2009-08-12 vadim <vadim@vk.crocodile.org>

* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug #2836321: "SNAT rule that changes Trans Src and Trans Port does not work". Dual translation rule that changes source address and destination port was not supported.
2026-03-22 03:07:20 +01:00 · 2009-08-12 17:51:41 +00:00 · 2009-08-12 17:51:41 +00:00 · 5aaea155ec
commit 5aaea155ec
parent 213d270623
4 changed files with 91 additions and 7 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-#define BUILD_NUM 1301
+#define BUILD_NUM 1302
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,10 @@
+2009-08-12  vadim  <vadim@vk.crocodile.org>
+
+	* NATCompiler_ipt.cpp (splitSDNATRule::processNext): fixed bug
+	#2836321: "SNAT rule that changes Trans Src and Trans Port does
+	not work". Dual translation rule that changes source address and
+	destination port was not supported.
+
 2009-08-10  vadim  <vadim@vk.crocodile.org>

 	* PolicyCompiler_pf_writers.cpp (PrintRule::processNext): For bug
--- a/src/ipt/NATCompiler_ipt.cpp
+++ b/src/ipt/NATCompiler_ipt.cpp
@ -336,23 +336,64 @@ bool NATCompiler_ipt::splitSDNATRule::processNext()
        RuleElementOSrv *osrv;
        RuleElementTSrc *tsrc;
        RuleElementTDst *tdst;
+        RuleElementTSrv *tsrv;
+
+        bool tsrv_translates_src_port = false;
+        bool tsrv_translates_dst_port = false;
+
+        Service  *osrv_obj = compiler->getFirstOSrv(rule);
+        Service  *tsrv_obj = compiler->getFirstTSrv(rule);
+        
+        if (TCPUDPService::cast(osrv_obj) && TCPUDPService::cast(tsrv_obj))
+        {
+            TCPUDPService *tu_osrv = TCPUDPService::cast(osrv_obj);
+            TCPUDPService *tu_tsrv = TCPUDPService::cast(tsrv_obj);
+
+            tsrv_translates_src_port =
+                (tu_tsrv->getSrcRangeStart() != 0 && tu_tsrv->getDstRangeStart() == 0);
+            tsrv_translates_dst_port =
+                (tu_tsrv->getSrcRangeStart() == 0 && tu_tsrv->getDstRangeStart() != 0);
+
+            if (tsrv_translates_dst_port &&
+                tu_osrv->getDstRangeStart() == tu_tsrv->getDstRangeStart() &&
+                tu_osrv->getDstRangeEnd() == tu_tsrv->getDstRangeEnd())
+                tsrv_translates_dst_port = false;  // osrv and tsrv define the same ports
+
+            if (tsrv_translates_src_port &&
+                tu_osrv->getSrcRangeStart() == tu_tsrv->getSrcRangeStart() &&
+                tu_osrv->getSrcRangeEnd() == tu_tsrv->getSrcRangeEnd())
+                tsrv_translates_src_port = false;  // osrv and tsrv define the same ports
+        }

 /* first rule translates destination and may translate service (depends
- * on the original rule) */
+ * on the original rule). Set type to Unknown because this may become
+ * DNAT or DNetNat - we will decide later.
+ */
        NATRule *r = compiler->dbcopy->createNATRule();
        r->duplicate(rule);
        compiler->temp_ruleset->add(r);
        r->setRuleType(NATRule::Unknown);
                
-        tsrc=r->getTSrc();
+        tsrc = r->getTSrc();
        tsrc->clearChildren();
        tsrc->setAnyElement();

+/* this rule translates destination and can't deal with source port
+ * translation. Leave that to the second rule
+ */
+        if (tsrv_translates_src_port)
+        {
+            tsrv = r->getTSrv();
+            tsrv->clearChildren();
+            tsrv->setAnyElement();
+        }
+
        tmp_queue.push_back(r);

