[fwbuilder-commits] r2338 - in branches/v3_1: . doc src/pflib src/res/help/en_US
From: <va...@in...> - 2010-01-10 19:37:21
Author: vadim
Date: 2010-01-10 11:36:41 -0800 (Sun, 10 Jan 2010)
New Revision: 2338
Modified:
   branches/v3_1/build_num
   branches/v3_1/doc/ChangeLog
   branches/v3_1/src/pflib/NATCompiler_pf.cpp
   branches/v3_1/src/res/help/en_US/release_notes_3.1.0.html
Log: fixes #1071 can't use dynamic cluster interface in NAT rules for PF
Modified: branches/v3_1/build_num
===================================================================
--- branches/v3_1/build_num	2010-01-10 14:56:34 UTC (rev 2337)
+++ branches/v3_1/build_num	2010-01-10 19:36:41 UTC (rev 2338)
@@ -1 +1 @@
-#define BUILD_NUM 2335
+#define BUILD_NUM 2337
Modified: branches/v3_1/doc/ChangeLog
===================================================================
--- branches/v3_1/doc/ChangeLog	2010-01-10 14:56:34 UTC (rev 2337)
+++ branches/v3_1/doc/ChangeLog	2010-01-10 19:36:41 UTC (rev 2338)
@@ -1,3 +1,14 @@
+2010-01-10 vadim <va...@vk...>
+
+        * NATCompiler_pf.cpp (checkForDynamicInterfacesOfOtherObjects::findDynamicInterfaces):
+        fixed bug #1071 "can't use dynamic cluster interface in NAT rules
+        for PF". In this case, cluster has interface rl1 which is mapped
+        to dynamic interfaces rl1 of two member firewalls. Cluster
+        interface object is used in the TSrc of a NAT rule. Compiler
+        refused to compile this rule with error "cluster:NAT:2: error: Can
+        not build rule using dynamic interface 'rl1' of the object 'member1'
+        because its address in unknown."
+
 2010-01-09 Vadim Kurland <va...@vk...>
         * src/res/configlets/openwrt/installer_commands_root: Added
Modified: branches/v3_1/src/pflib/NATCompiler_pf.cpp
===================================================================
--- branches/v3_1/src/pflib/NATCompiler_pf.cpp	2010-01-10 14:56:34 UTC (rev 2337)
+++ branches/v3_1/src/pflib/NATCompiler_pf.cpp	2010-01-10 19:36:41 UTC (rev 2338)
@@ -42,6 +42,8 @@
 #include "fwbuilder/IPv4.h"
 #include "fwbuilder/Firewall.h"
 #include "fwbuilder/AddressTable.h"
+#include "fwbuilder/FailoverClusterGroup.h"
+#include "fwbuilder/Cluster.h"
 #include <iostream>
 #include <iomanip>
@@ -121,6 +123,8 @@
     FWObject *p = addr;
     while ( ! Interface::isA(p) ) p=p->getParent();
     Interface *intf = Interface::cast(p);
+
+    // TODO: use replaceFailoverInterfaceInRE to replace cluster interfaces
     if (intf->getOptionsObject()->getBool("cluster_interface"))
     {
         string base_interface_id = intf->getOptionsObject()->getStr("base_interface_id");
@@ -131,6 +135,7 @@
             if (base_interface) intf = Interface::cast(base_interface);
         }
     }
+
     rule->setInterfaceId(intf->getId());
     rule->setInterfaceStr(intf->getName());
     return true;
@@ -1030,16 +1035,38 @@
     list<FWObject*> cl;
     for (list<FWObject*>::iterator i1=re->begin(); i1!=re->end(); ++i1)
     {
-        FWObject *o = *i1;
+        FWObject *o = *i1;
         FWObject *obj = o;
         if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
-        Interface *ifs =Interface::cast( obj );
+        Interface *ifs = Interface::cast(obj);
-        if (ifs!=NULL && ifs->isDyn() && ! ifs->isChildOf(compiler->fw))
+        if (ifs && Cluster::isA(ifs->getParent()))
         {
+            FailoverClusterGroup *failover_group =
+                FailoverClusterGroup::cast(
+                    ifs->getFirstByType(FailoverClusterGroup::TYPENAME));
+            if (failover_group)
+            {
+                for (FWObjectTypedChildIterator it =
+                         failover_group->findByType(FWObjectReference::TYPENAME);
+                     it != it.end(); ++it)
+                {
+                    Interface *member_iface = Interface::cast(FWObjectReference::getObject(*it));
+                    assert(member_iface);
+                    if (member_iface->isChildOf(compiler->fw))
+                    {
+                        ifs = member_iface;
+                        break;
+                    }
+                }
+            }
+        }
+
+        if (ifs && ifs->isDyn() && ! ifs->isChildOf(compiler->fw))
+        {
             char errstr[2048];
             sprintf(errstr,
-                    "Can not build rule using dynamic interface '%s' of the object '%s' because its address in unknown.",
+                    "Can not build rule using dynamic interface '%s' of the object '%s' because its address is unknown.",
                     ifs->getName().c_str(),
                     ifs->getParent()->getName().c_str());
Modified: branches/v3_1/src/res/help/en_US/release_notes_3.1.0.html
===================================================================
--- branches/v3_1/src/res/help/en_US/release_notes_3.1.0.html	2010-01-10 14:56:34 UTC (rev 2337)
+++ branches/v3_1/src/res/help/en_US/release_notes_3.1.0.html	2010-01-10 19:36:41 UTC (rev 2338)
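Review bot: The `sprintf` into the fixed `char errstr[2048]` stays unbounded while this hunk now feeds it names resolved from the cluster's failover group as well (the interface name and, after `ifs = member_iface`, the member firewall's name via `getParent()->getName()`); as far as the hunk shows nothing limits the length of those object names, so an overlong name overruns the buffer. Change the call to `snprintf(errstr, sizeof(errstr), "Can not build rule using dynamic interface '%s' of the object '%s' because its address is unknown.",` with the same two arguments. Separately, the `assert(member_iface)` in the new loop is compiled out under NDEBUG, after which a reference in the failover group that does not cast to an Interface is dereferenced at `member_iface->isChildOf(compiler->fw)`; `if (!member_iface) continue;` keeps release builds safe. The enclosing function starts before and ends after this hunk, so the fate of `errstr` past the `sprintf` is not visible here.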
@@ -426,6 +426,31 @@
 object there instead, except the program automatically picks the member firewall it compiles the policy for. </li>
+
+          <li>
+            First, the program looks at Policy and NAT rule set objects of
+            the cluster and member firewalls and compares their names. If
+            there is rule set object with the same name in both the cluster
+            and member firewall and both have non-zero number of rules, the
+            rule set object from the member is used and the one from the
+            cluster is ignored. The program prints a warning message when
+            this is done. If rule set objects with the same name exist but
+            the one in the member firewall has zero rules, it is ignored and
+            the one from the cluster is used (no warning is
+            issued). Likewise, if there are rule sets with the same name but
+            the one in the cluster has zero rules, it is ignored.
+          </li>
+
+          <li>
+            If you want to have most rules in the cluster and some in the
+            member, you can create separate rule set object in the member
+            and pass control to it using branching rule. You need to create
+            rule set with the same name in the cluster too, so that you can
+            drag it into the "branch" rule action. Leave this cluster
+            ruleset object empty so you can put rules in the member
+            firewall.
+          </li>
+
 </ul> </p> |