onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-18 17:27:20 +01:00
Code Issues Releases Wiki Activity

commiting merge

Browse Source
This commit is contained in:
Vadim Kurland 2011-03-12 14:53:12 -08:00
commit 247d4efd61
367 changed files with 3023 additions and 2030 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION
View File

@ -7,7 +7,7 @@ FWB_MICRO_VERSION=0
# build number is like "nano" version number. I am incrementing build
# number during development cycle
#
BUILD_NUM="3498"
BUILD_NUM="3499"
VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"

2
VERSION.h
View File

@ -1,2 +1,2 @@
#define VERSION "4.2.0.3498"
#define VERSION "4.2.0.3499"
#define GENERATION "4.2"

14
doc/ChangeLog
View File

@ -1,3 +1,17 @@
2011-03-11 vadim <vadim@netcitadel.com>
* FWObject.cpp (add): fixes #2209 "do not allow the same object to
be child of different objects in the tree". Method FWObject::add()
enforces this. Subsequent clean-up and fixes in many places to
follow this logic. This makes code much cleaner, better organized
and more reliable.
2011-03-10 vadim <vadim@netcitadel.com>
* libfwbuilder/src/fwcompiler/Compiler.cpp (Compiler): see #2207
fixed memory leak in policy compilers. The impact of this leak was
especially severe on Windows with very large object databases.
2011-03-08 vadim <vadim@netcitadel.com>
* CustomServiceDialog.cpp (loadFWObject): fixes #2201 "Some fields

2
packaging/fwbuilder-static-qt.spec
View File

@ -3,7 +3,7 @@
%define name fwbuilder
%define version 4.2.0.3498
%define version 4.2.0.3499
%define release 1
%if "%_vendor" == "MandrakeSoft"

2
packaging/fwbuilder.control
View File

@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
Priority: extra
Section: checkinstall
Maintainer: vadim@fwbuilder.org
Version: 4.2.0.3498-1
Version: 4.2.0.3499-1
Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
Description: Firewall Builder GUI and policy compilers

2
packaging/fwbuilder.spec
View File

@ -1,6 +1,6 @@
%define name fwbuilder
%define version 4.2.0.3498
%define version 4.2.0.3499
%define release 1
%if "%_vendor" == "MandrakeSoft"

7
src/cisco_lib/BaseObjectGroup.h
View File

@ -36,11 +36,12 @@
#include <QString>
namespace fwcompiler {
namespace fwcompiler
{
class NamedObjectsManager;
class BaseObjectGroup : public libfwbuilder::Group {
class BaseObjectGroup : public libfwbuilder::Group
{
public:
typedef enum { UNKNOWN,

54
src/cisco_lib/CompilerDriver_iosacl_run.cpp
View File

@ -44,28 +44,22 @@
#include "NamedObjectsAndGroupsSupport.h"
#include "NamedObjectsManagerIOS.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwcompiler/Preprocessor.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/XMLTools.h"
#include "fwcompiler/Preprocessor.h"
#include <QStringList>
#include <QFileInfo>
@ -125,13 +119,9 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = NULL;
Firewall *fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);
try
{
@ -187,12 +177,19 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);
// assign unique rule ids that later will be used to generate
// chain names. This should be done after calls to
// findImportedRuleSets()
// NB: these ids are not used by this compiler
assignUniqueRuleIds(all_policies);
vector<int> ipv4_6_runs;
if (!single_rule_compile_on)
system_configuration_script = safetyNetInstall(fw);
NamedObjectsManagerIOS named_objects_manager(fw);
NamedObjectsManagerIOS named_objects_manager(persistent_objects, fw);
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
@ -250,6 +247,7 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
c.setNamedObjectsManager(&named_objects_manager);
c.setSourceRuleSet( policy );
c.setRuleSetName(policy->getName());
c.setPersistentObjects(persistent_objects);
c.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) c.setTestMode();
@ -284,7 +282,7 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
}
policy_script += c.getCompiledScript();
clear_commands += c.printClearCommands();
named_objects_manager.saveObjectGroups();
//named_objects_manager.saveObjectGroups();
} else
info(" Nothing to compile in Policy");
@ -301,6 +299,7 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
r.setNamedObjectsManager(&named_objects_manager);
r.setSourceRuleSet(routing);
r.setRuleSetName(routing->getName());
r.setPersistentObjects(persistent_objects);
r.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) r.setTestMode();
@ -325,6 +324,13 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
}
}
/*
* compilers detach persistent objects when they finish, this
* means at this point library persistent_objects is not part
* of any object tree.
*/
objdb->reparent(persistent_objects);
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());

