onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-21 18:57:14 +01:00
Code Issues Releases Wiki Activity

* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed

Browse Source 
bug #2540389: "Routing Broken from 2.1 to 3.0.3". Generated script
preserved default route when it deleted route entries before
installing new ones. This was different compared to the behavior
of the v2.1 where default was deleted together with other routing
entries. The reason for this change (made some time in summer of
2008) was that if user did not define default route in their
routing ruleset, the script would delete existing default without
installing new one, leaving firewall with no default route at all.
Now the script deletes default if there is new one to install and
preserves it otherwise.

* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bug (no #): if generated firewall script detects an error from one
of the commands that install routing rules and runs function that
restores previous routing entries, it should also run epilog
commands.
This commit is contained in:
Vadim Kurland 2009-02-28 06:55:33 +00:00
parent 31ef42f3a1
commit 0ff42b7fff
6 changed files with 478 additions and 117 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_num
View File

@ -1 +1 @@
#define BUILD_NUM 769
#define BUILD_NUM 770

20
doc/ChangeLog
View File

@ -1,3 +1,23 @@
2009-02-27 vadim <vadim@vk.crocodile.org>
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bug #2540389: "Routing Broken from 2.1 to 3.0.3". Generated script
preserved default route when it deleted route entries before
installing new ones. This was different compared to the behavior
of the v2.1 where default was deleted together with other routing
entries. The reason for this change (made some time in summer of
2008) was that if user did not define default route in their
routing ruleset, the script would delete existing default without
installing new one, leaving firewall with no default route at all.
Now the script deletes default if there is new one to install and
preserves it otherwise.
* RoutingCompiler_ipt_writers.cpp (PrintRule::processNext): fixed
bug (no #): if generated firewall script detects an error from one
of the commands that install routing rules and runs function that
restores previous routing entries, it should also run epilog
commands.
2009-02-21 vadim <vadim@vk.crocodile.org>
* FirewallInstaller.cpp (FirewallInstaller::getDestinationDir):

