
synchronized with 2.1.16 on tag sync-12-14

Vadim Kurland 2007-12-28 08:31:28 +00:00
parent f6f86aee7f
commit 03b25ab430
16 changed files with 2500 additions and 1410 deletions


@ -1,3 +1,39 @@
2007-12-19 vadim <vadim@vk.crocodile.org>
* v2.1.16 release
2007-12-15 vadim <vadim@vk.crocodile.org>
* OSConfigurator_linux24.cpp
(OSConfigurator_linux24::printRunTimeWrappers):
fixed bug #1851166: "Installscript does not test for destination
ip address". The problem affected specific case of a firewall with
two (or more) interfaces that get their address dynamically and a
policy rule that has one such interface in source and another in
destination. Generated iptables script retrieves actual addresses
of both interfaces and assigns them to variables, then uses these
variables in actual iptables rules. Special check is provided in
case some interface did not obtain any ip address at a time of
execution of the script. Previously such test was only done for
one dynamic interface per rule. This change makes the script check
for both.
* ipt.cpp: bug #1850352: "Install script wrongly completes
successful". Storing exit status of iptables-restore so that
generated firewall script can return the same status after it
executes commands that set kernel parameters and runs user-defined
epilog code.
* PolicyCompiler_pf_writers.cpp (PrintRule::_printRouteOptions):
applied patch #1850357: "Add support fo load balancing with pf to
PolicyRule::Route" by Tom Judge (tomjudge@users.sourceforge.net)
that adds support for load balancing rules in PF. Extended the
patch adding support for address/netmask format of the next hop.
Added checks for illegal IP addresses and netmasks in the next
hop. Test cases for the PF load balancing rules are in
test/pf/objects-for-regression-tests.fwb, firewall object
firewall40-1.
2007-12-13 vadim <vadim@vk.crocodile.org>
* linux24.xml.in: working on bug #1850352: "Install script wrongly


@ -47,7 +47,9 @@ doc.files = AUTHORS \
ReleaseNotes_2.1.14.html \
ReleaseNotes_2.1.14.txt \
ReleaseNotes_2.1.15.html \
ReleaseNotes_2.1.15.txt
ReleaseNotes_2.1.15.txt \
ReleaseNotes_2.1.16.html \
ReleaseNotes_2.1.16.txt
doc.path = $$DOCDIR


@ -19,39 +19,46 @@ ${QMAKE} -o po/Makefile po/po.pro
if test -n "$CCACHE"; then
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/antlr/Makefile src/antlr/antlr.pro
test -d src/unit_tests && {
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/unit_tests/importer/Makefile \
src/unit_tests/importer/importer.pro
}
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/gui/Makefile src/gui/gui.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/fwblookup/Makefile src/fwblookup/fwblookup.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/fwbedit/Makefile src/fwbedit/fwbedit.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/ipt/Makefile src/ipt/ipt.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/pflib/Makefile src/pflib/pflib.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/pf/Makefile src/pf/pf.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/ipf/Makefile src/ipf/ipf.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/ipfw/Makefile src/ipfw/ipfw.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/antlr/Makefile src/antlr/antlr.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/parsers/Makefile src/parsers/parsers.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/gui/Makefile src/gui/gui.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/fwblookup/Makefile \
src/fwblookup/fwblookup.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/fwbedit/Makefile \
src/fwbedit/fwbedit.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/ipt/Makefile src/ipt/ipt.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/pflib/Makefile src/pflib/pflib.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/pf/Makefile src/pf/pf.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/ipf/Makefile src/ipf/ipf.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/ipfw/Makefile src/ipfw/ipfw.pro
test -d src/unit_tests && ${QMAKE} 'QMAKE_CXX=ccache g++' -o src/unit_tests/importer/Makefile \
src/unit_tests/importer/importer.pro
${QMAKE} 'QMAKE_CXX=ccache g++' -o src/parsers/Makefile \
src/parsers/parsers.pro
else
${QMAKE} -o src/antlr/Makefile src/antlr/antlr.pro
test -d src/unit_tests && {
${QMAKE} -o src/unit_tests/importer/Makefile \
src/unit_tests/importer/importer.pro
}
${QMAKE} -o src/gui/Makefile src/gui/gui.pro
${QMAKE} -o src/fwblookup/Makefile src/fwblookup/fwblookup.pro
${QMAKE} -o src/fwbedit/Makefile src/fwbedit/fwbedit.pro
${QMAKE} -o src/ipt/Makefile src/ipt/ipt.pro
${QMAKE} -o src/pflib/Makefile src/pflib/pflib.pro
${QMAKE} -o src/pf/Makefile src/pf/pf.pro
${QMAKE} -o src/ipf/Makefile src/ipf/ipf.pro
${QMAKE} -o src/ipfw/Makefile src/ipfw/ipfw.pro
${QMAKE} -o src/antlr/Makefile src/antlr/antlr.pro
${QMAKE} -o src/parsers/Makefile src/parsers/parsers.pro
${QMAKE} -o src/gui/Makefile src/gui/gui.pro
${QMAKE} -o src/fwblookup/Makefile src/fwblookup/fwblookup.pro
${QMAKE} -o src/fwbedit/Makefile src/fwbedit/fwbedit.pro
${QMAKE} -o src/ipt/Makefile src/ipt/ipt.pro
${QMAKE} -o src/pflib/Makefile src/pflib/pflib.pro
${QMAKE} -o src/pf/Makefile src/pf/pf.pro
${QMAKE} -o src/ipf/Makefile src/ipf/ipf.pro
${QMAKE} -o src/ipfw/Makefile src/ipfw/ipfw.pro
test -d src/unit_tests && ${QMAKE} -o src/unit_tests/importer/Makefile \
src/unit_tests/importer/importer.pro
${QMAKE} -o src/parsers/Makefile src/parsers/parsers.pro
fi
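Review bot: The ccache and non-ccache branches are hand-maintained copies that differ only in the `'QMAKE_CXX=ccache g++'` argument, and this change already shows them drifting: the new ccache branch lists `src/parsers/parsers.pro` at both L79 and L92, and the non-ccache branch at both L109 and L120, so if both lines are on the new side qmake is run twice for the same project. Nothing checks the exit status of any `${QMAKE}` call either, so a failed Makefile generation is only noticed when `make` later fails. A single project list driven by the ccache setting removes the duplication and gives one place to add that check.
```shell
if test -n "$CCACHE"; then
    QMAKE_CXX_ARG='QMAKE_CXX=ccache g++'
else
    QMAKE_CXX_ARG=''
fi
for d in antlr parsers gui fwblookup fwbedit ipt pflib pf ipf ipfw; do
    ${QMAKE} ${QMAKE_CXX_ARG:+"$QMAKE_CXX_ARG"} -o src/$d/Makefile src/$d/$d.pro || exit 1
done
test -d src/unit_tests && {
    ${QMAKE} ${QMAKE_CXX_ARG:+"$QMAKE_CXX_ARG"} -o src/unit_tests/importer/Makefile \
        src/unit_tests/importer/importer.pro || exit 1
}
```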


@ -249,6 +249,7 @@ void ActionsDialog::setRule(PolicyRule *r )
// build a map for combobox so visible combobox items can be localized
QStringList route_options = getRouteOptions_pf_ipf( platform.c_str() );
QStringList route_load_options = getRouteLoadOptions_pf( platform.c_str() );
// iptables
data.registerOption ( m_dialog->ipt_iif , ropt , "ipt_iif" );
@ -265,6 +266,7 @@ void ActionsDialog::setRule(PolicyRule *r )
// pf
data.registerOption ( m_dialog->pf_fastroute , ropt , "pf_fastroute" );
data.registerOption( m_dialog->pf_route_load_option , ropt , "pf_route_load_option", route_load_options );
data.registerOption ( m_dialog->pf_route_option , ropt , "pf_route_option",
route_options);
data.registerOption ( m_dialog->pf_route_opt_if , ropt , "pf_route_opt_if" );


@ -135,21 +135,30 @@ void SSHSession::startSession()
qDebug("SSHSession::startSession this=%p proc=%p heartBeatTimer=%p",
this,proc,heartBeatTimer);
connect(proc,SIGNAL(readyReadStandardOutput()), this, SLOT(readFromStdout() ) );
connect(proc,SIGNAL(readyReadStandardError()), this, SLOT(readFromStderr() ) );
connect(proc,SIGNAL(finished( int, QProcess::ExitStatus )), this, SLOT(finished( int ) ) );
connect(proc,SIGNAL(readyReadStandardOutput()),
this, SLOT(readFromStdout() ) );
connect(proc,SIGNAL(readyReadStandardError()),
this, SLOT(readFromStderr() ) );
connect(proc,SIGNAL(finished( int, QProcess::ExitStatus )),
this, SLOT(finished( int ) ) );
QTextCodec::setCodecForCStrings(QTextCodec::codecForName("latin1"));
QStringList arguments;
assert(args.size() > 0);
for (QStringList::const_iterator i=args.begin(); i!=args.end(); ++i)
QStringList arguments;
QStringList::const_iterator i=args.begin();
QString program = *i;
++i;
for ( ; i!=args.end(); ++i)
{
arguments << *i;
//proc->addArgument( *i );
cmd += *i;
}
QStringList env;
#ifdef _WIN32
@ -178,9 +187,15 @@ void SSHSession::startSession()
proc->setEnvironment(env);
assert(arguments.size() > 0); //i suppose first argument is the program to start
QString program = arguments[0]; //if it isn't so, we'll fail here
if (fwbdebug)
{
qDebug("Launch external ssh client %s", program.toAscii().constData());
qDebug("Arguments:");
QStringList::const_iterator i;
for (i=arguments.begin(); i!=arguments.end(); ++i)
qDebug(" %s", (*i).toAscii().constData());
}
proc->start(program, arguments);
if ( !proc->waitForStarted() )
@ -201,7 +216,9 @@ void SSHSession::startSession()
SSHSession::~SSHSession()
{
if (fwbdebug) qDebug("SSHSession::destructor");
terminate();
if (fwbdebug) qDebug("SSHSession::destructor done");
}
/*
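Review bot: `assert(args.size() > 0)` at L155 is the only thing standing between an empty argument list and `QString program = *i` at L159 dereferencing `args.end()`; asserts are compiled out in release builds, so this should be a runtime check that reports the failure through the same path as the `waitForStarted()` failure at L182 instead of silently reading past the list. Separately, the new debug block at L173-L180 writes the complete ssh command line to the log; nothing in the hunk shows a credential being passed as an argument, but if any caller ever does (rather than via stdin) it would land in the debug output, so a comment such as `// NOTE: arguments are logged verbatim in debug mode; never pass secrets on the command line` at the dump would make that contract explicit. `startSession` begins and ends outside the hunk.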


@ -71,6 +71,7 @@ SSHUnx::SSHUnx(QWidget *_par,
iptables_errors.push_back("'iptables --help' for more information.");
iptables_errors.push_back("'iptables-restore --help' for more information.");
iptables_errors.push_back("iptables-restore: line .* failed");
}
SSHUnx::~SSHUnx()
@ -87,7 +88,7 @@ bool SSHUnx::checkForErrors(QStringList *errptr)
if (fwbdebug)
qDebug(QString("SSHUnx::stateMachine: error='%1'").arg(*i).toAscii().constData());
if ( stdoutBuffer.lastIndexOf(*i,-1)!=-1 )
if ( stdoutBuffer.lastIndexOf(QRegExp(*i),-1)!=-1 )
{
if (fwbdebug)
qDebug("SSHUnx::stateMachine: MATCH. Error detected.");
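Review bot: Switching `lastIndexOf` to a `QRegExp` at L204 reinterprets every entry of `iptables_errors` as a pattern, not only the new `iptables-restore: line .* failed` one; the existing entries were added as literal substrings, and any of them containing regex metacharacters (parentheses, brackets, `+`, `?`, `|`) will stop matching or match something else, and a pattern that no longer matches means a failed install is reported as success, the same class of problem as bug #1850352. Either escape the literal entries when they are pushed, e.g. `iptables_errors.push_back(QRegExp::escape("'iptables-restore --help' for more information."));`, or keep the list as `QList<QRegExp>` built once in the constructor, which also avoids rebuilding a `QRegExp` from the string on every scan of every stdout buffer. `checkForErrors` starts above the hunk and the entries it iterates over are only partly visible here.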



@ -103,8 +103,21 @@ instDialog::instDialog(QWidget* p, BatchOperation op, t_fwSet reqFirewalls_) : Q
pendingLogLine = "";
rejectDialogFlag=false;
/* object proc is used to launch policy compilers as background
* processes. SSH sessions in installers are controlled by class
* SSHSession (and classes derived from it). This leads to some
* duplication, such as all the apparatus for reading from stdout
* of the background process is duplicated in SSHSession and here.
*
* The same object is also used to launch custom installer scripts.
*
* TODO(vadim): need to move everything that deals with compiler
* process into its own class CompilerSession derived from
* SSHSession. Perhaps also rename SSHSession to BackgroundSession
* or something.
*/
connect(&proc, SIGNAL(readyReadStandardOutput()), this, SLOT(readFromStdout()) );
//connect(&proc, SIGNAL(readyReadStandardError()), this, SLOT(readFromStderr()) );
connect(&proc, SIGNAL(finished(int,QProcess::ExitStatus)), this, SLOT(processExited(int)) );
proc.setProcessChannelMode(QProcess::MergedChannels);
@ -119,7 +132,7 @@ instDialog::instDialog(QWidget* p, BatchOperation op, t_fwSet reqFirewalls_) : Q
findFirewalls();
if (firewalls.size()==0)
{
setTitle( pageCount()-1, tr("There is no firewalls to process.") );
setTitle( pageCount()-1, tr("There are no firewalls to process.") );
for (int i=0;i<pageCount()-1;i++)
{
setAppropriate(i,false);
@ -262,7 +275,7 @@ void instDialog::prepareInstallerOptions()
{
if (fwbdebug) qDebug("instDialog::prepareInstallerOptions");
ready=false;
activationCommandDone=false;
activationCommandDone = false;
FWOptions *fwopt = cnf.fwobj->getOptionsObject();
fwb_prompt="--**--**--";
@ -855,7 +868,8 @@ bool instDialog::doInstallPage(Firewall* f)
#else
args.push_back(argv0.c_str());
args.push_back("-X"); // fwbuilder works as ssh wrapper
// args.push_back("-d");
//if (fwbdebug)
// args.push_back("-d");
args.push_back("-t");
args.push_back("-t");
@ -967,10 +981,36 @@ bool instDialog::doInstallPage(Firewall* f)
return true;
}
/* reset ssh session to continue the same installation process, such as
* when we need to copy several files to the firewall
*/
void instDialog::resetInstallSSHSession()
{
if (fwbdebug) qDebug("instDialog::resetInstallSSHSession");
if (session!=NULL)
QTimer::singleShot( 0, this, SLOT(stopSessionAndDisconnectSignals()));
activationCommandDone = false;
if (fwbdebug) qDebug("instDialog::resetInstallSSHSession done");
}
/* instDialog::stopSessionAndDisconnectSignals runs when we have no
* other events in the events queue. This is necessary because call to
* instDialog::finishInstall can come from inside the state machine
* (e.g. when error was detected). This means we are trying to
* terminate working session right in the middle, when there could be
* some more output from its stdout to be collected. To avoid race
* conditions with events that have not been processed, we schedule
* all termination and clean-up operations so they will be done at
* idle time when there are no events in the queue
*/
void instDialog::stopSessionAndDisconnectSignals()
{
if (fwbdebug)
qDebug("instDialog::stopSessionAndDisconnectSignals()");
if (session!=NULL)
{
disconnect(session,SIGNAL(printStdout_sign(const QString&)),
@ -991,7 +1031,8 @@ void instDialog::resetInstallSSHSession()
session=NULL;
}
activationCommandDone=false;
if (fwbdebug)
qDebug("instDialog::stopSessionAndDisconnectSignals() done");
}
/*
@ -1129,7 +1170,9 @@ void instDialog::initiateCopy(const QString &file)
#else
args.push_back(argv0.c_str());
args.push_back("-X"); // fwbuilder works as ssh wrapper
// if (fwbdebug>1) args.push_back("-d");
//if (fwbdebug)
// args.push_back("-d");
// args.push_back("-t");
// args.push_back("-t");
#endif
@ -1249,31 +1292,26 @@ void instDialog::finishInstall(bool success)
if(opListIterator!=opList.end() && m_dialog->batchInstall->isChecked() && !stopProcessFlag)
{
installSelected();
// installSelected();
QTimer::singleShot( 0, this, SLOT(installSelected()));
return;
}
setNextEnabled( 1, true);
}
/*
* continueRun is called via idle event handler after the session object
* is destroyed in stopSessionAndDisconnectSignals.
*
* Various methods call resetInstallSSHSession, which schedules call
* to stopSessionAndDisconnectSignals. installerFinished() also
* schedules call to continueRun() right after that. So continueRun()
* is always called when we have no active session object.
*/
void instDialog::continueRun()
{
if (fwbdebug) qDebug("instDialog::continueRun");
if (session)
{
if (session->getErrorStatus())
{
if (fwbdebug) qDebug("session error");
addToLog( tr("Fatal error, terminating install sequence\n") );
finishInstall(false);
//setFinishEnabled( page(1), true );
return;
}
delete session;
session=NULL;
}
if (activationCommandDone)
{
if (fwbdebug) qDebug("activationCommandDone");
@ -1314,6 +1352,8 @@ void instDialog::continueRun()
#else
args.push_back(argv0.c_str());
args.push_back("-X"); // fwbuilder works as ssh wrapper
//if (fwbdebug)
// args.push_back("-d");
args.push_back("-t");
args.push_back("-t");
#endif
@ -1344,7 +1384,7 @@ void instDialog::continueRun()
if (cnf.verbose) displayCommand(args);
activationCommandDone=true;
activationCommandDone = true;
runSSH( new SSHUnx(this,
cnf.fwobj->getName().c_str(),
@ -1400,29 +1440,9 @@ void instDialog::finishClicked()
void instDialog::cancelClicked()
{
if (fwbdebug) qDebug("instDialog::cancelClicked()");
if (session!=NULL)
{
if (fwbdebug)
qDebug("instDialog::reject() killing ssh session");
disconnect(session,SIGNAL(printStdout_sign(const QString&)),
this,SLOT(append(const QString&)));
disconnect(session,SIGNAL(sessionFinished_sign()),
this,SLOT(installerFinished()));
disconnect(session,SIGNAL(sessionFatalError_sign()),
this,SLOT(installerError()));
disconnect(session,SIGNAL(updateProgressBar_sign(int,bool)),
this,SLOT(updateProgressBar(int,bool)));
session->terminate();
delete session;
session=NULL;
}
stopSessionAndDisconnectSignals();
// What is this? Do we need this? This code is not present in 2.1.16.
if (proc.state() == QProcess::Running)
{
rejectDialogFlag = true;
@ -1885,25 +1905,22 @@ void instDialog::installerError()
addToLog( tr("Error: Terminating install sequence\n") );
finishInstall(false);
resetInstallSSHSession();
//setFinishEnabled( page(1), true );
if (session) delete session;
session=NULL;
// session object is destroyed in stopSessionAndDisconnectSignals()
QTimer::singleShot( 0, this, SLOT(stopSessionAndDisconnectSignals()));
}
void instDialog::installerFinished()
{
if( fwbdebug) qDebug("instDialog::installerFinished");
if (session->getErrorStatus())
{
installerError();
else
{
// session object is destroyed in stopSessionAndDisconnectSignals()
QTimer::singleShot( 0, this, SLOT(stopSessionAndDisconnectSignals()));
}
if (session) delete session;
session=NULL;
QTimer::singleShot( 0, this, SLOT(continueRun()) );
}
@ -1944,7 +1961,7 @@ void instDialog::processExited(int res)
if (opListIterator!=opList.end() && m_dialog->batchInstall->isChecked() && !stopProcessFlag)
{
installSelected();
QTimer::singleShot( 0, this, SLOT(installSelected()));
}
else
{
@ -2021,7 +2038,8 @@ void instDialog::processExited(int res)
}
++opListIterator;
}
if (currentFirewallsBar) currentFirewallsBar->setValue(currentFirewallsBar->maximum());
if (currentFirewallsBar)
currentFirewallsBar->setValue(currentFirewallsBar->maximum());
if (currentStopButton)
{
@ -2235,20 +2253,19 @@ bool instDialog::runInstall(Firewall *fw)
if (fwbdebug) qDebug("custom script");
summary();
addToLog( args.join(" ") );
addToLog(args.join(" "));
QString path = args[0];
args.pop_front();
proc.start(path, args);
if ( !proc.waitForStarted() )
if (!proc.waitForStarted())
{
addToLog( tr("Error: Failed to start program") );
return false;
}
args.push_front(path); //return to previous state
}
else
{
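Review bot: `continueRun()` lost its `session->getErrorStatus()` guard (the removed block at L330-L342), yet `installerFinished()` at L396-L409 still schedules `continueRun()` unconditionally after calling `installerError()`; unless `finishInstall(false)` sets a flag that the part of `continueRun()` outside this hunk checks, a failed file copy is followed by the activation command built at L346-L360, which would activate whatever partial script reached the firewall. The smallest fix is not to schedule the continuation on the error path, `if (session->getErrorStatus()) { installerError(); return; }`, noting that `installerError()` already schedules `stopSessionAndDisconnectSignals()` once through `resetInstallSSHSession()` at L389 and again directly at L394, so one of those is redundant. `installerFinished()` also dereferences `session` at L399 without the null check the old code kept before `delete`, so a late signal after the session was torn down would crash. The dev note at L382 (`What is this? Do we need this?`) should be resolved or turned into a `TODO(vadim)` before this lands.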


@ -151,7 +151,6 @@ class instDialog : public QDialog, public FakeWizard
bool testFirewall(libfwbuilder::Firewall*);
void finishInstall(bool success=true);
void fillInstallOpList();
void installSelected();
void initInstall();
void analyseInstallQueue(bool &fPix, bool &fCustInst);
libfwbuilder::Firewall *findFirewallbyListItem(QTreeWidgetItem* item);
@ -193,19 +192,20 @@ protected:
QString getFullPath(instConf &cnf, const QString &file );
protected slots:
void processExited(int code);
void installerFinished();
void installerError();
void showPage(const int page);
void processExited(int code);
void installerFinished();
void installerError();
void installSelected();
void showPage(const int page);
void finishClicked();
void cancelClicked();
void finishClicked();
void cancelClicked();
void testRunRequested();
void testRunRequested();
void append(const QString &line);
void appendRich(const QString &line);
void updateProgressBar(int n,bool setsize);
void append(const QString &line);
void appendRich(const QString &line);
void updateProgressBar(int n,bool setsize);
void continueRun();
virtual void saveLog();
@ -219,6 +219,7 @@ protected:
virtual void nextClicked();
virtual void backClicked();
void stopSessionAndDisconnectSignals();
void compileSelected();
void stopCompile();
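Review bot: `stopSessionAndDisconnectSignals()` at L486 is added in a section the hunk header labels only `protected:`, while instDialog.cpp invokes it through `QTimer::singleShot(0, this, SLOT(stopSessionAndDisconnectSignals()))`; with Qt's string-based connections the method must sit under a `slots:` label and be processed by moc, otherwise the `singleShot` fails at runtime with a "No such slot" warning and the SSH session is never torn down. The neighbouring `nextClicked()`/`compileSelected()` entries may already be in a `protected slots:` section that starts above the hunk, so this is worth confirming rather than assuming; if it is plain `protected:`, move the declaration next to `continueRun()` in the `protected slots:` block at L459-L481. `installSelected()` was moved into that block at L467 for exactly this reason.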


@ -372,16 +372,17 @@ int main( int argc, char ** argv )
i=1;
j=1;
for ( ; argv[i]!=NULL; i++)
//for ( ; argv[i]!=NULL; i++)
for ( ; i<argc; i++)
{
if (strncmp(argv[i], "-X", 2)==0) { ssh_wrapper=true; continue; }
else
if (strncmp(argv[i], "-d", 2)==0) { fwbdebug++; continue; }
else
arg[j]=strdup(argv[i]);
arg[j] = strdup(argv[i]);
j++;
}
arg[j]=NULL;
arg[j] = NULL;
if (ssh_wrapper)
{
@ -415,8 +416,15 @@ int main( int argc, char ** argv )
arg[0]=strdup( sshcmd.toLatin1().constData() );
if (fwbdebug)
{
qDebug("cmd: %s",arg[0]);
qDebug("Arguments:");
for (const char **cptr = arg; *cptr!=NULL; cptr++)
{
qDebug(" %s", *cptr);
cptr++;
}
}
/* forks ssh with a pty and proxies its communication on stdin/stdout
* to avoid having to deal with pty. This is only needed on Unix.
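Review bot: The debug dump at L517-L521 advances `cptr` twice per iteration, once in the `for` header and once in the body, so every other argument is skipped and, whenever `arg` holds an odd number of entries before its NULL terminator, the loop steps over the terminator and reads past the end of the array. Drop the body increment: `for (const char **cptr = arg; *cptr!=NULL; cptr++) qDebug(" %s", *cptr);`. The change from `argv[i]!=NULL` to `i<argc` at L497 is fine since both are guaranteed by the C runtime, but `arg[j]` is still filled without any visible bound on `j`, so the size of `arg` relative to `argc` should be confirmed where it is declared above the hunk. `main()` starts and ends outside the hunk.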


@ -49,6 +49,7 @@ QStringList logLevels;
QStringList logFacilities;
QStringList actionsOnReject;
QStringList routeOptions_pf_ipf;
QStringList routeLoadOptions_pf;
QStringList prologPlaces_ipt;
QStringList prologPlaces_pf;
QStringList limitSuffixes;
@ -135,6 +136,8 @@ void init_platforms()
actionsOnReject.push_back(QObject::tr("TCP RST"));
actionsOnReject.push_back("TCP RST");
routeOptions_pf_ipf.push_back(QObject::tr("None"));
routeOptions_pf_ipf.push_back("none");
routeOptions_pf_ipf.push_back(QObject::tr("Route through"));
routeOptions_pf_ipf.push_back("route_through");
routeOptions_pf_ipf.push_back(QObject::tr("Route reply through"));
@ -142,6 +145,15 @@ void init_platforms()
routeOptions_pf_ipf.push_back(QObject::tr("Route a copy through"));
routeOptions_pf_ipf.push_back("route_copy_through");
routeLoadOptions_pf.push_back(QObject::tr("None"));
routeLoadOptions_pf.push_back("none");
routeLoadOptions_pf.push_back(QObject::tr("Random"));
routeLoadOptions_pf.push_back("random");
routeLoadOptions_pf.push_back(QObject::tr("Source Hash"));
routeLoadOptions_pf.push_back("source_hash");
routeLoadOptions_pf.push_back(QObject::tr("Round Robin"));
routeLoadOptions_pf.push_back("round_robin");
prologPlaces_ipt.push_back(QObject::tr("on top of the script"));
prologPlaces_ipt.push_back("top");
prologPlaces_ipt.push_back(QObject::tr("after interface configuration"));
@ -460,6 +472,11 @@ const QStringList& getRouteOptions_pf_ipf(const QString &platform)
return routeOptions_pf_ipf;
}
const QStringList& getRouteLoadOptions_pf(const QString &platform)
{
return routeLoadOptions_pf;
}
const QStringList& getPrologPlaces(const QString &platform)
{
if (platform=="pf")


@ -53,6 +53,7 @@ bool isDefaultPolicyRuleOptions(libfwbuilder::FWOptions *opt);
bool isDefaultNATRuleOptions(libfwbuilder::FWOptions *opt);
bool isDefaultRoutingRuleOptions(libfwbuilder::FWOptions *opt);
// using list of pairs instead of a map or QMap because maps are dictionaries
// and do not preserve order of elements
std::list<QStringPair> getVersionsForPlatform(const QString &platform);
@ -83,6 +84,8 @@ const QStringList& getActionsOnReject(const QString &platform);
*/
const QStringList& getRouteOptions_pf_ipf(const QString &platform);
const QStringList& getRouteLoadOptions_pf(const QString &platform);
/**
* returns a list of Prolog places (mapping list)
*/


@ -641,7 +641,6 @@ string OSConfigurator_linux24::printRunTimeWrappers(FWObject *rule,
const string &command)
{
string command_line = command;
ostringstream res;
ostringstream ext_command_line;
int nlines = 0;
@ -674,41 +673,62 @@ string OSConfigurator_linux24::printRunTimeWrappers(FWObject *rule,
}
/* if anywhere in command_line we used variable holding an address of
* dynamic interface (named $i_something) then we need to add
* this command with a check for the value of this variable. We execute
* dynamic interface (named $i_something) then we need to add this
* command with a check for the value of this variable. We execute
* iptables command only if the value is a non-empty string.
*
* bug #1851166: there could be two dynamic interfaces in the same
* rule.
*/
if (command_line.find("$i_")==string::npos) return command_line;
p1=command_line.find("$i_");
string iface_name;
string iface_var;
if ( p1==string::npos ) return command_line;
ostringstream res;
bool wildcard_interfaces = false;
p1=0;
while ((p1=command_line.find("$i_", p1))!=string::npos)
{
string iface_name;
string iface_var;
p2=command_line.find(" ",p1);
p3=command_line.find("_",p1) +1;
iface_name=command_line.substr(p3,p2-p3);
iface_var= command_line.substr(p1,p2-p1);
p2=command_line.find(" ",p1);
p3=command_line.find("_",p1) +1;
iface_name=command_line.substr(p3,p2-p3);
iface_var= command_line.substr(p1,p2-p1);
/* if interface name ends with '*', this is a wildcard interface. */
string::size_type p4;
if ((p4=iface_name.find("*"))!=string::npos)
string::size_type p4;
if ((p4=iface_name.find("*"))!=string::npos)
{
wildcard_interfaces = true;
string cmdline=command_line;
string iface_family_name=iface_name.substr(0,p4);
res << "getinterfaces " << iface_family_name << " | while read I; do" << endl;
res << " ivar=`getInterfaceVarName $I`" << endl;
res << " getaddr $I $ivar" << endl;
res << " cmd=\"$\"$ivar" << endl;
res << " eval \"addr=$cmd\"" << endl;
cmdline.replace(p1,p2-p1,"$addr");
res << " test -n \"$addr\" && ";
if (nlines>1) res << "{" << endl;
res << cmdline;
if (nlines>1) res << "}" << endl;
res << "done" << endl;
} else
{
// bug #1851166: there could be two dynamic interfaces in
// the same rule. Just print "test" command here and continue
// in the "while" loop. We'll print actual commands when the loop
// ends.
res << "test -n \"" << iface_var << "\" && ";
}
p1++; // p1 points at the previous "$i_" fragment
}
// for wildcard interfaces we only support one such interface
// per rule and we have already printed the actual command above.
if (!wildcard_interfaces)
{
string cmdline=command_line;
string iface_family_name=iface_name.substr(0,p4);
res << "getinterfaces " << iface_family_name << " | while read I; do" << endl;
res << " ivar=`getInterfaceVarName $I`" << endl;
res << " getaddr $I $ivar" << endl;
res << " cmd=\"$\"$ivar" << endl;
res << " eval \"addr=$cmd\"" << endl;
cmdline.replace(p1,p2-p1,"$addr");
res << " test -n \"$addr\" && ";
if (nlines>1) res << "{" << endl;
res << cmdline;
if (nlines>1) res << "}" << endl;
res << "done" << endl;
} else
{
res << "test -n \"" << iface_var << "\" && ";
if (nlines>1) res << "{" << endl;
res << command_line;
if (nlines>1) res << "}" << endl;
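Review bot: The wildcard branch at L630-L646 prints the complete guarded command, `done` included, as soon as it meets the wildcard variable, but the `while` loop keeps scanning `command_line`; if the same rule also references a plain dynamic interface after the wildcard one, the `else` branch at L652 appends `test -n "$i_x" && ` after `done` with no command behind it, so the guard attaches to whatever the caller writes next into the script (the final block at L658 is skipped because `wildcard_interfaces` is set). If the plain interface happens to come first the output is valid shell, so the operand order in the rule decides whether the generated script is correct. The comment at L656 says only one wildcard interface per rule is supported; make that true by rejecting a rule that mixes a wildcard dynamic interface with any other `$i_` variable through the compiler's usual abort path instead of emitting broken output. `printRunTimeWrappers` continues past the end of the hunk.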


@ -594,65 +594,33 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
if (options->getBool("use_iptables_restore"))
{
if (have_dynamic_interfaces)
script << "(" << endl;
script << c.flushAndSetDefaultPolicy();
if (prolog_place == "after_flush")
{
script << "(" << endl;
script << c.flushAndSetDefaultPolicy();
if (prolog_place == "after_flush")
{
script << addPrologScript(nocomm,
fw->getOptionsObject()->getStr("prolog_script"));
}
script << c.getCompiledScript();
script << c.commit();
if (m.getCompiledScriptLength()>0)
{
script << m.flushAndSetDefaultPolicy();
script << m.getCompiledScript();
script << m.commit();
}
if (n.getCompiledScriptLength()>0)
{
script << n.flushAndSetDefaultPolicy();
script << n.getCompiledScript();
script << n.commit();
}
script << "#" << endl;
script << ") | $IPTABLES_RESTORE" << endl;
} else
{
script << "cat << EOF | $IPTABLES_RESTORE" << endl;
script << c.flushAndSetDefaultPolicy();
if (prolog_place == "after_flush")
{
script << addPrologScript(nocomm,
fw->getOptionsObject()->getStr("prolog_script"));
}
script << c.getCompiledScript();
script << c.commit();
if (m.getCompiledScriptLength()>0)
{
script << m.flushAndSetDefaultPolicy();
script << m.getCompiledScript();
script << m.commit();
}
if (n.getCompiledScriptLength()>0)
{
script << n.flushAndSetDefaultPolicy();
script << n.getCompiledScript();
script << n.commit();
}
script << "#" << endl;
script << "EOF" << endl;
script << addPrologScript(nocomm,
fw->getOptionsObject()->getStr("prolog_script"));
}
script << c.getCompiledScript();
script << c.commit();
if (m.getCompiledScriptLength()>0)
{
script << m.flushAndSetDefaultPolicy();
script << m.getCompiledScript();
script << m.commit();
}
if (n.getCompiledScriptLength()>0)
{
script << n.flushAndSetDefaultPolicy();
script << n.getCompiledScript();
script << n.commit();
}
script << "#" << endl;
script << ") | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$?" << endl;
} else
{
@ -709,52 +677,15 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
script << "#" << endl;
}
script << endl;
if (options->getBool("use_iptables_restore"))
script << "exit $IPTABLES_RESTORE_RES";
script << endl;
string sbuf = script.str();
/* starting with 2.0.3 we copy script to linksys using scp and do not
* need to escape double quotes and '$' anymore
*/
#if 0
if ( Resources::getTargetOptionBool(fw->getStr("host_OS"),
"escape_everything") )
{
/* need to escape single and double quotes, as well as '$' in the script */
string::size_type i;
i = 0;
while ( (i=sbuf.find('\"',i))!=string::npos )
{
sbuf.replace(i,1,"\\\"");
i+=2;
}
i = 0;
while ( (i=sbuf.find('\'',i))!=string::npos )
{
sbuf.replace(i,1,"\\\'");
i+=2;
}
i = 0;
while ( (i=sbuf.find('`',i))!=string::npos )
{
sbuf.replace(i,1,"\\`");
i+=2;
}
i = 0;
while ( (i=sbuf.find('$',i))!=string::npos )
{
sbuf.replace(i,1,"\\$");
i+=2;
}
}
#endif
ofstream fw_file;
fw_file.exceptions(ofstream::eofbit|ofstream::failbit|ofstream::badbit);
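Review bot: `exit $IPTABLES_RESTORE_RES` at L763-L764 is emitted only in iptables-restore mode, so in the plain `$IPTABLES` mode the script's exit status still comes from whatever ran last (the epilog), and bug #1850352 stays open for that mode unless the branch outside this hunk tracks command failures itself. In restore mode the status variable lives in the same shell as the user-defined epilog that runs between L756 and the exit, so an epilog that sets or unsets `IPTABLES_RESTORE_RES` silently changes what the installer sees; the generated script should at least say so, e.g. emit `# IPTABLES_RESTORE_RES holds the iptables-restore exit status and is returned by this script; do not modify it in the epilog` right after the pipeline. Collapsing the heredoc and subshell forms into one `( ... ) | $IPTABLES_RESTORE` pipeline is sound, since `$?` after a pipeline is the status of its last command. The enclosing function starts and ends outside the hunk.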


@ -134,34 +134,137 @@ void PolicyCompiler_pf::PrintRule::_printRouteOptions(PolicyRule *rule)
if (rule->getAction() == PolicyRule::Route)
{
if (ruleopt->getBool("pf_fastroute"))
string prefix = "pf";
if (compiler->myPlatformName()=="ipf")
prefix="ipf";
string ro = ruleopt->getStr(prefix+"_route_option");
if (ruleopt->getBool("pf_fastroute") && ro != "none")
{
compiler->abort("Cannot use fastroute and route method in same rule they are mutually exclusive in rule "+rule->getLabel());
} else if (ruleopt->getBool("pf_fastroute") && ro == "none" ) {
compiler->output << "fastroute ";
} else {
string roif = ruleopt->getStr(prefix+"_route_opt_if");
string roaddr_list = ruleopt->getStr(prefix+"_route_opt_addr");
string roload = ruleopt->getStr("pf_route_load_option");
if (!ro.empty())
{
if (roif.empty())
compiler->abort("Interface specification is required for action Route in rule "+rule->getLabel());
string prefix = "pf";
if (compiler->myPlatformName()=="ipf")
prefix="ipf";
if (ro == "route_through")
compiler->output << "route-to ";
else if (ro == "route_reply_through")
compiler->output << "reply-to ";
else if (ro == "route_copy_through")
compiler->output << "dup-to ";
else
compiler->abort("Unknown option for rule action Route: '" +
ro + "' in rule "+rule->getLabel());
compiler->output << "{ ";
string ro = ruleopt->getStr(prefix+"_route_option");
string roif = ruleopt->getStr(prefix+"_route_opt_if");
string roaddr = ruleopt->getStr(prefix+"_route_opt_addr");
int route_member = 0;
std::istringstream buf(roaddr_list);
string roaddr;
while (std::getline(buf, roaddr, ','))
{
if (!roaddr.empty())
{
if (route_member > 0 )
{
compiler->output << ", ";
}
compiler->output << "( ";
compiler->output << roif << " ";
compiler->output << roaddr << " ";
compiler->output << ") ";
int sp = roaddr.find('/');
if (sp!=std::string::npos)
{
// roaddr is addr/netmask
try
{
string a = roaddr.substr(0,sp);
IPAddress roaddr_addr = IPAddress(a);
} catch (FWException &ex)
{
compiler->abort(
"Illegal IP address for next hop in rule "+rule->getLabel());
}
try
{
Netmask roaddr_netmask;
string n = roaddr.substr(sp+1);
if (n.find('.')!=std::string::npos)
{
roaddr_netmask = n;
} else
{
roaddr_netmask = Netmask(
atoi(n.c_str()));
}
if (roaddr_netmask.getLength()==32)
route_member++;
else
// lame way to tell compiler that
// we actually have several addresses for
// the next hop. We do not exactly care
// how many there are, as long as it is
// greater than 1.
route_member += 2;
} catch (FWException &ex)
{
compiler->abort(
"Illegal netmask for next hop in rule "+rule->getLabel());
}
} else
{
// roaddr is just an addres
try
{
IPAddress roaddr_addr = IPAddress(roaddr);
} catch (FWException &ex)
{
compiler->abort(
"Illegal IP address for next hop in rule "+rule->getLabel());
}
route_member++;
}
}
}
if (route_member < 1)
{
compiler->abort("No router specified rule action Route: '"+
ro + "' in rule "+rule->getLabel());
}
if (route_member >= 2 && (roload.empty() || roload == "none"))
{
compiler->abort("More than one router specified without load balancing for rule action Route: '" +
ro + "' in rule "+rule->getLabel());
}
if (route_member == 1 && ((!roload.empty()) && roload != "none"))
{
compiler->abort("Only one router specified with load balancing for rule action Route: '" +
ro + "' in rule "+rule->getLabel());
}
if (!ro.empty())
{
if (roif.empty())
compiler->abort("Interface specification is required for action Route in rule "+rule->getLabel());
if (ro == "route_through") compiler->output << "route-to ";
else if (ro == "route_reply_through") compiler->output << "reply-to ";
else if (ro == "route_copy_through") compiler->output << "dup-to ";
else
compiler->abort("Unknown option for rule action Route: '" +
ro + "' in rule "+rule->getLabel());
compiler->output << "( ";
compiler->output << roif << " ";
if (!roaddr.empty()) compiler->output << roaddr << " ";
compiler->output << ") ";
}
compiler->output << "} ";
if (!roload.empty())
{
if (roload == "bitmask")
compiler->output << "bitmask ";
else if (roload == "random")
compiler->output << "random ";
else if (roload == "source_hash")
compiler->output << "source-hash ";
else if (roload == "round_robin")
compiler->output << "round-robin ";
}
}
}
}
}
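Review bot: `int sp = roaddr.find('/')` at L859 stores a `size_type` in an `int`, and the prefix length at L881 is parsed with `atoi`, which turns `10.0.0.1/abc` into `/0` and accepts `/99` without complaint, so the only thing rejecting a bad prefix is whatever `Netmask(int)` does with it, which is not visible here. The load-balancing chain at L944-L954 has no final `else`, so an option value outside the four known strings passes the `route_member >= 2` check at L918 and then emits a pool of several addresses with no pool type, leaving it to pfctl to reject the generated rule at load time; note also that `bitmask` is accepted here but is not among the values platforms.cpp offers in the GUI list. Keep `sp` as `std::string::size_type`, validate the prefix as a plain integer in 0..32, and abort on an unknown load-balancing option. `_printRouteOptions` starts above the hunk.
```cpp
// … unchanged: next-hop list split on ',' …
std::string::size_type sp = roaddr.find('/');
if (sp != std::string::npos)
{
    // … unchanged: address part validated through IPAddress …
    string n = roaddr.substr(sp+1);
    if (n.find('.') != std::string::npos)
    {
        roaddr_netmask = n;
    } else
    {
        // accept only a bare decimal prefix length in 0..32
        char *end = 0;
        long len = strtol(n.c_str(), &end, 10);
        if (n.empty() || *end != '\0' || len < 0 || len > 32)
            compiler->abort(
                "Illegal netmask for next hop in rule "+rule->getLabel());
        roaddr_netmask = Netmask(int(len));
    }
    // … unchanged: route_member accounting …
}
// … unchanged: route_member / load-balancing consistency checks and route-to output …
if (!roload.empty() && roload != "none")
{
    if (roload == "bitmask")          compiler->output << "bitmask ";
    else if (roload == "random")      compiler->output << "random ";
    else if (roload == "source_hash") compiler->output << "source-hash ";
    else if (roload == "round_robin") compiler->output << "round-robin ";
    else
        compiler->abort("Unknown load balancing option for rule action Route: '" +
                        roload + "' in rule "+rule->getLabel());
}
```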


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="2.1.15" lastModified="1193632637" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="2.1.16" lastModified="1197750649" id="root">
<Library color="#d2ffd0" comment="User defined objects" id="syslib001" name="User" ro="False">
<ObjectGroup id="stdid01_1" name="Objects">
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables">
@ -9149,6 +9149,884 @@
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing Route action&#10;with load balancing&#10;" host_OS="openbsd" id="id476458AA9697" inactive="False" lastCompiled="1157930816" lastInstalled="0" lastModified="1197750649" name="firewall40-1" platform="pf" ro="False" version="">
<NAT id="id476458FA9697">
<NATRule comment="Translate source address&#10;for outgoing connections" disabled="False" id="id476458FB9697" position="0">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id476459189697"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule comment="Translate source address&#10;for outgoing connections" disabled="False" id="id476459099697" position="1">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id476459219697"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Policy id="id476458B09697">
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id47646C979697" log="False" position="0">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#8BC065</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">random</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le1</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id47646C869697" log="False" position="1">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#8BC065</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id47646C759697" log="False" position="2">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#8BC065</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id476480059697" log="False" position="3">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#7694C0</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le1</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id476480169697" log="False" position="4">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#7694C0</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id476480279697" log="False" position="5">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#7694C0</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1,192.0.2.2,192.0.2.3</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id476458C99697" log="False" position="6">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#C0BA44</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">random</Option>
<Option name="pf_route_opt_addr">192.0.2.0/24</Option>
<Option name="pf_route_opt_if">le1</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id476458D69697" log="False" position="7">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#C0BA44</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">source_hash</Option>
<Option name="pf_route_opt_addr">192.0.2.0/24</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="" direction="Inbound" disabled="False" id="id4764592B9697" log="False" position="8">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#C0BA44</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.0/255.255.255.0</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="this should fail because&#10;it has one address for the next&#10;hop and it is /32.&#10;Run compiler with&#10;command line argument -xt&#10;to convert errors to warnings&#10;and make it generate .conf &#10;file anyway" direction="Inbound" disabled="False" id="id4764BABB9697" log="False" position="9">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#C86E6E</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="this should fail because&#10;it has one address for the next&#10;hop and it is /32.&#10;" direction="Inbound" disabled="False" id="id4764BACC9697" log="False" position="10">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#C86E6E</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.2.1/32</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Route" comment="this should fail because&#10;it ip address in next hop&#10;is illegal" direction="Inbound" disabled="False" id="id476509419697" log="False" position="11">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id4764591B9697"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="color">#C86E6E</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_flush">False</Option>
<Option name="pf_max_src_conn_rate_global">False</Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_overload_table"></Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">0</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_route_load_option">round_robin</Option>
<Option name="pf_route_opt_addr">192.0.300.1/32</Option>
<Option name="pf_route_opt_if">le2</Option>
<Option name="pf_route_option">route_through</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_source_tracking">False</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id476459179697"/>
<Interface bridgeport="False" comment="" dyn="False" id="id476459189697" label="" mgmt="False" name="le1" security_level="0" unnum="False" unprotected="False">
<IPv4 address="192.0.2.1" comment="This is a test address, change it to your real one" id="id4764591A9697" name="firewall40-1:le1:ip" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4764591B9697" label="" mgmt="True" name="fxp0" security_level="100" unnum="False" unprotected="False">
<IPv4 address="192.168.1.1" comment="" id="id4764591D9697" name="firewall40-1:fxp0:ip" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4764591E9697" label="" mgmt="False" name="lo0" security_level="100" unnum="False" unprotected="False">
<IPv4 address="127.0.0.1" comment="" id="id476459209697" name="firewall40-1:lo0:ip" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id476459219697" label="" mgmt="False" name="le2" security_level="0" unnum="False" unprotected="False">
<IPv4 address="192.0.3.1" comment="" id="id476459239697" name="firewall40-1:le2:ip" netmask="255.255.255.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">True</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time"/>
</Library>