see #133 added support for inbound and outbound interfaces in nat rules (DTD, libfwbuilder API); added support for an interface column in PF NAT rules (using outbound interface rule element): changes in GUI and compiler

2026-03-24 04:07:55 +01:00 · 2011-02-15 18:56:05 -08:00 · 2011-02-15 18:56:05 -08:00 · 6135cf8acb
commit 6135cf8acb
parent 4d9abebb64
39 changed files with 433 additions and 95 deletions
--- a/4
+++ b/4
@ -7,13 +7,13 @@ FWB_MICRO_VERSION=0
 # build number is like "nano" version number. I am incrementing build
 # number during development cycle
 #
-BUILD_NUM="3477"
+BUILD_NUM="3477a"

 VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"

 GENERATION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION"

 # Data format version
-FWBUILDER_XML_VERSION=17
+FWBUILDER_XML_VERSION=18


--- a/VERSION.h
+++ b/VERSION.h
@ -1,2 +1,2 @@
-#define VERSION      "4.2.0.3477"
+#define VERSION      "4.2.0.3477a"
 #define GENERATION   "4.2"
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -9,6 +9,12 @@
 	Terminating rules generate "pass quick" commands, while
 	non-terminating rules generate "pass" commands (no "quick" option).

+	* libfwbuilder/migration/FWObjectDatabase_17.xslt: see #133
+	Working on adding interfaces to the NAT rule model. There will be
+	two inetrfaces per NAT rule: "inbound interface" and "outbound
+	interface". DTD version changes to "18", old data files need to
+	be upgraded.
+
 2011-02-14  vadim  <vadim@netcitadel.com>

 	* OSConfigurator_bsd_interfaces.cpp (configureInterfaces): fixes
--- a/packaging/fwbuilder-static-qt.spec
+++ b/packaging/fwbuilder-static-qt.spec
@ -3,7 +3,7 @@


 %define name    fwbuilder
-%define version 4.2.0.3477
+%define version 4.2.0.3477a
 %define release 1

 %if "%_vendor" == "MandrakeSoft"
--- a/packaging/fwbuilder.control
+++ b/packaging/fwbuilder.control
@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
 Priority: extra
 Section: checkinstall
 Maintainer: vadim@fwbuilder.org
-Version: 4.2.0.3477-1
+Version: 4.2.0.3477a-1
 Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
 Description: Firewall Builder GUI and policy compilers
--- a/packaging/fwbuilder.spec
+++ b/packaging/fwbuilder.spec
@ -1,6 +1,6 @@

 %define name    fwbuilder
-%define version 4.2.0.3477
+%define version 4.2.0.3477a
 %define release 1

 %if "%_vendor" == "MandrakeSoft"
--- a/src/libfwbuilder/etc/fwbuilder.dtd
+++ b/src/libfwbuilder/etc/fwbuilder.dtd
@ -2,13 +2,8 @@
 <!--
     Firewall Builder Document Type Definition
     http://www.fwbuilder.org/
-     Version: $Revision: 1023 $
     Authors:  Friedhelm Duesterhoeft, Vadim Zaliva, Vadim Kurland, Tidei Maurizio

-TODO:
-
-1. Allow groups of unrelated objects.
-
 -->

 <!ENTITY % BOOLEAN   "(False|True)">
@ -84,7 +79,7 @@ TODO:
 <!ELEMENT FWObjectDatabase (Library*)>
 <!ATTLIST FWObjectDatabase
 xmlns        CDATA     #FIXED "http://www.fwbuilder.org/1.0/"
- version      %STRING;  #FIXED "17"
+ version      %STRING;  #FIXED "18"
 lastModified %NUMBER;  #IMPLIED
 id           ID        #REQUIRED
 >
@ -188,7 +183,7 @@ own compiler) we do not define content model for this element.
      **** Document structure, rest ****
 -->

-<!ELEMENT NATRule (OSrc,ODst,OSrv,TSrc,TDst,TSrv,When?, NATRuleOptions?)>
+<!ELEMENT NATRule (OSrc,ODst,OSrv,TSrc,TDst,TSrv,ItfInb,ItfOutb,When?, NATRuleOptions?)>
 <!ATTLIST NATRule
 id      ID       #REQUIRED
 action    %NAT_ACTION; #REQUIRED
@ -292,6 +287,16 @@ own compiler) we do not define content model for this element.
 neg %BOOLEAN; #REQUIRED
 >

+<!ELEMENT ItfInb (ObjectRef*)>
+<!ATTLIST ItfInb
+ neg %BOOLEAN; #REQUIRED
+>
+
+<!ELEMENT ItfOutb (ObjectRef*)>
+<!ATTLIST ItfOutb
+ neg %BOOLEAN; #REQUIRED
+>
+

 <!--
   hardware or physical address (MAC, DLCI etc.)
--- a/src/libfwbuilder/etc/fwbuilder.dtd.in
+++ b/src/libfwbuilder/etc/fwbuilder.dtd.in
@ -2,13 +2,8 @@
 <!--
     Firewall Builder Document Type Definition
     http://www.fwbuilder.org/
-     Version: $Revision: 1023 $
     Authors:  Friedhelm Duesterhoeft, Vadim Zaliva, Vadim Kurland, Tidei Maurizio

-TODO:
-
-1. Allow groups of unrelated objects.
-
 -->

 <!ENTITY % BOOLEAN   "(False|True)">
@ -188,7 +183,7 @@ own compiler) we do not define content model for this element.
      **** Document structure, rest ****
 -->