59
src/ipt/RoutingCompiler_ipt.cpp
View File

@ -93,7 +93,7 @@ bool RoutingCompiler_ipt::optimize3::processNext()
if (printRule==NULL)
{
printRule=new PrintRule("");
printRule = new PrintRule("");
printRule->setContext(compiler);
}
@ -102,7 +102,7 @@ bool RoutingCompiler_ipt::optimize3::processNext()
if (rules_seen_so_far.count(thisRule)!=0) return true;
tmp_queue.push_back(rule);
rules_seen_so_far[thisRule]=true;
rules_seen_so_far[thisRule] = true;
return true;
}
@ -113,7 +113,7 @@ bool RoutingCompiler_ipt::optimize3::processNext()
bool RoutingCompiler_ipt::eliminateDuplicateRules::processNext()
{
RoutingRule *rule;
rule=getNext(); if (rule==NULL) return false;
rule = getNext(); if (rule==NULL) return false;
if (rule->isFallback() || rule->isHidden())
{
@ -123,7 +123,7 @@ bool RoutingCompiler_ipt::eliminateDuplicateRules::processNext()
if (printRule==NULL)
{
printRule=new PrintRule("");
printRule = new PrintRule("");
printRule->setContext(compiler);
}
@ -135,18 +135,34 @@ bool RoutingCompiler_ipt::eliminateDuplicateRules::processNext()
rules_it = rules_seen_so_far.find(thisRule);
if (rules_it != rules_seen_so_far.end()) {
if (rules_it != rules_seen_so_far.end())
{
string msg;
msg = "Two of the sub rules created from the gui routing rules " + rules_it->second + " and " + rule->getLabel() +
"\nare identical, skipping the second. Please revise them to avoid this warning!";
msg = "Two of the sub rules created from the gui routing rules " +
rules_it->second + " and " + rule->getLabel() +
"\nare identical, skipping the second. " +
"Please revise them to avoid this warning!";
compiler->warning( msg.c_str() );
return true;
}
tmp_queue.push_back(rule);
rules_seen_so_far[thisRule]=rule->getLabel();
rules_seen_so_far[thisRule] = rule->getLabel();
return true;
}
bool RoutingCompiler_ipt::FindDefaultRoute::processNext()
{
RoutingCompiler_ipt *ipt_comp = dynamic_cast<RoutingCompiler_ipt*>(compiler);
RoutingRule *rule;
rule=getNext(); if (rule==NULL) return false;
RuleElementRDst *dstrel = rule->getRDst();
FWObject *ref = dstrel->front();
Address *dst = Address::cast(FWReference::cast(ref)->getPointer());
if (dst->isAny()) ipt_comp->have_default_route = true;
tmp_queue.push_back(rule);
return true;
}
@ -184,13 +200,15 @@ void RoutingCompiler_ipt::compile()
"Expand objects with multiple addresses in DST"));
add(new eliminateDuplicatesInDST("Eliminate duplicates in DST"));
add(new FindDefaultRoute("Find rules that install default route"));
add(new createSortedDstIdsLabel(
"Create label with a sorted dst-id-list for 'competingRules'"));
add(new competingRules("Check for competing rules"));
add(new ConvertToAtomicForDST(
"Convert to atomic rules by dst address elements"));
add(new createSortedDstIdsLabel(
"Create label with a sorted dst-id-list for 'classifyRoutingRules'"));
add(new classifyRoutingRules(
@ -212,7 +230,6 @@ void RoutingCompiler_ipt::compile()
}
}
string RoutingCompiler_ipt::debugPrintRule(Rule *r)
{
RoutingRule *rule=RoutingRule::cast(r);
@ -222,26 +239,32 @@ string RoutingCompiler_ipt::debugPrintRule(Rule *r)
return s;
}
void RoutingCompiler_ipt::epilog()
{
///int total = ecmp_comments_buffer.size();
