From 1350d8bc30445a41e60f55b94a92a08984026a30 Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Thu, 19 Apr 2018 22:23:27 -0400
Subject: [PATCH 1/1] firewall: fix generation of outgoing rules on webserver
Was not concatenating domain suffix and was filtered out.
---
 src/plugins/firewall.sml | 30 +++++++++++++++++-------------
 1 file changed, 17 insertions(+), 13 deletions(-)
diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml
index bb58a84..1131f20 100644
--- a/src/plugins/firewall.sml
+++ b/src/plugins/firewall.sml
@@ -158,19 +158,23 @@ fun generateNodeFermRules rules =
 fun confLine_out_v6 (uname, rule) = confLine outputLines_v6 (uname, formatOutputRule (rule, FwIPv6))
 fun insertConfLine (uname, ruleNode, rule) =
- case rule of
- Client (ports, hosts) => (confLine_out (uname, rule); confLine_out_v6 (uname, rule))
- | Server (ports, hosts) => (confLine_in (uname, rule); confLine_in_v6 (uname, rule))
- | LocalServer ports => (insertConfLine (uname, ruleNode, Client (ports, ["127.0.0.1/8"]));
- insertConfLine (uname, ruleNode, Server (ports, ["127.0.0.1/8"]));
- insertConfLine (uname, ruleNode, Client (ports, [":::1"]));
- insertConfLine (uname, ruleNode, Server (ports, [":::1"])))
- | ProxiedServer ports => if (fn FirewallNode r => r) ruleNode = Slave.hostname () then
- (insertConfLine (uname, ruleNode, Server (ports, ["$WEBNODES"]));
- insertConfLine (uname, ruleNode, Client (ports, [(fn FirewallNode r => r ^ "." ^ Config.defaultDomain) ruleNode])))
- else (* we are a web server *)
- (insertConfLine (uname, ruleNode, Client (ports, [(fn FirewallNode r => r ^ "." ^ Config.defaultDomain) ruleNode]));
- insertConfLine (User "www-data", ruleNode, Client (ports, [(fn FirewallNode r => r) ruleNode])))
+ let
+ val fwnode_domain = fn FirewallNode node => node ^ "." ^ Config.defaultDomain
+ in
+ case rule of
+ Client (ports, hosts) => (confLine_out (uname, rule); confLine_out_v6 (uname, rule))
+ | Server (ports, hosts) => (confLine_in (uname, rule); confLine_in_v6 (uname, rule))
+ | LocalServer ports => (insertConfLine (uname, ruleNode, Client (ports, ["127.0.0.1/8"]));
+ insertConfLine (uname, ruleNode, Server (ports, ["127.0.0.1/8"]));
+ insertConfLine (uname, ruleNode, Client (ports, [":::1"]));
+ insertConfLine (uname, ruleNode, Server (ports, [":::1"])))
+ | ProxiedServer ports => if (fn FirewallNode r => r) ruleNode = Slave.hostname () then
+ (insertConfLine (uname, ruleNode, Server (ports, ["$WEBNODES"]));
+ insertConfLine (uname, ruleNode, Client (ports, [fwnode_domain ruleNode])))
+ else (* we are a web server *)
+ (insertConfLine (uname, ruleNode, Client (ports, [fwnode_domain ruleNode]));
+ insertConfLine (User "www-data", ruleNode, Client (ports, [fwnode_domain ruleNode])))
+ end
 val _ = map insertConfLine (filter_node_rules rules)
 in
-- 
2.20.1
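Review bot: The new `fwnode_domain` binding carries no comment saying why the fully-qualified name is required, even though the commit message is the only place recording that a bare node name was being filtered out of the generated rules; the `else` branch, where the `User "www-data"` Client rule switches from the bare name to the FQDN, is exactly where a future reader will wonder whether the suffix is needed. I would add above the `val`: `(* Rule hosts must be the node's FQDN: a bare node name was being dropped from the outgoing rules (see commit history). *)`. Separately, the `if` on the ProxiedServer arm still compares the bare name from `(fn FirewallNode r => r) ruleNode` with `Slave.hostname ()` while every destination now uses the FQDN; if `Slave.hostname ()` were ever to return a qualified name, this node would silently take the web-server path and emit only outgoing rules, so hoisting that lambda into a sibling `val fwnode_name = fn FirewallNode node => node` next to `fwnode_domain` and commenting the expected form of the hostname would make the asymmetry visible. Both `fn FirewallNode … => …` lambdas are non-exhaustive if the ruleNode type has other constructors, which I cannot see from this hunk. The enclosing `generateNodeFermRules` begins and ends outside the hunk.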