-<!ELEMENT NATRule (OSrc,ODst,OSrv,TSrc,TDst,TSrv,When?, NATRuleOptions?)>
+<!ELEMENT NATRule (OSrc,ODst,OSrv,TSrc,TDst,TSrv,ItfInb,ItfOutb,When?, NATRuleOptions?)>
 <!ATTLIST NATRule
 id      ID       #REQUIRED
 action    %NAT_ACTION; #REQUIRED
@ -292,6 +287,16 @@ own compiler) we do not define content model for this element.
 neg %BOOLEAN; #REQUIRED
 >

+<!ELEMENT ItfInb (ObjectRef*)>
+<!ATTLIST ItfInb
+ neg %BOOLEAN; #REQUIRED
+>
+
+<!ELEMENT ItfOutb (ObjectRef*)>
+<!ATTLIST ItfOutb
+ neg %BOOLEAN; #REQUIRED
+>
+

 <!--
   hardware or physical address (MAC, DLCI etc.)
--- a/src/libfwbuilder/migration/FWObjectDatabase_17.xslt
+++ b/src/libfwbuilder/migration/FWObjectDatabase_17.xslt
@ -0,0 +1,84 @@
+<!--
+   FWObjectDatabase_17.xslt 2011-02-15 
+   Author:       Vadim Kurland
+   Description:  translates fwbuilder object database from v17 to 18
+                 Adds NAT rule elements ItfInb and ItfOutb
+                 
+-->
+
+<xsl:stylesheet version="1.0"
+    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+    xmlns:fwb="http://www.fwbuilder.org/1.0/"
+    exclude-result-prefixes="fwb">
+
+
+<xsl:output method="xml" version="1.0" 
+   doctype-system="fwbuilder.dtd" indent="yes" encoding="utf-8"/>
+
+<xsl:template match="*" mode="copy">
+  <xsl:copy>
+    <xsl:copy-of select="@*"/>
+    <xsl:apply-templates mode="copy"/>
+  </xsl:copy>
+</xsl:template>
+
+<xsl:template match="//fwb:NATRule" mode="copy">
+  <xsl:element name="NATRule" namespace="http://www.fwbuilder.org/1.0/">
+    <xsl:copy-of select="@*"/> 
+    <xsl:text>
+            </xsl:text>
+    <xsl:apply-templates select="fwb:OSrc" mode="copy"/>
+    <xsl:text>
+            </xsl:text>
+    <xsl:apply-templates select="fwb:ODst" mode="copy"/>
+    <xsl:text>
+            </xsl:text>
+    <xsl:apply-templates select="fwb:OSrv" mode="copy"/>
+    <xsl:text>
+            </xsl:text>
+    <xsl:apply-templates select="fwb:TSrc" mode="copy"/>
+    <xsl:text>
+            </xsl:text>
+    <xsl:apply-templates select="fwb:TDst" mode="copy"/>
+    <xsl:text>
+            </xsl:text>
+    <xsl:apply-templates select="fwb:TSrv" mode="copy"/>
+    <xsl:text>
+            </xsl:text>
+    <xsl:element name="ItfInb" namespace="http://www.fwbuilder.org/1.0/">
+      <xsl:attribute name="neg">False</xsl:attribute>
+      <xsl:element name="ObjectRef" namespace="http://www.fwbuilder.org/1.0/">
+        <xsl:attribute name="ref">sysid0</xsl:attribute>
+      </xsl:element>
+    </xsl:element>
+    <xsl:text>
+            </xsl:text>
+    <xsl:element name="ItfOutb" namespace="http://www.fwbuilder.org/1.0/">
+      <xsl:attribute name="neg">False</xsl:attribute>
+      <xsl:element name="ObjectRef" namespace="http://www.fwbuilder.org/1.0/">
+        <xsl:attribute name="ref">sysid0</xsl:attribute>
+      </xsl:element>
+    </xsl:element>
+    <xsl:text>
+            </xsl:text>
+    <xsl:apply-templates select="fwb:When" mode="copy"/>
+    <xsl:text>
+            </xsl:text>
+    <xsl:apply-templates select="fwb:NATRuleOptions" mode="copy"/>
+    <xsl:text>
+          </xsl:text>
+  </xsl:element>
+</xsl:template>
+
+<xsl:template match="*[attribute::id='root']">
+  <FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/">
+    <xsl:attribute name="version">18</xsl:attribute>
+    <xsl:attribute name="lastModified"><xsl:value-of select="@lastModified"/></xsl:attribute>
+    <xsl:attribute name="id">root</xsl:attribute>
+    <xsl:apply-templates select="*" mode="copy"/>
+  </FWObjectDatabase>
+</xsl:template>
+
+</xsl:stylesheet>
+
+
--- a/src/libfwbuilder/migration/migration.pro
+++ b/src/libfwbuilder/migration/migration.pro
@ -91,5 +91,6 @@ target.files  = FWObjectDatabase_0.8.7.xslt \
                FWObjectDatabase_14.xslt \
                FWObjectDatabase_15.xslt \
                FWObjectDatabase_16.xslt \
+                FWObjectDatabase_17.xslt \


