authorJo-Philipp Wich <jo@mein.io>2017-06-07 16:20:24 +0200
committerJo-Philipp Wich <jo@mein.io>2018-02-13 16:19:30 +0100
commit503db4a2e50519802ca6380495d4ecf32894f905 (patch)
tree8b40d163c871383fcf684c7a3076f76338d63da4
parent359adcfc54c0b1f5c8597658bc219dae57b9f082 (diff)
zones: disable masq when resolving of all masq_src or masq_dest items failed
Avoid generating 0.0.0.0/0 masquerade rules when resolution of the corresponding symbolic masq_src or masq_dest value failed. Signed-off-by: Jo-Philipp Wich <jo@mein.io>
-rw-r--r--zones.c34
1 files changed, 33 insertions, 1 deletions
diff --git a/zones.c b/zones.c
index 2aa7473..514d203 100644
--- a/zones.c
+++ b/zones.c
@@ -105,6 +105,26 @@ check_policy(struct uci_element *e, enum fw3_flag *pol, enum fw3_flag def,
}
}
+static bool
+check_masq_addrs(struct list_head *head)
+{
+ struct fw3_address *addr;
+ int n_addr = 0, n_failed = 0;
+
+ list_for_each_entry(addr, head, list)
+ {
+ if (addr->invert)
+ continue;
+
+ n_addr++;
+
+ if (!addr->set && addr->resolved)
+ n_failed++;
+ }
+
+ return (n_addr == 0 || n_failed < n_addr);
+}
+
static void
resolve_networks(struct uci_element *e, struct fw3_zone *zone)
{
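Review bot: check_masq_addrs skips inverted entries before counting (`if (addr->invert) continue;`), so a list consisting only of negated addresses that failed to resolve leaves n_addr at 0 and the function returns true. Together with the new `rv->set` test in next_addr, such a failed negation is presumably dropped from the generated rule, which widens the match towards the unrestricted 0.0.0.0/0 masquerade this commit sets out to avoid. A failed negated entry should be treated as fatal rather than ignored, e.g. `if (!addr->set && addr->resolved) { if (addr->invert) return false; n_failed++; }` placed before the invert skip. The function also deserves a header comment stating the contract, e.g. `/* false only when every non-inverted entry failed to resolve; partial failures pass */`, since the n_failed < n_addr threshold is not obvious from the name.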
@@ -209,6 +229,18 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
warn_elem(e, "has no device, network, subnet or extra options");
}
+ if (!check_masq_addrs(&zone->masq_src))
+ {
+ warn_elem(e, "has unresolved masq_src, disabling masq");
+ zone->masq = false;
+ }
+
+ if (!check_masq_addrs(&zone->masq_dest))
+ {
+ warn_elem(e, "has unresolved masq_dest, disabling masq");
+ zone->masq = false;
+ }
+
check_policy(e, &zone->policy_input, defs->policy_input, "input");
check_policy(e, &zone->policy_output, defs->policy_output, "output");
check_policy(e, &zone->policy_forward, defs->policy_forward, "forward");
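Review bot: The warning text `has unresolved masq_src, disabling masq` understates the condition it reports, because check_masq_addrs only returns false when every non-inverted entry failed to resolve; a wording such as `"has no resolvable masq_src entries, disabling masq"` (and likewise for masq_dest) matches the check. A partially resolvable list passes this hunk silently, so unless resolution failures are already warned about elsewhere, operators get no hint that the emitted rule is narrower than the configured list. The enclosing fw3_load_zones body starts and ends outside the hunk.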
@@ -480,7 +512,7 @@ next_addr(struct fw3_address *addr, struct list_head *list,
{
rv = list_entry(p, struct fw3_address, list);
- if (fw3_is_family(rv, family) && rv->invert == invert)
+ if (fw3_is_family(rv, family) && rv->set && rv->invert == invert)
return rv;
}