63
src/cisco_lib/CompilerDriver_pix_run.cpp
View File

@ -48,27 +48,24 @@
#include "Helper.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwcompiler/Preprocessor.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/XMLTools.h"
#include "fwcompiler/Preprocessor.h"
#include <QStringList>
#include <QFileInfo>
@ -168,11 +165,9 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = NULL;
Firewall *fw = Firewall::cast(objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);
// Copy rules from the cluster object
populateClusterElements(cluster, fw);
@ -297,7 +292,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
copies_of_cluster_interfaces.pop_front();
}
NamedObjectsManagerPIX named_objects_manager(fw);
NamedObjectsManagerPIX named_objects_manager(persistent_objects, fw);
all_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
@ -389,9 +384,12 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
RuleSet *nat = RuleSet::cast(fw->getFirstByType(NAT::TYPENAME));
if (nat)
{
nat->assignUniqueRuleIds();
n->setNamedObjectsManager(&named_objects_manager);
n->setSourceRuleSet(nat);
n->setRuleSetName(nat->getName());
n->setPersistentObjects(persistent_objects);
if (inTestMode()) n->setTestMode();
if (inEmbeddedMode()) n->setEmbeddedMode();
@ -410,7 +408,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
named_objects_manager.haveNamedObjects());
have_object_groups = (have_object_groups ||
named_objects_manager.haveObjectGroups());
named_objects_manager.saveObjectGroups();
//named_objects_manager.saveObjectGroups();
} else
info(" Nothing to compile in NAT");
}
@ -421,9 +419,12 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
RuleSet *policy = RuleSet::cast(fw->getFirstByType(Policy::TYPENAME));
if (policy)
{
policy->assignUniqueRuleIds();
c->setNamedObjectsManager(&named_objects_manager);
c->setSourceRuleSet(policy);
c->setRuleSetName(policy->getName());
c->setPersistentObjects(persistent_objects);
if (inTestMode()) c->setTestMode();
if (inEmbeddedMode()) c->setEmbeddedMode();
@ -442,7 +443,7 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
named_objects_manager.haveNamedObjects());
have_object_groups = (have_object_groups ||
named_objects_manager.haveObjectGroups());
named_objects_manager.saveObjectGroups();
//named_objects_manager.saveObjectGroups();
} else
info(" Nothing to compile in Policy");
}
@ -453,10 +454,13 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
RuleSet *routing = RuleSet::cast(fw->getFirstByType(Routing::TYPENAME));
if (routing)
{
routing->assignUniqueRuleIds();
r->setNamedObjectsManager(&named_objects_manager);
r->setSourceRuleSet(routing);
r->setRuleSetName(routing->getName());
r->setPersistentObjects(persistent_objects);
if (inTestMode()) r->setTestMode();
if (inEmbeddedMode()) r->setEmbeddedMode();
r->setSingleRuleCompileMode(single_rule_id);
@ -472,6 +476,13 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
info(" Nothing to compile in Routing");
}
/*
* compilers detach persistent objects when they finish, this
* means at this point library persistent_objects is not part
* of any object tree.
*/
objdb->reparent(persistent_objects);
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());

54
src/cisco_lib/CompilerDriver_procurve_acl_run.cpp
View File

@ -44,28 +44,22 @@
#include "NamedObjectsAndGroupsSupport.h"
#include "NamedObjectsManagerIOS.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwcompiler/Preprocessor.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/XMLTools.h"
#include "fwcompiler/Preprocessor.h"
#include <QStringList>
#include <QFileInfo>
@ -121,13 +115,9 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = NULL;
Firewall *fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);
try
{
@ -175,12 +165,19 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);
// assign unique rule ids that later will be used to generate
// chain names. This should be done after calls to
// findImportedRuleSets()
// NB: these ids are not used by this compiler
assignUniqueRuleIds(all_policies);
vector<int> ipv4_6_runs;
if (!single_rule_compile_on)
system_configuration_script = safetyNetInstall(fw);
NamedObjectsManagerIOS named_objects_manager(fw);
NamedObjectsManagerIOS named_objects_manager(persistent_objects, fw);
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
@ -238,6 +235,7 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
c.setNamedObjectsManager(&named_objects_manager);
c.setSourceRuleSet( policy );
c.setRuleSetName(policy->getName());
c.setPersistentObjects(persistent_objects);
c.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) c.setTestMode();
@ -272,7 +270,7 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
}
policy_script += c.getCompiledScript();
clear_commands += c.printClearCommands();
named_objects_manager.saveObjectGroups();
//named_objects_manager.saveObjectGroups();
} else
info(" Nothing to compile in Policy");
@ -289,6 +287,7 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
r.setNamedObjectsManager(&named_objects_manager);
r.setSourceRuleSet(routing);
r.setRuleSetName(routing->getName());
r.setPersistentObjects(persistent_objects);
r.setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) r.setTestMode();
@ -313,6 +312,13 @@ QString CompilerDriver_procurve_acl::run(const std::string &cluster_id,
}
}
/*
* compilers detach persistent objects when they finish, this
* means at this point library persistent_objects is not part
* of any object tree.
*/
objdb->reparent(persistent_objects);
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());

