
2009-06-05 vadim <vadim@vk.crocodile.org>

* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): fixed bug
#2801548 "fwb_ipt should issue error for ipsrv with options for
ipv6". Since IP options lsrr, ssrr, rr do not exist in ipv6,
compiler should refuse to compile rules that request matching
these options.

* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
fixed bug #2801547 "fwb_iosacl should issue an error for ipservice
with options". IOS access lists cannot match the source-routing
options set in an IPService object, so the compiler should issue an
error and abort processing when such an object is encountered in a
rule.

* IPServiceDialog.cpp (IPServiceDialog::loadFWObject): fixed bug
#2801545 "IP Service object: lsrr, ssrr, rr options not saved".

* PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService):
fixed bug #2801544 "missing space after tos option in pf config"
Vadim Kurland 2009-06-05 16:58:28 +00:00
parent 94ac7dd955
commit 0815275873
9 changed files with 78 additions and 69 deletions


@ -1 +1 @@
#define BUILD_NUM 1035
#define BUILD_NUM 1036


@ -1,3 +1,24 @@
2009-06-05 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_PrintRule.cpp (PrintRule::_printIP): fixed bug
#2801548 "fwb_ipt should issue error for ipsrv with options for
ipv6". Since IP options lsrr, ssrr, rr do not exist in ipv6,
compiler should refuse to compile rules that request matching
these options.
* PolicyCompiler_iosacl_writers.cpp (PrintRule::_printIPServiceOptions):
fixed bug #2801547 "fwb_iosacl should issue an error for ipservice
with options". IOS access lists can not match source routing
options set in IPService object, compiler should issue an error
and abort processing when an object like this is encountered in a
rule.
* IPServiceDialog.cpp (IPServiceDialog::loadFWObject): fixed bug
#2801545 "IP Service object: lsrr, ssrr, rr options not saved".
* PolicyCompiler_pf_writers.cpp (PrintRule::_printDstService):
fixed bug #2801544 "missing space after tos option in pf config"
2009-06-04 vadim <vadim@vk.crocodile.org>
* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed bug


@ -91,9 +91,9 @@ void IPServiceDialog::loadFWObject(FWObject *o)
m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) );
m_dialog->protocolNum->setValue( s->getProtocolNumber() );
m_dialog->lsrr->setChecked( s->getBool("m_dialog->lsrr") );
m_dialog->ssrr->setChecked( s->getBool("m_dialog->ssrr") );
m_dialog->rr->setChecked( s->getBool("m_dialog->rr") );
m_dialog->lsrr->setChecked( s->getBool("lsrr") );
m_dialog->ssrr->setChecked( s->getBool("ssrr") );
m_dialog->rr->setChecked( s->getBool("rr") );
m_dialog->timestamp->setChecked( s->getBool("ts") );
m_dialog->all_fragments->setChecked( s->getBool("fragm") );
m_dialog->short_fragments->setChecked( s->getBool("short_fragm") );
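Review bot: The attribute keys corrected on the three setChecked lines (`"lsrr"`, `"ssrr"`, `"rr"`) are bare string literals that this same commit also spells out by hand in PolicyCompiler_ipt and PolicyCompiler_iosacl, so the copy-paste key bug fixed here can recur in any of those places without the compiler noticing. Named constants on IPService (e.g. `static const char *const OPT_LSRR = "lsrr";`) shared by the dialog, its save path and the compilers would turn a mismatched key into a compile error instead of a silently unchecked box. The store side of the dialog is not in the hunk, so I could not confirm it writes the same keys; loadFWObject continues past the hunk.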


@ -195,8 +195,7 @@ namespace fwcompiler {
std::string _printAction(libfwbuilder::PolicyRule *r);
std::string _printACL(libfwbuilder::PolicyRule *r);
std::string _printLog(libfwbuilder::PolicyRule *r);
std::string _printFragm(libfwbuilder::Service *srv);
std::string _printTOS(libfwbuilder::Service *srv);
std::string _printIPServiceOptions(libfwbuilder::PolicyRule *r);
std::string _printRule(libfwbuilder::PolicyRule *rule);


@ -275,8 +275,7 @@ string PolicyCompiler_iosacl::PrintRule::_printRule(PolicyRule *rule)
aclstr << _printDstService( compiler->getFirstSrv(rule) );
aclstr << _printLog( rule );
// "fragments" should be the last option in the access-list command
aclstr << _printFragm( compiler->getFirstSrv(rule) );
aclstr << _printTOS( compiler->getFirstSrv(rule) );
aclstr << _printIPServiceOptions(rule);
// aclstr << endl;
@ -345,20 +344,20 @@ string PolicyCompiler_iosacl::PrintRule::_printSrcService(Service *srv)
return str.str();
}
string PolicyCompiler_iosacl::PrintRule::_printFragm(Service *srv)
{
if (IPService::isA(srv) && (
srv->getBool("fragm") || srv->getBool("short_fragm")))
return "fragments ";
return "";
}
string PolicyCompiler_iosacl::PrintRule::_printTOS(Service *srv)
string PolicyCompiler_iosacl::PrintRule::_printIPServiceOptions(PolicyRule *r)
{
Service *srv = compiler->getFirstSrv(r);
const IPService *ip;
if ((ip=IPService::constcast(srv))!=NULL)
{
if (ip->getBool("lsrr") || ip->getBool("ssrr") || ip->getBool("rr"))
compiler->abort(
string("Source routing options match is not supported. Rule ") +
r->getLabel());
if (srv->getBool("fragm") || srv->getBool("short_fragm"))
return "fragments ";
string tos = ip->getTOSCode();
string dscp = ip->getDSCPCode();
if (!dscp.empty()) return string("dscp ") + dscp;
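Review bot: The abort condition at `if (ip->getBool("lsrr") || ip->getBool("ssrr") || ip->getBool("rr"))` leaves out the `ts` (timestamp) option that the same IPService object carries (the dialog loads it and the iptables writer emits `--ts` for it), so a service with only the timestamp option set compiles to an access-list entry without that match and permits or denies more traffic than the rule states. I would widen the check to `if (ip->getBool("lsrr") || ip->getBool("ssrr") || ip->getBool("rr") || ip->getBool("ts"))` and word the message as "IP options match is not supported" so it covers all four. Separately, the `return "fragments ";` placed before the tos/dscp lookup now silently drops a TOS or DSCP match from any service that also sets a fragment flag, where the old _printFragm/_printTOS pair emitted both; since the comment in _printRule says `fragments` must be the last keyword, build the tos/dscp string first and append `fragments ` after it, or abort on the combination. The function body continues past the hunk, and I am assuming compiler->abort() does not return to the caller.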


@ -805,49 +805,47 @@ string PolicyCompiler_ipt::PrintRule::_printICMP(ICMPService *srv)
return str.str();
}
string PolicyCompiler_ipt::PrintRule::_printIP(IPService *srv)
string PolicyCompiler_ipt::PrintRule::_printIP(IPService *srv, PolicyRule *rule)
{
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
std::ostringstream str;
IPService *ip;
if ((ip=IPService::cast(srv))!=NULL)
if (srv->getBool("fragm") || srv->getBool("short_fragm"))
{
if (srv->getBool("fragm") || srv->getBool("short_fragm"))
{
if (ipt_comp->ipv6) str << " -m frag --fragmore";
else str << " -f ";
}
string tos = ip->getTOSCode();
string dscp = ip->getDSCPCode();
if (!tos.empty())
str << " -m tos --tos " << tos;
else
if (!dscp.empty())
{
if (dscp.find("BE")==0 ||
dscp.find("EF")==0 ||
dscp.find("AF")==0 ||
dscp.find("CS")==0)
str << " -m dscp --dscp-class " << dscp;
else
str << " -m dscp --dscp " << dscp;
}
if (!ipt_comp->ipv6)
{
if (srv->getBool("lsrr") ||
srv->getBool("ssrr") ||
srv->getBool("rr") ||
srv->getBool("ts") ) str << " -m ipv4options ";
if (srv->getBool("lsrr")) str << " --lsrr";
if (srv->getBool("ssrr")) str << " --ssrr";
if (srv->getBool("rr")) str << " --rr";
if (srv->getBool("ts")) str << " --ts";
}
if (ipt_comp->ipv6) str << " -m frag --fragmore";
else str << " -f ";
}
string tos = srv->getTOSCode();
string dscp = srv->getDSCPCode();
if (!tos.empty())
str << " -m tos --tos " << tos;
else
if (!dscp.empty())
{
if (dscp.find("BE")==0 ||
dscp.find("EF")==0 ||
dscp.find("AF")==0 ||
dscp.find("CS")==0)
str << " -m dscp --dscp-class " << dscp;
else
str << " -m dscp --dscp " << dscp;
}
if (!ipt_comp->ipv6)
{
if (srv->getBool("lsrr") ||
srv->getBool("ssrr") ||
srv->getBool("rr") ||
srv->getBool("ts") ) str << " -m ipv4options ";
if (srv->getBool("lsrr")) str << " --lsrr";
if (srv->getBool("ssrr")) str << " --ssrr";
if (srv->getBool("rr")) str << " --rr";
if (srv->getBool("ts")) str << " --ts";
} else
compiler->abort(
string("IP options match is not supported for IPv6. Rule ") +
rule->getLabel());
return str.str();
}
@ -1018,7 +1016,7 @@ string PolicyCompiler_ipt::PrintRule::_printDstService(RuleElementSrv *rel)
}
if (IPService::isA(srv))
{
string str=_printIP( IPService::cast(srv) );
string str = _printIP(IPService::cast(srv), PolicyRule::cast(rel->getParent()));
if (! str.empty() )
{
ostr << _printSingleObjectNegation(rel)
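Review bot: The `else compiler->abort(...)` attached to `if (!ipt_comp->ipv6)` fires for every IPv6 rule that references any IPService object, not only for one that sets lsrr/ssrr/rr/ts, so a plain protocol-number service with no options now aborts the whole IPv6 compile instead of being refused only when an IPv4 option match is requested, which is what the changelog entry describes. The decision should be keyed on whether any option flag is set, and only then either emit the ipv4options match or abort. The new `rule` argument is also dereferenced unconditionally in the message; if `PolicyRule::cast(rel->getParent())` at the call site can yield NULL (I cannot tell from this hunk), `rule->getLabel()` crashes the compiler, so a guard or fallback label is cheap insurance. I am assuming compiler->abort() does not return; if it does, the `-m ipv4options` text would need to be skipped after it as well.
```cpp
    // … unchanged: fragment and tos/dscp handling …
    const bool opts_requested = srv->getBool("lsrr") || srv->getBool("ssrr") ||
                                srv->getBool("rr")   || srv->getBool("ts");
    if (opts_requested)
    {
        // IPv4 options have no IPv6 equivalent: refuse rather than emit a wider match
        if (ipt_comp->ipv6)
            compiler->abort(
                string("IP options match is not supported for IPv6. Rule ") +
                (rule ? rule->getLabel() : string("<unknown>")));
        str << " -m ipv4options ";
        if (srv->getBool("lsrr")) str << " --lsrr";
        if (srv->getBool("ssrr")) str << " --ssrr";
        if (srv->getBool("rr")) str << " --rr";
        if (srv->getBool("ts")) str << " --ts";
    }
    return str.str();
```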


@ -890,7 +890,8 @@ namespace fwcompiler {
virtual std::string _printSrcPorts(libfwbuilder::Service *srv);
virtual std::string _printDstPorts(libfwbuilder::Service *srv);
virtual std::string _printICMP(libfwbuilder::ICMPService *srv);
virtual std::string _printIP(libfwbuilder::IPService *srv);
virtual std::string _printIP(libfwbuilder::IPService *srv,
libfwbuilder::PolicyRule *rule);
virtual std::string _printTCPFlags(libfwbuilder::TCPService *srv);
virtual std::string _printSrcAddr(libfwbuilder::RuleElement *rel,
libfwbuilder::Address *o);


@ -580,7 +580,7 @@ void PolicyCompiler_pf::PrintRule::_printDstService(RuleElementSrv *rel)
const IPService *ip = IPService::constcast(srv);
string tos = ip->getTOSCode();
string dscp = ip->getDSCPCode();
if (!tos.empty()) compiler->output << " tos " << tos;
if (!tos.empty()) compiler->output << " tos " << tos << " ";
if (!dscp.empty())
compiler->abort("PF does not support DSCP matching");
}
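Review bot: The `compiler->abort("PF does not support DSCP matching")` on the last line of the hunk names no rule, unlike the iosacl and ipt aborts in this same commit that append `rule->getLabel()`, so the user is left to search the policy for whichever service object carries a DSCP code. Appending the rule label the same way — via the rule element's parent, as the ipt writer does with `PolicyRule::cast(rel->getParent())` — would make the three compilers report consistently; I cannot see from the hunk whether `rel->getParent()` is always a PolicyRule here, so guard the cast before dereferencing. The enclosing _printDstService starts before the hunk.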


@ -406,15 +406,6 @@
<ObjectRef ref="host-hostB"/>
<ObjectRef ref="id3B022266"/>
<ObjectRef ref="id3B4572AF"/>
<ObjectRef ref="sysid0"/>
<ServiceRef ref="sysid1"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ServiceRef ref="sysid1"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id3B0C63E1"/>
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="sysid0"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
@ -5302,7 +5293,7 @@
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3E853CBE" host_OS="freebsd" inactive="False" lastCompiled="1157930825" lastInstalled="0" lastModified="1200415214" platform="pf" version="" name="firewall9" comment="testing rules with broadcasts" ro="False">
<Firewall id="id3E853CBE" host_OS="freebsd" inactive="False" lastCompiled="1244147946" lastInstalled="0" lastModified="1200415214" platform="pf" version="" name="firewall9" comment="testing rules with broadcasts" ro="False">
<NAT id="id3E853CBF" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3E853EF8" disabled="True" position="0" comment="">
<OSrc neg="False">