* objects_init.xml.in: Added CustomService object "ESTABLISHED

ipv6" which defines code for iptables, ipfw and IOS extended access lists for IPv6. * PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol): fixed behavior or policy compiler for ipfw which was broken in rev714 - it should print protocol "tcp" when custom service object that adds option "established" is used. This compiler worked like that before attribute "protocol" was added to the CustomService object.
2026-03-23 03:37:15 +01:00 · 2009-01-25 06:35:06 +00:00 · 2009-01-25 06:35:06 +00:00 · 067cfb650e
commit 067cfb650e
parent 17d35a70ed
8 changed files with 146 additions and 15 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-#define BUILD_NUM 748
+#define BUILD_NUM 750
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,5 +1,16 @@
 2009-01-24  vadim  <vadim@vk.crocodile.org>

+	* objects_init.xml.in: Added CustomService object "ESTABLISHED
+	ipv6" which defines code for iptables, ipfw and IOS extended
+	access lists for IPv6.
+
+	* PolicyCompiler_ipfw_writers.cpp (PrintRule::_printProtocol):
+	fixed behavior or policy compiler for ipfw which was broken in
+	rev714 - it should print protocol "tcp" when custom service object
+	that adds option "established" is used. This compiler worked like
+	that before attribute "protocol" was added to the CustomService
+	object.
+
 	* platforms.cpp (getReadableRuleElementName): code refactoring:
 	made it possible to translate ruleset table column
 	names ("Source", "Destination" etc.). Currently only Russian
@ -23,6 +34,11 @@
 	user tries to delete an object that is used in some groups and
 	rules.

+	* PolicyCompiler_PrintRule.cpp (PrintRule::_printChain): fixed bug
+	#2507239: "length of iptables rule chain names not
+	checked". Iptables does not allow chain names longer than 30
+	characters; policy compiler fwb_ipt should check for this.
+
 	* PolicyCompiler_PrintRule.cpp (PrintRule::_printAddr): fixed bug
 	#2526173: "fwb_ipt crashes due to old-broadcast". This bug was
 	introduced when support for module iprange was sadded. Need
@ -5460,11 +5476,11 @@
 	properly created on FreeBSD". Mutexes gethostbyname_mutex and
 	gethostbyaddr_mutex were never created but used on OS where
 	thread-safe resolver is not available.
-	
+
 2005-02-17    <vadim@vk.crocodile.org>

 	* v2.0.6 released
-	
+
 2005-02-17    <vadim@vk.crocodile.org>

 	* ipt.cpp (main): fixed bug #1123933 "iptables add_addr() expr
--- a/src/ipt/PolicyCompiler_PrintRule.cpp
+++ b/src/ipt/PolicyCompiler_PrintRule.cpp
@ -179,6 +179,7 @@ string PolicyCompiler_ipt::PrintRule::_printChain(PolicyRule *rule)
 {
    string s = rule->getStr("ipt_chain");
    if (s.empty()) s = "UNKNOWN";
+    // check chain name length per bug report #2507239
    if (s.length() > 30)
    {
        ostringstream str;
--- a/src/pflib/PolicyCompiler_ipfw_writers.cpp
+++ b/src/pflib/PolicyCompiler_ipfw_writers.cpp
@ -83,10 +83,20 @@ void PolicyCompiler_ipfw::PrintRule::_printProtocol(Service *srv)
    if ( CustomService::isA(srv) )
    {
        // CustomService returns protocol name starting with v3.0.4
-        // However CustomService can return protocol name "any", which we should
-        // just skip.
+        // However CustomService can return protocol name "any", which
+        // we should just skip. Also, in ipfw option "established" is
+        // only defined for tcp, so we should set protocol to "tcp" if
+        // custom service inserts this option.
        string pn = srv->getProtocolName();
-        if (pn == "any") return;
+        if (pn != "any") compiler->output << pn << " ";
+        else
+        {
+            string cscode = CustomService::cast(srv)->getCodeForPlatform(
+                compiler->myPlatformName() );
+            if (cscode=="established") compiler->output << "tcp ";
+            // custom service does not define protocol - do not add any.
+        }
+        return;
    }

    compiler->output << srv->getProtocolName();
@ -421,8 +431,9 @@ void PolicyCompiler_ipfw::PrintRule::_printDstService(RuleElementSrv  *rel)

    compiler->output << " ";
 /*
- *  TCP services with flags were separated in rule processor separateTCPWithFlags.
- *  We can count on objects like that being a single object in the SRV.
+ *  TCP services with flags were separated in rule processor
+ *  separateTCPWithFlags.  We can count on objects like that being a
+ *  single object in the SRV.
 */
    if (TCPService::isA(s1)) 
    {
@ -435,7 +446,7 @@ void PolicyCompiler_ipfw::PrintRule::_printDstService(RuleElementSrv  *rel)

 string PolicyCompiler_ipfw::PrintRule::_printDstService(Service *srv,bool neg)
 {
-    string         res;
+    string  res;

    if (TCPService::isA(srv) || UDPService::isA(srv)) 
    {
@ -452,7 +463,8 @@ string PolicyCompiler_ipfw::PrintRule::_printDstService(Service *srv,bool neg)

    if (CustomService::isA(srv)) 
    {
-	res= CustomService::cast(srv)->getCodeForPlatform( compiler->myPlatformName() ) + " ";
+	res= CustomService::cast(srv)->getCodeForPlatform(
+            compiler->myPlatformName() ) + " ";
    }

