_class_$net
+  case $class in trusted) ;; *) continue ;; esac
+  for iface in $(net_interfaces FWHOST $net); do
+    case "$seen" in *:$iface:*) continue ;; esac
+    seen=$seen$iface:
     run iptables -A inbound -j ACCEPT \
        -s 0.0.0.0 -d 224.0.0.0/24 \
-       -i $i
+       -i $iface
   done
-}
+done
 
 ## Allow incoming ping.  This is the only ICMP left.
 run ip46tables -A inbound -j ACCEPT -p icmp