Send a blanket rule to old versions. New versions will still bidirecitonally enforce on the inbound side.

2024-12-22 06:17:48 +00:00 · 2016-11-08 14:24:30 -08:00 · 2016-11-08 14:24:30 -08:00 · 3d948a930e
commit 3d948a930e
parent 6f3595bfd2
1 changed files with 14 additions and 6 deletions
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@ -673,12 +673,20 @@ NetworkController::ResultCode EmbeddedNetworkController::doNetworkConfigRequest(
 	json &memberCapabilities = member["capabilities"];
 	json &memberTags = member["tags"];

-	if (rules.is_array()) {
-		for(unsigned long i=0;i<rules.size();++i) {
-			if (nc.ruleCount >= ZT_MAX_NETWORK_RULES)
-				break;
-			if (_parseRule(rules[i],nc.rules[nc.ruleCount]))
-				++nc.ruleCount;
+	if (metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_RULES_ENGINE_REV,0) <= 0) {
+		// Old versions with no rules engine support get an allow everything rule.
+		// Since rules are enforced bidirectionally, newer versions *will* still
+		// enforce rules on the inbound side.
+		nc.ruleCount = 1;
+		nc.rules[0].t = ZT_NETWORK_RULE_ACTION_ACCEPT;
+	} else {
+		if (rules.is_array()) {
+			for(unsigned long i=0;i<rules.size();++i) {
+				if (nc.ruleCount >= ZT_MAX_NETWORK_RULES)
+					break;
+				if (_parseRule(rules[i],nc.rules[nc.ruleCount]))
+					++nc.ruleCount;
+			}
 		}
 	}