--- a/src/libfwbuilder/src/fwbuilder/FWObjectDatabase.h
+++ b/src/libfwbuilder/src/fwbuilder/FWObjectDatabase.h
@ -97,6 +97,8 @@ namespace libfwbuilder
    class RuleElementDst;
    class RuleElementInterval;
    class RuleElementItf;
+    class RuleElementItfInb;
+    class RuleElementItfOutb;
    class RuleElementODst;
    class RuleElementOSrc;
    class RuleElementOSrv;
@ -162,6 +164,8 @@ namespace libfwbuilder
    DECLARE_CREATE_OBJ_METHOD(RuleElementDst);
    DECLARE_CREATE_OBJ_METHOD(RuleElementInterval);
    DECLARE_CREATE_OBJ_METHOD(RuleElementItf);
+    DECLARE_CREATE_OBJ_METHOD(RuleElementItfInb);
+    DECLARE_CREATE_OBJ_METHOD(RuleElementItfOutb);
    DECLARE_CREATE_OBJ_METHOD(RuleElementODst);
    DECLARE_CREATE_OBJ_METHOD(RuleElementOSrc);
    DECLARE_CREATE_OBJ_METHOD(RuleElementOSrv);
@ -511,6 +515,8 @@ public:
    DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementDst);
    DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementInterval);
    DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementItf);
+    DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementItfInb);
+    DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementItfOutb);
    DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementODst);
    DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementOSrc);
    DECLARE_CREATE_OBJ_CLASS_METHOD(RuleElementOSrv);
--- a/src/libfwbuilder/src/fwbuilder/FWObjectDatabase_create_object.cpp
+++ b/src/libfwbuilder/src/fwbuilder/FWObjectDatabase_create_object.cpp
@ -212,6 +212,10 @@ void FWObjectDatabase::init_create_methods_table()
                           &create_RuleElementInterval);
        registerObjectType("Itf",
                           &create_RuleElementItf);
+        registerObjectType("ItfInb",
+                           &create_RuleElementItfInb);
+        registerObjectType("ItfOutb",
+                           &create_RuleElementItfOutb);
        registerObjectType("ODst",
                           &create_RuleElementODst);
        registerObjectType("OSrc",
@ -368,6 +372,8 @@ CREATE_OBJ_METHOD(RoutingRuleOptions);
 CREATE_OBJ_METHOD(RuleElementDst);
 CREATE_OBJ_METHOD(RuleElementInterval);
 CREATE_OBJ_METHOD(RuleElementItf);
+CREATE_OBJ_METHOD(RuleElementItfInb);
+CREATE_OBJ_METHOD(RuleElementItfOutb);
 CREATE_OBJ_METHOD(RuleElementODst);
 CREATE_OBJ_METHOD(RuleElementOSrc);
 CREATE_OBJ_METHOD(RuleElementOSrv);
--- a/src/libfwbuilder/src/fwbuilder/Rule.cpp
+++ b/src/libfwbuilder/src/fwbuilder/Rule.cpp
@ -577,6 +577,8 @@ NATRule::NATRule() : Rule()
    tsrc_re = NULL;
    tdst_re = NULL;
    tsrv_re = NULL;
+    itf_inb_re = NULL;
+    itf_outb_re = NULL;
    when_re = NULL;
 }

@ -585,13 +587,29 @@ void NATRule::init(FWObjectDatabase *root)
    FWObject *re = getFirstByType(RuleElementOSrc::TYPENAME);
    if (re == NULL)
    {
-        re = root->createRuleElementOSrc();  assert(re!=NULL); add(re);
-        re = root->createRuleElementODst();  assert(re!=NULL); add(re);
-        re = root->createRuleElementOSrv();  assert(re!=NULL); add(re);
+        re = root->createRuleElementOSrc();  assert(re!=NULL);
+        add(re); osrc_re = RuleElementOSrc::cast(re);
+
+        re = root->createRuleElementODst();  assert(re!=NULL);
+        add(re); odst_re = RuleElementODst::cast(re);
+
+        re = root->createRuleElementOSrv();  assert(re!=NULL);
+        add(re); osrv_re = RuleElementOSrv::cast(re);
    
-        re = root->createRuleElementTSrc();  assert(re!=NULL); add(re);
-        re = root->createRuleElementTDst();  assert(re!=NULL); add(re);
-        re = root->createRuleElementTSrv();  assert(re!=NULL); add(re);
+        re = root->createRuleElementTSrc();  assert(re!=NULL);
+        add(re); tsrc_re = RuleElementTSrc::cast(re);
+
+        re = root->createRuleElementTDst();  assert(re!=NULL);
+        add(re); tdst_re = RuleElementTDst::cast(re);
+
+        re = root->createRuleElementTSrv();  assert(re!=NULL);
+        add(re); tsrv_re = RuleElementTSrv::cast(re);
+
+        re = root->createRuleElementItfInb();  assert(re!=NULL);
+        add(re); itf_inb_re = RuleElementItfInb::cast(re);
+
+        re = root->createRuleElementItfOutb();  assert(re!=NULL);
+        add(re); itf_outb_re = RuleElementItfOutb::cast(re);

        add( root->createNATRuleOptions() );
    }
@ -677,6 +695,21 @@ RuleElementInterval* NATRule::getWhen()
    return when_re;
 }

+RuleElementItfInb* NATRule::getItfInb()
+{
+    if (itf_inb_re) return itf_inb_re;
+    itf_inb_re = RuleElementItfInb::cast(getFirstByType(RuleElementItfInb::TYPENAME));
+    return itf_inb_re;
+}
+
+RuleElementItfOutb* NATRule::getItfOutb()
+{
+    if (itf_outb_re) return itf_outb_re;
+    itf_outb_re = RuleElementItfOutb::cast(getFirstByType(RuleElementItfOutb::TYPENAME));
+    return itf_outb_re;
+}
+
+
 string NATRule::getActionAsString() const
 {
    return getActionAsString(action);
@ -699,15 +732,20 @@ void NATRule::setAction(const string& act)

 bool NATRule::isEmpty()
 {
-    RuleElement *osrc=getOSrc();
-    RuleElement *odst=getODst();
-    RuleElement *osrv=getOSrv();
+    RuleElement *osrc = getOSrc();
+    RuleElement *odst = getODst();
+    RuleElement *osrv = getOSrv();

