* NATCompiler_ipt.cpp (AssignInterface::processNext): fixed bug

#1064: "Dedicated IPv6 interfaces show up in IPv4-NAT rules". Use interface only if it has addresses that match address family we compile for. fixes #1064
2026-03-21 10:47:16 +01:00 · 2010-01-08 19:32:20 +00:00 · 2010-01-08 19:32:20 +00:00 · 3b3a4678e4
commit 3b3a4678e4
parent 7c4a31d461
4 changed files with 48 additions and 15 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-#define BUILD_NUM 2323
+#define BUILD_NUM 2324
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,10 @@
+2010-01-08  Vadim Kurland  <vadim@vk.crocodile.org>
+
+	* NATCompiler_ipt.cpp (AssignInterface::processNext): fixed bug
+	#1064: "Dedicated IPv6 interfaces show up in IPv4-NAT rules". Use
+	interface only if it has addresses that match address family we
+	compile for.
+
 2010-01-07  Vadim Kurland  <vadim@vk.crocodile.org>

 	* FWObjectPropertiesFactory.cpp (FWObjectPropertiesFactory::getObjectPropertiesBrief):
--- a/src/iptlib/NATCompiler_ipt.cpp
+++ b/src/iptlib/NATCompiler_ipt.cpp
@ -156,13 +156,15 @@ string NATCompiler_ipt::getNewTmpChainName(NATRule *rule)

 string NATCompiler_ipt::debugPrintRule(Rule *r)
 {
-    NATRule *rule=NATRule::cast(r);
+    NATRule *rule = NATRule::cast(r);
+    string   iface_name = rule->getInterfaceStr();

    return NATCompiler::debugPrintRule(rule)+
        " " + FWObjectDatabase::getStringId(rule->getInterfaceId()) +
        " c=" + rule->getStr("ipt_chain") +
        " t=" + rule->getStr("ipt_target") +
-        " (type="+rule->getRuleTypeAsString()+")";
+        " (type="+rule->getRuleTypeAsString()+")" +
+        " intf=" + iface_name;
 }

 void NATCompiler_ipt::verifyPlatform()
@ -2118,6 +2120,7 @@ bool NATCompiler_ipt::decideOnTarget::processNext()
 */
 bool NATCompiler_ipt::AssignInterface::processNext()
 {
+    NATCompiler_ipt *ipt_comp = dynamic_cast<NATCompiler_ipt*>(compiler);
    NATRule *rule=getNext(); if (rule==NULL) return false;

 //    Address  *a=NULL;
@ -2136,23 +2139,40 @@ bool NATCompiler_ipt::AssignInterface::processNext()
                iface->isBridgePort()
            ) continue;

-            char *in=strdup( iface->getName().c_str() );
-            char *cptr=in;
-            while (*cptr && *cptr!='*' && !isdigit(*cptr)) ++cptr;
+            /* Bug #1064: "Dedicated IPv6 interfaces show up in
+             * IPv4-NAT rules". Use interface only if it has addresses
+             * that match address family we compile for
+             *
+             * Include interfaces that have no addresses in the list
+             * for backwards compatibility.
+             */
+            FWObjectTypedChildIterator ipv4_addresses = iface->findByType(IPv4::TYPENAME);
+            FWObjectTypedChildIterator ipv6_addresses = iface->findByType(IPv6::TYPENAME);
+
+            if ((ipt_comp->ipv6 && ipv6_addresses != ipv6_addresses.end()) ||
+                (!ipt_comp->ipv6 && ipv4_addresses != ipv4_addresses.end()) ||
+                ipv4_addresses == ipv4_addresses.end() && ipv6_addresses == ipv6_addresses.end())
+            {
+
+                char *in=strdup( iface->getName().c_str() );
+                char *cptr=in;
+                while (*cptr && *cptr!='*' && !isdigit(*cptr)) ++cptr;
+
 /* if interface name ends with '*', this is wildcard interface. Just
 * replace '*' with '+'. If interace name does not end with '*',
 * replace numeric interface index with '+'. Either way, cptr points
 * at the first caracter after the 'family' name of the interface (is
 * there a better term?) which will be either a digit or '*'.
 */
-            *cptr='\0';
-            string inexp=string(in)+"+";
-            if ( std::find(regular_interfaces.begin(),
-                           regular_interfaces.end(),
-                           inexp)==regular_interfaces.end() )
-                regular_interfaces.push_back( inexp );
+                *cptr='\0';
+                string inexp=string(in)+"+";
+                if ( std::find(regular_interfaces.begin(),
+                               regular_interfaces.end(),
+                               inexp)==regular_interfaces.end() )
+                    regular_interfaces.push_back( inexp );

-            free(in);
+                free(in);
+            }
        }
    }

--- a/test/ipt/objects-for-regression-tests.fwb
+++ b/test/ipt/objects-for-regression-tests.fwb
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1260914709" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1262968518" id="root">
  <Library id="sysid99" name="Deleted Objects" comment="" ro="False">
    <ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
    <IPv4 id="id41D295E2" name="firewall30:ppp.200*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
@ -9689,7 +9689,7 @@
          <Option name="verify_interfaces">False</Option>
        </FirewallOptions>
      </Firewall>
-      <Firewall id="id3B19BEE6" host_OS="linux24" lastCompiled="1247364158" lastInstalled="1142003872" lastModified="1259714994" platform="iptables" name="firewall5" comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" ro="False">
+      <Firewall id="id3B19BEE6" host_OS="linux24" lastCompiled="1247364158" lastInstalled="1142003872" lastModified="1262968608" platform="iptables" name="firewall5" comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" ro="False">
        <NAT id="id3B19BEE7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <NATRule id="id3CFD9EE2" disabled="False" position="0" action="Translate" comment="">
            <OSrc neg="False">
@ -10113,6 +10113,12 @@
        <Interface id="id3E8F5B6F" dedicated_failover="False" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp1" comment="" ro="False">
          <InterfaceOptions/>
        </Interface>
+        <Interface id="id49862X35079" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="sixxs0" comment="ipv6 tunnel interface. Test for bug #1064" ro="False">
+          <IPv6 id="id49900X35079" name="firewall5:sixxs0:ipv6" comment="" ro="False" address="fe80::1" netmask="64"/>
+          <InterfaceOptions>
+            <Option name="type">ethernet</Option>
+          </InterfaceOptions>
+        </Interface>
        <Management address="192.168.1.1">
          <SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
          <FWBDManagement enabled="True" identity="" port="9999"/>