onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-25 12:47:44 +01:00
Code Issues Releases Wiki Activity

* OSConfigurator_linux24::printVirtualAddressesForNatCommands:

Browse Source 
fixed bug 3001228 "v4.0.0 iptables: NAT not creating interface
addresses". Iptables script generated by fwbuilder used to include
commands to configure virtual ip addresses for NAT only if option
"configure interfaces" was turned on. Expected behavior is to
generate these commands when option "Add virtual addresses for
NAT" is turned on regardless of the setting of the option
"configure interfaces".
This commit is contained in:
Vadim Kurland 2010-06-25 03:38:24 +00:00
parent f4c5090383
commit 1994f02f4d
9 changed files with 593 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_num
View File

@ -1 +1 @@
#define BUILD_NUM 3020
#define BUILD_NUM 3021

10
doc/ChangeLog
View File

@ -1,3 +1,13 @@
2010-06-24 Vadim Kurland <vadim@vk.crocodile.org>
* OSConfigurator_linux24::printVirtualAddressesForNatCommands:
fixed bug 3001228 "v4.0.0 iptables: NAT not creating interface
addresses". Iptables script generated by fwbuilder used to include
commands to configure virtual ip addresses for NAT only if option
"configure interfaces" was turned on. Expected behavior is to
generate these commands when option "Add virtual addresses for
NAT" is turned on regardless of the setting of the option
"configure interfaces".
2010-06-22 Roman Bovsunivkiy <a2k0001@gmail.com>

13
src/iptlib/CompilerDriver_ipt_run.cpp
View File

@ -514,8 +514,17 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
if ( options->getBool("configure_bridge_interfaces") )
ostr << oscnf->printBridgeInterfaceConfigurationCommands();
if ( options->getBool("configure_interfaces") )
ostr << oscnf->printInterfaceConfigurationCommands();
if ( options->getBool("configure_interfaces") ||
options->getBool("manage_virtual_addr"))
{
if ( options->getBool("configure_interfaces"))
ostr << oscnf->printInterfaceConfigurationCommands();
else
ostr << oscnf->printVirtualAddressesForNatCommands();
}
ostr << oscnf->printCommandsToClearKnownInterfaces();
ostr << oscnf->printDynamicAddressesConfigurationCommands();

7
src/iptlib/NATCompiler_ipt.cpp
View File

@ -844,14 +844,9 @@ bool NATCompiler_ipt::addVirtualAddress::processNext()
else
a=compiler->getFirstODst(rule);
// TODO: should always issue the warning that adding virtual
// addresses for NAT is not supported with address ranges,
// regardless of the result of complexMatch()
if ( ! a->isAny() &&
! compiler->complexMatch(a, compiler->fw) &&
! compiler->complexMatch(a, cluster) &&
options->getBool("manage_virtual_addr"))
! compiler->complexMatch(a, cluster))
{
if (AddressRange::cast(a)!=NULL)
{

15
src/iptlib/OSConfigurator_linux24.h
View File

@ -33,6 +33,7 @@
#include "OSData.h"
class QString;
class QStringList;
namespace libfwbuilder {
class FWObject;
@ -54,7 +55,8 @@ namespace fwcompiler {
std::vector<libfwbuilder::InetAddr> virtual_addresses;
// map of virt. addresses for nat for each interface
std::map<std::string, std::string> virtual_addresses_for_nat;
std::list<std::string> known_interfaces;
std::string getInterfaceVarName(libfwbuilder::FWObject *iface,
bool v6=false);
@ -69,6 +71,11 @@ namespace fwcompiler {
const QString &command,
bool ipv6=false);
virtual QString printUpdateAddressCommand(
libfwbuilder::Interface *intf,
QStringList &update_addresses,
QStringList &ignore_addresses);
public:
virtual ~OSConfigurator_linux24();
@ -100,9 +107,13 @@ public:
virtual std::string printRunTimeWrappers(libfwbuilder::FWObject *rule,
const std::string &command,
bool ipv6=false);
virtual std::string printVerifyInterfacesCommands();
virtual std::string printVirtualAddressesForNatCommands();
virtual std::string printInterfaceConfigurationCommands();
virtual std::string printCommandsToClearKnownInterfaces();
virtual std::string printVlanInterfaceConfigurationCommands();
virtual std::string printBridgeInterfaceConfigurationCommands();
virtual std::string printBondingInterfaceConfigurationCommands();

