merge from v3 r1685:1687

2026-03-22 19:27:13 +01:00 · 2009-11-06 18:09:27 +00:00 · 2009-11-06 18:09:27 +00:00 · 2e6c6d9de6
commit 2e6c6d9de6
parent 927baf9333 7971502d72
5 changed files with 45 additions and 14 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-#define BUILD_NUM 1681
+#define BUILD_NUM 1688
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -9,6 +9,18 @@
 	commands are added, then the function body won't be empty and will
 	return success.

+	* NATCompiler_pf.cpp (NATCompiler_pf::compile): fixed bug
+	#2889579: "fwb_pf crash when unnumbered interface is used in nat
+	rule". Compiler for PF crashed when unnumbered interface was used
+	in TSrc element of a NAT rule.
+
+	* PolicyCompiler_PrintRule.cpp (PrintRule::_printSrcAddr): Fixed
+	bug #2892100: "'Old boradcast' object produces 0/0 in iptables
+	script". The bug triggered when iptables version was set to 1.3.x
+	or later. "Old broadcast" object is defined as AddressRange with
+	0.0.0.0 as a start and end addresses of the range. Generated
+	script should have "0.0.0.0" but the compiler uses "0/0" instead.
+
 2009-11-04  Vadim Kurland  <vadim@vk.crocodile.org>

 	* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printDstService):
--- a/src/iptlib/NATCompiler_ipt.cpp
+++ b/src/iptlib/NATCompiler_ipt.cpp
@ -548,11 +548,15 @@ bool NATCompiler_ipt::VerifyRules::processNext()

    if (rule->getRuleType()==NATRule::SNAT ) 
    {
-        Address* o1=compiler->getFirstTSrc(rule);
+        FWObject *o1 = FWReference::getObject(tsrc->front());
        if ( ! tsrc->isAny() && Network::cast(o1)!=NULL)
            compiler->abort(
                rule, 
                "Can not use network object in translated source.");
+        if (Interface::isA(o1) && Interface::cast(o1)->isUnnumbered())
+            compiler->abort(rule,
+                            "Can not use unnumbered interface in "
+                            "Translated Source of a Source translation rule.");
    }

    if (rule->getRuleType()==NATRule::SNetnat && !tsrc->isAny() ) 
--- a/src/iptlib/PolicyCompiler_PrintRule.cpp
+++ b/src/iptlib/PolicyCompiler_PrintRule.cpp
@ -1104,13 +1104,16 @@ string PolicyCompiler_ipt::PrintRule::_printSrcAddr(RuleElement *rel,
        AddressRange *ar = AddressRange::cast(o);
        const InetAddr &range_start = ar->getRangeStart();
        const InetAddr &range_end = ar->getRangeEnd();
+
        if (range_start != range_end)
        {
            if (!have_m_iprange) { res = "-m iprange "; have_m_iprange = true; }
            res += _printSingleObjectNegation(rel) + "--src-range ";
            res += range_start.toString() + "-" + range_end.toString() + " ";
-            return res;
-        }
+        } else
+            res += range_start.toString() + " ";
+
+        return res;
    }
    return _printSingleOptionWithNegation(" -s", rel, _printAddr(o));
 }
@ -1129,8 +1132,10 @@ string PolicyCompiler_ipt::PrintRule::_printDstAddr(RuleElement *rel,
            if (!have_m_iprange) { res = "-m iprange "; have_m_iprange = true; }
            res += _printSingleObjectNegation(rel) + "--dst-range ";
            res += range_start.toString() + "-" + range_end.toString() + " ";
-            return res;
-        }
+        } else
+            res += range_start.toString() + " ";
+
+        return res;
    }
    return _printSingleOptionWithNegation(" -d", rel, _printAddr(o));
 }
--- a/src/pflib/NATCompiler_pf.cpp
+++ b/src/pflib/NATCompiler_pf.cpp
@ -449,19 +449,22 @@ bool NATCompiler_pf::VerifyRules::processNext()
    if (rule->getRuleType()==NATRule::SNAT ) 
    {
        if (tsrc->isAny())
-            compiler->abort(
-                
-                    rule, 
-                    "Source translation rule needs an address in Translated Source.");
+            compiler->abort(rule, 
+                            "Source translation rule needs an address in "
+                            "Translated Source.");
+        FWObject *o = FWReference::getObject(tsrc->front());
+        if (Interface::isA(o) && Interface::cast(o)->isUnnumbered())
+            compiler->abort(rule,
+                            "Can not use unnumbered interface in "
+                            "Translated Source of a Source translation rule.");
    }

    if (rule->getRuleType()==NATRule::DNAT || rule->getRuleType()==NATRule::Redirect ) 
    {
        if (tdst->isAny())
-            compiler->abort(
-                
-                    rule, 
-                    "Destination translation rule needs an address in Translated Destination.");
+            compiler->abort(rule, 
+                            "Destination translation rule needs an address in "
+                            "Translated Destination.");

        if ( tdst->size()!=1)
            compiler->abort(
@ -1162,6 +1165,13 @@ void NATCompiler_pf::compile()

        add( new ExpandMultipleAddresses( "expand multiple addresses" ) );

+        // we might get empty RE after expanding multiple addresses,
+        // for example when unnumbered interface is used in TSRC. Note
+        // that VerifyRules should not allow this, but we may still
+        // get here in the test mode. Calling dropRuleWithEmptyRE works
+        // as a fail-safe and prevents crash.
+        add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
+
 	if ( manage_virtual_addr )
            add( new addVirtualAddress("add virtual addresses for NAT rules"));