see #2405 "Tag and classify actions dont work properly with branches".

When branching rule points to a rule set that has rules with Tag and
Classify options, branching should occur in mangle table even when
checkbox "create branch in mangle table" is not checked. The fix in
this change is tentative as it creates branch in chains PREROUTING,
POSTROUTING and OUTPUT. Since target CLASSIFY is only allowed in
POSTROUTING, this may create conflict. Need to test more.

doc/ChangeLog

@@ -1,5 +1,15 @@
 2011-05-14  vadim  <vadim@netcitadel.com>
 
+	* CompilerDriver_ipt.cpp (findBranchesInMangleTable): see #2405
+	"Tag and classify actions dont work properly with branches".
+	When branching rule points to a rule set that has rules with Tag
+	and Classify options, branching should occur in mangle table even
+	when checkbox "create branch in mangle table" is not checked. The
+	fix in this change is tentative as it creates branch in chains
+	PREROUTING, POSTROUTING and OUTPUT. Since target CLASSIFY is only
+	allowed in POSTROUTING, this may create conflict. Need to test
+	more.
+
 	* AttachedNetworks.cpp (AttachedNetworks): see #1580 New object
 	type: network object that automatically matches subnets an
 	interface is attached to. The object can be a child of an

src/iptlib/CompilerDriver_ipt.cpp

@@ -88,9 +88,48 @@ void CompilerDriver_ipt::assignRuleSetChain(RuleSet *ruleset)
 // ???
 //        rule->setUniqueId( FWObjectDatabase::getStringId(rule->getId()) );
     }
-
 }
 
+void CompilerDriver_ipt::findBranchesInMangleTable(Firewall *fw,
+                                                   list<FWObject*> &all_policies)
+{
+    // special but common case: if we only have one policy, there is
+    // no need to check if we have to do branching in mangle table
+    // since we do not have any branching rules in that case.
+    if (all_policies.size() > 1)
+    {
+        for (list<FWObject*>::iterator i=all_policies.begin();
+             i!=all_policies.end(); ++i)
+        {
+            for (list<FWObject*>::iterator r=(*i)->begin();
+                 r!=(*i)->end(); ++r)
+            {
+                PolicyRule *rule = PolicyRule::cast(*r);
+                if (rule == NULL) continue; // skip RuleSetOptions object
+                FWOptions *ruleopt = rule->getOptionsObject();
+                if (rule->getAction() == PolicyRule::Branch &&
+                    ! ruleopt->getBool("ipt_branch_in_mangle"))
+                {
+                    RuleSet *ruleset = rule->getBranch();
+                    if (ruleset == NULL)
+                    {
+                        abort(fw, *i, rule,
+                              "Action branch does not point to any rule set");
+                    }
+
+                    for (list<FWObject*>::iterator br=ruleset->begin();
+                         br!=ruleset->end(); ++br)
+                    {
+                        PolicyRule *b_rule = PolicyRule::cast(*br);
+                        if (b_rule == NULL) continue;
+                        if (b_rule->getTagging() || b_rule->getClassification())
+                            ruleopt->setBool("ipt_branch_in_mangle", true);
+                    }
+                }
+            }
+        }
+    }
+}
 
 /*
  * TODO: use configlet to define structure of generated script. Need 2

src/iptlib/CompilerDriver_ipt.h

@@ -93,6 +93,8 @@ public:
                             const std::string &single_rule_id);
 
         void assignRuleSetChain(libfwbuilder::RuleSet *ruleset);
+        void findBranchesInMangleTable(libfwbuilder::Firewall*,
+                                       std::list<libfwbuilder::FWObject*> &all_policies);
 
         std::string dumpScript(libfwbuilder::Firewall *fw,
                                const std::string& automatic_rules_script,

src/iptlib/CompilerDriver_ipt_run.cpp

@@ -231,6 +231,7 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
         vector<int> ipv4_6_runs;
 
         findImportedRuleSets(fw, all_policies);
+        findBranchesInMangleTable(fw, all_policies);
         findImportedRuleSets(fw, all_nat);
 
         try

test/ipt/rc.firewall.local

@@ -4,7 +4,7 @@
 #
 #  Firewall Builder  fwb_ipt v4.3.0.3542
 #
-#  Generated Fri May 13 18:21:21 2011 PDT by vadim
+#  Generated Sat May 14 15:42:13 2011 PDT by vadim
 #
 # files: * rc.firewall.local /etc/rc.d//rc.firewall.local
 #

test/pf/pf_cluster_4_rc.conf.local

@@ -1,9 +1,9 @@
 #
 #  This is automatically generated file. DO NOT MODIFY !
 #
-#  Firewall Builder  fwb_pf v4.3.0.1
+#  Firewall Builder  fwb_pf v4.3.0.3542
 #
-#  Generated Tue May 10 14:53:34 2011 PDT by vadim
+#  Generated Sat May 14 15:46:00 2011 PDT by vadim
 #
 # files: * pf_cluster_4_rc.conf.local /etc/pf_cluster_4_rc.conf.local
 # files:   pf_cluster_4_pf.conf /etc/pf_cluster_4_pf.conf