fixed #1693 , SF bug 3048516: "NAT rule with 'Use SNAT instead MASQ'

doesn't work".
2026-03-20 02:07:23 +01:00 · 2010-08-19 17:05:26 +00:00 · 2010-08-19 17:05:26 +00:00 · 2ea02ccf67
commit 2ea02ccf67
parent 5718886174
5 changed files with 51 additions and 5 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-#define BUILD_NUM 3234
+#define BUILD_NUM 3235
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,11 @@
+2010-08-19  Vadim Kurland  <vadim@vk.crocodile.org>
+
+	* NATCompiler_PrintRule.cpp (PrintRule::processNext): fixed #1693
+	SF bug 3048516 "NAT rule with 'Use SNAT instead MASQ' doesn't
+	work".  NAT rule using combination of the option "Use SNAT instead
+	of MASQ", dynamic address of an interface and source port
+	translation produced iptables command with incorrect syntax.
+
 2010-08-18  Vadim Kurland  <vadim@vk.crocodile.org>

 	* Helper.cpp (list): fixed #1691 , this is a better fix for the
--- a/src/iptlib/NATCompiler_PrintRule.cpp
+++ b/src/iptlib/NATCompiler_PrintRule.cpp
@ -60,6 +60,7 @@

 #include <assert.h>

+#include <QString>
 #include <QStringList>

 using namespace libfwbuilder;
@ -724,9 +725,21 @@ bool NATCompiler_ipt::PrintRule::processNext()
 	    cmdout << "--to-source ";
            // if TSrc is "any" and this is SNAT rule, then this rule only
            // translates source port. Skip address part.
-            if (!tsrc->isAny()) cmdout << _printAddr(tsrc, false, true);
+            // Note for #1693: _printAddr() returns string that ends with a space,
+            // but there should be no space if the address is followed by port
+            // spec.
+            QString addr_part;
+            if (!tsrc->isAny())
+            {
+                addr_part = _printAddr(tsrc, false, true).c_str();
+            }
 	    string ports = _printSNATPorts(tsrv);
-	    if (!ports.empty()) cmdout << ":" << ports;
+	    if (!ports.empty())
+            {
+                cmdout << addr_part.trimmed().toStdString()
+                       << ":" << ports;
+            } else
+                cmdout << addr_part.toStdString();

            if (ropt->getBool("ipt_nat_random")) cmdout << " --random";
            if (XMLTools::version_compare(version, "1.4.3")>=0)
--- a/src/iptlib/OSConfigurator_linux24.cpp
+++ b/src/iptlib/OSConfigurator_linux24.cpp
@ -515,7 +515,7 @@ string OSConfigurator_linux24::printRunTimeWrappers(FWObject *rule,

    command_wrappers->setVariable("address_table", false);

-    QRegExp intf_re("\\$i_(\\S+)");
+    QRegExp intf_re("\\$i_([^ :]+)");

    QStringList iface_names;
    QStringList iface_vars;
--- a/test/ipt/objects-for-regression-tests.fwb
+++ b/test/ipt/objects-for-regression-tests.fwb
@ -14059,7 +14059,7 @@
          <Option name="verify_interfaces">False</Option>
        </FirewallOptions>
      </Firewall>
-      <Firewall id="id3D94D4F8" host_OS="linux24" inactive="False" lastCompiled="1272404308" lastInstalled="1142003872" lastModified="1266172388" platform="iptables" version="" name="firewall11" comment="testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. &#10;&#10;This is BRIDGING FIREWALL &#10;Firewall is part of any is OFF&#10;&#10;Interfaces eth0 and eth1 are parts of the bridge; Interface eth2 is external interface (doing NAT and routing on this interface) Interface eth3 is connected to protected network and is used to manage firewall. This is rather realistic configuration for the bridging firewall " ro="False">
+      <Firewall id="id3D94D4F8" host_OS="linux24" inactive="False" lastCompiled="1272404308" lastInstalled="1142003872" lastModified="1282234973" platform="iptables" version="" name="firewall11" comment="testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. &#10;&#10;This is BRIDGING FIREWALL &#10;Firewall is part of any is OFF&#10;&#10;Interfaces eth0 and eth1 are parts of the bridge; Interface eth2 is external interface (doing NAT and routing on this interface) Interface eth3 is connected to protected network and is used to manage firewall. This is rather realistic configuration for the bridging firewall " ro="False">
        <NAT id="id3D94D4F9" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <NATRule id="id3E854D22" disabled="True" position="0" action="Translate" comment="">
            <OSrc neg="False">
@ -14103,6 +14103,31 @@
            </TSrv>
            <NATRuleOptions/>
          </NATRule>
+          <NATRule id="id57837X26254" disabled="False" group="" position="2" action="Translate" comment="see bug #1693 , SF bug 3048516&#10;combination of using SNAT instead of MASQ,&#10;source port translation and dynamic interface">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="id3CE719F5"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="id3E21FC66"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="id3CE719F5"/>
+            </TSrv>
+            <NATRuleOptions>
+              <Option name="ipt_nat_persistent">False</Option>
+              <Option name="ipt_nat_random">False</Option>
+              <Option name="ipt_use_snat_instead_of_masq">True</Option>
+            </NATRuleOptions>
+          </NATRule>
          <RuleSetOptions/>
        </NAT>
        <Policy id="id3D94D508" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">