126
src/iptlib/OSConfigurator_linux24_interfaces.cpp
View File

@ -93,14 +93,36 @@ string OSConfigurator_linux24::printVerifyInterfacesCommands()
return verify_interfaces.expand().toStdString();
}
/*
* Generate calls to the shell function update_addresses_of_interface
* to add or remove ip addresses of interfaces. The following cases
* are supported, depending on the value of
* @add_virtual_addresses_for_nat and @configure_interfaces
*
* configure_interfaces == false && add_virtual_addresses_for_nat == false:
* do not generate any commands
*
* configure_interfaces == false && add_virtual_addresses_for_nat == true:
* use only virtual_addresses_for_nat, add normal addresses of the interface
* to the list of addresses we should ignore
*
* configure_interfaces == true && add_virtual_addresses_for_nat == false:
* ignore virtual_addresses_for_nat
*
* configure_interfaces == true && add_virtual_addresses_for_nat == true:
* use virtual_addresses_for_nat
*
*
*/
string OSConfigurator_linux24::printInterfaceConfigurationCommands()
{
FWOptions* options = fw->getOptionsObject();
QStringList gencmd;
std::auto_ptr<interfaceProperties> int_prop(
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
fw->getStr("host_OS")));
QStringList known_interfaces;
list<FWObject*> interfaces = fw->getByTypeDeep(Interface::TYPENAME);
list<FWObject*>::iterator i;
for (i=interfaces.begin(); i!=interfaces.end(); ++i )
@ -109,13 +131,13 @@ string OSConfigurator_linux24::printInterfaceConfigurationCommands()
assert(iface);
string iface_name = iface->getName();
QStringList out;
QStringList update_addresses;
QStringList ignore_addresses;
if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses))
{
if (virtual_addresses_for_nat.count(iface_name) > 0)
if (options->getBool("manage_virtual_addr") &&
virtual_addresses_for_nat.count(iface_name) > 0)
update_addresses.push_back(
virtual_addresses_for_nat[iface_name].c_str());
@ -125,34 +147,100 @@ string OSConfigurator_linux24::printInterfaceConfigurationCommands()
// removed. Say, interface was regular and had an address
// and then user converted it to unnumbered. In this case
// the address should be removed.
update_addresses.push_front(iface_name.c_str());
out.push_back("update_addresses_of_interface");
out.push_back("\"" + update_addresses.join(" ") + "\"");
out.push_back("\"" + ignore_addresses.join(" ") + "\"");
gencmd.push_back(out.join(" "));
QString iface_spec = iface_name.c_str();
if (iface->getOptionsObject()->getStr("type") == "8021q")
{
FWObject *parent_iface = iface->getParent();
iface_spec = QString("%1@%2").arg(iface_name.c_str()).arg(parent_iface->getName().c_str());
}
gencmd.push_back(
printUpdateAddressCommand(iface, update_addresses, ignore_addresses));
}
known_interfaces.push_back(iface_name.c_str());
known_interfaces.push_back(iface_name);
}
return gencmd.join("\n").toStdString() + "\n";
}
/*
* printVirtualAddressesForNatCommands() deals with the case when we
* add virtual addresses for NAT but do not configure normal addresses
* of interfaces
*/
string OSConfigurator_linux24::printVirtualAddressesForNatCommands()
{
QStringList gencmd;
std::auto_ptr<interfaceProperties> int_prop(
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
fw->getStr("host_OS")));
list<FWObject*> interfaces = fw->getByTypeDeep(Interface::TYPENAME);
list<FWObject*>::iterator i;
for (i=interfaces.begin(); i!=interfaces.end(); ++i )
{
Interface *iface = Interface::cast(*i);
assert(iface);
string iface_name = iface->getName();
QStringList update_addresses;
QStringList ignore_addresses;
// Return value of InterfaceProperties::manageIpAddresses()
// signals if we should manage addresses of the interface at
// all, so it is useful even if we are not going to use the
// lists.
if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses))
{
// we should not configure normal addresses of interfaces, but
// should configure virtual addresses for nat. This means we should
// add normal addresses to the ignore_addresses list.
ignore_addresses.append(update_addresses);
update_addresses.clear();
if (virtual_addresses_for_nat.count(iface_name) > 0)
{
update_addresses.push_back(
virtual_addresses_for_nat[iface_name].c_str());
gencmd.push_back(
printUpdateAddressCommand(iface, update_addresses, ignore_addresses));
}
}
known_interfaces.push_back(iface_name);
}
return gencmd.join("\n").toStdString() + "\n";
}
string OSConfigurator_linux24::printCommandsToClearKnownInterfaces()
{
if (fw->getOptionsObject()->getBool("clear_unknown_interfaces") &&
known_interfaces.size() > 0)
{
// last resort protection: if there are no interfaces with
// addresses in fwbuilder configuration, we should not kill
// all addresses of all interfaces on the firewall
known_interfaces.push_front(
"clear_addresses_except_known_interfaces");
gencmd.push_back(known_interfaces.join(" "));
string res = "clear_addresses_except_known_interfaces ";
for (list<string>::iterator it=known_interfaces.begin();
it!=known_interfaces.end(); ++it)
{
res += *it + " ";
}
return res;
}
return gencmd.join("\n").toStdString() + "\n";
return "";
}
QString OSConfigurator_linux24::printUpdateAddressCommand(
Interface *intf, QStringList &update_addresses, QStringList &ignore_addresses)
{
QStringList out;
update_addresses.push_front(intf->getName().c_str());
out.push_back("update_addresses_of_interface");
out.push_back("\"" + update_addresses.join(" ") + "\"");
out.push_back("\"" + ignore_addresses.join(" ") + "\"");
return out.join(" ");
}
string OSConfigurator_linux24::printVlanInterfaceConfigurationCommands()