int nb = 0;
// ecmp roules can only be generated after all the rules have been parsed, that is the reason for putting this code in the epilog function
if(ecmp_rules_buffer.size() > 0) {
output << "\n#\n# ======================================= EQUAL COST MULTI PATH ========================================\n#" << endl;
// ecmp roules can only be generated after all the rules have been
// parsed, that is the reason for putting this code in the epilog
// function
if (ecmp_rules_buffer.size() > 0)
{
output << "\n#\n# ============== EQUAL COST MULTI PATH ============\n#"
<< endl;
output << "echo \"Activating ecmp routing rules...\"" << endl;
for (map<string,string>::iterator ecmp_comments_buffer_it = ecmp_comments_buffer.begin(); ecmp_comments_buffer_it != ecmp_comments_buffer.end(); ++ecmp_comments_buffer_it) {
for (map<string,string>::iterator
ecmp_comments_buffer_it = ecmp_comments_buffer.begin();
ecmp_comments_buffer_it != ecmp_comments_buffer.end();
++ecmp_comments_buffer_it)
{
output << ecmp_comments_buffer_it->second << "#\n" << flush;
output << ecmp_rules_buffer[ecmp_comments_buffer_it->first] << flush;
output << " \\\n|| routeFailed " << "\"" << ++nb << "\"" << endl;
//echo \"Error: The ECMP routing rule #" << ++nb <<" couldn't be activated! Please make sure your kernel is compiled with the CONFIG_IP_ROUTE_MULTIPATH option.\"" << endl;
}

42
src/ipt/RoutingCompiler_ipt.h
View File

@ -6,22 +6,25 @@
Author: Tidei Maurizio <fwbuilder-routing at compal.de>
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
Permission is hereby granted, free of charge, to any person
obtaining a copy of this software and associated documentation files
(the "Software"), to deal in the Software without restriction,
including without limitation the rights to use, copy, modify, merge,
publish, distribute, sublicense, and/or sell copies of the Software,
and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
The above copyright notice and this permission notice shall be
included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A
PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE
OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
*/
@ -33,6 +36,7 @@
#include "fwcompiler/RoutingCompiler.h"
#include "fwbuilder/RuleElement.h"
#include "config.h"
namespace libfwbuilder {
class RuleElementRDst;
class RuleElementRItf;
@ -64,6 +68,10 @@ namespace fwcompiler {
*/
DECLARE_ROUTING_RULE_PROCESSOR(DstNegation);
/**
* check if we have to install default route
*/
DECLARE_ROUTING_RULE_PROCESSOR(FindDefaultRoute);
/**
* remove duplicate rules
@ -154,13 +162,17 @@ namespace fwcompiler {
std::map< std::string, std::string> ecmp_rules_buffer; // sortedDstId+metric-->nexthops
std::map< std::string, std::string> ecmp_comments_buffer; // sortedDstId+metric-->rule's info for the fw script
bool have_default_route;
public:
RoutingCompiler_ipt(libfwbuilder::FWObjectDatabase *_db,
const std::string &fwname, bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) :
RoutingCompiler(_db, fwname, ipv6_policy, _oscnf) {}
RoutingCompiler(_db, fwname, ipv6_policy, _oscnf)
{
have_default_route = false;
}
virtual int prolog();

