Send a blanket rule to old versions. New versions will still bidirecitonally enforce on the inbound side.

2025-06-05 03:53:44 +02:00 · 2016-11-08 14:24:30 -08:00 · 2016-11-08 14:24:30 -08:00 · 3d948a930e
commit 3d948a930e
parent 6f3595bfd2
1 changed files with 14 additions and 6 deletions
--- a/controller/EmbeddedNetworkController.cpp
+++ b/controller/EmbeddedNetworkController.cpp
@ -673,6 +673,13 @@ NetworkController::ResultCode EmbeddedNetworkController::doNetworkConfigRequest(
 	json &memberCapabilities = member["capabilities"];
 	json &memberTags = member["tags"];

+	if (metaData.getUI(ZT_NETWORKCONFIG_REQUEST_METADATA_KEY_RULES_ENGINE_REV,0) <= 0) {
+		// Old versions with no rules engine support get an allow everything rule.
+		// Since rules are enforced bidirectionally, newer versions *will* still
+		// enforce rules on the inbound side.
+		nc.ruleCount = 1;
+		nc.rules[0].t = ZT_NETWORK_RULE_ACTION_ACCEPT;
+	} else {
 		if (rules.is_array()) {
 			for(unsigned long i=0;i<rules.size();++i) {
 				if (nc.ruleCount >= ZT_MAX_NETWORK_RULES)
@ -681,6 +688,7 @@ NetworkController::ResultCode EmbeddedNetworkController::doNetworkConfigRequest(
 					++nc.ruleCount;
 			}
 		}
+	}

 	if ((memberCapabilities.is_array())&&(memberCapabilities.size() > 0)&&(capabilities.is_array())) {
 		std::map< uint64_t,json * > capsById;