Send a blanket rule to old versions. New versions will still bidirecitonally enforce on the inbound side.

controller/EmbeddedNetworkController.cpp

@@ -673,12 +673,20 @@ NetworkController::ResultCode EmbeddedNetworkController::doNetworkConfigRequest(
 	json &memberCapabilities = member["capabilities"];
 	json &memberTags = member["tags"];
 
-	if (rules.is_array()) {
+	if (metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_RULES_ENGINE_REV,0) <= 0) {
-		for(unsigned long i=0;i<rules.size();++i) {
+		// Old versions with no rules engine support get an allow everything rule.
-			if (nc.ruleCount >= ZT_MAX_NETWORK_RULES)
+		// Since rules are enforced bidirectionally, newer versions *will* still
-				break;
+		// enforce rules on the inbound side.
-			if (_parseRule(rules[i],nc.rules[nc.ruleCount]))
+		nc.ruleCount = 1;
-				++nc.ruleCount;
+		nc.rules[0].t = ZT_NETWORK_RULE_ACTION_ACCEPT;
+	} else {
+		if (rules.is_array()) {
+			for(unsigned long i=0;i<rules.size();++i) {
+				if (nc.ruleCount >= ZT_MAX_NETWORK_RULES)
+					break;
+				if (_parseRule(rules[i],nc.rules[nc.ruleCount]))
+					++nc.ruleCount;
+			}
 		}
 	}