    return res;
--- a/src/res/objects_init.xml
+++ b/src/res/objects_init.xml
@ -70,12 +70,22 @@
      </ObjectGroup>
    </ObjectGroup>
    <ServiceGroup id="stdid05" name="Services">
-      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions.">
+      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." protocol="any" address_family="ipv4">
        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
+        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
      </CustomService>
+
+      <CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." protocol="any" address_family="ipv6">
+        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
+        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
+        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
+      </CustomService>
+
      <ServiceGroup id="stdid10" name="Groups">
        <ServiceGroup id="sg-DHCP" name="DHCP">
          <ServiceRef ref="udp-bootpc"/>
--- a/src/res/objects_init.xml.in
+++ b/src/res/objects_init.xml.in
@ -70,12 +70,22 @@
      </ObjectGroup>
    </ObjectGroup>
    <ServiceGroup id="stdid05" name="Services">
-      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions.">
+      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." protocol="any" address_family="ipv4">
        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
+        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
      </CustomService>
+
+      <CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." protocol="any" address_family="ipv6">
+        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
+        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
+        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
+      </CustomService>
+
      <ServiceGroup id="stdid10" name="Groups">
        <ServiceGroup id="sg-DHCP" name="DHCP">
          <ServiceRef ref="udp-bootpc"/>
--- a/test/iosacl/objects-for-regression-tests.fwb
+++ b/test/iosacl/objects-for-regression-tests.fwb
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1230880304" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1232864095" id="root">
  <Library id="sysid99" name="Deleted Objects" comment="" ro="False">
    <ServiceRef ref="id151F20845"/>
    <ServiceRef ref="id464147DA29061"/>
@ -16,6 +16,9 @@
    <ObjectRef ref="id46435A0816989"/>
    <ObjectRef ref="id46412C3F26611"/>
    <ObjectRef ref="id46435A0C16989"/>
+    <ServiceRef ref="stdid14_1"/>
+    <ServiceRef ref="id5470X38343"/>
+    <ServiceRef ref="sysid1"/>
  </Library>
  <Library id="id4511636323682" color="#d2ffd0" name="User" comment="" ro="False">
    <ObjectGroup id="id4511636423682" name="Objects" comment="" ro="False">
@ -129,6 +132,7 @@
      </ServiceGroup>
      <ServiceGroup id="id4511637023682" name="TCP" comment="" ro="False">
        <TCPService id="id4641521729061" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http established" comment="" ro="False" src_range_start="80" src_range_end="80" dst_range_start="0" dst_range_end="0"/>
+        <TCPService id="id5470X38343" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="establ" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
      </ServiceGroup>
      <ServiceGroup id="id4511637123682" name="UDP" comment="" ro="False"/>
      <ServiceGroup id="id4511637223682" name="Custom" comment="" ro="False">
@ -1548,7 +1552,7 @@
          <Option name="verify_interfaces">true</Option>
        </FirewallOptions>
      </Firewall>
-      <Firewall id="id464359FE16989" host_OS="ios" inactive="False" lastCompiled="1230880328" lastInstalled="0" lastModified="1230884082" platform="iosacl" version="12.x" name="c3620" comment="" ro="False">
+      <Firewall id="id464359FE16989" host_OS="ios" inactive="False" lastCompiled="1230880328" lastInstalled="0" lastModified="1232864483" platform="iosacl" version="12.x" name="c3620" comment="" ro="False">
        <NAT id="id46435A0216989" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
        <Policy id="id46435A0116989" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <PolicyRule id="id464D2B0E24319" disabled="False" log="False" position="0" action="Accept" direction="Inbound" comment="interface eth 1/1 has only&#10;inbound access list">
@ -1691,7 +1695,67 @@
              <Option name="stateless">False</Option>
            </PolicyRuleOptions>
          </PolicyRule>
-          <PolicyRule id="id46435A1016989" disabled="True" log="True" position="7" action="Deny" direction="Both" comment="disable this rule to make&#10;sure no outbound rules are&#10;generated for eth 1/1">
+          <PolicyRule id="id4254X38343" disabled="False" group="" log="False" position="7" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id46435A0F16989"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="stdid14_1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id4268X38343" disabled="False" group="" log="False" position="8" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id46435A0F16989"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id5470X38343"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id5500X42946" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id46435A0F16989"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="id4641521729061"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">False</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id46435A1016989" disabled="True" log="True" position="10" action="Deny" direction="Both" comment="disable this rule to make&#10;sure no outbound rules are&#10;generated for eth 1/1">
            <Src neg="False">
              <ObjectRef ref="sysid0"/>
            </Src>
@ -2296,6 +2360,18 @@
    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
    <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
    <ServiceGroup id="stdid05" name="Services" comment="" ro="False">
+      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
+        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+        <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
+        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
+        <CustomServiceCommand platform="ipf"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
+        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
+        <CustomServiceCommand platform="pf"></CustomServiceCommand>
+        <CustomServiceCommand platform="pix"></CustomServiceCommand>
+        <CustomServiceCommand platform="unknown"></CustomServiceCommand>
+      </CustomService>
      <ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
        <TCPService id="id4127F04F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="bgp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="179" dst_range_end="179"/>
        <TCPService id="id3AECF774" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="finger" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="79" dst_range_end="79"/>
--- a/test/ipfw/objects-for-regression-tests.fwb
+++ b/test/ipfw/objects-for-regression-tests.fwb
@ -5528,9 +5528,15 @@
      </ServiceGroup>
      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
+        <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
+        <CustomServiceCommand platform="iosacl"></CustomServiceCommand>
+        <CustomServiceCommand platform="ipf"></CustomServiceCommand>
        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
+        <CustomServiceCommand platform="pf"></CustomServiceCommand>
+        <CustomServiceCommand platform="pix"></CustomServiceCommand>
+        <CustomServiceCommand platform="unknown"></CustomServiceCommand>
      </CustomService>
    </ServiceGroup>
    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>