From 794c19eafcc1c1a8aed86d23a06906ded060c111 Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Thu, 19 Apr 2018 21:22:13 -0400
Subject: [PATCH] fwtool: filterHosts fixes

* Use FQDN for domtool nodes in case they have IPv6 addresses
* Allow ferm variables in hosts lists (for `$WEBNODES')
* Split 127.0.0.1 and :::1 rules (filterHosts will remove the one we don't want)
---
 src/plugins/firewall.sml | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)

diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml
index 9ceaeea..bb58a84 100644
--- a/src/plugins/firewall.sml
+++ b/src/plugins/firewall.sml
@@ -104,12 +104,12 @@ fun dnsExists dnsRR dnsRecord =
 | (_, NONE) => false
 end
+fun fermVariable x = String.isPrefix "$" x
 fun filterHosts (hosts, ipv6) =
- List.filter (fn host => if (Domain.validIpv6 host orelse Domain.validIp host)
- then
- true
- else
- dnsExists ipv6 host)
+ List.filter (fn host => fermVariable host
+ orelse (case ipv6 of FwIPv6 => Domain.validIpv6 host
+ | FwIPv4 => Domain.validIp host)
+ orelse dnsExists ipv6 host)
 hosts
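Review bot: `fermVariable` accepts any host string that merely starts with `$`, so if the `hosts` list reaching `filterHosts` can come from user-written Client/Server rules (the only internally generated value visible here is `$WEBNODES`), a value such as `$FOO` or `$WEBNODES) ...` now skips the IP/DNS validation entirely and is emitted verbatim into the generated ferm config. Since this commit only needs one variable, a whitelist is the tighter check: `fun fermVariable x = List.exists (fn v => v = x) ["$WEBNODES"]`. If more variables are anticipated, at least require the remainder after `$` to be identifier characters rather than relying on a bare prefix test. A short comment on the new function, such as `(* ferm variable reference, e.g. $WEBNODES; not validated as an address *)`, would also make the bypass explicit to later readers.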
@@ -161,13 +161,15 @@ fun generateNodeFermRules rules =
 case rule of
 Client (ports, hosts) => (confLine_out (uname, rule); confLine_out_v6 (uname, rule))
 | Server (ports, hosts) => (confLine_in (uname, rule); confLine_in_v6 (uname, rule))
- | LocalServer ports => (insertConfLine (uname, ruleNode, Client (ports, ["127.0.0.1/8", ":::1"]));
- insertConfLine (uname, ruleNode, Server (ports, ["127.0.0.1/8", ":::1"])))
+ | LocalServer ports => (insertConfLine (uname, ruleNode, Client (ports, ["127.0.0.1/8"]));
+ insertConfLine (uname, ruleNode, Server (ports, ["127.0.0.1/8"]));
+ insertConfLine (uname, ruleNode, Client (ports, [":::1"]));
+ insertConfLine (uname, ruleNode, Server (ports, [":::1"])))
 | ProxiedServer ports => if (fn FirewallNode r => r) ruleNode = Slave.hostname () then (insertConfLine (uname, ruleNode, Server (ports, ["$WEBNODES"]));
- insertConfLine (uname, ruleNode, Client (ports, [(fn FirewallNode r => r) ruleNode])))
+ insertConfLine (uname, ruleNode, Client (ports, [(fn FirewallNode r => r ^ "." ^ Config.defaultDomain) ruleNode])))
 else (* we are a web server *)
- (insertConfLine (uname, ruleNode, Client (ports, [(fn FirewallNode r => r) ruleNode]));
+ (insertConfLine (uname, ruleNode, Client (ports, [(fn FirewallNode r => r ^ "." ^ Config.defaultDomain) ruleNode]));
 insertConfLine (User "www-data", ruleNode, Client (ports, [(fn FirewallNode r => r) ruleNode])))
 val _ = map insertConfLine (filter_node_rules rules)
-- 
2.20.1
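Review bot: The `User "www-data"` Client rule at the end of the web-server branch still uses the bare short hostname, `(fn FirewallNode r => r) ruleNode`, while the two `uname` rules in this hunk were switched to the FQDN; by the commit's own rationale, an IPv6-only node will presumably fail `dnsExists FwIPv6` on the short name and that www-data rule is then silently dropped by `filterHosts`. Change it to `insertConfLine (User "www-data", ruleNode, Client (ports, [(fn FirewallNode r => r ^ "." ^ Config.defaultDomain) ruleNode]))`, or bind the FQDN once (e.g. `val nodeFqdn = (fn FirewallNode r => r ^ "." ^ Config.defaultDomain) ruleNode` in a `let` around the `case`) and use it in all three places so the lambda is not repeated. The same silent-drop behaviour now governs the split LocalServer rules: `:::1` is not the conventional IPv6 loopback literal (`::1`), and if `Domain.validIpv6` rejects it the v6 loopback lines vanish with no diagnostic — worth confirming, and worth emitting a warning whenever `filterHosts` discards a literal address rather than a DNS name. The enclosing `insertConfLine`/`generateNodeFermRules` definition begins before this hunk.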