-    RuleElement *tsrc=getTSrc();
-    RuleElement *tdst=getTDst();
-    RuleElement *tsrv=getTSrv();
+    RuleElement *tsrc = getTSrc();
+    RuleElement *tdst = getTDst();
+    RuleElement *tsrv = getTSrv();

-    return (osrc->isAny() && odst->isAny() && osrv->isAny() && tsrc->isAny() && tdst->isAny() && tsrv->isAny());
+    RuleElement *itf_inb = getItfInb();
+    RuleElement *itf_outb = getItfOutb();
+
+    return (osrc->isAny() && odst->isAny() && osrv->isAny() &&
+            tsrc->isAny() && tdst->isAny() && tsrv->isAny() &&
+            itf_inb->isAny() && itf_outb->isAny());
 }

 void NATRule::fromXML(xmlNodePtr root) throw(FWException)
@ -773,6 +811,12 @@ xmlNodePtr NATRule::toXML(xmlNodePtr parent) throw(FWException)
    if ( (o=getFirstByType( RuleElementTSrv::TYPENAME ))!=NULL )
 	o->toXML(me);

+    if ( (o=getFirstByType( RuleElementItfInb::TYPENAME ))!=NULL )
+	o->toXML(me);
+
+    if ( (o=getFirstByType( RuleElementItfOutb::TYPENAME ))!=NULL )
+	o->toXML(me);
+
    if ( (o=getFirstByType( RuleElementInterval::TYPENAME ))!=NULL )
 	o->toXML(me);

@ -861,6 +905,8 @@ FWObject& NATRule::shallowDuplicate(const FWObject *x,
    tsrc_re = NULL;
    tdst_re = NULL;
    tsrv_re = NULL;
+    itf_inb_re = NULL;
+    itf_outb_re = NULL;
    when_re = NULL;

    return  Rule::shallowDuplicate(x, preserve_id);
--- a/src/libfwbuilder/src/fwbuilder/Rule.h
+++ b/src/libfwbuilder/src/fwbuilder/Rule.h
@ -45,6 +45,8 @@ namespace libfwbuilder
    class RuleElementTSrc;
    class RuleElementTDst;
    class RuleElementTSrv;
+    class RuleElementItfInb;
+    class RuleElementItfOutb;
    class RuleElementInterval;
    class RuleElementRDst;
    class RuleElementRGtw;
@ -338,6 +340,8 @@ private:
    libfwbuilder::RuleElementTSrc*      tsrc_re;
    libfwbuilder::RuleElementTDst*      tdst_re;
    libfwbuilder::RuleElementTSrv*      tsrv_re;
+    libfwbuilder::RuleElementItfInb*    itf_inb_re;
+    libfwbuilder::RuleElementItfOutb*   itf_outb_re;
    libfwbuilder::RuleElementInterval* when_re;
    NATAction action;
    NATRuleTypes  rule_type;
@ -384,6 +388,8 @@ public:
    libfwbuilder::RuleElementTSrc* getTSrc();
    libfwbuilder::RuleElementTDst* getTDst();
    libfwbuilder::RuleElementTSrv* getTSrv();
+    libfwbuilder::RuleElementItfInb* getItfInb();
+    libfwbuilder::RuleElementItfOutb* getItfOutb();
    libfwbuilder::RuleElementInterval* getWhen();

    NATAction getAction() const { return action; }
--- a/src/libfwbuilder/src/fwbuilder/RuleElement.cpp
+++ b/src/libfwbuilder/src/fwbuilder/RuleElement.cpp
@ -2,13 +2,10 @@

                          Firewall Builder

-                 Copyright (C) 2000 NetCitadel, LLC
+                 Copyright (C) 2000-2011 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

-  $Id$
-
-
  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
@ -330,6 +327,12 @@ bool RuleElementItf::checkItfChildOfThisFw(FWObject *o)
    return (fw1 != NULL && fw1 == fw2);
 }

+const char *RuleElementItfInb::TYPENAME={"ItfInb"};
+RuleElementItfInb::RuleElementItfInb() {}
+
+const char *RuleElementItfOutb::TYPENAME={"ItfOutb"};
+RuleElementItfOutb::RuleElementItfOutb() {}
+

 const char *RuleElementOSrc::TYPENAME={"OSrc"};
 RuleElementOSrc::RuleElementOSrc() {}
--- a/src/libfwbuilder/src/fwbuilder/RuleElement.h
+++ b/src/libfwbuilder/src/fwbuilder/RuleElement.h
@ -147,6 +147,23 @@ class RuleElementItf : public ObjectGroup, public RuleElement {
    virtual bool isPrimaryObject() const { return false; }
 };

+class RuleElementItfInb : public RuleElementItf
+{
+    public:
+    DECLARE_FWOBJECT_SUBTYPE(RuleElementItfInb);
+    DECLARE_DISPATCH_METHODS(RuleElementItfInb);
+    RuleElementItfInb();
+};
+
+class RuleElementItfOutb : public RuleElementItf
+{
+    public:
+    DECLARE_FWOBJECT_SUBTYPE(RuleElementItfOutb);
+    DECLARE_DISPATCH_METHODS(RuleElementItfOutb);
+    RuleElementItfOutb();
+   
+};
+
 class RuleElementInterval : public IntervalGroup, public RuleElement {
    public:
    DECLARE_FWOBJECT_SUBTYPE(RuleElementInterval);
--- a/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp
+++ b/src/libfwbuilder/src/fwcompiler/NATCompiler.cpp
@ -644,6 +644,55 @@ bool NATCompiler::ConvertToAtomicForTSrv::processNext()
    return true;
 }

