* Helper.cpp (Helper::findInterfaceByNetzone): fixes #1118

"fwb_pix uses wrong interface compiling the second cluster member". NAT compiler for PIX failed to find interface with correct network zone if interface was a child of another interface, e.g. vlan subinterface.
2026-05-02 07:07:32 +02:00 · 2010-01-20 19:12:39 +00:00 · 2010-01-20 19:12:39 +00:00 · 7bcd04bac3
commit 7bcd04bac3
parent 4e8a5f2d48
5 changed files with 42 additions and 27 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-#define BUILD_NUM 2395
+#define BUILD_NUM 2396
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,11 @@
 2010-01-20  vadim  <vadim@vk.crocodile.org>

+	* Helper.cpp (Helper::findInterfaceByNetzone): fixes #1118
+	"fwb_pix uses wrong interface compiling the second cluster
+	member".  NAT compiler for PIX failed to find interface with
+	correct network zone if interface was a child of another
+	interface, e.g. vlan subinterface.
+
 	* clusterMembersDialog.cpp (clusterMembersDialog::getSelectedMembers):
 	fixes #1117 "failover group member editor loses interfaces". If
 	failover group included vlan interfaces of the member firewalls,
--- a/src/cisco_lib/Helper.cpp
+++ b/src/cisco_lib/Helper.cpp
@ -117,19 +117,23 @@ int  Helper::findInterfaceByNetzone(Address *obj)

 int  Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
 {
-    Firewall *fw=compiler->fw;
+    Firewall *fw = compiler->fw;
    map<int,FWObject*> zones;
-    FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
-    for ( ; i!=i.end(); ++i)
+    list<FWObject*> l2 = fw->getByTypeDeep(Interface::TYPENAME);
+    for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
    {
+        Interface *iface = Interface::cast(*i);
+        if (iface->isDedicatedFailover()) continue;
+        if (iface->isUnprotected()) continue;
+
        // NOTE: "network_zone" is globally unique string ID
        int netzone_id =
-            FWObjectDatabase::getIntId((*i)->getStr("network_zone"));
+            FWObjectDatabase::getIntId(iface->getStr("network_zone"));

 #if 0
        FWObject *netzone = fw->getRoot()->findInIndex(netzone_id);
        cerr << "netzone_id=" << netzone_id
-             << "  " << (*i)->getStr("network_zone")
+             << "  " << iface->getStr("network_zone")
             << "  " << netzone->getName()
             << endl;
 #endif
@ -148,11 +152,11 @@ int  Helper::findInterfaceByNetzone(const InetAddr *addr) throw(string)
                if (addr==NULL)
                {
                    if ((*j)->getId()==FWObjectDatabase::ANY_ADDRESS_ID)
-                        return (*i)->getId(); // id of the interface
+                        return iface->getId(); // id of the interface
                } else
                {
                    if (Address::cast(*j)->belongs(*addr))
-                        zones[(*i)->getId()] = netzone;
+                        zones[iface->getId()] = netzone;
                }
            }
        }
--- a/src/cisco_lib/NATCompiler_pix.cpp
+++ b/src/cisco_lib/NATCompiler_pix.cpp
@ -440,22 +440,27 @@ bool NATCompiler_pix::VerifyRules::processNext()
 bool NATCompiler_pix::AssignInterface::processNext()
 {
    Helper helper(compiler);
-    NATRule *rule=getNext(); if (rule==NULL) return false;
+    NATRule *rule = getNext(); if (rule==NULL) return false;

-    Address  *a1=NULL;
-    Address  *a2=NULL;
+    Address  *a1 = NULL;
+    Address  *a2 = NULL;

-    if (rule->getRuleType()==NATRule::SNAT) {
-	a1=compiler->getFirstOSrc(rule);
-	a2=compiler->getFirstTSrc(rule);
+    if (rule->getRuleType()==NATRule::SNAT)
+    {
+	a1 = compiler->getFirstOSrc(rule);
+	a2 = compiler->getFirstTSrc(rule);
    }
-    if (rule->getRuleType()==NATRule::DNAT) {
-	a1=compiler->getFirstODst(rule);
-	a2=compiler->getFirstTDst(rule);
+
+    if (rule->getRuleType()==NATRule::DNAT)
+    {
+	a1 = compiler->getFirstODst(rule);
+	a2 = compiler->getFirstTDst(rule);
    }
-    if (rule->getRuleType()==NATRule::NONAT) {
-	a1=compiler->getFirstOSrc(rule);
-	a2=compiler->getFirstODst(rule);
+
+    if (rule->getRuleType()==NATRule::NONAT)
+    {
+	a1 = compiler->getFirstOSrc(rule);
+	a2 = compiler->getFirstODst(rule);
    }

    assert(a1!=NULL && a2!=NULL);
@ -463,16 +468,16 @@ bool NATCompiler_pix::AssignInterface::processNext()
    rule->setInt("nat_iface_orig", helper.findInterfaceByNetzone(a1));
    rule->setInt("nat_iface_trn",  helper.findInterfaceByNetzone(a2));

-    if ( rule->getInt("nat_iface_orig")==-1 ) 
+    if ( rule->getInt("nat_iface_orig")==-1 )
    {
 	compiler->abort(
            rule, 
-                "Object '" + a1->getName() + 
-                "' does not belong to any known network zone.");
+            "Object '" + a1->getName() + 
+            "' does not belong to any known network zone.");
        return true;
    }

-    if ( rule->getInt("nat_iface_trn")==-1 ) 
+    if ( rule->getInt("nat_iface_trn")==-1 )
    {
 	compiler->abort(
            rule, 
--- a/test/pix/cluster-tests.fwb
+++ b/test/pix/cluster-tests.fwb
@ -282,7 +282,7 @@
  </Library>
  <Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
    <ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
-      <Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1263972639" platform="pix" name="cluster1" comment="" ro="False">
+      <Cluster id="id2366X75741" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="0" lastModified="1264013073" platform="pix" name="cluster1" comment="" ro="False">
        <NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
            <OSrc neg="False">
@ -950,7 +950,7 @@
          <Option name="xlate_ss">0</Option>
        </FirewallOptions>
      </Firewall>
-      <Firewall id="id2930X39486" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="1261535268" lastModified="1258414396" platform="pix" version="7.0" name="pix2" comment="  " ro="False">
+      <Firewall id="id2930X39486" host_OS="pix_os" inactive="False" lastCompiled="1261535722" lastInstalled="1261535268" lastModified="1264013073" platform="pix" version="7.0" name="pix2" comment="  " ro="False">
        <NAT id="id2952X39486" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <RuleSetOptions/>
        </NAT>
@ -973,7 +973,7 @@
            <Option name="type">ethernet</Option>
          </InterfaceOptions>
          <Interface id="id2818X95537" dedicated_failover="False" dyn="False" label="outside" mgmt="False" network_zone="sysid0" security_level="0" unnum="False" unprotected="False" name="Ethernet0.101" comment="" ro="False">
-            <IPv4 id="id2826X97641" name="pix2:Ethernet0:ip" comment="" ro="False" address="192.0.2.254" netmask="255.255.255.0"/>
+            <IPv4 id="id2826X97641" name="pix2:Ethernet0:Ethernet0.101:ip" comment="" ro="False" address="192.0.2.254" netmask="255.255.255.0"/>
            <InterfaceOptions>
              <Option name="bonding_policy"></Option>
              <Option name="bondng_driver_options"></Option>