
compiler for iptables works with multiple rule sets

This commit is contained in:
Vadim Kurland 2008-05-30 00:13:13 +00:00
parent a6aa15dd09
commit 1e245de1bf
12 changed files with 7110 additions and 10615 deletions


@ -1,3 +1,45 @@
2008-05-29 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (main): Compiler for iptables processes all Policy and
NAT rulesets that firewall object has, regardless of whether they
are referenced from any rules with action Branch or not. This is a
change compared to the behavior of 2.1 which processed only those
branch rule sets that were used in Branch rules. Each rule set
that has name other than "Policy" is placed in a chain with the
name the same as the name of the rule set. This way the user can
create multiple rule sets and place them in different chains,
control to these chains can be passed in the iptables commands
supplied in prolog or epilog scripts.
Another reason for this is to allow the user to place rules for
ipv4 and ipv6 in separate rule sets. An attribute "address_family"
will be added to objects Policy and NAT later on to be able to
mark rule sets as belonging to either ipv4 or ipv6 address
family. This separation helps avoid ambiguity that is possible in
mixed rule sets (when both ipv4 and ipv6 rules are mixed in the
same rule set). Suppose we allow the user to put both ipv4 and
ipv6 rules in the same rule set and the user creates a rule with
ipv4 object in Dst with negation. "Not host A", where "host A"
translates into one ipv4 address should probably include "all
ipv6" as well, which means that this simple rule can inadvertenly
block all ipv6 without user even noticing it. This can be very
confusing and difficult to troubleshoot. Placing rules acting on
different address families into different rule sets helps avoid
this problem.
* ipt.cpp: Compiler for iptables can determine if a rule set is
referenced by a rule with action Branch and option "branch in
mangle table in addition to the filter table" and correctly places
referenced rule set in both filter and mangle tables.
* ObjectManipulator.cpp: Policy rules can now be arranged in
multiple rule sets with names. These rule sets are shown in the
tree under the firewall object (next to its interfaces). Each rule
set is independent from others, user can add as many as they
want. Rules with action "Branch" refer to existing rule sets, user
associates them by dragging rule set object into action parameters
dialog of the branching rule.
2008-05-23 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (countChainUsage::processNext): New
@ -8,7 +50,7 @@
2008-05-22 Vadim Kurland <vadim@vk.crocodile.org>
* ipt.cpp (main): Poliucy compiler for iptables supports
* ipt.cpp (main): Policy compiler for iptables supports
IPv6. Added command line switches "-4" and "-6" which force
compiler to generate script for only one specified address
family (by default it does both). Compiler can generate simple


@ -100,7 +100,8 @@ bool MangleTableCompiler_ipt::keepMangleTableRules::processNext()
if (rule->getAction() == PolicyRule::Tag ||
rule->getAction() == PolicyRule::Route ||
rule->getAction() == PolicyRule::Classify) tmp_queue.push_back(rule);
rule->getAction() == PolicyRule::Classify ||
ruleopt->getBool("put_in_mangle_table")) tmp_queue.push_back(rule);
return true;
}
@ -117,6 +118,7 @@ string MangleTableCompiler_ipt::flushAndSetDefaultPolicy()
PolicyCompiler_ipt::PrintRule *prp = createPrintRuleProcessor();
res << endl;
res << prp->_declareTable();
if (have_connmark)
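Review bot: The new `ruleopt->getBool("put_in_mangle_table")` clause in keepMangleTableRules::processNext depends on a flag that is set in another file (findBranchesInMangleTable in ipt.cpp marks every rule of a rule set that a Branch rule with `ipt_branch_in_mangle` points to), and nothing at this point says so; a comment above the condition such as `// put_in_mangle_table is set by ipt.cpp on rules of rule sets referenced by a Branch rule with "branch in mangle table"` would spare the next reader a cross-file search. `ruleopt` is not declared in the visible lines, so it presumably comes from earlier in the function, which starts outside the hunk. Stylistically, `tmp_queue.push_back(rule);` hanging off the end of a four-line condition is easy to miss; putting it on its own line makes the accepted-rule path visible.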


@ -2165,7 +2165,7 @@ void NATCompiler_ipt::compile()
#endif
add( new NATCompiler::Begin());
add( new printTotalNumberOfRules( ));
add( new printTotalNumberOfRules());
add( new recursiveGroupsInOSrc("check for recursive groups in OSRC"));
add( new recursiveGroupsInODst("check for recursive groups in ODST"));
@ -2184,6 +2184,7 @@ void NATCompiler_ipt::compile()
add( new emptyGroupsInTSrv("check for empty groups in TSRV" ));
add( new ExpandGroups( "Expand groups" ));
// processors that expand objects with multiple addresses
// check addresses against current address family using member
// ipv6. If all addresses do not match, we may end up with


@ -145,7 +145,8 @@ string PolicyCompiler_ipt::getNewTmpChainName(PolicyRule *rule)
#endif
}
string PolicyCompiler_ipt::getNewChainName(PolicyRule *rule,Interface *rule_iface)
string PolicyCompiler_ipt::getNewChainName(PolicyRule *rule,
Interface *rule_iface)
{
std::ostringstream str;
@ -167,12 +168,13 @@ string PolicyCompiler_ipt::getNewChainName(PolicyRule *rule,Interface *rule_ifac
}
int pos=rule->getPosition();
// parent_rule_num is set by processor "Branching" for branch rules
string ppos = rule->getStr("parent_rule_num");
string ruleset_name = getRuleSetName();
if (ruleset_name != "Policy")
str << ruleset_name << "_";
else
str << "RULE_";
str << "RULE_";
if (ppos != "")
str << ppos << "_";
if (pos>=0)
str << pos;
else // special case: position == -1
@ -318,6 +320,11 @@ void PolicyCompiler_ipt::resetActionOnReject(PolicyRule *rule)
ruleopt->setStr("action_on_reject","none"); // hack.
}
void PolicyCompiler_ipt::registerRuleSetChain(const std::string &chain_name)
{
chain_usage_counter[chain_name] = 1;
}
int PolicyCompiler_ipt::prolog()
{
if (fw->getStr("platform")!="iptables")
@ -643,88 +650,6 @@ bool PolicyCompiler_ipt::InterfacePolicyRulesWithOptimization::processNext()
return true;
}
void PolicyCompiler_ipt::Branching::expandBranch(PolicyRule *rule,
const string &parentRuleNum)
{
std::ostringstream str;
if (rule->getAction() == PolicyRule::Branch)
{
RuleSet *subset = rule->getBranch();
if (subset==NULL)
{
compiler->abort(
_("Action 'Branch' but no branch policy in policy rule ")
+rule->getLabel());
}
tmp_queue.push_back(rule);
FWOptions *ropt = rule->getOptionsObject();
string branchName = ropt->getStr("branch_name");
rule->setStr("ipt_target",branchName);
string branchRuleLabelSuffix = string("branch head: ") + rule->getLabel();
//string parentRuleNum = r->getStr("parent_rule_num");
string lbl;
for (FWObject::iterator i=subset->begin(); i!=subset->end(); i++)
{
PolicyRule *r = PolicyRule::cast(*i);
if (r->isDisabled()) continue;
RuleElementItf *itfre=r->getItf(); assert(itfre);
if (itfre->isAny())
{
lbl = rule->getLabel() + " / " + branchName + " " +
compiler->createRuleLabel("",
r->getPosition());
r->setLabel(lbl);
} else
{
string interfaces = "";
for (FWObject::iterator i=itfre->begin(); i!=itfre->end(); ++i)
{
FWObject *o=*i;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
if (interfaces!="") interfaces += ",";
interfaces += o->getName();
}
lbl = rule->getLabel() + " / " + branchName + " " +
compiler->createRuleLabel(interfaces,
r->getPosition());
r->setLabel(lbl);
}
std::ostringstream str;
r->setStr("parent_rule_num",parentRuleNum);
r->setStr("ipt_chain",branchName);
r->setUniqueId( r->getId() );
//tmp_queue.push_back(r);
str << parentRuleNum << "_" << r->getPosition();
expandBranch(r, str.str() );
}
subset->ref();
rule->remove(subset);
} else
tmp_queue.push_back(rule);
}
bool PolicyCompiler_ipt::Branching::processNext()
{
std::ostringstream str;
PolicyRule *rule=getNext(); if (rule==NULL) return false;
str << rule->getPosition();
expandBranch( rule, str.str() );
return true;
}
bool PolicyCompiler_ipt::Route::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
@ -1595,6 +1520,17 @@ bool PolicyCompiler_ipt::setChainForMangle::processNext()
if (rule->getDirection()==PolicyRule::Outbound)
rule->setStr("ipt_chain","POSTROUTING");
/* if direction is "Outbound", chain can never be INPUT, but could be FORWARD */
RuleElementSrc *srcrel=rule->getSrc();
Address *src =compiler->getFirstSrc(rule); assert(src);
if ( rule->getDirection()!=PolicyRule::Inbound &&
!srcrel->isAny() &&
compiler->complexMatch(src,compiler->fw,true,true))
{
rule->setStr("ipt_chain","OUTPUT");
}
}
tmp_queue.push_back(rule);
@ -2973,6 +2909,12 @@ bool PolicyCompiler_ipt::decideOnTarget::processNext()
case PolicyRule::Continue: rule->setStr("ipt_target","CONTINUE"); break;
case PolicyRule::Custom: rule->setStr("ipt_target","CUSTOM"); break;
case PolicyRule::Route: rule->setStr("ipt_target","ROUTE"); break;
case PolicyRule::Branch:
{
FWOptions *ropt = rule->getOptionsObject();
rule->setStr("ipt_target", ropt->getStr("branch_name"));
break;
}
default: ;
}
return true;
@ -3692,7 +3634,7 @@ void PolicyCompiler_ipt::compile()
{
printRule=NULL;
cout << " Compiling rules for '" << my_table << "' table";
cout << " Compiling ruleset " << getRuleSetName() << " for '" << my_table << "' table";
if (ipv6) cout << ", IPv6";
cout << endl << flush;
@ -3707,8 +3649,6 @@ void PolicyCompiler_ipt::compile()
{
add( new Begin("Detecting rule shadowing"));
add( new Branching("fold in branches"));
addRuleFilter();
add( new printTotalNumberOfRules());
@ -3780,19 +3720,15 @@ void PolicyCompiler_ipt::compile()
add( new PolicyCompiler::Begin() );
add( new addPredefinedRules("Add some predefined rules" ) );
add( new Branching( "fold in branches" ) );
addRuleFilter();
add( new printTotalNumberOfRules( ) );
// add( new Branching("process branch rules" ) );
add( new Route("process route rules" ) );
add( new storeAction("store original action of this rule" ) );
add( new splitIfTagAndConnmark("Tag+CONNMARK combo"));
add( new setChainForMangle("set chain for other rules in mangle"));
//add( new setChainForMangle("set chain for other rules in mangle"));
add( new Logging1("check global logging override option" ) );
add( new ItfNegation("process negation in Itf" ) );
@ -3868,6 +3804,8 @@ void PolicyCompiler_ipt::compile()
add( new splitIfSrcAny("split rule if src is any") );
add( new setChainForMangle("set chain for other rules in mangle"));
// call setChainPreroutingForTag before splitIfDstAny
add( new setChainPreroutingForTag("chain PREROUTING for Tag"));
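Review bot: getNewChainName now prefixes generated chain names with `getRuleSetName()` taken verbatim, and the new Branch case in decideOnTarget copies `ropt->getStr("branch_name")` straight into `ipt_target`, but nothing in the new code validates these user-chosen rule set names. iptables limits the length of a chain name and the generated text ends up in a shell script, so a name containing whitespace, quotes or shell metacharacters, or one long enough to push `<name>_RULE_<n>_<m>` past the limit, yields a script that fails to load or is parsed differently from what the rule editor showed; the same applies to `assignRuleSetChain` in ipt.cpp, which writes `ruleset->getName()` into `ipt_chain`. One check where the compiler receives the rule set name (setRuleSetName, or registerRuleSetChain for the branch case) that rejects names outside `[A-Za-z0-9_]` and enforces the length limit, aborting with a message as the removed Branching::expandBranch did for a missing branch, would cover all three sites. In setChainForMangle the new comment `/* if direction is "Outbound", chain can never be INPUT, but could be FORWARD */` disagrees with the code under it, which selects `OUTPUT` when the source matches the firewall, and `assert(src)` is evaluated before the `srcrel->isAny()` test and disappears under NDEBUG, so the any/null case should be tested first and handled explicitly rather than by assertion. The enclosing functions of all these hunks start outside the visible lines.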


@ -938,6 +938,15 @@ namespace fwcompiler {
* some of the rules out before we begin actual processing
*/
virtual void addRuleFilter();
/**
* this method registers chain used for the ruleset (most
* often branch rule set). Since rules in the same ruleset do
* not use this chain as target, rule processor
* countChainUsage considers it unused. Registering it makes
* sure its usage counter is > 0.
*/
void registerRuleSetChain(const std::string &chain_name);
void setHaveDynamicInterfaces(bool f) { have_dynamic_interfaces=f; }


@ -66,6 +66,8 @@
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#ifdef HAVE_GETOPT_H
#include <getopt.h>
@ -101,6 +103,8 @@ static bool ipv6_run = true;
FWObjectDatabase *objdb = NULL;
static map<string,RuleSet*> branches;
class UpgradePredicate: public XMLTools::UpgradePredicate
{
public:
@ -135,11 +139,60 @@ string addPrologScript(bool nocomment,const string &script)
return res;
}
string dumpPolicies(bool nocomm, Firewall *fw,
MangleTableCompiler_ipt &m,
NATCompiler_ipt &n,
PolicyCompiler_ipt &c,
bool ipv6_policy)
void assignRuleSetChain(RuleSet *ruleset)
{
string branch_name = ruleset->getName();
for (FWObject::iterator r=ruleset->begin(); r!=ruleset->end(); r++)
{
Rule *rule = Rule::cast(*r);
if (rule->isDisabled()) continue;
//rule->setStr("parent_rule_num", parentRuleNum);
if (branch_name != "Policy" && branch_name != "NAT")
rule->setStr("ipt_chain", branch_name);
rule->setUniqueId( rule->getId() );
}
}
void findBranchesInMangleTable(Firewall *fw, list<FWObject*> &all_policies)
{
// special but common case: if we only have one policy, there is
// no need to check if we have to do branching in mangle table
// since we do not have any branching rules in that case.
if (all_policies.size() > 1)
{
for (list<FWObject*>::iterator i=all_policies.begin();
i!=all_policies.end(); ++i)
{
for (list<FWObject*>::iterator r=(*i)->begin();
r!=(*i)->end(); ++r)
{
PolicyRule *rule = PolicyRule::cast(*r);
FWOptions *ruleopt = rule->getOptionsObject();
if (rule->getAction() == PolicyRule::Branch &&
ruleopt->getBool("ipt_branch_in_mangle"))
{
RuleSet *ruleset = rule->getBranch();
for (list<FWObject*>::iterator br=ruleset->begin();
br!=ruleset->end(); ++br)
{
Rule *b_rule = Rule::cast(*br);
ruleopt = b_rule->getOptionsObject();
ruleopt->setBool("put_in_mangle_table", true);
}
}
}
}
}
}
string dumpScript(bool nocomm, Firewall *fw,
const string& reset_script,
const string& nat_script,
const string& mangle_script,
const string& filter_script,
bool ipv6_policy)
{
ostringstream script;
string prolog_place= fw->getOptionsObject()->getStr("prolog_place");
@ -148,7 +201,7 @@ string dumpPolicies(bool nocomm, Firewall *fw,
{
script << "(" << endl;
script << c.flushAndSetDefaultPolicy();
script << reset_script;
if (prolog_place == "after_flush")
{
@ -156,21 +209,10 @@ string dumpPolicies(bool nocomm, Firewall *fw,
nocomm, fw->getOptionsObject()->getStr("prolog_script"));
}
script << c.getCompiledScript();
script << c.commit();
if (!filter_script.empty()) script << filter_script;
if (!mangle_script.empty()) script << mangle_script;
if (!nat_script.empty()) script << nat_script;
if (m.getCompiledScriptLength()>0)
{
script << m.flushAndSetDefaultPolicy();
script << m.getCompiledScript();
script << m.commit();
}
if (n.getCompiledScriptLength()>0)
{
script << n.flushAndSetDefaultPolicy();
script << n.getCompiledScript();
script << n.commit();
}
script << "#" << endl;
if (ipv6_policy)
script << ") | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$?" << endl;
@ -179,11 +221,7 @@ string dumpPolicies(bool nocomm, Firewall *fw,
} else
{
script << c.flushAndSetDefaultPolicy();
if (m.getCompiledScriptLength()>0)
script << m.flushAndSetDefaultPolicy();
if (n.getCompiledScriptLength()>0)
script << n.flushAndSetDefaultPolicy();
script << reset_script;
if (prolog_place == "after_flush")
{
@ -191,31 +229,22 @@ string dumpPolicies(bool nocomm, Firewall *fw,
nocomm, fw->getOptionsObject()->getStr("prolog_script"));
}
if (n.getCompiledScriptLength()>0)
{
script << n.getCompiledScript();
script << n.commit();
}
if (m.getCompiledScriptLength()>0)
{
script << m.getCompiledScript();
script << m.commit();
}
script << c.getCompiledScript();
script << c.commit();
if (!nat_script.empty()) script << nat_script;
if (!mangle_script.empty()) script << mangle_script;
if (!filter_script.empty()) script << filter_script;
}
return script.str();
}
void usage(const char *name)
{
cout << _("Firewall Builder: policy compiler for Linux 2.4.x and 2.6.x iptables") << endl;
cout << "Firewall Builder: policy compiler for "
"Linux 2.4.x and 2.6.x iptables" << endl;
cout << _("Version ") << VERSION << "-" << RELEASE_NUM << endl;
cout << _("Usage: ") << name << _(" [-x level] [-v] [-V] [-q] [-f filename.xml] [-d destdir] [-m] [-4|-6] firewall_object_name") << endl;
cout << _("Usage: ") << name
<< " [-x level] [-v] [-V] [-q] [-f filename.xml] [-d destdir] "
"[-m] [-4|-6] firewall_object_name" << endl;
}
int main(int argc, char * const *argv)
@ -486,14 +515,20 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
oscnf->prolog();
list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);
list<FWObject*> all_nat = fw->getByType(NAT::TYPENAME);
int policy_rules_count = 0;
int mangle_rules_count = 0;
int nat_rules_count = 0;
int routing_rules_count = 0;
bool have_nat = false;
vector<bool> ipv4_6_runs;
string generated_script;
findBranchesInMangleTable(fw, all_policies);
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
// be generated. If "-6" is used, only ipv6 part will be generated.
@ -522,12 +557,12 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
if (ipv6_policy)
{
generated_script += "\n\n";
generated_script += "#================ IPv6 ================\n";
generated_script += "# ================ IPv6\n";
generated_script += "\n\n";
} else
{
generated_script += "\n\n";
generated_script += "#================ IPv4 ================\n";
generated_script += "# ================ IPv4\n";
generated_script += "\n\n";
}
@ -535,55 +570,144 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
objdb , fwobjectname, ipv6_policy);
prep->compile();
MangleTableCompiler_ipt m(
objdb , fwobjectname, ipv6_policy , oscnf );
m.setDebugLevel( dl );
m.setDebugRule( drp );
m.setVerbose( (bool)(verbose) );
m.setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) m.setTestMode();
ostringstream reset_rules;
ostringstream c_str;
ostringstream m_str;
ostringstream n_str;
if ( (mangle_rules_count=m.prolog()) > 0 )
for (list<FWObject*>::iterator p=all_nat.begin();
p!=all_nat.end(); ++p )
{
m.compile();
m.epilog();
NAT *nat = NAT::cast(*p);
assignRuleSetChain(nat);
string branch_name = nat->getName();
// compile NAT rules before policy rules because policy
// compiler needs to know the number of virtual addresses
// being created for NAT
NATCompiler_ipt n(objdb, fwobjectname, ipv6_policy, oscnf);
n.setSourceRuleSet( nat );
n.setRuleSetName(branch_name);
n.setDebugLevel( dl );
n.setDebugRule( drn );
n.setVerbose( (bool)(verbose) );
n.setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) n.setTestMode();
have_nat = (have_nat || ((nat_rules_count=n.prolog()) > 0));
if ( (nat_rules_count=n.prolog()) > 0 )
{
n.compile();
n.epilog();
}
if (n.getCompiledScriptLength() > 0)
{
n_str << "# ================ Table 'nat', rule set "
<< branch_name << endl;
if (branch_name == "NAT")
n_str << n.flushAndSetDefaultPolicy();
n_str << n.getCompiledScript();
n_str << n.commit();
n_str << endl;
}
}
// compile NAT rules before policy rules because policy
// compiler needs to know the number of virtual addresses
// being created for NAT
NATCompiler_ipt n(objdb, fwobjectname, ipv6_policy, oscnf);
n.setDebugLevel( dl );
n.setDebugRule( drn );
n.setVerbose( (bool)(verbose) );
n.setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) n.setTestMode();
if ( (nat_rules_count=n.prolog()) > 0 )
for (list<FWObject*>::iterator p=all_policies.begin();
p!=all_policies.end(); ++p )
{
oscnf->generateCodeForProtocolHandlers(true);
n.compile();
n.epilog();
} else
oscnf->generateCodeForProtocolHandlers(false);
Policy *policy = Policy::cast(*p);
assignRuleSetChain(policy);
string branch_name = policy->getName();
PolicyCompiler_ipt c(objdb, fwobjectname, ipv6_policy, oscnf);
MangleTableCompiler_ipt m(
objdb , fwobjectname, ipv6_policy , oscnf );
c.setDebugLevel( dl );
c.setDebugRule( drp );
c.setVerbose( (bool)(verbose) );
c.setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) c.setTestMode();
if (branch_name != "Policy")
m.registerRuleSetChain(branch_name);
m.setSourceRuleSet( policy );
m.setRuleSetName(branch_name);
m.setDebugLevel( dl );
m.setDebugRule( drp );
m.setVerbose( (bool)(verbose) );
m.setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) m.setTestMode();
if ( (mangle_rules_count=m.prolog()) > 0 )
{
m.compile();
m.epilog();
if (m.getCompiledScriptLength() > 0)
{
if (branch_name == "Policy")
{
m_str
<< "# ================ Table 'mangle', automatic rules"
<< endl;
m_str << m.flushAndSetDefaultPolicy();
}
m_str << "# ================ Table 'mangle', rule set "
<< branch_name << endl;
m_str << m.getCompiledScript();
m_str << m.commit();
m_str << endl;
}
}
PolicyCompiler_ipt c(objdb, fwobjectname, ipv6_policy, oscnf);
if (branch_name != "Policy")
c.registerRuleSetChain(branch_name);
c.setSourceRuleSet( policy );
c.setRuleSetName(branch_name);
c.setDebugLevel( dl );
c.setDebugRule( drp );
c.setVerbose( (bool)(verbose) );
c.setHaveDynamicInterfaces(have_dynamic_interfaces);
if (test_mode) c.setTestMode();
if ( (policy_rules_count=c.prolog()) > 0 )
{
c.compile();
c.epilog();
if (c.getCompiledScriptLength() > 0)
{
c_str << "# ================ Table 'filter', rule set "
<< branch_name << endl;
c_str << c.getCompiledScript();
c_str << c.commit();
c_str << endl;
}
}
if (branch_name == "Policy")
{
reset_rules
<< "# ================ Table 'filter', automatic rules"
<< endl;
reset_rules << c.flushAndSetDefaultPolicy();
}
if ( (policy_rules_count=c.prolog()) > 0 )
{
c.compile();
c.epilog();
}
generated_script += dumpPolicies(nocomm, fw, m, n, c, ipv6_policy);
generated_script += dumpScript(nocomm, fw,
reset_rules.str(),
n_str.str(),
m_str.str(),
c_str.str(),
ipv6_policy);
}
RoutingCompiler_ipt r( objdb , fwobjectname , false, oscnf );
@ -599,6 +723,8 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
r.epilog();
}
oscnf->generateCodeForProtocolHandlers(have_nat);
oscnf->printChecksForRunTimeMultiAddress();
oscnf->processFirewallOptions();
oscnf->configureInterfaces();
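Review bot: In the non-restore branch of dumpScript the mangle and nat tables are no longer flushed before the `after_flush` prolog is emitted: `reset_script` is filled only from `c.flushAndSetDefaultPolicy()` (the filter table, "Policy" rule set), while `m.flushAndSetDefaultPolicy()` and `n.flushAndSetDefaultPolicy()` now sit inside `mangle_script` and `nat_script`, which are written after the prolog, so a prolog that adds nat or mangle rules will have them wiped by the flush that follows. The removed code flushed all three tables before the prolog; either append the mangle and nat flush output to `reset_rules` as well, or document the new ordering next to the `prolog_place == "after_flush"` check so users of that option are not surprised. Separately, findBranchesInMangleTable dereferences `rule->getBranch()` with no null check although the removed Branching::expandBranch aborted with a message when the branch was missing, and unlike assignRuleSetChain it does not skip disabled rules; `if (ruleset == NULL) continue;` after the `getBranch()` call, or the same abort message, would close the crash path. In the NAT loop `n.prolog()` appears twice, once inside the `have_nat` expression and again in the following `if`; if both lines survive on the new side, `int nat_count = n.prolog(); have_nat = have_nat || nat_count > 0; if (nat_count > 0)` runs prolog once per rule set. The enclosing main() starts and ends outside the hunk.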


@ -450,6 +450,11 @@ int main(int argc, char * const *argv)
generated_script += "\n\n";
generated_script += "#================ IPv6 ================\n";
generated_script += "\n\n";
} else
{
generated_script += "\n\n";
generated_script += "#================ IPv4 ================\n";
generated_script += "\n\n";
}
TableFactory *table_factory = new TableFactory();
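Review bot: The section headers added here, `"#================ IPv6 ================\n"` and its IPv4 counterpart, use the format that ipt.cpp drops in this same commit in favour of `"# ================ IPv6\n"`, and the regression test script is being extended with `-I '===='` to ignore exactly these lines, so the two compilers should agree on one form. Adopting the ipt.cpp form here keeps the generated scripts uniform across platforms. main() continues outside the hunk.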


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="6" lastModified="1178590930" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="7" lastModified="1178590930" id="root">
<Library color="#d4f8ff" comment="Standard objects" id="syslib000" name="Standard" ro="True">
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService comment="Any IP Service" id="sysid1" name="Any" protocol_num="0"/>


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="6" lastModified="1184450093" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="7" lastModified="1184450093" id="root">
<Library color="#d4f8ff" comment="Standard objects" id="syslib000" name="Standard" ro="False">
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService comment="Any IP Service" id="sysid1" name="Any" protocol_num="0"/>



@ -2,7 +2,7 @@
$XMLFILE=@ARGV[0];
$DIFFCMD="diff -C 1 -c -b -B -I \"# Generated\" -I 'Activating ' -I '# Firewall Builder fwb_ipt v' -I 'Can not find file' ";
$DIFFCMD="diff -C 1 -c -b -B -I \"# Generated\" -I 'Activating ' -I '# Firewall Builder fwb_ipt v' -I 'Can not find file' -I '====' -I 'log '";
while (<>) {
$str=$_;


@ -10,7 +10,7 @@ while (<>) {
$fw=$1;
printf "\n";
printf "echo '***** $fw'\n";
printf "fwb_ipt -v -f $XMLFILE $fw\n";
printf "fwb_ipt -4 -v -f $XMLFILE $fw\n";
$str=~ s/^.*<Firewall [^>]+name="$fw"[^>]+>//;
}
}