From b5eff7ec4037aac456e49903b99c974298e60134 Mon Sep 17 00:00:00 2001
From: Vadim Kurland <vadim@netcitadel.com>
Date: Thu, 22 Oct 2009 19:48:43 +0000
Subject: [PATCH] detect cluster interfaces in NAT rules and process
 accordingly

---
 build_num                                 |  2 +-
 src/iptlib/CompilerDriver_ipt_run.cpp     |  1 -
 src/iptlib/NATCompiler_ipt.cpp            | 53 +++++++++++++++++++----
 test/ipt/objects-for-regression-tests.fwb | 13 ++----
 4 files changed, 49 insertions(+), 20 deletions(-)

diff --git a/build_num b/build_num
index 512770896..e0074f2ea 100644
--- a/build_num
+++ b/build_num
@@ -1 +1 @@
-#define BUILD_NUM 1630
+#define BUILD_NUM 1632
diff --git a/src/iptlib/CompilerDriver_ipt_run.cpp b/src/iptlib/CompilerDriver_ipt_run.cpp
index efd9b1b23..5b5430eb3 100644
--- a/src/iptlib/CompilerDriver_ipt_run.cpp
+++ b/src/iptlib/CompilerDriver_ipt_run.cpp
@@ -201,7 +201,6 @@ string CompilerDriver_ipt::run(const std::string &cluster_id,
     list<FWObject*> all_nat = fw->getByType(NAT::TYPENAME);
 
     int routing_rules_count = 0;
-    bool have_nat = false;
     bool have_ipv6 = false;
 
     // track chains in each table separately. Can we have the same
diff --git a/src/iptlib/NATCompiler_ipt.cpp b/src/iptlib/NATCompiler_ipt.cpp
index e2feafb34..f3ae3c334 100644
--- a/src/iptlib/NATCompiler_ipt.cpp
+++ b/src/iptlib/NATCompiler_ipt.cpp
@@ -40,10 +40,13 @@
 #include "fwbuilder/UDPService.h"
 #include "fwbuilder/CustomService.h"
 #include "fwbuilder/TagService.h"
+#include "fwbuilder/Cluster.h"
 #include "fwbuilder/Host.h"
+#include "fwbuilder/FailoverClusterGroup.h"
 #include "fwbuilder/Network.h"
 #include "fwbuilder/Interface.h"
 #include "fwbuilder/IPv4.h"
+#include "fwbuilder/IPv6.h"
 #include "fwbuilder/Firewall.h"
 #include "fwbuilder/AddressTable.h"
 #include "fwbuilder/DNSName.h"
@@ -2131,19 +2134,53 @@ bool NATCompiler_ipt::AssignInterface::processNext()
         }
     }
 
-    switch (rule->getRuleType()) {
+    switch (rule->getRuleType())
+    {
     case NATRule::SNAT:
     case NATRule::Masq:
     {
-        Address* a=compiler->getFirstTSrc(rule);
+        Address* a = compiler->getFirstTSrc(rule);
+        Interface *iface = Interface::cast(a);
 
-        if ( (Interface::isA(a) || IPv4::isA(a)) && a->isChildOf(compiler->fw))
+        if (IPv4::isA(a) || IPv6::isA(a))
         {
-            FWObject *p=a;
-            while ( ! Interface::isA(p) ) p=p->getParent();
-            rule->setInterfaceId( p->getId() );
-            tmp_queue.push_back(rule);
-            return true;
+            iface = Interface::cast(a->getParent());
+        }
+
+        if (iface)
+        {
+            if (Cluster::isA(iface->getParentHost()) &&
+                iface->isFailoverInterface())
+            {
+                FWObject *failover_group =
+                    iface->getFirstByType(FailoverClusterGroup::TYPENAME);
+
+                if (failover_group)
+                {
+                    for (FWObjectTypedChildIterator it =
+                             failover_group->findByType(FWObjectReference::TYPENAME);
+                         it != it.end(); ++it)
+                    {
+                        Interface *fw_iface = Interface::cast(FWObjectReference::getObject(*it));
+                        assert(fw_iface);
+                        if (fw_iface->isChildOf(compiler->fw))
+                        {
+                            iface = fw_iface;
+                            rule->setInterfaceId(iface->getId());
+                            tmp_queue.push_back(rule);
+                            return true;
+                        }
+                    }
+                }
+            } else
+            {
+                if (iface->isChildOf(compiler->fw))
+                {
+                    rule->setInterfaceId(iface->getId());
+                    tmp_queue.push_back(rule);
+                    return true;
+                }
+            }
         }
 
 /* if we appear here, then TSrc is not an interface or address of an
diff --git a/test/ipt/objects-for-regression-tests.fwb b/test/ipt/objects-for-regression-tests.fwb
index 927a48aff..aa7f2dedd 100644
--- a/test/ipt/objects-for-regression-tests.fwb
+++ b/test/ipt/objects-for-regression-tests.fwb
@@ -1783,18 +1783,11 @@
     <ObjectRef ref="if-FW-firewall2-eth1"/>
     <ObjectRef ref="if-FW-firewall2-eth1-ipv4"/>
     <IPv4 id="id48995X39861" name="Address" comment="" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
-    <ObjectRef ref="sysid0"/>
-    <ObjectRef ref="sysid0"/>
     <ObjectRef ref="id48792X29790"/>
-    <ObjectRef ref="host-hostA"/>
-    <ObjectRef ref="sysid0"/>
-    <ObjectRef ref="sysid0"/>
-    <ObjectRef ref="id48789X29790"/>
     <ObjectRef ref="id48789X29790"/>
     <Interface id="id48789X29790" dyn="True" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0.200" comment="VLAN interface" ro="False">
       <InterfaceOptions/>
     </Interface>
-    <ObjectRef ref="sysid0"/>
   </Library>
   <Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
     <ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@@ -2981,7 +2974,7 @@
       </ServiceGroup>
     </ServiceGroup>
     <ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
-      <Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1251648535" lastInstalled="1142003872" lastModified="1247979693" platform="iptables" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
+      <Firewall id="fw-firewall2" host_OS="linux24" inactive="False" lastCompiled="1251648535" lastInstalled="1142003872" lastModified="1256238759" platform="iptables" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
         <NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <NATRule id="nat-firewall2-0" disabled="False" position="0" action="Translate" comment="">
             <OSrc neg="False">
@@ -44563,7 +44556,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
       </Firewall>
       <Firewall id="id48783X29790" host_OS="linux24" inactive="False" lastCompiled="1256067005" lastInstalled="0" lastModified="1256066997" platform="iptables" version="" name="firewall80" comment="Branch rules in NAT" ro="False">
         <NAT id="id48857X29790" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
-          <NATRule id="id138652X29790" disabled="False" group="" position="0" action="Branch" comment="Branch rule with actual translation. Translation is ignored and warning should be issued">
+          <NATRule id="id138652X29790" disabled="False" group="" position="0" action="NATBranch" comment="Branch rule with actual translation. Translation is ignored and warning should be issued">
             <OSrc neg="False">
               <ObjectRef ref="sysid0"/>
             </OSrc>
@@ -44607,7 +44600,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
               <Option name="rule_name_accounting"></Option>
             </NATRuleOptions>
           </NATRule>
-          <NATRule id="id116180X29790" disabled="False" position="1" action="Branch" comment="DNAT Rule">
+          <NATRule id="id116180X29790" disabled="False" position="1" action="NATBranch" comment="DNAT Rule">
             <OSrc neg="False">
               <ObjectRef ref="sysid0"/>
             </OSrc>