53
src/cisco_lib/NATCompiler_pix.cpp
View File

@ -29,22 +29,23 @@
#include "NamedObjectsAndGroupsSupport.h"
#include "NamedObjectsManager.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/InetAddr.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include <algorithm>
#include <functional>
@ -92,8 +93,6 @@ NATCompiler_pix::~NATCompiler_pix()
static_commands.clear();
nonat_rules.clear();
first_nonat_rule_id.clear();
if (final_ruleset != NULL) delete final_ruleset;
}
bool StaticCmd::operator==(const StaticCmd &other)
@ -230,8 +229,10 @@ int NATCompiler_pix::prolog()
{
global_pool_no = 1;
final_ruleset = new NAT();
fw->add( final_ruleset );
NAT *final_ruleset = new NAT();
final_ruleset->setName("Final NAT Rule Set");
persistent_objects->add( final_ruleset );
final_ruleset_id = final_ruleset->getId();
return NATCompiler::prolog();
}
@ -308,13 +309,30 @@ string NATCompiler_pix::debugPrintRule(Rule *r)
os.str();
}
/*
* store final nat rules in final rule set object in
* persistent_obejcts. Note that we can't add the same rules since an
* object can not be placed in two different places in the tree, so we
* have to add copies.
*/
bool NATCompiler_pix::storeProcessedRules::processNext()
{
NATCompiler_pix *pix_comp=dynamic_cast<NATCompiler_pix*>(compiler);
NATRule *rule=getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
NATCompiler_pix *pix_comp = dynamic_cast<NATCompiler_pix*>(compiler);
pix_comp->final_ruleset->add(rule);
FWObject *final_ruleset = compiler->persistent_objects->getRoot()->findInIndex(
pix_comp->final_ruleset_id);
slurp();
if (tmp_queue.size()==0) return false;
for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k)
{
NATRule *rule = NATRule::cast( *k );
NATRule *r = compiler->dbcopy->createNATRule();
final_ruleset->add(r);
r->duplicate(rule);
}
return true;
}
@ -1389,6 +1407,5 @@ class MergeConflictRes : public FWObjectDatabase::ConflictResolutionPredicate
void NATCompiler_pix::setNamedObjectsManager(NamedObjectsManager *mgr)
{
named_objects_manager = mgr;
mgr->setWorkingObjectTree(dbcopy);
}

5
src/cisco_lib/NATCompiler_pix.h
View File

@ -112,8 +112,7 @@ namespace fwcompiler
// first: interface->getId(), second: rule->getId()
std::map<int,int> first_nonat_rule_id;
libfwbuilder::RuleSet *final_ruleset;
int final_ruleset_id;
std::string debugPrintRule(libfwbuilder::Rule *r);
@ -507,7 +506,7 @@ namespace fwcompiler
virtual std::string printClearCommands();
/**
* scans all rules in combined_ruleset and finds rules (if
* scans all rules in source_ruleset and finds rules (if
* any) that define DNAT translation for a combination of
* src,dst and srv where src matches OSrc, srv matches OSrv
* and dst matches rule element defined by argument

12
src/cisco_lib/NATCompiler_pix_find_translations.cpp
View File

@ -23,13 +23,14 @@
#include "NATCompiler_pix.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/InetAddr.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/RuleSet.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/RuleSet.h"
#include <sstream>
@ -79,8 +80,9 @@ list<NATRule*> NATCompiler_pix::findMatchingDNATRules(
list<NATRule*> res;
map<string,NATRule*> res_dict;
for (FWObject::iterator i=final_ruleset->begin();
i!=final_ruleset->end(); ++i)
FWObject *final_ruleset = persistent_objects->getRoot()->findInIndex(final_ruleset_id);
for (FWObject::iterator i=final_ruleset->begin(); i!=final_ruleset->end(); ++i)
{
NATRule *rule = NATRule::cast(*i);
if (rule == NULL) continue; // skip RuleSetOptions object

3
src/cisco_lib/NamedObject.h
View File

@ -30,7 +30,8 @@
#include <QSet>
namespace fwcompiler {
namespace fwcompiler
{
class NamedObject
{

4
src/cisco_lib/NamedObjectsAndGroupsSupport.cpp
View File

@ -77,7 +77,7 @@ BaseObjectGroup* CreateObjectGroups::findObjectGroup(RuleElement *re)
for (FWObject::iterator i1=re->begin(); i1!=re->end(); ++i1)
relement.push_back(FWReference::getObject(*i1));
FWObject *object_groups = named_objects_manager->getObjectGroupsGroupInWorkTree();
FWObject *object_groups = named_objects_manager->getObjectGroupsGroup();
for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i)
{
BaseObjectGroup *og = dynamic_cast<BaseObjectGroup*>(*i);
@ -118,7 +118,7 @@ bool CreateObjectGroups::processNext()
if (obj_group==NULL)
{
obj_group = named_objects_manager->createObjectGroup();
named_objects_manager->getObjectGroupsGroupInWorkTree()->add(obj_group);
named_objects_manager->getObjectGroupsGroup()->add(obj_group);
packObjects(re, obj_group);

