fixed SF bug 3371301 "Error compiling with VLAN and

masquerade". Iptables NAT rules with vlan interface configured as "dynamic" and no ip address in Translated Source caused compiler crash.
2026-03-18 17:27:20 +01:00 · 2011-07-19 19:07:56 -07:00 · 2011-07-19 19:07:56 -07:00 · a47d102c30
commit a47d102c30
parent 739a76ffd0
4 changed files with 26 additions and 16 deletions
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,10 @@
+2011-07-19  vadim  <vadim@netcitadel.com>
+
+	* NATCompiler_ipt.cpp (processNext): fixed SF bug 3371301 "Error
+	compiling with VLAN and masquerade". Iptables NAT rules with vlan
+	interface configured as "dynamic" and no ip address in Translated
+	Source caused compiler crash.
+
 2011-07-18  theron	<theron@netcitadel.com>
 	* Fixed #2511: make sure auto-scroll of items in ObjectTreeView
 	works, otherwise it's impossible to move an item into a
--- a/src/iptlib/NATCompiler_ipt.cpp
+++ b/src/iptlib/NATCompiler_ipt.cpp
@ -877,14 +877,17 @@ bool NATCompiler_ipt::addVirtualAddress::processNext()
        cluster = Cluster::cast(
            compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id")));

-    Address *a=NULL;
+    Address *a = NULL;

    if (rule->getRuleType()==NATRule::SNAT || rule->getRuleType()==NATRule::DNAT) 
    {
        if (rule->getRuleType()==NATRule::SNAT)   
-            a=compiler->getFirstTSrc(rule);
+            a = compiler->getFirstTSrc(rule);
        else
-            a=compiler->getFirstODst(rule);
+            a = compiler->getFirstODst(rule);
+
+        Interface *iface = Interface::cast(a);
+        if (iface && ! iface->isRegular()) return true;

        if ( ! a->isAny() &&
             ! compiler->complexMatch(a, compiler->fw) &&
@ -894,7 +897,8 @@ bool NATCompiler_ipt::addVirtualAddress::processNext()
            {
                compiler->warning(
                        rule, 
-                        string("Adding of virtual address for address range is not implemented (object ") +
+                        string("Adding of virtual address for address range "
+                               "is not implemented (object ") +
                        a->getName() + ")" );
            } else
                compiler->osconfigurator->addVirtualAddressForNAT( a );
--- a/src/iptlib/OSConfigurator_linux24.cpp
+++ b/src/iptlib/OSConfigurator_linux24.cpp
@ -245,11 +245,13 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Network *nw)
 void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr)
 {
    FWOptions* options=fw->getOptionsObject();
-    if ( options->getBool("manage_virtual_addr") ) 
+    if ( options->getBool("manage_virtual_addr") )
    {
+        const InetAddr *addr_addr = addr->getAddressPtr();
+
        if (virtual_addresses.empty() || 
-            find(virtual_addresses.begin(),virtual_addresses.end(),
-                 *(addr->getAddressPtr())) == virtual_addresses.end()) 
+            find(virtual_addresses.begin(),
+                 virtual_addresses.end(), *addr_addr) == virtual_addresses.end())
        {
            FWObject *vaddr = findAddressFor(addr, fw );
            if (vaddr!=NULL)
@ -262,7 +264,7 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr)
                    Address::cast(vaddr)->getNetmaskPtr();

                addresses.push_back(QString("%1/%2").
-                                    arg(addr->getAddressPtr()->toString().c_str()).
+                                    arg(addr_addr->toString().c_str()).
                                    arg(vaddr_netm->getLength()));

                if (virtual_addresses_for_nat.count(iface->getName()) > 0)
@ -271,11 +273,10 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr)
                virtual_addresses_for_nat[iface->getName()] =
                    addresses.join(" ").toStdString();
        
-                virtual_addresses.push_back(*(addr->getAddressPtr()));
+                virtual_addresses.push_back(*(addr_addr));
                registerVirtualAddressForNat();
            } else
-                warning("Can not add virtual address for object " + 
-                        addr->getName() );
+                warning("Can not add virtual address for object " + addr->getName());
        }
        return;
    }
--- a/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig
+++ b/test/ipt/heartbeat_cluster_1_d_linux-2-d.fw.orig
@ -2,9 +2,9 @@
 #
 #  This is automatically generated file. DO NOT MODIFY !
 #
-#  Firewall Builder  fwb_ipt v5.0.0.3547
+#  Firewall Builder  fwb_ipt v5.0.0.3564
 #
-#  Generated Fri Jun  3 17:29:48 2011 PDT by vadim
+#  Generated Tue Jul 19 19:05:24 2011 PDT by vadim
 #
 # files: * heartbeat_cluster_1_d_linux-2-d.fw firewall.sh
 #
@ -19,8 +19,6 @@
 # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown.
 # heartbeat_cluster_1_d:Policy:7: error: Can not build rule using dynamic interface 'eth0' of the object 'linux-1-d' because its address in unknown.

-# linux-2-d::: warning: Can not add virtual address for object eth0
-

 FWBDEBUG=""

@ -751,7 +749,7 @@ test -z "$cmd" && {

 case "$cmd" in
    start)
-        log "Activating firewall script generated Fri Jun  3 17:29:48 2011 by vadim"
+        log "Activating firewall script generated Tue Jul 19 19:05:24 2011 by vadim"
        check_tools
         prolog_commands 
        check_run_time_address_table_files