From 3a68f6887e27cd5e9369a9c421e417e59acef08b Mon Sep 17 00:00:00 2001
From: Mark Wooding
Date: Sun, 10 Jul 2011 21:42:38 +0100
Subject: [PATCH] classify.m4, functions.m4: Multiple interfaces can have default nets.

Following on from the last change: if a net can be reachable through several interfaces, then logically the default net might be reachable through several interfaces too. Therefore, we must be able to cope with this situation.
---
 classify.m4 | 33 ++++++++++++++++++++++-----------
 functions.m4 | 15 +++++++++++----
 2 files changed, 33 insertions(+), 15 deletions(-)

diff --git a/classify.m4 b/classify.m4
index 25b1693..6ad069c 100644
--- a/classify.m4
+++ b/classify.m4
@@ -119,22 +119,30 @@ m4_divert(46)m4_dnl
 ## default interface.
 trace "nets = $allnets $allnets6"
 for net in $allnets; do
- case $net in
- "$defaultiface":*)
- ;;
- *)
- run iptables -t mangle -A in-$defaultiface \
+ defaultp=nil
+ for iface in $defaultifaces; do
+ case $net in $iface:*) defaultp=t ;; esac
+ done
+ case $defaultp in
+ nil)
+ for iface in $defaultifaces; do
+ run iptables -t mangle -A in-$iface \
 -s ${net#*:} -g bad-source-address
+ done
 ;;
 esac
 done
 for net in $allnets6; do
- case $net in
- "$defaultiface":*)
- ;;
- *)
- run ip6tables -t mangle -A in-$defaultiface \
+ defaultp=nil
+ for iface in $defaultifaces; do
+ case $net in $iface:*) defaultp=t ;; esac
+ done
+ case $defaultp in
+ nil)
+ for iface in $defaultifaces; do
+ run ip6tables -t mangle -A in-$iface \
 -s ${net#*:} -g bad-source-address
+ done
 ;;
 esac
 done
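Review bot: The `defaultp` pre-scan exempts a net from the bad-source-address rule on every default interface as soon as it is declared under any one of them, so with two default interfaces A and B a net declared only under A is no longer rejected when its source address shows up on B; before this change there was a single default interface, so a net was exempt only on the interface it was actually declared under. If, as the previous commit's wording suggests, a net is meant to be listed under each interface it is genuinely reachable from, the anti-spoofing check should stay per interface rather than per group of default interfaces. The per-interface form below also restores the quoting of the interface name in the case pattern (`"$iface":*`), which the hunk drops; the `$allnets6` loop needs the same treatment, and since the two loops are now identical apart from the binary, a small helper taking the iptables command as an argument would keep them from drifting.
```shell
for net in $allnets; do
  for iface in $defaultifaces; do
    case $net in
    "$iface":*)
      ;;
    *)
      run iptables -t mangle -A in-$iface \
        -s ${net#*:} -g bad-source-address
      ;;
    esac
  done
done
## … the $allnets6 loop: same shape, with ip6tables …
```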
@@ -156,7 +164,10 @@ done m4_divert(92)m4_dnl ## Put the final default decision on the in-default chain, and attach the ## classification chains to the PREROUTING hook. -run ip46tables -t mangle -A in-$defaultiface -g mark-from-$defaultclass +for iface in $defaultifaces; do + run ip46tables -t mangle -A in-$iface -g mark-from-$defaultclass +done +run ip46tables -t mangle -A out-classify -g mark-to-$defaultclass run ip46tables -t mangle -A PREROUTING -j in-classify run ip46tables -t mangle -A PREROUTING -j out-classify diff --git a/functions.m4 b/functions.m4 index 484c30d..ca4519e 100644 --- a/functions.m4 +++ b/functions.m4 @@ -344,7 +344,7 @@ defnetclass () { ## As a special case, the NETWORK/MASK can be the string `default', which ## indicates that all addresses not matched elsewhere should be considered. ifaces=: -defaultiface=none +defaultifaces="" allnets= allnets6= defiface () { set -e @@ -365,9 +365,16 @@ defiface () { netclass=${item%:*} addr=${item#*:} case $addr in default) - defaultiface=$name - defaultclass=$netclass - run ip46tables -t mangle -A out-classify -g mark-to-$netclass + case "$defaultifaces,$defaultclass" in + ,* | *,$netclass) + defaultifaces="$defaultifaces $name" + defaultclass=$netclass + ;; + *) + echo >&2 "$0: inconsistent default netclasses" + exit 1 + ;; + esac ;; *:*) run ip6tables -t mangle -A in-$name -g mark-from-$netclass \ -- 2.11.0
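Review bot: `run ip46tables -t mangle -A out-classify -g mark-to-$defaultclass` now runs unconditionally, whereas before it was issued from defiface only when a `default` net had been declared; with a configuration that declares no default, `$defaultclass` is empty and the rule becomes `-g mark-to-`, which ip46tables will presumably reject as a missing chain, while the new `for iface in $defaultifaces` loop just above silently does nothing. Unless a default declaration is mandatory elsewhere in the setup, either guard the rule with `case $defaultclass in ?*) run ip46tables -t mangle -A out-classify -g mark-to-$defaultclass ;; esac` or fail early with an explicit `echo >&2 "$0: no default net declared"; exit 1` so the misconfiguration is reported as such rather than as an iptables error.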
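Review bot: `$netclass` is unquoted in the new pattern `,* | *,$netclass)`, so a netclass containing glob characters (`*`, `?`, `[`) would match an unrelated class and suppress the inconsistency error; quote it as `,* | *,"$netclass")`. The diagnostic would also be more useful if it named the conflict, e.g. `echo >&2 "$0: interface $name: default netclass $netclass conflicts with $defaultclass"`. Note too that the check does not notice a second `default` entry for the same interface name: `$name` is appended to `$defaultifaces` again, which presumably just installs the mark-from and bad-source rules for that interface twice, but a diagnostic may be preferable. defiface's body continues outside the hunk.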