86
src/cisco_lib/NamedObjectsManager.cpp
View File

@ -30,21 +30,22 @@
#include "ASA8ObjectGroup.h"
#include "IOSObjectGroup.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwcompiler/Compiler.h"
@ -84,15 +85,17 @@ FWObject* create_ASA8ObjectGroup(int id)
return nobj;
}
NamedObjectsManager::NamedObjectsManager(const Firewall *fw)
NamedObjectsManager::NamedObjectsManager(Library *persistent_objects,
const Firewall *fw)
{
version = fw->getStr("version");
platform = fw->getStr("platform");
object_groups_tree = new FWObjectDatabase();
this->persistent_objects = persistent_objects;
Group *object_groups = new Group();
object_groups->setName("Object Groups");
object_groups_tree->add( object_groups );
persistent_objects->add( object_groups );
object_groups_group_id = FWObjectDatabase::getStringId(object_groups->getId());
BaseObjectGroup::name_disambiguation.clear();
@ -136,7 +139,7 @@ bool NamedObjectsManager::haveNamedObjects()
bool NamedObjectsManager::haveObjectGroups()
{
FWObject *object_groups = object_groups_tree->findInIndex(
FWObject *object_groups = persistent_objects->getRoot()->findInIndex(
FWObjectDatabase::getIntId(object_groups_group_id));
return (object_groups->size() > 0);
}
@ -153,7 +156,7 @@ string NamedObjectsManager::getNamedObjectsDefinitions()
output << nobj->getCommand();
}
FWObject *object_groups = object_groups_tree->findInIndex(
FWObject *object_groups = persistent_objects->getRoot()->findInIndex(
FWObjectDatabase::getIntId(object_groups_group_id));
for (FWObject::iterator i=object_groups->begin();
@ -185,58 +188,15 @@ BaseObjectGroup* NamedObjectsManager::createObjectGroup()
}
if (platform == "iosacl") grp = new IOSObjectGroup();
assert(grp!=NULL);
grp->init(work_db);
return grp;
}
void NamedObjectsManager::setWorkingObjectTree(FWObjectDatabase *dbcopy)
Group* NamedObjectsManager::getObjectGroupsGroup()
{
FWObjectDatabase::ConflictResolutionPredicate merge_predicate;
dbcopy->merge(object_groups_tree, &merge_predicate);
work_db = dbcopy;
}
/*
* copy group that holds new object groups from the working tree, that
* belongs to the compiler to our own tree in object_groups_tree. We
* simply add group object to object_groups_tree (this changes its
* parent AND BREAKS OBJECT TREE IT USED TO BELONG TO). We have to
* scan all groups inside of it and create copies of objects they
* reference. We add copies of these objects right into the root of
* object_groups_tree.
*/
void NamedObjectsManager::saveObjectGroups()
{
object_groups_tree->clearChildren();
FWObject *work_object_groups = getObjectGroupsGroupInWorkTree(); // finds it in work_db
// move from work tree to object_groups_tree
object_groups_tree->add(work_object_groups);
for (FWObject::iterator i=work_object_groups->begin();
i!=work_object_groups->end(); ++i)
{
FWObject *grp = *i;
grp->setRoot(object_groups_tree);
for (FWObject::iterator i1=grp->begin(); i1!=grp->end(); ++i1)
{
FWObject *obj = FWReference::getObject(*i1);
object_groups_tree->add(obj);
obj->setRoot(object_groups_tree);
(*i1)->setRoot(object_groups_tree);
}
}
object_groups_tree->addToIndexRecursive(work_object_groups);
//object_groups_tree->dump(true, true);
}
Group* NamedObjectsManager::getObjectGroupsGroupInWorkTree()
{
return Group::cast(work_db->findInIndex(
return Group::cast(persistent_objects->getRoot()->findInIndex(
FWObjectDatabase::getIntId(object_groups_group_id)));
}

56
src/cisco_lib/NamedObjectsManager.h
View File

@ -28,10 +28,12 @@
#include "BaseObjectGroup.h"
#include "fwbuilder/Group.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
namespace libfwbuilder
{
class Group;
class Firewall;
class Library;
};
namespace fwcompiler
{
@ -45,31 +47,14 @@ protected:
// command object-group
std::string object_groups_group_id;
/*
* This is a storage object tree. Method saveObjectGroups()
* copies object groups objects created during compiler pass
* in the working tree work_db to this tree. There should be
* no access to the storage tree from outside, it should only
* be used by methods of this class that generate commands for
* object groups definitions or "clear" commands.
*/
libfwbuilder::FWObjectDatabase *object_groups_tree;
/*
* This is a working object tree. When compilers need to
* interact with named object manager, they should use this
* object tree. Access to the group that holds created object
* groups is provided by method
* getObjectGroupsGroupInWorkTree() that finds it in the
* working tree
*/
libfwbuilder::FWObjectDatabase *work_db;
libfwbuilder::Library *persistent_objects;
public:
std::map<int, NamedObject*> named_objects;
std::map<int, NamedObject*> named_objects;
NamedObjectsManager(const libfwbuilder::Firewall *_fw);
NamedObjectsManager(libfwbuilder::Library *persistent_objects,
const libfwbuilder::Firewall *_fw);
virtual ~NamedObjectsManager();
void addNamedObject(const libfwbuilder::FWObject *obj);
NamedObject* getNamedObject(const libfwbuilder::FWObject *obj);
@ -81,26 +66,7 @@ public:
bool haveObjectGroups();
BaseObjectGroup* createObjectGroup();
libfwbuilder::Group* getObjectGroupsGroupInWorkTree();
void setWorkingObjectTree(libfwbuilder::FWObjectDatabase *dbcopy);
/*
* saveObjectGroups() moves group that holds all newly created
* object groups from the object database used by the compiler
* (referenced by work_db) to object_groups_tree. Note that we
* just simply re-parent group object which breaks all
* references to it from rules in work_db. Call this from the
* run() function only at the point where compiler's copy of
* the object tree is not needed anymore. Good moment is right
* after the call to epilog().
*
* Again, THIS METHOD BREAKS OBJECT TREE inside policy
* compiler this instance of NamedObjectsManager works with
* (they get associated by the call to method setNamedObjectsManager()
* of the compiler)
*/
void saveObjectGroups();
libfwbuilder::Group* getObjectGroupsGroup();
};