150
src/ipt/RoutingCompiler_ipt_writers.cpp
View File

@ -132,7 +132,8 @@ RoutingCompiler_ipt::PrintRule::PrintRule(const std::string &name) : RoutingRule
bool RoutingCompiler_ipt::PrintRule::processNext()
{
RoutingRule *rule =getNext();
RoutingCompiler_ipt *ipt_comp = dynamic_cast<RoutingCompiler_ipt*>(compiler);
RoutingRule *rule = getNext();
if (rule==NULL) return false;
tmp_queue.push_back(rule);
@ -140,42 +141,74 @@ bool RoutingCompiler_ipt::PrintRule::processNext()
static int ecmp_nb = 0;
stringstream ecmp_nb_string;
if (print_once_on_top) {
if (print_once_on_top)
{
compiler->output
<< "#\n#\n# ============== ROUTING RULES ============== \n#"
<< endl;
compiler->output << "#\n#\n# ========================================== ROUTING RULES =============================================\n#" << endl;
compiler->output << "# if any routing rule fails we do our best to prevent freezing the firewall" << endl;
compiler->output << "routeFailed()" << endl;
compiler->output << "{" << endl;
compiler->output << " echo \"Error: Routing rule $1 couldn't be activated!\"" << endl;
compiler->output << " echo \"Recovering previous routing configuration...\"" << endl;
compiler->output << " # delete current routing rules" << endl;
compiler->output << " $IP route show | while read route ; do $IP route del $route ; done" << endl;
compiler->output << " # restore old routing rules" << endl;
/* this shell code has been tested with bash, zsh, ash, sash, csh and tcsh */
compiler->output << " (IFS=\"\n\"; for route in $oldRoutes; do (IFS=' '; $IP route add $route); done)" << endl;
compiler->output << " echo \"...done\"" << endl;
compiler->output << " exit 1" << endl;
compiler->output << "}" << endl << endl;
compiler->output << "# store previous routing configuration (sort: 'via' GW has to be inserted after device routes)" << endl;
compiler->output << "# if any routing rule fails we do our best to prevent freezing the firewall" << endl;
compiler->output << "routeFailed()" << endl;
compiler->output << "{" << endl;
compiler->output << " echo \"Error: Routing rule $1 couldn't be activated!\"" << endl;
compiler->output << " echo \"Recovering previous routing configuration...\"" << endl;
compiler->output << " # delete current routing rules" << endl;
compiler->output << " $IP route show | while read route ; do $IP route del $route ; done" << endl;
compiler->output << " # restore old routing rules" << endl;
/* this shell code has been tested with bash, zsh, ash, sash,
* csh and tcsh */
compiler->output << " (IFS=\"\n\"; for route in $oldRoutes; do (IFS=' '; $IP route add $route); done)" << endl;
compiler->output << " echo \"...done\"" << endl;
/* Note that we call epilog_commands in case when
* iptables-restore returns with an error. We should also call
* it if routing commands fail.
*/
compiler->output << " epilog_commands" << endl;
compiler->output << " exit 1" << endl;
compiler->output << "}" << endl << endl;
compiler->output << "# store previous routing configuration "
<< "(sort: 'via' GW has to be inserted after device routes)" << endl;
compiler->output << "oldRoutes=$($IP route show | sort -k 2)" << endl << endl;
compiler->output << "echo \"Deleting routing rules previously set by user space processes...\"" << endl;
compiler->output << "$IP route show | grep -v '\\( proto kernel \\)\\|\\(default via \\)' | while read route ; do $IP route del $route ; done\n" << endl;
compiler->output << "echo \"Activating non-ecmp routing rules...\"" << endl << endl;
compiler->output << "echo \"Deleting routing rules previously set by user space processes...\""
<< endl;
// we should delete default route if we have a new one to
// install. IF user did not define any routes that look like
// default (i.e. where destination is "any"), then we should
// preserve default so that we won't leave machine with no
// default at all.
string route_pattern = "";
if (ipt_comp->have_default_route)
{
// If we will install default route, delete it now
route_pattern = "'proto kernel'";
} else
{
// do not delete default if we won't install new one
route_pattern = "'\\( proto kernel \\)\\|\\(default via \\)'";
}
compiler->output << "$IP route show | grep -v "
<< route_pattern
<< " | while read route ; do $IP route del $route ; done\n"
<< endl;
compiler->output << "echo \"Activating non-ecmp routing rules...\""
<< endl << endl;