+bool NATCompiler::ConvertToAtomicForItfInb::processNext()
+{
+    NATRule *rule=getNext(); if (rule==NULL) return false;
+
+    RuleElementItfInb *itf_inb_re=rule->getItfInb();    assert(itf_inb_re);
+
+    for (FWObject::iterator i1=itf_inb_re->begin(); i1!=itf_inb_re->end(); ++i1) 
+    {
+        NATRule *r = compiler->dbcopy->createNATRule();
+        r->duplicate(rule);
+        compiler->temp_ruleset->add(r);
+
+        FWObject *s;
+
+        s = r->getItfInb();	assert(s);
+        s->clearChildren();
+        s->addCopyOf( *i1 );
+
+        tmp_queue.push_back(r);
+    }
+
+    return true;
+}
+
+bool NATCompiler::ConvertToAtomicForItfOutb::processNext()
+{
+    NATRule *rule=getNext(); if (rule==NULL) return false;
+
+    RuleElementItfOutb *itf_outb_re=rule->getItfOutb();    assert(itf_outb_re);
+
+    for (FWObject::iterator i1=itf_outb_re->begin(); i1!=itf_outb_re->end(); ++i1) 
+    {
+        NATRule *r = compiler->dbcopy->createNATRule();
+        r->duplicate(rule);
+        compiler->temp_ruleset->add(r);
+
+        FWObject *s;
+
+        s = r->getItfOutb();	assert(s);
+        s->clearChildren();
+        s->addCopyOf( *i1 );
+
+        tmp_queue.push_back(r);
+    }
+
+    return true;
+}
+
+



--- a/src/libfwbuilder/src/fwcompiler/NATCompiler.h
+++ b/src/libfwbuilder/src/fwcompiler/NATCompiler.h
@ -170,6 +170,16 @@ namespace fwcompiler {
 	 */
        DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForTSrv);

+	/**
+	 * this processor converts to atomic rules only for ItfInb
+	 */
+        DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForItfInb);
+
+	/**
+	 * this processor converts to atomic rules only for ItfOutb
+	 */
+        DECLARE_NAT_RULE_PROCESSOR(ConvertToAtomicForItfOutb);
+
 	/**
 	 * this processor converts to atomic rules using all combinations
 	 * of OSrc,ODst,OSrv,TSrc,TDst,TSrv
--- a/src/libgui/ColDesc.cpp
+++ b/src/libgui/ColDesc.cpp
@ -26,14 +26,17 @@
 #include "ColDesc.h"
 #include "platforms.h"

+using namespace std;
+
+
 ColDesc::ColDesc()
 {
    this->type = Unknown;
 }

-ColDesc::ColDesc(QString origin, ColumnType type)
+ColDesc::ColDesc(const string &platform, const string &origin, ColumnType type)
 {
-    this->origin = origin;
-    this->name = getReadableRuleElementName(origin.toStdString());
+    this->origin = origin.c_str();
+    this->name = getReadableRuleElementName(platform, origin);
    this->type = type;
 }
--- a/src/libgui/ColDesc.h
+++ b/src/libgui/ColDesc.h
@ -26,25 +26,28 @@
 #ifndef COLDESC_H
 #define COLDESC_H

- #include <QMetaType>
+#include <QMetaType>
+
+#include <string>
+

 class ColDesc
 {
 public:
-     enum ColumnType
-     {
-         GroupHandle,
-          RuleOp,
-          Object,
-          Action,
-          Direction,
-          Options,
-          Time,
-          Comment,
-          Metric,
-          Unknown
-      };
-    ColDesc(QString origin, ColumnType type);
+    enum ColumnType
+    {
+        GroupHandle,
+        RuleOp,
+        Object,
+        Action,
+        Direction,
+        Options,
+        Time,
+        Comment,
+        Metric,
+        Unknown
+    };
+    ColDesc(const std::string &platform, const std::string &origin, ColumnType type);
    ColDesc();
    QString name;
    QString origin;
--- a/src/libgui/FindWhereUsedWidget.cpp
+++ b/src/libgui/FindWhereUsedWidget.cpp
@ -312,7 +312,8 @@ QTreeWidgetItem* FindWhereUsedWidget::createQTWidgetItem(FWObject* o,

        if (RuleElement::cast(container)!=NULL)
            rule_element_name =
-                getReadableRuleElementName(container->getParent()->getTypeName());
+                getReadableRuleElementName(
+                    fw->getStr("platform"), container->getParent()->getTypeName());

        if (Rule::cast(container)!=NULL)
            rule_element_name = "Action";
--- a/src/libgui/RuleNode.h
+++ b/src/libgui/RuleNode.h
@ -29,7 +29,7 @@
 #include <QObject>
 #include <QSize>

-#define MAX_COLUMNS 10
+#define MAX_COLUMNS 20

 namespace libfwbuilder {
    class Rule;
--- a/src/libgui/RuleSetModel.cpp
+++ b/src/libgui/RuleSetModel.cpp
@ -1350,32 +1350,36 @@ void PolicyModel::configure()
    supports_logging      = false;
    supports_rule_options = false;
    supports_time         = false;
+    
+    string platform;

    if (getFirewall())
    {
+        platform = getFirewall()->getStr("platform");
+
        try {
            supports_logging = Resources::getTargetCapabilityBool(
-                    getFirewall()->getStr("platform"), "logging_in_policy");
+                    platform, "logging_in_policy");
            supports_rule_options = Resources::getTargetCapabilityBool(
-                    getFirewall()->getStr("platform"), "options_in_policy");
+                    platform, "options_in_policy");
            supports_time = Resources::getTargetCapabilityBool(
-                    getFirewall()->getStr("platform"), "supports_time");
+                    platform, "supports_time");
        } catch(FWException &ex)    {    }
    }