5
src/cisco_lib/NamedObjectsManagerASA8.h
View File

@ -36,8 +36,9 @@ namespace fwcompiler
{
public:
NamedObjectsManagerASA8(const libfwbuilder::Firewall *fw) :
NamedObjectsManagerPIX(fw) {}
NamedObjectsManagerASA8(libfwbuilder::Library *persistent_objects,
const libfwbuilder::Firewall *fw) :
NamedObjectsManagerPIX(persistent_objects, fw) {}
virtual ~NamedObjectsManagerASA8() {};
};
}

10
src/cisco_lib/NamedObjectsManagerIOS.cpp
View File

@ -27,6 +27,9 @@
#include "NamedObject.h"
#include "BaseObjectGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Library.h"
#include <sstream>
#include <assert.h>
@ -36,8 +39,8 @@ using namespace fwcompiler;
using namespace std;
NamedObjectsManagerIOS::NamedObjectsManagerIOS(const Firewall *fw) :
NamedObjectsManager(fw)
NamedObjectsManagerIOS::NamedObjectsManagerIOS(Library *po, const Firewall *fw) :
NamedObjectsManager(po, fw)
{
}
@ -49,8 +52,7 @@ string NamedObjectsManagerIOS::getClearCommands()
{
ostringstream output;
FWObject *object_groups = object_groups_tree->findInIndex(
FWObjectDatabase::getIntId(object_groups_group_id));
FWObject *object_groups = getObjectGroupsGroup();
for (FWObject::iterator i=object_groups->begin(); i!=object_groups->end(); ++i)
{

10
src/cisco_lib/NamedObjectsManagerIOS.h
View File

@ -28,8 +28,13 @@
#include "NamedObjectsManager.h"
#include "fwbuilder/Firewall.h"
namespace libfwbuilder
{
class Group;
class Firewall;
class Library;
};
namespace fwcompiler
{
@ -38,7 +43,8 @@ namespace fwcompiler
{
public:
NamedObjectsManagerIOS(const libfwbuilder::Firewall *_fw);
NamedObjectsManagerIOS(libfwbuilder::Library *persistent_objects,
const libfwbuilder::Firewall *_fw);
virtual ~NamedObjectsManagerIOS();
virtual std::string getClearCommands();

6
src/cisco_lib/NamedObjectsManagerPIX.cpp
View File

@ -26,6 +26,8 @@
#include "NamedObjectsManagerPIX.h"
#include "PIXObjectGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Resources.h"
#include <sstream>
@ -37,8 +39,8 @@ using namespace fwcompiler;
using namespace std;
NamedObjectsManagerPIX::NamedObjectsManagerPIX(const Firewall *fw) :
NamedObjectsManager(fw)
NamedObjectsManagerPIX::NamedObjectsManagerPIX(Library *po, const Firewall *fw) :
NamedObjectsManager(po, fw)
{
}

11
src/cisco_lib/NamedObjectsManagerPIX.h
View File

@ -28,8 +28,12 @@
#include "NamedObjectsManager.h"
#include "fwbuilder/Firewall.h"
namespace libfwbuilder
{
class Group;
class Firewall;
class Library;
};
namespace fwcompiler
{
@ -38,7 +42,8 @@ namespace fwcompiler
{
public:
NamedObjectsManagerPIX(const libfwbuilder::Firewall *_fw);
NamedObjectsManagerPIX(libfwbuilder::Library *persistent_objects,
const libfwbuilder::Firewall *_fw);
virtual ~NamedObjectsManagerPIX();
virtual std::string getClearCommands();

