fixed bug in fwb_pix with netzone "any"

2026-03-24 12:17:26 +01:00 · 2008-08-12 21:13:31 +00:00 · 2008-08-12 21:13:31 +00:00 · 3d11499301
commit 3d11499301
parent 4a7c7af704
3 changed files with 27 additions and 7 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,9 @@
 2008-08-12  Vadim Kurland  <vadim@vk.crocodile.org>

+	* Helper.cpp (Helper::findInterfaceByNetzone): fixed bug in policy
+	compiler for pix - it could not properly identify interface with
+	network zone "any"
+
 	* ObjectManipulator.cpp (ObjectManipulator::contextMenuRequested):
 	fixed bug #2047992: "segfault cloning policies in version
 	3". "Duplicate" and "Move" context menu items should not be
--- a/src/cisco_lib/Helper.cpp
+++ b/src/cisco_lib/Helper.cpp
@ -132,8 +132,6 @@ int  Helper::findInterfaceByNetzone(Address *obj)

 int  Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
 {
-    if (addr==NULL) return -1;
-
    Firewall *fw=compiler->fw;
    map<int,FWObject*> zones;
    FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
@ -142,6 +140,14 @@ int  Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
        // NOTE: "network_zone" is globally unique string ID
        int netzone_id =
            FWObjectDatabase::getIntId((*i)->getStr("network_zone"));
+
+        FWObject *netzone = fw->getRoot()->findInIndex(netzone_id);
+#if 0
+        cerr << "netzone_id=" << netzone_id
+             << "  " << (*i)->getStr("network_zone")
+             << "  " << netzone->getName()
+             << endl;
+#endif
        if (netzone_id != -1)
        {
            FWObject *netzone = fw->getRoot()->findInIndex(netzone_id);
@ -149,8 +155,18 @@ int  Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
                 j!=netzone->end(); ++j)
            {
                assert(Address::cast(*j)!=NULL);
-                if (Address::cast(*j)->belongs(*addr))
-                    zones[(*i)->getId()] = netzone;
+
+                // if addr==NULL, return id of the interfacce that has
+                // net_zone=="any"
+                if (addr==NULL)
+                {
+                    if ((*j)->getId()==FWObjectDatabase::ANY_ADDRESS_ID)
+                        return (*i)->getId(); // id of the interface
+                } else
+                {
+                    if (Address::cast(*j)->belongs(*addr))
+                        zones[(*i)->getId()] = netzone;
+                }
            }
        }
    }
@ -182,7 +198,7 @@ int  Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)

    if (res_id == -1)
        throw(string("Can not find interface with network zone that includes "
-                     "address ") + addr->toString());
+                     "address ") + string((addr)?addr->toString():"NULL"));
    return res_id;
 }

--- a/src/pix/NATCompiler_pix.cpp
+++ b/src/pix/NATCompiler_pix.cpp
@ -349,8 +349,8 @@ bool NATCompiler_pix::AssignInterface::processNext()

    assert(a1!=NULL && a2!=NULL);

-    rule->setInt("nat_iface_orig",helper.findInterfaceByNetzone(a1));
-    rule->setInt("nat_iface_trn", helper.findInterfaceByNetzone(a2));
+    rule->setInt("nat_iface_orig", helper.findInterfaceByNetzone(a1));
+    rule->setInt("nat_iface_trn",  helper.findInterfaceByNetzone(a2));

    if ( rule->getInt("nat_iface_orig")==-1 ) 
 	compiler->abort("Object '" + a1->getName() +