63
src/iptlib/unit_tests/generatedScriptTestsLinux/generatedScriptTestsLinux.cpp
View File

@ -304,3 +304,66 @@ void GeneratedScriptTest::configureInterfacesClusterTest()
delete objdb;
}
void GeneratedScriptTest::virtualAddressesForNat1Test()
{
QStringList sample_1;
sample_1 << "update_addresses_of_interface \"eth0 192.0.2.1/24 192.0.2.100/24 192.0.2.101/24\" \"\"";
sample_1 << "update_addresses_of_interface \"lo 127.0.0.1/8\" \"\"";
objdb = new FWObjectDatabase();
runCompiler("test1.fwb", "test5", "test5.fw");
// unfortunately function configure_interfaces is not generated by its
// own configlet
QString res = Configlet::findConfigletInFile("script_skeleton", "test5.fw");
int n1 = res.indexOf("configure_interfaces() {");
CPPUNIT_ASSERT_MESSAGE("Shell function configure_interfaces is missing", n1 != -1);
int n2 = res.indexOf("}", n1);
res = res.mid(n1, n2-n1);
QStringList intf_list;
foreach(QString line, res.split("\n"))
{
if (line.indexOf("update_addresses_of_interface ")!=-1)
{
intf_list.push_back(line.trimmed());
}
}
intf_list.sort();
CPPUNIT_ASSERT(sample_1 == intf_list);
delete objdb;
}
void GeneratedScriptTest::virtualAddressesForNat2Test()
{
QStringList sample_1;
sample_1 << "update_addresses_of_interface \"eth0 192.0.2.100/24 192.0.2.101/24\" \"192.0.2.1/24\"";
objdb = new FWObjectDatabase();
runCompiler("test1.fwb", "test6", "test6.fw");
// unfortunately function configure_interfaces is not generated by its
// own configlet
QString res = Configlet::findConfigletInFile("script_skeleton", "test6.fw");
int n1 = res.indexOf("configure_interfaces() {");
CPPUNIT_ASSERT_MESSAGE("Shell function configure_interfaces is missing", n1 != -1);
int n2 = res.indexOf("}", n1);
res = res.mid(n1, n2-n1);
QStringList intf_list;
foreach(QString line, res.split("\n"))
{
if (line.indexOf("update_addresses_of_interface ")!=-1)
{
intf_list.push_back(line.trimmed());
}
}
intf_list.sort();
CPPUNIT_ASSERT(sample_1 == intf_list);
delete objdb;
}

4
src/iptlib/unit_tests/generatedScriptTestsLinux/generatedScriptTestsLinux.h
View File

@ -55,6 +55,8 @@ public:
void verifyInterfacesTest();
void configureInterfacesTest();
void configureInterfacesClusterTest();
void virtualAddressesForNat1Test();
void virtualAddressesForNat2Test();
CPPUNIT_TEST_SUITE(GeneratedScriptTest);
CPPUNIT_TEST(ManifestTest);
@ -63,6 +65,8 @@ public:
CPPUNIT_TEST(verifyInterfacesTest);
CPPUNIT_TEST(configureInterfacesTest);
CPPUNIT_TEST(configureInterfacesClusterTest);
CPPUNIT_TEST(virtualAddressesForNat1Test);
CPPUNIT_TEST(virtualAddressesForNat2Test);
CPPUNIT_TEST_SUITE_END();
};

