Author: vadim
Date: 2010-08-19 11:13:22 -0700 (Thu, 19 Aug 2010)
New Revision: 3237
Modified:
branches/v4_1/build_num
branches/v4_1/doc/ChangeLog
branches/v4_1/src/iptlib/NATCompiler_ipt.cpp
branches/v4_1/test/ipt/objects-for-regression-tests.fwb
Log:
* NATCompiler_ipt.cpp (splitNATBranchRule::processNext): fixed #1686
"can not generate basic NAT branching rule". NAT branching rules
were not generated in single rule compile mode.
Modified: branches/v4_1/build_num
===================================================================
--- branches/v4_1/build_num 2010-08-19 17:05:26 UTC (rev 3236)
+++ branches/v4_1/build_num 2010-08-19 18:13:22 UTC (rev 3237)
@@ -1 +1 @@
-#define BUILD_NUM 3235
+#define BUILD_NUM 3236
Modified: branches/v4_1/doc/ChangeLog
===================================================================
--- branches/v4_1/doc/ChangeLog 2010-08-19 17:05:26 UTC (rev 3236)
+++ branches/v4_1/doc/ChangeLog 2010-08-19 18:13:22 UTC (rev 3237)
@@ -1,5 +1,13 @@
2010-08-19 Vadim Kurland <vadim@...>
+ * NATCompiler_ipt.cpp (splitNATBranchRule::processNext): fixed #1686
+ "can not generate basic NAT branching rule". NAT branching rules
+ were not generated in single rule compile mode because compiler
+ needs information about targets used in the branch rule set rules
+ to decide which chain the branching rule should be placed in. Now it
+ will use PREROUTING and POSTROUTING in single compile mode but issue
+ a warning.
+
* NATCompiler_PrintRule.cpp (PrintRule::processNext): fixed #1693
SF bug 3048516 "NAT rule with 'Use SNAT instead MASQ' doesn't
work". NAT rule using combination of the option "Use SNAT instead
Modified: branches/v4_1/src/iptlib/NATCompiler_ipt.cpp
===================================================================
--- branches/v4_1/src/iptlib/NATCompiler_ipt.cpp 2010-08-19 17:05:26 UTC (rev 3236)
+++ branches/v4_1/src/iptlib/NATCompiler_ipt.cpp 2010-08-19 18:13:22 UTC (rev 3237)
@@ -2006,29 +2006,31 @@
}
}
+ return true;
}
- } else
- {
- compiler->warning(rule,
- "NAT branching rule does not have information"
- " about targets used in the branch ruleset"
- " to choose proper chain in the nat table."
- " Will split the rule and place it in both"
- " PREROUTNING and POSTROUTING");
- NATRule *r = compiler->dbcopy->createNATRule();
- compiler->temp_ruleset->add(r);
- r->duplicate(rule);
- r->setStr("ipt_chain", "POSTROUTING");
- r->setStr("ipt_target", branch_name);
- tmp_queue.push_back(r);
+ }
- r = compiler->dbcopy->createNATRule();
- compiler->temp_ruleset->add(r);
- r->duplicate(rule);
- r->setStr("ipt_chain", "PREROUTING");
- r->setStr("ipt_target", branch_name);
- tmp_queue.push_back(r);
- }
+ compiler->warning(rule,
+ "NAT branching rule does not have information"
+ " about targets used in the branch ruleset"
+ " to choose proper chain in the nat table."
+ " Will split the rule and place it in both"
+ " PREROUTNING and POSTROUTING");
+ NATRule *r = compiler->dbcopy->createNATRule();
+ compiler->temp_ruleset->add(r);
+ r->duplicate(rule);
+ r->setStr("ipt_chain", "POSTROUTING");
+ r->setStr("ipt_target", branch_name);
+ tmp_queue.push_back(r);
+
+ r = compiler->dbcopy->createNATRule();
+ compiler->temp_ruleset->add(r);
+ r->duplicate(rule);
+ r->setStr("ipt_chain", "PREROUTING");
+ r->setStr("ipt_target", branch_name);
+ tmp_queue.push_back(r);
+
+ return true;
}
else
{
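Review bot: The warning string on the added lines still spells the chain as `PREROUTNING`, so anyone searching the compiler output for PREROUTING misses the one message that explains why the branch rule was duplicated into both nat chains; the last fragment should read `" PREROUTING and POSTROUTING");`. The fallback is now reached by fall-through after the added `return true;` rather than through an `else`, so it appears to run whenever the earlier block does not return. If that includes single rule compile mode, the message should say so, since the chains chosen there can differ from a full compile. The two rule-creation stanzas differ only in the chain name and could be one short loop over the two names. The enclosing processNext body starts and ends outside the hunk.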
Modified: branches/v4_1/test/ipt/objects-for-regression-tests.fwb
===================================================================
--- branches/v4_1/test/ipt/objects-for-regression-tests.fwb 2010-08-19 17:05:26 UTC (rev 3236)
+++ branches/v4_1/test/ipt/objects-for-regression-tests.fwb 2010-08-19 18:13:22 UTC (rev 3237)
@@ -47715,7 +47715,7 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
- <Firewall id="id48783X29790" host_OS="linux24" inactive="False" lastCompiled="1272404572" lastInstalled="0" lastModified="1256066997" platform="iptables" version="" name="firewall80" comment="Branch rules in NAT" ro="False">
+ <Firewall id="id48783X29790" host_OS="linux24" inactive="False" lastCompiled="1272404572" lastInstalled="0" lastModified="1282238317" platform="iptables" version="" name="firewall80" comment="Branch rules in NAT" ro="False">
<NAT id="id48857X29790" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id138652X29790" disabled="False" group="" position="0" action="NATBranch" comment="Branch rule with actual translation. Translation is ignored and warning should be issued">
<OSrc neg="False">
@@ -47805,6 +47805,94 @@
<Option name="rule_name_accounting"></Option>
</NATRuleOptions>
</NATRule>
+ <NATRule id="id57866X1812" disabled="False" group="" position="2" action="NATBranch" comment="for #1686 ">
+ <OSrc neg="False">
+ <ObjectRef ref="id48792X29790"/>
+ </OSrc>
+ <ODst neg="False">
+ <ObjectRef ref="sysid0"/>
+ </ODst>
+ <OSrv neg="False">
+ <ServiceRef ref="id3B20468D"/>
+ </OSrv>
+ <TSrc neg="False">
+ <ObjectRef ref="sysid0"/>
+ </TSrc>
+ <TDst neg="False">
+ <ObjectRef ref="sysid0"/>
+ </TDst>
+ <TSrv neg="False">
+ <ServiceRef ref="sysid1"/>
+ </TSrv>
+ <NATRuleOptions>
+ <Option name="action_on_reject"></Option>
+ <Option name="branch_id">id71294X29790</Option>
+ <Option name="classify_str"></Option>
+ <Option name="custom_str"></Option>
+ <Option name="ipf_route_opt_addr"></Option>
+ <Option name="ipf_route_opt_if"></Option>
+ <Option name="ipf_route_option">route_through</Option>
+ <Option name="ipfw_classify_method">2</Option>
+ <Option name="ipfw_pipe_port_num">0</Option>
+ <Option name="ipfw_pipe_queue_num">0</Option>
+ <Option name="ipt_continue">False</Option>
+ <Option name="ipt_gw"></Option>
+ <Option name="ipt_iif"></Option>
+ <Option name="ipt_mark_connections">False</Option>
+ <Option name="ipt_oif"></Option>
+ <Option name="ipt_tee">False</Option>
+ <Option name="pf_fastroute">False</Option>
+ <Option name="pf_route_load_option">none</Option>
+ <Option name="pf_route_opt_addr"></Option>
+ <Option name="pf_route_opt_if"></Option>
+ <Option name="pf_route_option">none</Option>
+ <Option name="rule_name_accounting"></Option>
+ </NATRuleOptions>
+ </NATRule>
+ <NATRule id="id916423X1812" disabled="False" group="" position="3" action="NATBranch" comment="for #1686 ">
+ <OSrc neg="False">
+ <ObjectRef ref="id48783X29790"/>
+ </OSrc>
+ <ODst neg="False">
+ <ObjectRef ref="sysid0"/>
+ </ODst>
+ <OSrv neg="False">
+ <ServiceRef ref="id3B20468D"/>
+ </OSrv>
+ <TSrc neg="False">
+ <ObjectRef ref="sysid0"/>
+ </TSrc>
+ <TDst neg="False">
+ <ObjectRef ref="sysid0"/>
+ </TDst>
+ <TSrv neg="False">
+ <ServiceRef ref="sysid1"/>
+ </TSrv>
+ <NATRuleOptions>
+ <Option name="action_on_reject"></Option>
+ <Option name="branch_id">id71294X29790</Option>
+ <Option name="classify_str"></Option>
+ <Option name="custom_str"></Option>
+ <Option name="ipf_route_opt_addr"></Option>
+ <Option name="ipf_route_opt_if"></Option>
+ <Option name="ipf_route_option">route_through</Option>
+ <Option name="ipfw_classify_method">2</Option>
+ <Option name="ipfw_pipe_port_num">0</Option>
+ <Option name="ipfw_pipe_queue_num">0</Option>
+ <Option name="ipt_continue">False</Option>
+ <Option name="ipt_gw"></Option>
+ <Option name="ipt_iif"></Option>
+ <Option name="ipt_mark_connections">False</Option>
+ <Option name="ipt_oif"></Option>
+ <Option name="ipt_tee">False</Option>
+ <Option name="pf_fastroute">False</Option>
+ <Option name="pf_route_load_option">none</Option>
+ <Option name="pf_route_opt_addr"></Option>
+ <Option name="pf_route_opt_if"></Option>
+ <Option name="pf_route_option">none</Option>
+ <Option name="rule_name_accounting"></Option>
+ </NATRuleOptions>
+ </NATRule>
<RuleSetOptions/>
</NAT>
<NAT id="id71294X29790" name="NAT_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
@@ -47879,20 +47967,34 @@
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
+ <Option name="activationCmd"></Option>
+ <Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
+ <Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
+ <Option name="admUser"></Option>
+ <Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
+ <Option name="classify_mark_terminating">False</Option>
+ <Option name="clear_unknown_interfaces">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
+ <Option name="configure_bonding_interfaces">False</Option>
+ <Option name="configure_bridge_interfaces">False</Option>
<Option name="configure_interfaces">True</Option>
+ <Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
+ <Option name="drop_invalid">False</Option>
<Option name="dyn_addr">False</Option>
+ <Option name="epilog_script"></Option>
+ <Option name="firewall_dir"></Option>
<Option name="firewall_is_part_of_any">True</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
+ <Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"></Option>
@@ -47918,9 +48020,10 @@
<Option name="linux24_tcp_timestamps"></Option>
<Option name="linux24_tcp_window_scaling"></Option>
<Option name="load_modules">False</Option>
- <Option name="local_nat">False</Option>
+ <Option name="local_nat">True</Option>
<Option name="log_all">False</Option>
<Option name="log_all_dropped">False</Option>
+ <Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">debug</Option>
<Option name="log_limit_suffix">/second</Option>
@@ -47929,19 +48032,29 @@
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="manage_virtual_addr">True</Option>
+ <Option name="mgmt_addr"></Option>
+ <Option name="mgmt_ssh">False</Option>
<Option name="no_iochains_for_any">False</Option>
<Option name="no_optimisation">False</Option>
+ <Option name="output_file"></Option>
<Option name="platform">iptables</Option>
+ <Option name="prolog_place">top</Option>
+ <Option name="prolog_script"></Option>
<Option name="proxy_arp">False</Option>
+ <Option name="scpArgs"></Option>
<Option name="script_env_path"></Option>
+ <Option name="script_name_on_firewall"></Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
+ <Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_ip_tool">False</Option>
+ <Option name="use_iptables_restore">False</Option>
+ <Option name="use_m_set">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">False</Option>
</FirewallOptions>