49
src/cisco_lib/PolicyCompiler_cisco.cpp
View File

@ -30,18 +30,19 @@
#include "NamedObjectsAndGroupsSupport.h"
#include "NamedObjectsManager.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include <iostream>
#include <iomanip>
@ -158,18 +159,18 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
TCPService *ssh = dbcopy->createTCPService();
ssh->setDstRangeStart(22);
ssh->setDstRangeEnd(22);
dbcopy->add(ssh, false);
persistent_objects->add(ssh, false);
TCPService *ssh_rev = dbcopy->createTCPService();
ssh_rev->setSrcRangeStart(22);
ssh_rev->setSrcRangeEnd(22);
dbcopy->add(ssh_rev, false);
persistent_objects->add(ssh_rev, false);
Network *mgmt_workstation = dbcopy->createNetwork();
mgmt_workstation->setAddressNetmask(
getCachedFwOpt()->getStr("mgmt_addr"));
dbcopy->add(mgmt_workstation, false);
persistent_objects->add(mgmt_workstation, false);
PolicyCompiler::addMgmtRule(
mgmt_workstation, fw, ssh,
@ -539,40 +540,34 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
std::list<FWObject*> cl;
for (list<FWObject*>::iterator i1=srv->begin(); i1!=srv->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = NULL;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Service *s=Service::cast(obj);
FWObject *obj = FWReference::getObject(*i1);
Service *s = Service::cast(obj);
assert(s!=NULL);
if (TCPService::isA(s) &&
TCPUDPService::cast(s)->getDstRangeStart()==port &&
TCPUDPService::cast(s)->getDstRangeEnd()==port) cl.push_back(o);
TCPUDPService::cast(s)->getDstRangeEnd()==port) cl.push_back(obj);
}
if (!cl.empty())
{
PolicyRule *r= compiler->dbcopy->createPolicyRule();
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
RuleElementDst *ndst=r->getDst();
RuleElementDst *ndst = r->getDst();
ndst->clearChildren();
ndst->setAnyElement();
// Was commented out in r50
ndst->addRef( compiler->fw );
RuleElementSrv *nsrv=r->getSrv();
RuleElementSrv *nsrv = r->getSrv();
nsrv->clearChildren();
nsrv->add( cl.front() );
nsrv->addRef( cl.front() );
r->setBool("ssh_telnet_cmd",true);
tmp_queue.push_back(r);
for (list<FWObject*>::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
srv->remove( (*i1) );
srv->removeRef(*i1);
if ( ! srv->isAny()) tmp_queue.push_back(rule);
if (srv->size()>0)
tmp_queue.push_back(rule);
} else
tmp_queue.push_back(rule);
} else
@ -833,7 +828,5 @@ string PolicyCompiler_cisco::printClearCommands()
void PolicyCompiler_cisco::setNamedObjectsManager(NamedObjectsManager *mgr)
{
named_objects_manager = mgr;
// initialize object groups support
mgr->setWorkingObjectTree(dbcopy);
}

28
src/cisco_lib/PolicyCompiler_iosacl.cpp
View File

@ -28,19 +28,20 @@
#include "PolicyCompiler_iosacl.h"
#include "NamedObjectsAndGroupsSupport.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/ObjectMirror.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Management.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/ObjectMirror.h"
#include <iostream>
#if __GNUC__ > 3 || \
@ -87,7 +88,7 @@ int PolicyCompiler_iosacl::prolog()
fw->getOptionsObject()->getBool("iosacl_use_acl_remarks"));
// object_groups = new Group();
// dbcopy->add( object_groups );
// persistent_objects->add( object_groups );
setAllNetworkZonesToNone();
@ -109,13 +110,13 @@ void PolicyCompiler_iosacl::addDefaultPolicyRule()
TCPService *ssh_rev = dbcopy->createTCPService();
ssh_rev->setSrcRangeStart(22);
ssh_rev->setSrcRangeEnd(22);
dbcopy->add(ssh_rev, false);
persistent_objects->add(ssh_rev, false);
Network *mgmt_workstation = dbcopy->createNetwork();
mgmt_workstation->setAddressNetmask(
getCachedFwOpt()->getStr("mgmt_addr"));
dbcopy->add(mgmt_workstation, false);
persistent_objects->add(mgmt_workstation, false);
PolicyCompiler::addMgmtRule(
fw, mgmt_workstation, ssh_rev,
@ -209,7 +210,8 @@ bool PolicyCompiler_iosacl::mirrorRule::processNext()
{
Service *nobj = mirror.getMirroredService(
Service::cast(FWReference::getObject(*i1)));
compiler->dbcopy->add(nobj, false);
if (nobj->getParent() == NULL)
compiler->persistent_objects->add(nobj, false);
nsrv->addRef(nobj);
}
}

1
src/cisco_lib/RoutingCompiler_cisco.cpp
View File

@ -114,5 +114,4 @@ string RoutingCompiler_cisco::debugPrintRule(Rule *r)
void RoutingCompiler_cisco::setNamedObjectsManager(NamedObjectsManager *mgr)
{
named_objects_manager = mgr;
mgr->setWorkingObjectTree(dbcopy);
}

8
src/cisco_lib/specialServices.cpp
View File

@ -40,6 +40,14 @@ bool SpecialServices::processNext()
PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
Rule *rule = prev_processor->getNextRule(); if (rule==NULL) return false;
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
if (re->size() == 0)
{
cerr << "Rule " << rule->getLabel()
<< "rule element " << re_type << " is empty" << endl;
assert(re->size() != 0);
}
FWObject *obj = FWReference::getObject(re->front());
Service *s = Service::cast(obj);