print_once_on_top=false;
}
string rl=rule->getLabel();
string comm=rule->getComment();
string rl = rule->getLabel();
string comm = rule->getComment();
string::size_type c1,c2;
c1=0;
if (rl!=current_rule_label) {
if (rl!=current_rule_label)
{
compiler->output << "# " << endl;
compiler->output << "# Rule " << rl << endl;
//compiler->output << "# " << rule->getRuleTypeAsString() << endl;
@ -184,59 +217,63 @@ bool RoutingCompiler_ipt::PrintRule::processNext()
compiler->output << "# " << endl;
}
if( rule->getRuleType() != RoutingRule::MultiPath ) {
if (rl!=current_rule_label) {
while ( (c2=comm.find('\n',c1))!=string::npos ) {
if( rule->getRuleType() != RoutingRule::MultiPath )
{
if (rl!=current_rule_label)
{
while ( (c2=comm.find('\n',c1))!=string::npos )
{
compiler->output << "# " << comm.substr(c1,c2-c1) << endl;
c1=c2+1;
}
compiler->output << "# " << comm.substr(c1) << endl;
compiler->output << "# " << endl;
current_rule_label=rl;
current_rule_label = rl;
}
string command_line = RoutingRuleToString(rule);
compiler->output << command_line;
} else {
} else
{
// the ecmp_id contains the table, the rule label and the metric. These are the properties the ecmp rules are distinguished
string metric = rule->getMetricAsString();
string ecmp_id = rule->getSortedDstIds() + "#" + metric;
if (rl!=current_rule_label) {
if (rl!=current_rule_label)
{
compiler->output << "# Some sub rules belonging to an ECMP (Equal Cost Multi Path) rule were placed in the ECMP section below." << endl;
current_rule_label=rl;
}
map< string, string>& ecmp_rules_buffer = ((RoutingCompiler_ipt*)compiler)->ecmp_rules_buffer;
map< string, string>& ecmp_comments_buffer = ((RoutingCompiler_ipt*)compiler)->ecmp_comments_buffer;
map< string, string>& ecmp_rules_buffer =
((RoutingCompiler_ipt*)compiler)->ecmp_rules_buffer;
map< string, string>& ecmp_comments_buffer =
((RoutingCompiler_ipt*)compiler)->ecmp_comments_buffer;
map< string, string>::iterator ecmp_rules_buffer_it;
ecmp_rules_buffer_it = ecmp_rules_buffer.find(ecmp_id);
if( ecmp_rules_buffer_it == ecmp_rules_buffer.end() ) {
if( ecmp_rules_buffer_it == ecmp_rules_buffer.end() )
{
// ECMP Dst not seen so far, add "ip route add x.x.x.x" and comment's header
ecmp_nb_string << ++ecmp_nb;
ecmp_comments_buffer[ecmp_id] = "#\n# Multipath Rule #" + ecmp_nb_string.str() + " derivated from the following routing rules:\n#\n";
if (rule->getMetricAsString() != "0") {
if (rule->getMetricAsString() != "0")
{
ecmp_rules_buffer[ecmp_id] += "$IP route add " + _printRDst(rule) + "metric " + metric;
} else {
} else
{
ecmp_rules_buffer[ecmp_id] += "$IP route add " + _printRDst(rule);
}
}
ecmp_comments_buffer[ecmp_id] += "# Rule " + rl + "\n";
while ( (c2=comm.find('\n',c1))!=string::npos ) {
ecmp_comments_buffer[ecmp_id] += "# " + comm.substr(c1,c2-c1) + "\n";
while ( (c2=comm.find('\n',c1))!=string::npos )
{
ecmp_comments_buffer[ecmp_id] +=
"# " + comm.substr(c1,c2-c1) + "\n";
c1=c2+1;
}
ecmp_comments_buffer[ecmp_id] += "# " + comm.substr(c1) + "\n";
@ -266,7 +303,8 @@ string RoutingCompiler_ipt::PrintRule::RoutingRuleToString(RoutingRule *rule)
command_line << "$IP route add ";
command_line << _printRDst(rule);
if (rule->getMetricAsString() != "0") {
if (rule->getMetricAsString() != "0")
{
command_line << " metric " << rule->getMetricAsString() << " ";
}
command_line << _printRGtw(rule);
@ -275,9 +313,11 @@ string RoutingCompiler_ipt::PrintRule::RoutingRuleToString(RoutingRule *rule)
FWObject *opt_dummy = rule->getFirstByType(RoutingRuleOptions::TYPENAME);
RoutingRuleOptions *opt = opt_dummy ? RoutingRuleOptions::cast(opt_dummy) : 0;
if ( opt && opt->getBool("no_fail") ) {
if ( opt && opt->getBool("no_fail") )
{
command_line << "echo \"*** Warning: routing rule " << rule->getLabel() << " failed. ignored. ***\"\n";
} else {
} else
{
command_line << "routeFailed " << "\"" << rule->getLabel() << "\"" << endl;;
}
command_line << endl;
@ -289,9 +329,9 @@ string RoutingCompiler_ipt::PrintRule::_printRGtw(RoutingRule *rule)
{
FWObject *ref;
RuleElementRGtw *gtwrel=rule->getRGtw();
ref=gtwrel->front();
Address *gtw=Address::cast(FWReference::cast(ref)->getPointer());
RuleElementRGtw *gtwrel = rule->getRGtw();
ref = gtwrel->front();
Address *gtw = Address::cast(FWReference::cast(ref)->getPointer());
if(gtw==NULL)
throw FWException(_("Broken GTW in ")+rule->getLabel());

