fixed SF bug 3428992: "PF: rules order problem with IPv4 and

IPv6". Compiler for PF should group ipv4 and ipv6 NAT rules together,
before it generates ipv4 and ipv6 policy rules.

doc/ChangeLog

@@ -5,6 +5,11 @@
 	ruleset (anchor)". Compiler for PF did not inlcude rules generated
 	for IPv6 in generated PF anchor configuration files.
 
+	* CompilerDriver_pf_run.cpp (CompilerDriver_pf::run): fixed SF bug
+	3428992: "PF: rules order problem with IPv4 and IPv6". Compiler
+	for PF should group ipv4 and ipv6 NAT rules together, before it
+	generates ipv4 and ipv6 policy rules.
+
 	* BaseObjectDialog.cpp (connectSignalsOfAllWidgetsToSlotChange):
 	fixed SF bug #3433587 "Manual edit of new service Destination Port
 	END value fails". This bug made it impossible to edit the value of

src/pflib/CompilerDriver_pf_run.cpp

@@ -424,35 +424,14 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
         }
 
         ostringstream* main_str = new ostringstream();
+        list<NATCompiler_pf::redirectRuleInfo> redirect_rules_info;
 
         for (vector<int>::iterator i=ipv4_6_runs.begin();
              i!=ipv4_6_runs.end(); ++i)
         {
-            int policy_af = *i;
-            bool ipv6_policy = (policy_af == AF_INET6);
-
-            // Count rules for each address family
-            int nat_count = 0;
-            int policy_count = 0;
-
-            for (list<FWObject*>::iterator p=all_nat.begin();
-                 p!=all_nat.end(); ++p)
-            {
-                NAT *nat = NAT::cast(*p);
-                if (nat->matchingAddressFamily(policy_af)) nat_count++;
-            }
-
-            for (list<FWObject*>::iterator p=all_policies.begin();
-                 p!=all_policies.end(); ++p)
-            {
-                Policy *policy = Policy::cast(*p);
-                if (policy->matchingAddressFamily(policy_af)) policy_count++;
-            }
-
-            if (nat_count || policy_count)
-            {
-                Preprocessor_pf* prep = new Preprocessor_pf(
-                    objdb , fw, ipv6_policy);
+            int ruleset_address_family = *i;
+            bool is_ipv6 = (ruleset_address_family == AF_INET6);
+            Preprocessor_pf* prep = new Preprocessor_pf(objdb , fw, is_ipv6);
             prep->setSingleRuleCompileMode(single_rule_id);
             if (inTestMode()) prep->setTestMode();
             if (inEmbeddedMode()) prep->setEmbeddedMode();
@@ -460,14 +439,22 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
             delete prep;
         }
 
-            list<NATCompiler_pf::redirectRuleInfo> redirect_rules_info;
+        // ################################################################
+        // First I process NAT rules, both ipv4 and ipv6, then process
+        // ipv4 and ipv6 policy rules. See SF bug 3428992
+
+        for (vector<int>::iterator i=ipv4_6_runs.begin();
+             i!=ipv4_6_runs.end(); ++i)
+        {
+            int ruleset_address_family = *i;
+            bool is_ipv6 = (ruleset_address_family == AF_INET6);
 
             for (list<FWObject*>::iterator p=all_nat.begin();
                  p!=all_nat.end(); ++p )
             {
                 NAT *nat = NAT::cast(*p);
 
-                if (!nat->matchingAddressFamily(policy_af)) continue;
+                if (!nat->matchingAddressFamily(ruleset_address_family)) continue;
                 if (nat->getBool(".skip_ruleset")) continue;
 
                 QString ruleset_name = QString::fromUtf8(nat->getName().c_str());
@@ -479,7 +466,7 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
                         new fwcompiler::TableFactory(this, fw, persistent_objects, &group_registry);
                 }
 
-                NATCompiler_pf n( objdb, fw, ipv6_policy, oscnf.get(),
+                NATCompiler_pf n( objdb, fw, is_ipv6, oscnf.get(),
                                   table_factories[ruleset_name]
                 );
 
@@ -538,14 +525,23 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
                 redirect_rules_info.insert(redirect_rules_info.begin(),
                                            lst.begin(), lst.end());
             }
+        }
 
+        // ################################################################
+        // Process policy rule sets
+
+        for (vector<int>::iterator i=ipv4_6_runs.begin();
+             i!=ipv4_6_runs.end(); ++i)
+        {
+            int ruleset_address_family = *i;
+            bool is_ipv6 = (ruleset_address_family == AF_INET6);
 
             for (list<FWObject*>::iterator p=all_policies.begin();
                  p!=all_policies.end(); ++p )
             {
                 Policy *policy = Policy::cast(*p);
 
-                if (!policy->matchingAddressFamily(policy_af)) continue;
+                if (!policy->matchingAddressFamily(ruleset_address_family)) continue;
                 if (policy->getBool(".skip_ruleset")) continue;
 
                 QString ruleset_name = QString::fromUtf8(policy->getName().c_str());
@@ -557,7 +553,7 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
                         new fwcompiler::TableFactory(this, fw, persistent_objects, &group_registry);
                 }
 
-                PolicyCompiler_pf c( objdb, fw, ipv6_policy, oscnf.get(),
+                PolicyCompiler_pf c( objdb, fw, is_ipv6, oscnf.get(),
                                      &redirect_rules_info,
                                      table_factories[ruleset_name]
                 );

src/res/help/en_US/release_notes_5.0.1.html

@@ -325,6 +325,14 @@
     </p>
   </li>
 
+  <li>
+    <p>
+      fixed SF bug 3428992: "PF: rules order problem with IPv4 and
+      IPv6". Compiler for PF should group ipv4 and ipv6 NAT rules
+      together, before it generates ipv4 and ipv6 policy rules.
+    </p>
+  </li>
+
 
 </ul>