-    header  << ColDesc(RuleElementSrc::TYPENAME, ColDesc::Object)   // 1
-            << ColDesc(RuleElementDst::TYPENAME, ColDesc::Object)   // 2
-            << ColDesc(RuleElementSrv::TYPENAME, ColDesc::Object)   // 3
-            << ColDesc(RuleElementItf::TYPENAME, ColDesc::Object)   // 4
-            << ColDesc("Direction", ColDesc::Direction)             // 5
-            << ColDesc("Action", ColDesc::Action);                  // 6
+    header  << ColDesc(platform, RuleElementSrc::TYPENAME, ColDesc::Object)   // 1
+            << ColDesc(platform, RuleElementDst::TYPENAME, ColDesc::Object)   // 2
+            << ColDesc(platform, RuleElementSrv::TYPENAME, ColDesc::Object)   // 3
+            << ColDesc(platform, RuleElementItf::TYPENAME, ColDesc::Object)   // 4
+            << ColDesc(platform, "Direction", ColDesc::Direction)             // 5
+            << ColDesc(platform, "Action", ColDesc::Action);                  // 6
    if (supports_time)
-        header << ColDesc(RuleElementInterval::TYPENAME, ColDesc::Time);  // 7
+        header << ColDesc(platform, RuleElementInterval::TYPENAME, ColDesc::Time);  // 7

    if (supports_logging && supports_rule_options)
-        header << ColDesc("Options", ColDesc::Options);
+        header << ColDesc(platform, "Options", ColDesc::Options);

-    header << ColDesc("Comment", ColDesc::Comment);
+    header << ColDesc(platform, "Comment", ColDesc::Comment);
 }

 QVariant PolicyModel::getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const
@ -1463,27 +1467,42 @@ bool PolicyModel::checkRuleType(libfwbuilder::Rule *rule)
 void NatModel::configure()
 {
    supports_actions = false;
+    supports_inbound_interface = false;
+    supports_outbound_interface = false;

+    string platform;
+    
    if (getFirewall())
    {
+        platform = getFirewall()->getStr("platform");
+
        try {
            supports_actions = Resources::getTargetCapabilityBool(
-                getFirewall()->getStr("platform"), "actions_in_nat");
+                platform, "actions_in_nat");
+            supports_inbound_interface = Resources::getTargetCapabilityBool(
+                platform, "inbound_interface_in_nat");
+            supports_outbound_interface = Resources::getTargetCapabilityBool(
+                platform, "outbound_interface_in_nat");
        } catch(FWException &ex)    {    }
    }

-    header  << ColDesc(RuleElementOSrc::TYPENAME, ColDesc::Object)   // 1
-            << ColDesc(RuleElementODst::TYPENAME, ColDesc::Object)   // 2
-            << ColDesc(RuleElementOSrv::TYPENAME, ColDesc::Object)   // 3
-            << ColDesc(RuleElementTSrc::TYPENAME, ColDesc::Object)   // 4
-            << ColDesc(RuleElementTDst::TYPENAME, ColDesc::Object)   // 5
-            << ColDesc(RuleElementTSrv::TYPENAME, ColDesc::Object);   // 6
+    header  << ColDesc(platform, RuleElementOSrc::TYPENAME, ColDesc::Object)   // 1
+            << ColDesc(platform, RuleElementODst::TYPENAME, ColDesc::Object)   // 2
+            << ColDesc(platform, RuleElementOSrv::TYPENAME, ColDesc::Object)   // 3
+            << ColDesc(platform, RuleElementTSrc::TYPENAME, ColDesc::Object)   // 4
+            << ColDesc(platform, RuleElementTDst::TYPENAME, ColDesc::Object)   // 5
+            << ColDesc(platform, RuleElementTSrv::TYPENAME, ColDesc::Object);   // 6
+
+    if (supports_inbound_interface)
+        header << ColDesc(platform, RuleElementItfInb::TYPENAME, ColDesc::Object);
+    if (supports_outbound_interface)
+        header << ColDesc(platform, RuleElementItfOutb::TYPENAME, ColDesc::Object);

    if (supports_actions)
-        header << ColDesc("Action", ColDesc::Action);
+        header << ColDesc(platform, "Action", ColDesc::Action);

-    header << ColDesc("Options", ColDesc::Options)                  // 7
-           << ColDesc("Comment", ColDesc::Comment);                 // 8
+    header << ColDesc(platform, "Options", ColDesc::Options)                  // 7
+           << ColDesc(platform, "Comment", ColDesc::Comment);                 // 8
 }

 QVariant NatModel::getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const
@ -1556,28 +1575,33 @@ void RoutingModel::configure()
    supports_routing_itf  = false;
    supports_metric  = false;

+    string platform;
+    string host_os;
+
    if (getFirewall())
    {
+        platform = getFirewall()->getStr("platform");
+        host_os = getFirewall()->getStr("host_OS");
+
        try {
-            supports_routing_itf =
-                Resources::getTargetCapabilityBool(
-                        getFirewall()->getStr("host_OS"), "supports_routing_itf");
+            supports_routing_itf = Resources::getTargetCapabilityBool(
+                host_os, "supports_routing_itf");
            supports_metric = Resources::getTargetCapabilityBool(
-                    getFirewall()->getStr("host_OS"), "supports_metric");
+                host_os, "supports_metric");
        } catch(FWException &ex)    {    }
    }

-    header  << ColDesc(RuleElementRDst::TYPENAME, ColDesc::Object)   // 1
-            << ColDesc(RuleElementRGtw::TYPENAME, ColDesc::Object);  // 2
+    header  << ColDesc(platform, RuleElementRDst::TYPENAME, ColDesc::Object)   // 1
+            << ColDesc(platform, RuleElementRGtw::TYPENAME, ColDesc::Object);  // 2

    if (supports_routing_itf)
-        header << ColDesc(RuleElementRItf::TYPENAME, ColDesc::Object);
+        header << ColDesc(platform, RuleElementRItf::TYPENAME, ColDesc::Object);

    if (supports_metric)
-        header  << ColDesc("Metric", ColDesc::Metric);
+        header  << ColDesc(platform, "Metric", ColDesc::Metric);

