* PolicyCompiler_ipt.cpp (singleItfNegation::processNext): fixed

bug #2819901: "sub-optimal expansion of negated interface". Policy
rules with single interface object in "interface" rule element
with negation should generate iptables commands using "-i ! itf"
or "-o ! itf" rather than multiply the rule using all other
interfaces of the firewall. Note that for iptables v1.4.3 and
later, extrapositioned syntax is used, such as "! -i itf".

build_num

@@ -1 +1 @@
-#define BUILD_NUM 1153
+#define BUILD_NUM 1155

doc/ChangeLog

@@ -1,5 +1,13 @@
 2009-07-14  vadim  <vadim@vk.crocodile.org>
 
+	* PolicyCompiler_ipt.cpp (singleItfNegation::processNext): fixed
+	bug #2819901: "sub-optimal expansion of negated interface". Policy
+	rules with single interface object in "interface" rule element
+	with negation should generate iptables commands using "-i ! itf"
+	or "-o ! itf" rather than multiply the rule using all other
+	interfaces of the firewall. Note that for iptables v1.4.3 and
+	later, extrapositioned syntax is used, such as "! -i itf".
+
 	* PolicyCompiler_PrintRule.cpp, NATCompiler_PrintRule.cpp: fixed
 	bug #2821050: "loading new fw rules on iptables 1.4.3.2+ gives
 	warnings". starting with v1.4.3.1 iptables started giving warnings

src/ipt/PolicyCompiler_PrintRule.cpp

@@ -424,9 +424,11 @@ string PolicyCompiler_ipt::PrintRule::_printDirectionAndInterface(PolicyRule *ru
 {
     std::ostringstream ostr;
 
-    string       iface_name = rule->getInterfaceStr();
+    string iface_name = rule->getInterfaceStr();
     if (iface_name.empty() || iface_name=="nil" )   return "";
 
+    RuleElementItf *itfrel = rule->getItf();
+
 /* if interface name ends with '*', this is a wildcard
  * interface. Iptables supports wildcard interfaces but uses '+' as a
  * wildcard symbol */
@@ -449,10 +451,10 @@ string PolicyCompiler_ipt::PrintRule::_printDirectionAndInterface(PolicyRule *ru
     } else
     {
         if (rule->getDirection()==PolicyRule::Inbound)   
-            ostr << " -i "  << iface_name; 
+            ostr << _printSingleOptionWithNegation(" -i", itfrel, iface_name);
 
         if (rule->getDirection()==PolicyRule::Outbound)  
-            ostr << " -o "  << iface_name; 
+            ostr << _printSingleOptionWithNegation(" -o", itfrel, iface_name);
     }
 
 //    if (rule->getDirection()==PolicyRule::Both)      

src/ipt/PolicyCompiler_ipt.cpp

@@ -942,6 +942,26 @@ bool PolicyCompiler_ipt::printRuleElements::processNext()
     return true;
 }
 
+bool PolicyCompiler_ipt::singleItfNegation::processNext()
+{
+    PolicyRule *rule = getNext(); if (rule==NULL) return false;
+    RuleElementItf *itfrel = rule->getItf();
+
+    if (itfrel->getNeg() && itfrel->size()==1)
+    {
+        Interface *itf = compiler->getFirstItf(rule);
+        // note: itf can be NULL if object in this rule element is a group
+        if (itf!=NULL && itf->isChildOf(compiler->fw))
+        {
+            itfrel->setNeg(false);
+            itfrel->setBool("single_object_negation", true);
+        }
+    }
+
+    tmp_queue.push_back(rule);
+    return true;
+}
+
 bool PolicyCompiler_ipt::singleSrcNegation::processNext()
 {
     PolicyRule *rule = getNext(); if (rule==NULL) return false;
@@ -3992,6 +4012,7 @@ void PolicyCompiler_ipt::compile()
     //add( new setChainForMangle("set chain for other rules in mangle"));
 
     add( new Logging1("check global logging override option"));
+    add( new singleItfNegation("negation in Itf if it holds single object"));
     add( new ItfNegation("process negation in Itf"));
 
     add( new decideOnChainForClassify("set chain for action is Classify"));

src/ipt/PolicyCompiler_ipt.h

@@ -221,6 +221,11 @@ namespace fwcompiler {
 	 */
         DECLARE_POLICY_RULE_PROCESSOR(convertAnyToNotFWForShadowing);
 
+	/**
+	 * processes rules with negation in Itf if it holds only one object
+	 */
+        DECLARE_POLICY_RULE_PROCESSOR(singleItfNegation);
+
 	/**
 	 * processes rules with negation in Src if it holds only one object
 	 */