
2009-03-18 vadim <vadim@vk.crocodile.org>

* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
bug (no #): the temporary access list created for IOS when the option
"safety net install" is used and an IPv6 address is provided should
use the keyword "host" if the provided address does not specify a netmask.


* fwbedit: properly saving data file after "checktree" operation
Vadim Kurland 2009-03-19 04:40:55 +00:00
parent c673ffa635
commit 0732f536ee
6 changed files with 335 additions and 16 deletions


@ -1 +1 @@
#define BUILD_NUM 783
#define BUILD_NUM 784


@ -1,3 +1,12 @@
2009-03-18 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed
bug (no #): temporary access list created for IOS when option
"safety net install" is used and ipv6 address is provided should
use keyword "host" if provided address does not specify netmask.
* fwbedit: properly saving data file after "checktree" operation
2009-03-17 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_iosacl.cpp (PolicyCompiler_iosacl::prolog): fixed


@ -51,6 +51,11 @@
#include <ctype.h>
#include <stdio.h>
#include <errno.h>
#ifndef errno
extern int errno;
#endif
#ifdef HAVE_GETOPT_H
# include <getopt.h>
#else
@ -560,7 +565,6 @@ int main(int argc, char * const *argv)
if (cmd == STRUCT)
{
checkAndRepairTree(objdb);
return(0);
}
else if (cmd == LIST)
{
@ -634,10 +638,15 @@ int main(int argc, char * const *argv)
}
}
string bakfile=filename+".bak";
rename(filename.c_str(),bakfile.c_str());
objdb->saveFile(filename);
string bakfile = filename+".bak";
if (rename(filename.c_str(),bakfile.c_str()) == 0)
objdb->saveFile(filename);
else
{
cout << "Could not rename data file, abroting operation" << endl;
cout << strerror(errno) << endl;
exit(-1);
}
} catch(FWException &ex) {
cerr << ex.toString() << endl;
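Review bot: In the new else branch `strerror(errno)` is only evaluated after `cout << "..." << endl` has run, and that flush may itself touch errno, so the reason printed can belong to the wrong call; capture it first, `int rename_err = errno;` right after `rename()` returns non-zero, and print `strerror(rename_err)`. The message also goes to `cout` while the catch block just below reports errors on `cerr`, and it carries a typo ("abroting"); `cerr << "Could not rename data file, aborting operation: " << strerror(rename_err) << endl;` fixes both. Behaviour also changes for a data file that does not yet exist: `rename()` fails with ENOENT and the save now aborts where it previously went ahead — if fwbedit is ever expected to create a new file on this path, that case needs handling before `exit(-1)`, which I cannot confirm from the hunk. The `#ifndef errno extern int errno;` fallback added at the top is legacy: `<errno.h>` has been required to define `errno` as a macro since C99/POSIX, so the declaration is dead on current toolchains. main() continues outside the hunk.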


@ -2629,7 +2629,7 @@ FWObject* ObjectManipulator::createObject(const QString &objType,
QObject::tr(
"Type '%1': new object can not be created because\n"
"corresponding branch is missing in the object tree.\n"
"Please repair the tree using command 'fwbedit -s -f file.fwb'.")
"Please repair the tree using command 'fwbedit checktree -f file.fwb'.")
.arg(objType),
"&Continue", QString::null, QString::null,
0, 1 );


@ -180,7 +180,10 @@ int PolicyCompiler_iosacl::prolog()
addr_family_prefix = "ipv6";
output << clearACLcmd << " " << temp_acl << endl;
output << "ipv6 access-list " << temp_acl << endl;
output << " permit ipv6 " << addr << " any " << endl;
if (slash_idx!=string::npos)
output << " permit ipv6 " << addr << " any " << endl;
else
output << " permit ipv6 host " << addr << " any " << endl;
output << " deny ipv6 any any " << endl;
output << "exit" << endl;
output << endl;
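Review bot: The new `if (slash_idx!=string::npos)` chooses between the prefix form and the `host` keyword purely on whether `addr` contains a '/', and nothing in the hunk checks that `addr` is a well-formed IPv6 address (or that the text after the '/' is a prefix length) before it is written verbatim into the generated configuration; the value appears to come from the firewall settings (the test data in this commit carries both `fe80::21d:9ff:aaaa:bbbb` and a `/64` variant), so a mistyped value would likely yield an `ipv6 access-list` entry that the device rejects, in exactly the temporary ACL that is meant to preserve management access during install. Parsing the value with the library's address classes and failing the compile with a clear message would be safer than string inspection, though I cannot see where `slash_idx` is computed or how `addr` is obtained because `prolog()` begins before the hunk. A short comment on the new branch would also help, e.g. `// no prefix length given: IOS requires the "host" keyword for a single address`.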


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1237092662" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1237437243" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ServiceRef ref="id151F20845"/>
<ServiceRef ref="id464147DA29061"/>
@ -18,12 +18,8 @@
<ObjectRef ref="id46435A0C16989"/>
<ServiceRef ref="stdid14_1"/>
<ServiceRef ref="id5470X38343"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id19068X65694"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id19240X65694"/>
<ObjectRef ref="sysid0"/>
<ServiceRef ref="sysid1"/>
</Library>
<Library id="id4511636323682" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id4511636423682" name="Objects" comment="" ro="False">
@ -1934,7 +1930,7 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id19020X65694" host_OS="ios" inactive="False" lastCompiled="1230499638" lastInstalled="0" lastModified="1236920099" platform="iosacl" version="12.x" name="firewall-ipv6-1" comment="" ro="False">
<Firewall id="id19020X65694" host_OS="ios" inactive="False" lastCompiled="1237437124" lastInstalled="0" lastModified="1237437119" platform="iosacl" version="12.x" name="firewall-ipv6-1" comment="" ro="False">
<NAT id="id19428X65694" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id19026X65694" name="fw-ipv6-1-ipv4" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id19054X65694" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
@ -2309,10 +2305,25 @@
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_basic">False</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">True</Option>
<Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_include_comments">true</Option>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level">0</Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level">0</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">0</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
@ -2415,6 +2426,7 @@
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
@ -3468,6 +3480,292 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id12133X53662" host_OS="ios" inactive="False" lastCompiled="1237437336" lastInstalled="0" lastModified="1237437327" platform="iosacl" version="12.x" name="firewall-ipv6-3" comment="test &quot;safety net&quot; install in case when there are many rulesets" ro="False">
<NAT id="id12339X53662" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id12139X53662" name="fw-ipv6-3-ipv4" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id12140X53662" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id19068X65694"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id12152X53662" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id19240X65694"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id26068X65694"/>
<ServiceRef ref="id8888X64279"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id12165X53662" name="fw-ipv6-3-ipv6-1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
<PolicyRule id="id12166X53662" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id19068X65694"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id12202X53662" disabled="False" group="" log="True" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id19208X65694"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id18060X53662" name="fw-ipv6-3-ipv6-2" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="False">
<PolicyRule id="id21571X53662" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id19240X65694"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id8888X64279"/>
<ServiceRef ref="id26068X65694"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id12340X53662" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id12341X53662" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="Ethernet0/0" comment="" ro="False">
<IPv4 id="id12344X53662" name="firewall-ipv6-3:Ethernet0/0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
<IPv6 id="id12345X53662" name="firewall-ipv6-3:Ethernet0/0:ip6" comment="" ro="False" address="fe80::21d:9ff:fe8b:8e94" netmask="64"/>
</Interface>
<Management address="1.1.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">True</Option>
<Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb/64</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level">1</Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level">1</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">1</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="id4511637523682" name="Time" comment="" ro="False"/>
</Library>