rules". Fixes this and several other problems with policy and nat
rules that use cluster interfaces with dynamic addresses.
PolicyCompiler_ipt.cpp
NATCompiler_ipt.cpp
fixes#1234 When failover group object is used in the rule, rule
gets placed in FORWARD chain. Working implementation follows these
rules: 1) if cluster interface object is used in the rule, it is
expanded to the set of addresses including cluster virtual IP
address and all addresses of the corresponding member firewall
interface; 2) Failover Group is treated as any regular object
group. Expanding Failover group to the address of its
parent (cluster interface) would work but seems counter-intuitive
fixes#1175 "There is no option for unicast on conntrack
sync-group (like heartbeat)". User can now choose between multicast
and unicast for conntrackd communication.
"compiler/GUI crash compiling cluster NAT rule when cluster and
members have dynamic interface". It should be possible to have
cluster interface that is mapped to dynamic interfaces of the
member firewalls and then use this interface or whole cluster
object in rules. Compiler should expand cluster object and replace
it with its interfaces and corresponding interfaces of the member
firewall and then correctly handle dynamic ones.
fixes#1119 "add test for the integrity of failover cluster
groups". Compilers require all failover group objects to be
configured with interfaces of member firewalls.
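The expansion rules described in the entries above (cluster interface to virtual IP plus member interface addresses; failover group treated as a regular object group; whole cluster object replaced by its interfaces, with dynamic member interfaces handled separately) and the failover-group integrity check of fixes#1119, modeled as an added example. This is not Firewall Builder's code: the classes, function names and the sample cluster, firewalls and interfaces are invented for the illustration, and how a dynamic member interface is finally matched in the generated iptables rule is deliberately left out, since these entries do not specify it.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    owner: str                      # firewall or cluster object that owns it
    address: Optional[str] = None   # None: dynamic (e.g. DHCP), unknown at compile time
    # for a cluster interface: the member firewall interfaces it maps to
    members: List["Interface"] = field(default_factory=list)

    @property
    def dynamic(self) -> bool:
        return self.address is None

    @property
    def label(self) -> str:
        return f"{self.owner}:{self.name}"


@dataclass
class Cluster:
    name: str
    member_firewalls: List[str]
    interfaces: List[Interface]


@dataclass
class FailoverGroup:
    name: str
    members: List[Interface]        # must be interfaces of the member firewalls


def expand_cluster_interface(iface: Interface) -> Tuple[List[str], List[str]]:
    """Rule 1: a cluster interface used in a rule expands to the cluster
    virtual IP plus the addresses of the corresponding member interfaces.
    Dynamic member interfaces have no address at compile time, so they are
    returned separately by label; the caller has to emit per-interface
    matches for them (not modeled here)."""
    addresses: List[str] = []
    dynamic: List[str] = []
    if not iface.dynamic:
        addresses.append(iface.address)         # cluster virtual IP
    for member in iface.members:
        if member.dynamic:
            dynamic.append(member.label)
        else:
            addresses.append(member.address)
    return addresses, dynamic


def expand_cluster(cluster: Cluster) -> Tuple[List[str], List[str]]:
    """A whole cluster object in a rule is replaced by all of its interfaces,
    each expanded as above."""
    addresses: List[str] = []
    dynamic: List[str] = []
    for iface in cluster.interfaces:
        a, d = expand_cluster_interface(iface)
        addresses.extend(a)
        dynamic.extend(d)
    return addresses, dynamic


def expand_failover_group(group: FailoverGroup) -> Tuple[List[str], List[str]]:
    """Rule 2: a failover group is treated like any regular object group, i.e.
    only its member interfaces' addresses, not the parent cluster interface's
    virtual IP."""
    addresses = [m.address for m in group.members if not m.dynamic]
    dynamic = [m.label for m in group.members if m.dynamic]
    return addresses, dynamic


def failover_group_problems(group: FailoverGroup, cluster: Cluster) -> List[str]:
    """Integrity check in the spirit of fixes#1119: a failover group must be
    configured with interfaces of the cluster's member firewalls, one per
    member, and with nothing else."""
    problems: List[str] = []
    if not group.members:
        return [f"{group.name}: no member interfaces configured"]
    owners = [m.owner for m in group.members]
    missing = [fw for fw in cluster.member_firewalls if fw not in owners]
    foreign = sorted({o for o in owners if o not in cluster.member_firewalls})
    if missing:
        problems.append(f"{group.name}: no interface configured for member firewall(s) {missing}")
    if foreign:
        problems.append(f"{group.name}: interface(s) of non-member object(s) {foreign}")
    return problems


# Constructed sample: two-member cluster, eth0 static with a virtual IP,
# eth1 dynamic on both members (and therefore no virtual IP on the cluster).
FW1_ETH0 = Interface("eth0", "fw1", "192.0.2.2")
FW2_ETH0 = Interface("eth0", "fw2", "192.0.2.3")
FW1_ETH1 = Interface("eth1", "fw1")
FW2_ETH1 = Interface("eth1", "fw2")
CL_ETH0 = Interface("eth0", "cluster1", "192.0.2.1", [FW1_ETH0, FW2_ETH0])
CL_ETH1 = Interface("eth1", "cluster1", None, [FW1_ETH1, FW2_ETH1])
CLUSTER = Cluster("cluster1", ["fw1", "fw2"], [CL_ETH0, CL_ETH1])
GOOD_GROUP = FailoverGroup("carp0", [FW1_ETH0, FW2_ETH0])
BAD_GROUP = FailoverGroup("carp0", [FW1_ETH0])              # fw2 missing
FOREIGN_GROUP = FailoverGroup("carp1", [FW1_ETH0, FW2_ETH0,
                                        Interface("eth0", "fw3", "192.0.2.9")])

if __name__ == "__main__":
    print("cluster1:eth0 ->", expand_cluster_interface(CL_ETH0))
    print("cluster1:eth1 ->", expand_cluster_interface(CL_ETH1))
    print("carp0 (group) ->", expand_failover_group(GOOD_GROUP))
    for g in (GOOD_GROUP, BAD_GROUP, FOREIGN_GROUP):
        print(g.name, "problems:", failover_group_problems(g, CLUSTER))
```

The split return value makes the dynamic case explicit: the compiler can emit address matches for the static part and must fall back to interface-based matching for the labels, instead of crashing or silently dropping them as the entry above describes.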
really fixed#869 "compile rule" should also print the comment.
Printing rule comment in the compiler output in the single rule
compile mode when firewall object is configured to use
iptables-restore. Code that prints rule label and comment has been
unified for compilers for all firewall platforms.