-    header << ColDesc("Options", ColDesc::Options)
-           << ColDesc("Comment", ColDesc::Comment);
+    header << ColDesc(platform, "Options", ColDesc::Options)
+           << ColDesc(platform, "Comment", ColDesc::Comment);
 }

 QVariant RoutingModel::getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const
--- a/src/libgui/RuleSetModel.h
+++ b/src/libgui/RuleSetModel.h
@ -246,7 +246,9 @@ public:

 private:
    bool supports_actions;
-
+    bool supports_inbound_interface;
+    bool supports_outbound_interface;
+    
    QVariant getRuleDataForDisplayRole(const QModelIndex &index, RuleNode* node) const;
    QStringList getRuleOptions(libfwbuilder::Rule* r) const;
    void configure();
--- a/src/libgui/RuleSetView.cpp
+++ b/src/libgui/RuleSetView.cpp
@ -2279,6 +2279,7 @@ bool RuleSetView::validateForInsertion(RuleElement *re, FWObject *obj, bool quie
        }
    }

+    // This includes RuleElementItfInb and RuleElementItfOutb of nat rules
    if (RuleElementItf::cast(re) || RuleElementRItf::cast(re))
        return validateForInsertionToInterfaceRE(RuleElementItf::cast(re), obj);

--- a/src/libgui/RuleSetViewDelegate.cpp
+++ b/src/libgui/RuleSetViewDelegate.cpp
@ -569,6 +569,9 @@ QString RuleSetViewDelegate::objectText(RuleElement *re,FWObject *obj) const
        if (RuleElementRGtw::isA(re) ||
            RuleElementRItf::isA(re))  return QString("");
        if (RuleElementItf::isA(re))   return QString(tr("All"));
+        if (RuleElementItfInb::isA(re))   return QString(tr("Auto"));
+        if (RuleElementItfOutb::isA(re))   return QString(tr("Auto"));
+
        return any_object_name;
    }

--- a/src/libgui/platforms.cpp
+++ b/src/libgui/platforms.cpp
@ -763,7 +763,8 @@ bool getStatelessFlagForAction(PolicyRule *rule)
 /**
 * Returns translatable string - name of the corresponding rule element.
 */
-QString getReadableRuleElementName(const string &rule_element_type_name)
+QString getReadableRuleElementName(const string &platform,
+                                   const string &rule_element_type_name)
 {
    // The following map TYPENAME of RuleElement classes to readable
    // translatable names.
@ -781,6 +782,18 @@ QString getReadableRuleElementName(const string &rule_element_type_name)
    if (rule_element_type_name == "TDst") return QObject::tr("Translated Dst");
    if (rule_element_type_name == "TSrv") return QObject::tr("Translated Srv");

+    if (platform == "pf")
+    {
+        // For PF I hide inbound interface and show outbound interface
+        // column with header "Interface"
+        if (rule_element_type_name == "ItfInb") return QObject::tr("Interface");
+        if (rule_element_type_name == "ItfOutb") return QObject::tr("Interface");
+    } else
+    {
+        if (rule_element_type_name == "ItfInb") return QObject::tr("Inbound Interface");
+        if (rule_element_type_name == "ItfOutb") return QObject::tr("Outbound Interface");
+    }
+
    if (rule_element_type_name == "RDst") return QObject::tr("Destination");
    if (rule_element_type_name == "RGtw") return QObject::tr("Gateway");
    if (rule_element_type_name == "RItf") return QObject::tr("Interface");
--- a/src/libgui/platforms.h
+++ b/src/libgui/platforms.h
@ -149,7 +149,8 @@ QString getActionNameForPlatform(libfwbuilder::Firewall *fw,

 bool getStatelessFlagForAction(libfwbuilder::PolicyRule *rule);

-QString getReadableRuleElementName(const std::string &rule_element_type_name);
+QString getReadableRuleElementName(const std::string &platform,
+                                   const std::string &rule_element_type_name);

 /*
 * convenience method that calls Resourcess::getPlatforms() and
--- a/src/pflib/NATCompiler_pf.cpp
+++ b/src/pflib/NATCompiler_pf.cpp
@ -707,8 +707,8 @@ bool NATCompiler_pf::assignInterfaceToNATRule(Rule *rule, Address *addr)

 bool NATCompiler_pf::AssignInterface::processNext()
 {
-    NATCompiler_pf *pf_comp=dynamic_cast<NATCompiler_pf*>(compiler);
-    NATRule *rule=getNext(); if (rule==NULL) return false;
+    NATCompiler_pf *pf_comp = dynamic_cast<NATCompiler_pf*>(compiler);
+    NATRule *rule = getNext(); if (rule==NULL) return false;

    if (rule->getInterfaceStr() != "")
    {
@ -716,6 +716,31 @@ bool NATCompiler_pf::AssignInterface::processNext()
        return true;
    }