322
test/ipt/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1232903269" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1235803462" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
<IPv4 id="id41D295E2" name="firewall30:ppp.200*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
@ -798,6 +798,11 @@
<Interface id="id78158X59595" bridgeport="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id78160X59595" name="firewall70:eth2:ip" comment="" ro="False" address="66.66.66.1" netmask="255.255.255.128"/>
</Interface>
<ObjectRef ref="id4733FFE419714"/>
<ObjectRef ref="id40860X98946"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id118609X9876"/>
<ObjectRef ref="sysid0"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
@ -832,6 +837,7 @@
<IPv6 id="id48416A7116880" name="altavista" comment="" ro="False" address="3ffe:1200:2001:1:8000::1" netmask="128"/>
<IPv6 id="id48416A7216880" name="6bone.net" comment="" ro="False" address="2001:5c0:0:2::24" netmask="128"/>
<IPv4 id="id40860X98946" name="internal gw" comment="" ro="False" address="192.168.1.254" netmask="0.0.0.0"/>
<IPv4 id="id118625X9876" name="ext gateway" comment="" ro="False" address="192.0.2.100" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
<ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
@ -19717,30 +19723,8 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id43A2BF7416451" host_OS="linux24" inactive="False" lastCompiled="1215360266" lastInstalled="1142003872" lastModified="1230884346" platform="iptables" version="" name="firewall36" comment="&#10;testing routing rules - both actually routing and ROUTE target&#10;" ro="False">
<NAT id="id43A2C00E16451" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id43A2C01D16451" disabled="False" position="0" comment="Translate source address&#10;for outgoing connections">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id43A2C03B16451"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
</NAT>
<Firewall id="id43A2BF7416451" host_OS="linux24" inactive="False" lastCompiled="1215360266" lastInstalled="1142003872" lastModified="1235803788" platform="iptables" version="" name="firewall36" comment="&#10;testing routing rules - both actually routing and ROUTE target&#10;&#10;routing ruleset installs ECMP default" ro="False">
<NAT id="id43A2C00E16451" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id43A2BF7A16451" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id43A2BFF616451" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="This permits access from internal net&#10;to the Internet and DMZ">
<Src neg="False">
@ -28202,7 +28186,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4848A4294626" host_OS="linux24" inactive="False" lastCompiled="1215360866" lastInstalled="1142003872" lastModified="1227249554" platform="iptables" version="" name="firewall-base-rulesets" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot;&#10;" ro="False">
<Firewall id="id4848A4294626" host_OS="linux24" inactive="False" lastCompiled="1215360866" lastInstalled="1142003872" lastModified="1235665840" platform="iptables" version="" name="firewall-base-rulesets" comment="this firewall is used to test a rule in the global policy of object &quot;firewall&quot;&#10;" ro="False">
<NAT id="id4848A4304626" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4848A42F4626" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4848A4414626" name="web_server_inbound" comment="Basic rules for web servers.&#10;" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
@ -28420,6 +28404,28 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id41960X1271" name="base-ruleset" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id41961X1271" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4848A4294626"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id4848A4314626" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id4848A4324626" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id4848A4344626" name="firewall-base-rulesets:eth0:ip" comment="" ro="False" address="33.33.33.33" netmask="255.255.255.0"/>
@ -28449,6 +28455,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="dyn_addr">False</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"></Option>
@ -28496,7 +28503,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id484A05C44626" host_OS="linux24" inactive="False" lastCompiled="1227249571" lastInstalled="1142003872" lastModified="1212694117" platform="iptables" version="" name="firewall51" comment="testing branching rules that point&#10;at rule sets defined in object&#10;firewall-base-rulesets" ro="False">
<Firewall id="id484A05C44626" host_OS="linux24" inactive="False" lastCompiled="1235665887" lastInstalled="1142003872" lastModified="1235665873" platform="iptables" version="" name="firewall51" comment="testing branching rules that point&#10;at rule sets defined in object&#10;firewall-base-rulesets" ro="False">
<NAT id="id484A06174626" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id484A05CA4626" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id484A05CB4626" disabled="False" log="False" position="0" action="Branch" direction="Both" comment="">
@ -28679,7 +28686,50 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id484A05E44626" disabled="False" log="False" position="4" action="Branch" direction="Both" comment="">
<PolicyRule id="id61000X1271" disabled="False" group="" log="False" position="4" action="Branch" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id41960X1271</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">False</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id484A05E44626" disabled="False" log="False" position="5" action="Branch" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3CEBFDFC"/>
</Src>
@ -38591,6 +38641,222 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id42015X9876" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1235803779" platform="iptables" version="" name="firewall36-1" comment="Testing routing configuration where routing rules do not install default route" ro="False">
<NAT id="id42106X9876" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id42021X9876" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id42121X9876" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id42138X9876" disabled="False" group="" metric="0" position="0" comment="">
<RDst neg="False">
<ObjectRef ref="id4733FFE419714"/>
</RDst>
<RGtw neg="False">
<ObjectRef ref="id40860X98946"/>
</RGtw>
<RItf neg="False">
<ObjectRef ref="id42149X9876"/>
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
</Routing>
<Interface id="id42146X9876" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id42148X9876" name="firewall36-1:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id42149X9876" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id42151X9876" name="firewall36-1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id42152X9876" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id42154X9876" name="firewall36-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface id="id42155X9876" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id42157X9876" name="firewall36-1:eth2:ip" comment="" ro="False" address="192.0.100.1" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id118575X9876" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1235803774" platform="iptables" version="" name="firewall36-2" comment="Testing routing configuration where routing rules install simple (not ECMP) default route" ro="False">
<NAT id="id118582X9876" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id118581X9876" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Routing id="id118597X9876" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RoutingRule id="id118598X9876" disabled="False" group="" metric="0" position="0" comment="">
<RDst neg="False">
<ObjectRef ref="sysid0"/>
</RDst>
<RGtw neg="False">
<ObjectRef ref="id118625X9876"/>
</RGtw>
<RItf neg="False">
<ObjectRef ref="id118606X9876"/>
</RItf>
<RoutingRuleOptions/>
</RoutingRule>
</Routing>
<Interface id="id118606X9876" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id118608X9876" name="firewall36-2:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id118609X9876" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id118611X9876" name="firewall36-2:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface id="id118612X9876" bridgeport="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id118614X9876" name="firewall36-2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface id="id118615X9876" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id118617X9876" name="firewall36-2:eth2:ip" comment="" ro="False" address="192.0.100.1" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False">
<Interval id="id3D6864D0" days_of_week="0,1" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1" name="test time 1" comment="" ro="False"/>