131
src/compiler_lib/AutomaticRules.cpp Normal file
View File

@ -0,0 +1,131 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "AutomaticRules.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Policy.h"
using namespace fwcompiler;
using namespace libfwbuilder;
using namespace std;
AutomaticRules::AutomaticRules(Firewall *fw, Library *persistent_objects)
{
this->fw = fw;
this->persistent_objects = persistent_objects;
ruleset = NULL;
list<FWObject*> all_policies = fw->getByType(Policy::TYPENAME);
for (FWObject::iterator it=all_policies.begin(); it!=all_policies.end(); ++it)
{
Policy *policy = Policy::cast(*it);
FWOptions *rulesetopts = policy->getOptionsObject();
if (rulesetopts->getBool("mangle_only_rule_set")) continue;
if (policy->isTop())
{
ruleset = policy;
break;
}
}
}
PolicyRule* AutomaticRules::addMgmtRule(
Address* src,
Address* dst,
Service* service,
Interface* iface,
const PolicyRule::Direction direction,
const PolicyRule::Action action,
const string &label,
bool related)
{
if (ruleset == NULL) return NULL;
/* Insert PolicyRules at top so they do not get shadowed by other
* rules. Call insertRuleAtTop() with hidden_rule argument true to
* make sure this rule gets negative position number and does not
* shift positions of other rules. See ticket #16. Also, hidden
* rules are not considered for shadowing.
*/
PolicyRule* rule = PolicyRule::cast(ruleset->insertRuleAtTop(true));
assert(rule != NULL);
ostringstream str;
str << rule->getPosition() << " " << label << " (automatic)" ;
rule->setLabel(str.str());
FWObject *re;
re = rule->getSrc(); assert(re!=NULL);
RuleElementSrc::cast(re)->reset();
if(src != NULL)
re->addRef(src);
re = rule->getDst(); assert(re!=NULL);
RuleElementDst::cast(re)->reset();
if(dst != NULL)
re->addRef(dst);
re = rule->getSrv(); assert(re!=NULL);
RuleElementSrv::cast(re)->reset();
if(service != NULL)
re->addRef(service);
re = rule->getWhen(); assert(re!=NULL);
RuleElementInterval::cast(re)->reset();
re = rule->getItf(); assert(re!=NULL);
RuleElementItf::cast(re)->reset();
if(iface != NULL)
{
re->addRef(iface);
// rule->setInterfaceId(iface->getId());
}
rule->add(ruleset->getRoot()->create(PolicyRuleOptions::TYPENAME));
rule->setLogging(false);
rule->enable();
rule->setAction(action);
rule->setDirection(direction);
// Use firewall object ID to generate uique ID for this management rule
// to make it stable across different runs of the compiler
rule->setUniqueId(
ruleset->getRoot()->getPredictableId(
FWObjectDatabase::getStringId(fw->getId()) + "."
));
return rule;
}

73
src/compiler_lib/AutomaticRules.h Normal file
View File

@ -0,0 +1,73 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __AUTOMATICRULES_HH__
#define __AUTOMATICRULES_HH__
#include "fwbuilder/Rule.h"
#include <string>
#include <sstream>
namespace libfwbuilder
{
class Address;
class Firewall;
class Interface;
class Library;
class Service;
};
namespace fwcompiler
{
class AutomaticRules
{
protected:
libfwbuilder::Firewall *fw;
libfwbuilder::RuleSet *ruleset;
libfwbuilder::Library *persistent_objects;
public:
AutomaticRules(libfwbuilder::Firewall *fw,
libfwbuilder::Library *persistent_objects);
virtual libfwbuilder::PolicyRule* addMgmtRule(
libfwbuilder::Address* src,
libfwbuilder::Address* dst,
libfwbuilder::Service* service,
libfwbuilder::Interface* iface,
const libfwbuilder::PolicyRule::Direction direction,
const libfwbuilder::PolicyRule::Action action,
const std::string &label,
bool related = false);
};
};
#endif