+    RuleElementItfOutb *itf_re = rule->getItfOutb();
+    assert(itf_re!=NULL);
+    if (!itf_re->isAny())
+    {
+        Interface *intf = Interface::cast(
+            FWObjectReference::getObject(itf_re->front()));
+        assert(intf!=NULL);
+
+        if (intf->isFailoverInterface())
+        {
+            FailoverClusterGroup *fg = FailoverClusterGroup::cast(
+                intf->getFirstByType(FailoverClusterGroup::TYPENAME));
+            if (fg)
+                intf = fg->getInterfaceForMemberFirewall(compiler->fw);
+        }
+
+        if (intf->isChildOf(compiler->fw))
+        {
+            rule->setInterfaceId(intf->getId());
+            rule->setInterfaceStr(intf->getName());
+            tmp_queue.push_back(rule);
+            return true;
+        }
+    }
+
    switch ( rule->getRuleType() )
    {
    case NATRule::SNAT:
@ -1251,6 +1276,8 @@ void NATCompiler_pf::compile()
    //add( new ConvertToAtomicForTSrc( "convert to atomic rules" ) );
    add( new splitForTSrc(
             "split if addresses in TSrc belong to different networks" ));
+    add( new ConvertToAtomicForItfOutb(
+             "convert to atomic for Interface rule element"));
    add( new AssignInterface( "assign rules to interfaces" ) );
    add( new convertInterfaceIdToStr("prepare interface assignments") );

--- a/src/res/objects_init.xml
+++ b/src/res/objects_init.xml
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1265059184" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1265059184" id="root">
  <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
    <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
--- a/src/res/platform/fwsm.xml
+++ b/src/res/platform/fwsm.xml
@ -233,6 +233,8 @@ nameif %in %il security%sl
        <options_in_policy>True</options_in_policy>
        <supports_nat>True</supports_nat>
        <actions_in_nat>False</actions_in_nat>
+        <inbound_interface_in_nat>False</inbound_interface_in_nat>
+        <outbound_interface_in_nat>False</outbound_interface_in_nat>
        <supports_time>False</supports_time>
        <supports_accounting>False</supports_accounting>
        <security_levels>True</security_levels>
--- a/src/res/platform/iosacl.xml
+++ b/src/res/platform/iosacl.xml
@ -109,6 +109,8 @@ interface %in
        <options_in_policy>True</options_in_policy>
        <supports_nat>False</supports_nat>
        <actions_in_nat>False</actions_in_nat>
+        <inbound_interface_in_nat>False</inbound_interface_in_nat>
+        <outbound_interface_in_nat>False</outbound_interface_in_nat>
        <supports_time>False</supports_time>
        <supports_accounting>False</supports_accounting>
        <security_levels>False</security_levels>
--- a/src/res/platform/ipf.xml
+++ b/src/res/platform/ipf.xml
@ -30,6 +30,8 @@
        <options_in_policy>True</options_in_policy>
        <supports_nat>True</supports_nat>
        <actions_in_nat>False</actions_in_nat>
+        <inbound_interface_in_nat>False</inbound_interface_in_nat>
+        <outbound_interface_in_nat>False</outbound_interface_in_nat>
        <supports_time>False</supports_time>
        <supports_accounting>True</supports_accounting>
        <security_levels>False</security_levels>
--- a/src/res/platform/ipfw.xml
+++ b/src/res/platform/ipfw.xml
@ -28,6 +28,8 @@
        <options_in_policy>True</options_in_policy>
        <supports_nat>False</supports_nat>
        <actions_in_nat>False</actions_in_nat>
+        <inbound_interface_in_nat>False</inbound_interface_in_nat>
+        <outbound_interface_in_nat>False</outbound_interface_in_nat>
        <supports_time>False</supports_time>
        <supports_accounting>True</supports_accounting>
        <security_levels>False</security_levels>
--- a/src/res/platform/pf.xml
+++ b/src/res/platform/pf.xml
@ -33,6 +33,8 @@
        <options_in_policy>True</options_in_policy>
        <supports_nat>True</supports_nat>
        <actions_in_nat>True</actions_in_nat>
+        <inbound_interface_in_nat>False</inbound_interface_in_nat>
+        <outbound_interface_in_nat>True</outbound_interface_in_nat>
        <supports_time>False</supports_time>
        <supports_accounting>True</supports_accounting>
        <security_levels>False</security_levels>
--- a/src/res/platform/pix.xml
+++ b/src/res/platform/pix.xml
@ -646,6 +646,8 @@
        <options_in_policy>True</options_in_policy>
        <supports_nat>True</supports_nat>
        <actions_in_nat>False</actions_in_nat>
+        <inbound_interface_in_nat>False</inbound_interface_in_nat>
+        <outbound_interface_in_nat>False</outbound_interface_in_nat>
        <supports_time>False</supports_time>
        <supports_accounting>False</supports_accounting>
        <security_levels>True</security_levels>
--- a/src/res/platform/procurve_acl.xml
+++ b/src/res/platform/procurve_acl.xml
@ -46,6 +46,8 @@ interface %in
        <options_in_policy>True</options_in_policy>
        <supports_nat>False</supports_nat>
        <actions_in_nat>False</actions_in_nat>
+        <inbound_interface_in_nat>False</inbound_interface_in_nat>
+        <outbound_interface_in_nat>False</outbound_interface_in_nat>
        <supports_time>False</supports_time>
        <supports_accounting>False</supports_accounting>
        <security_levels>False</security_levels>
--- a/src/res/platform/unknown.xml
+++ b/src/res/platform/unknown.xml
@ -20,6 +20,8 @@
        <options_in_policy>False</options_in_policy>
        <supports_nat>False</supports_nat>
        <actions_in_nat>False</actions_in_nat>
+        <inbound_interface_in_nat>False</inbound_interface_in_nat>
+        <outbound_interface_in_nat>False</outbound_interface_in_nat>
        <supports_time>False</supports_time>
        <supports_accounting>False</supports_accounting>
        <security_levels>False</security_levels>
--- a/src/res/templates.xml
+++ b/src/res/templates.xml
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1270752748" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1270752748" id="root">
  <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
    <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>