
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):

fixed #1523 "outbound ipv6 rule matching multicast ipv6 destination
is not generated". The rule with network object fe80::/10 in source
and ipv6 multicast ff00::/8 in destination did not produce the corresponding
ip6tables command. The change affects other cases with rules using
broadcast or multicast objects that should be considered matching
the firewall object.
Vadim Kurland 2010-06-17 23:58:17 +00:00
parent 5442fd5708
commit 1ee9ca248d
4 changed files with 607 additions and 24 deletions


@ -1 +1 @@
#define BUILD_NUM 3005
#define BUILD_NUM 3007


@ -1,3 +1,13 @@
2010-06-17 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (specialCaseWithFWInDstAndOutbound::processNext):
fixed #1523 "outbound ipv6 rule matching multicast ipv6 destination
is not generated". The rule with network object fe80::/10 in source
and ipv6 muticast ff00::/8 in destination did not produce correspondign
ip6tables command. The change affects other cases with rules using
broadcast or multicast objects that should be considered matching
the firewall object.
2010-06-17 Roman Bovsunivkiy <a2k0001@gmail.com>
* RuleSetView.cpp: fixed SF bug 3016680 "Vertical scrollbar issue"


@ -53,6 +53,7 @@
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/ObjectMatcher.h"
#include "combinedAddress.h"
@ -2557,6 +2558,7 @@ bool PolicyCompiler_ipt::specialCaseWithFW1::processNext()
bool PolicyCompiler_ipt::specialCaseWithFWInDstAndOutbound::processNext()
{
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Interface *itf = compiler->getFirstItf(rule);
@ -2600,14 +2602,41 @@ bool PolicyCompiler_ipt::specialCaseWithFWInDstAndOutbound::processNext()
return true;
}
if (!compiler->complexMatch(src,compiler->fw) &&
compiler->complexMatch(dst,compiler->fw))
{
// skipping the rule
;
} else
tmp_queue.push_back(rule);
FWOptions *ruleopt = rule->getOptionsObject();
bool rule_afpa = ruleopt->getBool("firewall_is_part_of_any_and_networks");
bool src_matches = compiler->complexMatch(src, compiler->fw);
bool dst_matches = compiler->complexMatch(dst, compiler->fw);
// if "assume fw is part of any and networks" is turned off,
// do not consider network objects matching. Except when such
// network has netmask 255.255.255.255 and defines just a
// single address
if ((src->isAny() || Network::isA(src) || NetworkIPv6::isA(src)) &&
!rule_afpa && ! src->getNetmaskPtr()->isHostMask()) src_matches = false;
if ((dst->isAny() || Network::isA(dst) || NetworkIPv6::isA(dst)) &&
!rule_afpa && ! dst->getNetmaskPtr()->isHostMask()) dst_matches = false;
// there is still one case that this rule processor catches
// and drop the rule, but I am not sure if it is right thing
// to do. This is when src=some address on the subnet fw
// intrface is on, but not the address of the firewall,
// dst=broadcast or multicast, "assume fw is part of any" is
// turned on, the firewall is not a bridge. A rule like this
// passes all checks above and gets dropped by this rule
// processor. It is hard ot say what should we really do in
// this case.
if (!src_matches && dst_matches)
{
// src does not match, dst matches: skipping the rule
return true;
}
tmp_queue.push_back(rule);
return true;
}
@ -4359,13 +4388,6 @@ void PolicyCompiler_ipt::compile()
add( new splitIfSrcMatchesFw("split rule if src matches FW"));
add( new splitIfDstMatchesFw("split rule if dst matches FW"));
/* at this point in all rules where firewall is in either src or
* dst, firewall is a single object in that rule element. Other
* rule elements may contain multiple objects yet
*/
add( new specialCaseWithFWInDstAndOutbound(
"Drop rules in FORWARD chain with non-empty interface and dir Outbound"));
add( new specialCaseWithFW1( "special case with firewall" ) );
add( new decideOnChainIfDstFW( "decide on chain if Dst has fw" ) );
@ -4419,6 +4441,14 @@ void PolicyCompiler_ipt::compile()
add( new finalizeChain( "decide on chain" ) );
/*****************************************************************/
/* at this point in all rules where firewall is in either src or
* dst, firewall is a single object in that rule element. Other
* rule elements may contain multiple objects yet
*/
add( new specialCaseWithFWInDstAndOutbound(
"Drop rules in FORWARD chain with non-empty interface and dir Outbound"));
add( new decideOnTarget( "decide on target" ) );
add( new checkForRestoreMarkInOutput(
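Review bot: The early return under `if (!src_matches && dst_matches)` in specialCaseWithFWInDstAndOutbound::processNext() discards the policy rule with no diagnostic, and the comment directly above it says the author is not sure that dropping is right when src is a non-firewall address on the interface subnet and dst is broadcast or multicast. In a firewall compiler a silently omitted Accept rule leaves the generated ip6tables script narrower than the policy the administrator wrote, with nothing in the compile output to show why. I would report the drop through the compiler's warning path before `return true;` and mark the open question in the comment, e.g. `// TODO(#1523): src on fw subnet but not fw itself, dst broadcast/multicast, afpa on: rule is dropped here; confirm this is intended`. `src` and `dst` are assigned in the part of the function between the two hunks, so whether `getNetmaskPtr()` can be reached with a null pointer cannot be checked from this page.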


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1276701134" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1276800877" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -3565,6 +3565,7 @@
<IPv4 id="id55275X40565" name="gw_201" comment="" ro="False" address="192.168.201.200" netmask="0.0.0.0"/>
<IPv4 id="id55295X40565" name="gw_202" comment="" ro="False" address="192.168.202.200" netmask="0.0.0.0"/>
<IPv4 id="id55476X84465" name="fw35_dyn_intf_broadcast" comment="this address represents broadcast on the subnet where dynamic interface eth0.100 of fw35 is located" ro="False" address="192.168.222.255" netmask="0.0.0.0"/>
<IPv6 id="id3110516X16199" name="addr on fw-ipv6-8 local net" comment="this address belongs to the subnet of interface eth0 of firewall-ipv6-8" ro="False" address="fe80::21d:9ff:fe8b:aaaa" netmask="128"/>
</ObjectGroup>
<ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
<ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
@ -51737,7 +51738,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id654160X7324" host_OS="linux24" inactive="False" lastCompiled="1272404272" lastInstalled="0" lastModified="1276701453" platform="iptables" version="1.4.0" name="firewall-ipv6-8" comment="matching multicast with different directions" ro="False">
<Firewall id="id654160X7324" host_OS="linux24" inactive="False" lastCompiled="1272404272" lastInstalled="0" lastModified="1276815782" platform="iptables" version="1.4.0" name="firewall-ipv6-8" comment="matching multicast with different directions" ro="False">
<NAT id="id654194X7324" name="NAT" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -51747,7 +51748,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
</RuleSetOptions>
</Policy>
<Policy id="id1825747X7324" name="Policy_v6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
<PolicyRule id="id4536389X7324" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="">
<PolicyRule id="id4536389X7324" disabled="False" group="fw is part of any and networks is OFF" log="False" position="0" action="Accept" direction="Both" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id2383X75851"/>
</Src>
@ -51765,7 +51766,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C08B5A</Option>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
@ -51793,7 +51794,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4536436X7324" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="">
<PolicyRule id="id395092X14549" disabled="False" group="fw is part of any and networks is OFF" log="False" position="1" action="Accept" direction="Inbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id2383X75851"/>
</Src>
@ -51810,10 +51811,11 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
@ -51837,7 +51839,548 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1825823X7324" disabled="False" log="False" position="2" action="Branch" direction="Both" comment="">
<PolicyRule id="id4536436X7324" disabled="False" group="fw is part of any and networks is OFF" log="False" position="2" action="Accept" direction="Outbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id2383X75851"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3110548X16199" disabled="False" group="fw is part of any and networks is OFF" log="False" position="3" action="Accept" direction="Outbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id3110516X16199"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2091305X16199" disabled="False" group="fw is part of any and networks is OFF" log="False" position="4" action="Accept" direction="Outbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id654160X7324"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2091259X16199" disabled="False" group="fw is part of any and networks is OFF" log="False" position="5" action="Accept" direction="Outbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id654168X7324"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1751929X16199" disabled="False" group="fw is part of any and networks is OFF" log="False" position="6" action="Accept" direction="Outbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id654173X7324"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2095965X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="7" action="Accept" direction="Both" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id2383X75851"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2383X75851"/>
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">1</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2096012X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="8" action="Accept" direction="Inbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id2383X75851"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">1</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2096058X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="9" action="Accept" direction="Outbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id2383X75851"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">1</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2096104X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="10" action="Accept" direction="Outbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id3110516X16199"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">1</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2096150X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="11" action="Accept" direction="Outbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id654160X7324"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">1</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2096196X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="12" action="Accept" direction="Outbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id654168X7324"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">1</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2096242X26084" disabled="False" group="fw is part of any and networks is ON" log="False" position="13" action="Accept" direction="Outbound" comment="see #1523">
<Src neg="False">
<ObjectRef ref="id654173X7324"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2685X75851"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id654168X7324"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">1</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1825823X7324" disabled="False" log="False" position="14" action="Branch" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -51880,7 +52423,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2164144X7324" disabled="False" group="" log="False" position="3" action="Branch" direction="Both" comment="">
<PolicyRule id="id2164144X7324" disabled="False" group="" log="False" position="15" action="Branch" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -52051,7 +52594,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">True</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="clear_unknown_interfaces">False</Option>