385
src/iptlib/unit_tests/generatedScriptTestsLinux/test1.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1269885923" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1277436196" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -101,17 +101,29 @@
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
@ -416,10 +428,39 @@
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<IPv4 id="id2564X9501" name="test4:eth2:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<IPv4 id="id2554X9501" name="test4:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<Interface id="id2711X30989" dedicated_failover="False" dyn="False" label="dmz" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions/>
<Interface id="id2720X30989" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan110" comment="" ro="False">
<IPv4 id="id2723X30989" name="test5:eth2:vlan110:ip" comment="" ro="False" address="192.168.2.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">110</Option>
</InterfaceOptions>
</Interface>
<Interface id="id2725X30989" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vlan111" comment="" ro="False">
<IPv4 id="id2728X30989" name="test5:eth2:vlan111:ip" comment="" ro="False" address="192.168.3.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">111</Option>
</InterfaceOptions>
</Interface>
</Interface>
<IPv4 id="id2703X30989" name="test5:eth1:eth1.200:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<Interface id="id2699X30989" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1.200" comment="" ro="False">
<IPv6 id="id2704X30989" name="test5:eth1:eth1.200:ip6" comment="" ro="False" address="fe80::20c:29ff:fed2:cca1" netmask="64"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">200</Option>
</InterfaceOptions>
</Interface>
</Library>
<Library id="id1548X1251" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id1549X1251" name="Objects" comment="" ro="False">
<ObjectGroup id="id1550X1251" name="Addresses" comment="" ro="False"/>
<ObjectGroup id="id1550X1251" name="Addresses" comment="" ro="False">
<IPv4 id="id2864X30989" name="192.0.2.100" comment="" ro="False" address="192.0.2.100" netmask="0.0.0.0"/>
<IPv4 id="id11875X30989" name="192.0.2.101" comment="" ro="False" address="192.0.2.101" netmask="0.0.0.0"/>
<IPv4 id="id11890X30989" name="192.168.1.100" comment="" ro="False" address="192.168.1.100" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="id1551X1251" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id1552X1251" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id1553X1251" name="Groups" comment="" ro="False"/>
@ -868,6 +909,346 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id2679X30989" host_OS="linux24" inactive="False" lastCompiled="1277436183" lastInstalled="0" lastModified="1277436175" platform="iptables" version="" name="test5" comment="both &quot;configure interfaces&quot; and &quot;add virtual addresses for nat&quot; are turned on" ro="False">
<NAT id="id2732X30989" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id2842X30989" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id2864X30989"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id11861X30989" disabled="False" group="" position="1" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id11875X30989"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id11890X30989"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id2730X30989" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id2830X30989" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id2734X30989" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id2687X30989" dedicated_failover="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id2690X30989" name="test5:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id2706X30989" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id2709X30989" name="test5:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id2692X30989" dedicated_failover="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="True" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id7389X30989" name="test5:eth1:eth1.200:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="clear_unknown_interfaces">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_bonding_interfaces">False</Option>
<Option name="configure_bridge_interfaces">False</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall">/etc/init.d/firewall.fw</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">True</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id16457X30989" host_OS="linux24" inactive="False" lastCompiled="1277436183" lastInstalled="0" lastModified="1277436220" platform="iptables" version="" name="test6" comment="&quot;configure interfaces&quot; is off but &quot;add virtual addresses for nat&quot; is on" ro="False">
<NAT id="id16494X30989" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id16495X30989" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id2864X30989"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id16509X30989" disabled="False" group="" position="1" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="id11875X30989"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id11890X30989"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id16480X30989" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id16481X30989" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id16524X30989" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id16465X30989" dedicated_failover="False" dyn="False" label="outside" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id16468X30989" name="test6:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id16470X30989" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id16473X30989" name="test6:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id16475X30989" dedicated_failover="False" dyn="False" label="inside" mgmt="True" security_level="100" unnum="True" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id16478X30989" name="test6:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="clear_unknown_interfaces">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_bonding_interfaces">False</Option>
<Option name="configure_bridge_interfaces">False</Option>
<Option name="configure_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall">/etc/init.d/firewall.fw</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">True</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<ObjectGroup id="id1567X1251" name="Clusters" comment="" ro="False">
<Cluster id="id2876X9501" host_OS="linux24" lastCompiled="1269885939" lastInstalled="0" lastModified="1269886019" platform="iptables" name="cluster-2-3" comment="" ro="False">