 /* the second rule translates source and uses translated object in
 * ODst. Since the service could have been translated by the first
- * rule, we use TSrv in OSrv */
+ * rule, we use TSrv in OSrv
+ */
        r = compiler->dbcopy->createNATRule();
        r->duplicate(rule);
        compiler->temp_ruleset->add(r);
@ -414,10 +455,17 @@ bool NATCompiler_ipt::splitSDNATRule::processNext()
            }
        }

-        tdst=r->getTDst();
+        tdst = r->getTDst();
        tdst->clearChildren();
        tdst->setAnyElement();

+        if (tsrv_translates_dst_port)
+        {
+            tsrv = r->getTSrv();
+            tsrv->clearChildren();
+            tsrv->setAnyElement();
+        }
+
        tmp_queue.push_back(r);
    }
    else 
--- a/test/ipt/objects-for-regression-tests.fwb
+++ b/test/ipt/objects-for-regression-tests.fwb
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1247979638" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1250096448" id="root">
  <Library id="sysid99" name="Deleted Objects" comment="" ro="False">
    <ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
    <IPv4 id="id41D295E2" name="firewall30:ppp.200*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
@ -1750,6 +1750,12 @@
    <ObjectRef ref="if-FW-firewall2-eth0"/>
    <ObjectRef ref="if-FW-firewall2-eth1"/>
    <ObjectRef ref="if-FW-firewall2-eth1-ipv4"/>
+    <ObjectRef ref="sysid0"/>
+    <ObjectRef ref="sysid0"/>
+    <ServiceRef ref="sysid1"/>
+    <ServiceRef ref="sysid1"/>
+    <ObjectRef ref="sysid0"/>
+    <ObjectRef ref="host-hostA"/>
  </Library>
  <Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
    <ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
@ -2792,6 +2798,8 @@
        <TCPService id="id459E36F110170" ack_flag="True" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="ack" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
        <TCPService id="id45821X95438" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0-0:22-22" comment="Imported from &quot;c3620&quot;&#10;0-0:22-22" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
        <TCPService id="id46355X95438" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="False" name="New TCP Service 1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1" dst_range_end="1"/>
+        <TCPService id="id69385X25753" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ports 3050-3051" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3050" dst_range_end="3051"/>
+        <TCPService id="id69386X25753" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="port 700" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="700" dst_range_end="700"/>
      </ServiceGroup>
      <ServiceGroup id="stdid08_1" name="UDP" comment="" ro="False">
        <UDPService id="id3ED59BF0" name="udp-src-6767" comment="" ro="False" src_range_start="6767" src_range_end="6767" dst_range_start="0" dst_range_end="0"/>
@ -6221,7 +6229,7 @@
          <Option name="verify_interfaces">False</Option>
        </FirewallOptions>
      </Firewall>
-      <Firewall id="id3AFB66C6" host_OS="linux24" inactive="False" lastCompiled="1247363932" lastInstalled="1142003872" lastModified="1240585346" platform="iptables" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
+      <Firewall id="id3AFB66C6" host_OS="linux24" inactive="False" lastCompiled="1250096540" lastInstalled="1142003872" lastModified="1250096529" platform="iptables" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
        <NAT id="id3AFB66C7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <NATRule id="id3AFB66C8" disabled="False" position="0" comment="">
            <OSrc neg="False">
@ -7294,6 +7302,27 @@
              <Option name="color">#C0BA44</Option>
            </NATRuleOptions>
          </NATRule>
+          <NATRule id="id47662X25753" disabled="False" group="" position="48" comment="">
+            <OSrc neg="False">
+              <ObjectRef ref="net-Internal_net"/>
+            </OSrc>
+            <ODst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </ODst>
+            <OSrv neg="False">
+              <ServiceRef ref="id69385X25753"/>
+            </OSrv>
+            <TSrc neg="False">
+              <ObjectRef ref="host-hostA"/>
+            </TSrc>
+            <TDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </TDst>
+            <TSrv neg="False">
+              <ServiceRef ref="id69386X25753"/>
+            </TSrv>
+            <NATRuleOptions/>
+          </NATRule>
        </NAT>
        <Policy id="id3AFB66E4" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <PolicyRule id="id3AFB6708" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="Anti-spoofing rule">