return (($address_bin ge $network_bin) && ($address_bin le $broadcast_bin));
}
+sub ip_address_is_multicast($) {
+ my $network = shift;
+
+ # Get the first IP address from the network
+ unless (&check_ip_address($network)) {
+ $network = &get_netaddress($network);
+ }
+
+ return &ip_address_in_network($network, "224.0.0.0/4");
+}
+
sub setup_upstream_proxy() {
my %proxysettings = ();
&General::readhash("${General::swroot}/proxy/settings", \%proxysettings);
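Review bot: ip_address_is_multicast never checks what get_netaddress returned before handing it to ip_address_in_network, so an argument that is neither a valid address nor a valid network (as far as check_ip_address is concerned) reaches the comparison as whatever get_netaddress yields for bad input — presumably undef, which would make the `ge`/`le` checks run on an undefined value. A guard between the unless block and the return, `return 0 unless defined $network;`, keeps the helper from answering "not multicast" by accident of string comparison. It is also worth saying in a header comment that a network is classified by its network address only, so a prefix that spans the 224.0.0.0/4 boundary (say 192.0.0.0/2) is not reported as multicast; a caller building firewall rules should know that. Suggested comment above the sub: `# Returns true if the given IPv4 address, or the network address of the given network, lies in 224.0.0.0/4.`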
$result = &ip_address_in_network("10.0.1.4", "10.0.0.0/8");
assert($result);
+ $result = &ip_address_is_multicast("224.0.0.0");
+ assert($result);
+
+ $result = &ip_address_is_multicast("224.1.2.3/30");
+ assert($result);
+
return 0;
}
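Review bot: Both new assertions are positive cases, so a broken implementation that returned true for everything would still pass; the /4 boundary is what this helper exists to enforce and is never pinned. Adding `assert(!&ip_address_is_multicast("223.255.255.255"));` and `assert(!&ip_address_is_multicast("240.0.0.0"));` covers the address just below and just above the range, and a network form such as `assert(!&ip_address_is_multicast("10.0.0.0/8"));` checks the get_netaddress path as well. The enclosing test sub starts outside this hunk.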
# Add ratelimiting option
push(@options, @ratelimit_options);
+ # Check for multicast destination
+ my $is_multicast = 0;
+ if ($destination) {
+ $is_multicast = &Network::ip_address_is_multicast($destination);
+ }
+
my $firewall_is_in_source_subnet = 1;
if ($source) {
$firewall_is_in_source_subnet = &firewall_is_in_subnet($source);
}
my $firewall_is_in_destination_subnet = 1;
- if ($destination) {
+ if ($destination && !$is_multicast) {
$firewall_is_in_destination_subnet = &firewall_is_in_subnet($destination);
}
# If the firewall is part of the destination subnet and access to the destination network
# is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
# for the firewall, too.
- if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
+ # Multicast packages will also always be received by the firewall.
+ if (($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) || $is_multicast) {
if ($LOG && !$NAT) {
run("$IPTABLES -A $CHAIN_INPUT @options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
}
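Review bot: The `|| $is_multicast` added on the condition line bypasses the `@special_input_targets` guard, and it appears to be unnecessary for the case the comment describes: because the multicast check above skips the firewall_is_in_subnet call, `$firewall_is_in_destination_subnet` already stays at its initial 1 for a multicast destination, so the left operand is true whenever the target is one of the special input targets. The only effect the new operand has is that a rule whose target is not in `@special_input_targets` is also emitted into `$CHAIN_INPUT` when the destination is multicast, which reads as an unintended widening of which targets may land in the INPUT chain. If that is not the goal, the guard can stay as `if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {` with the multicast comment kept above it; if it is the goal, the comment should say which targets are expected to reach INPUT for multicast and why. Note also that ip_address_is_multicast classifies a destination network by its network address, so a broad prefix overlapping 224.0.0.0/4 would not be treated as multicast here. The body of this if statement and the enclosing function continue outside the hunk.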