
detect cluster interfaces in NAT rules and process accordingly

This commit is contained in:
Vadim Kurland 2009-10-22 19:48:43 +00:00
parent 023a9356ef
commit b5eff7ec40
4 changed files with 49 additions and 20 deletions


@ -1 +1 @@
#define BUILD_NUM 1630
#define BUILD_NUM 1632


@ -201,7 +201,6 @@ string CompilerDriver_ipt::run(const std::string &cluster_id,
list<FWObject*> all_nat = fw->getByType(NAT::TYPENAME);
int routing_rules_count = 0;
bool have_nat = false;
bool have_ipv6 = false;
// track chains in each table separately. Can we have the same


@ -40,10 +40,13 @@
#include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/TagService.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/Host.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/DNSName.h"
@ -2131,19 +2134,53 @@ bool NATCompiler_ipt::AssignInterface::processNext()
}
}
switch (rule->getRuleType()) {
switch (rule->getRuleType())
{
case NATRule::SNAT:
case NATRule::Masq:
{
Address* a=compiler->getFirstTSrc(rule);
Address* a = compiler->getFirstTSrc(rule);
Interface *iface = Interface::cast(a);
if ( (Interface::isA(a) || IPv4::isA(a)) && a->isChildOf(compiler->fw))
if (IPv4::isA(a) || IPv6::isA(a))
{
FWObject *p=a;
while ( ! Interface::isA(p) ) p=p->getParent();
rule->setInterfaceId( p->getId() );
tmp_queue.push_back(rule);
return true;
iface = Interface::cast(a->getParent());
}
if (iface)
{
if (Cluster::isA(iface->getParentHost()) &&
iface->isFailoverInterface())
{
FWObject *failover_group =
iface->getFirstByType(FailoverClusterGroup::TYPENAME);
if (failover_group)
{
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *fw_iface = Interface::cast(FWObjectReference::getObject(*it));
assert(fw_iface);
if (fw_iface->isChildOf(compiler->fw))
{
iface = fw_iface;
rule->setInterfaceId(iface->getId());
tmp_queue.push_back(rule);
return true;
}
}
}
} else
{
if (iface->isChildOf(compiler->fw))
{
rule->setInterfaceId(iface->getId());
tmp_queue.push_back(rule);
return true;
}
}
}
/* if we appear here, then TSrc is not an interface or address of an
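Review bot: `assert(fw_iface)` after `Interface::cast(FWObjectReference::getObject(*it))` is the only guard against a failover-group member that is not an Interface, and it is compiled out under NDEBUG, after which `fw_iface->isChildOf(compiler->fw)` dereferences a null pointer. The reference comes from the loaded object tree, not from a program invariant, so a malformed or hand-edited data file should be skipped rather than trusted: replace the assert with `if (!fw_iface) continue;`. Separately, the removed code walked `getParent()` upward until it found an Interface, while the new code only looks one level up from an IPv4/IPv6 address; if the object model ever nests an address deeper than directly under its interface, such a TSrc now falls through to the error path below. A short comment above the cluster branch, e.g. `// TSrc is a cluster failover interface: map it to this member firewall's interface via the failover group`, would help the next reader, since the mapping is not obvious from the code. The enclosing `AssignInterface::processNext` continues past the end of the hunk.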


@ -1783,18 +1783,11 @@
<ObjectRef ref="if-FW-firewall2-eth1"/>
<ObjectRef ref="if-FW-firewall2-eth1-ipv4"/>
<IPv4 id="id48995X39861" name="Address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id48792X29790"/>
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id48789X29790"/>
<ObjectRef ref="id48789X29790"/>
<Interface id="id48789X29790" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.200" comment="VLAN interface" ro="False">
<InterfaceOptions/>
</Interface>
<ObjectRef ref="sysid0"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@ -2981,7 +2974,7 @@
</ServiceGroup>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
<Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1251648535" lastInstalled="1142003872" lastModified="1247979693" platform="iptables" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
<Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1251648535" lastInstalled="1142003872" lastModified="1256238759" platform="iptables" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
<NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="nat-firewall2-0" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -44563,7 +44556,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
</Firewall>
<Firewall id="id48783X29790" host_OS="linux24" inactive="False" lastCompiled="1256067005" lastInstalled="0" lastModified="1256066997" platform="iptables" version="" name="firewall80" comment="Branch rules in NAT" ro="False">
<NAT id="id48857X29790" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id138652X29790" disabled="False" group="" position="0" action="Branch" comment="Branch rule with actual translation. Translation is ignored and warning should be issued">
<NATRule id="id138652X29790" disabled="False" group="" position="0" action="NATBranch" comment="Branch rule with actual translation. Translation is ignored and warning should be issued">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -44607,7 +44600,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="rule_name_accounting"></Option>
</NATRuleOptions>
</NATRule>
<NATRule id="id116180X29790" disabled="False" position="1" action="Branch" comment="DNAT Rule">
<NATRule id="id116180X29790" disabled="False" position="1" action="NATBranch" comment="DNAT Rule">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>