134
src/compiler_lib/CompilerDriver.cpp
View File

@ -46,22 +46,23 @@
#include "interfaceProperties.h"
#include "interfacePropertiesObjectFactory.h"
#include "fwbuilder/FWObject.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObject.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwcompiler/Compiler.h"
@ -91,7 +92,19 @@ CompilerDriver::CompilerDriver(FWObjectDatabase *db) : BaseCompiler()
ipv4_run = true;
ipv6_run = true;
fw_by_id = false;
objdb = new FWObjectDatabase(*db);
//objdb = db;
persistent_objects = new Library();
persistent_objects->setName("Persistent Objects");
objdb->add(persistent_objects);
workspace = new Library();
workspace->setName("Workspace");
objdb->add(workspace);
prolog_done = false;
epilog_done = false;
have_filter = false;
@ -101,6 +114,28 @@ CompilerDriver::CompilerDriver(FWObjectDatabase *db) : BaseCompiler()
CompilerDriver::~CompilerDriver()
{
if (persistent_objects->getParent() == NULL)
delete persistent_objects;
else
{
if (persistent_objects->getParent() == objdb)
{
objdb->remove(persistent_objects, false);
delete persistent_objects;
}
}
if (workspace->getParent() == NULL)
delete workspace;
else
{
if (workspace->getParent() == objdb)
{
objdb->remove(workspace, false);
delete workspace;
}
}
delete objdb;
}
@ -685,9 +720,12 @@ void CompilerDriver::findImportedRuleSets(Firewall *fw,
if (branch_ruleset->isChildOf(fw)) continue;
list<FWObject*>::iterator it = std::find(imported_policies.begin(),
imported_policies.end(),
branch_ruleset);
list<FWObject*>::iterator it =
std::find(
imported_policies.begin(),
imported_policies.end(),
branch_ruleset);
if (it != imported_policies.end()) continue;
// Additional check: the rule set may be child of a
@ -703,6 +741,7 @@ void CompilerDriver::findImportedRuleSets(Firewall *fw,
}
}
}
if (imported_policies.size() > 0)
all_policies.insert(all_policies.end(),
imported_policies.begin(), imported_policies.end());
@ -734,6 +773,11 @@ void CompilerDriver::_findImportedRuleSetsRecursively(
}
}
void CompilerDriver::assignUniqueRuleIds(list<FWObject*> &all_rulesets)
{
for_each(all_rulesets.begin(), all_rulesets.end(),
RuleSet::UniqueRuleIdsSetter());
}
QString CompilerDriver::run(const std::string&, const std::string&, const std::string&)
{
@ -855,8 +899,10 @@ void CompilerDriver::mergeRuleSets(Cluster *cluster, Firewall *fw,
{
FWObject *ruleset = *p;
FWObject::iterator i = std::find_if(fw->begin(), fw->end(),
FWObjectNameEQPredicate(ruleset->getName()));
FWObject::iterator i = std::find_if(
fw->begin(), fw->end(),
FWObjectNameEQPredicate(ruleset->getName()));
if (i!=fw->end() && (*i)->getTypeName() == type)
{
FWObject *fw_ruleset = *i;
@ -925,6 +971,20 @@ void CompilerDriver::populateClusterElements(Cluster *cluster, Firewall *fw)
{
if (cluster==NULL) return;
#ifdef DEBUG_CLUSTER_INTERFACES
cerr << "CompilerDriver::populateClusterElements " << endl;
cerr << cluster->getPath(false, true) << endl;
list<FWObject*> cl_interfaces = cluster->getByTypeDeep(Interface::TYPENAME);
cerr << cl_interfaces.size() << " interface" << endl;
cluster->dump(false, true);
cerr << fw->getPath(false, true) << endl;
list<FWObject*> fw_interfaces = fw->getByTypeDeep(Interface::TYPENAME);
cerr << fw_interfaces.size() << " interface" << endl;
fw->dump(false, true);
#endif
// int addedPolicies = 0;
set<string> state_sync_types;
@ -1185,3 +1245,51 @@ QString CompilerDriver::formSingleRuleCompileOutput(const QString &generated_cod
return res;
}
void CompilerDriver::getFirewallAndClusterObjects(const string &cluster_id,
const string &firewall_id,
Cluster **cl,
Firewall **fw)
{
if (!cluster_id.empty())
{
Cluster *orig_cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
#ifdef WORK_ON_COPIES
*cl = objdb->createCluster();
workspace->add(*cl);
(*cl)->duplicate(orig_cluster);
#else
*cl = orig_cluster;
#endif
}
Firewall *orig_fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(orig_fw);
#ifdef WORK_ON_COPIES
*fw = objdb->createFirewall();
workspace->add(*fw);
(*fw)->duplicate(orig_fw);
if (*cl != NULL)
{
const map<int, int> &id_map = (*fw)->getIDMappingTable();
map<int, int>::const_iterator it;
for (it=id_map.begin(); it!=id_map.end(); ++it)
(*cl)->replaceRef(it->first, it->second);
}
#else
*fw = orig_fw;
#endif
}

9
src/compiler_lib/CompilerDriver.h
View File

@ -132,6 +132,8 @@ protected:
std::map<std::string,libfwbuilder::RuleSet*> branches;
libfwbuilder::FWObjectDatabase *objdb;
libfwbuilder::Library *persistent_objects;
libfwbuilder::Library *workspace;
void determineOutputFileNames(libfwbuilder::Cluster *cluster,
libfwbuilder::Firewall *current_fw,
@ -250,9 +252,16 @@ public:
*/
virtual libfwbuilder::Firewall* locateObject();
void getFirewallAndClusterObjects(const std::string &cluster_id,
const std::string &fw_id,
libfwbuilder::Cluster **cl,
libfwbuilder::Firewall **fw);
void findImportedRuleSets(libfwbuilder::Firewall *fw,
std::list<libfwbuilder::FWObject*> &all_policies);
void assignUniqueRuleIds(std::list<libfwbuilder::FWObject*> &all_policies);
virtual bool prepare(const QStringList &args);
virtual void compile();
virtual QMap<QString,QString> compileSingleRule(const std::string &rule_id);

12
src/compiler_lib/CompilerDriver_compile.cpp
View File

@ -31,11 +31,12 @@
#include "CompilerDriver.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Rule.h"
#include "fwcompiler/Compiler.h"
@ -144,8 +145,15 @@ QMap<QString,QString> CompilerDriver::compileSingleRule(const string &rule_id)
if (cluster)
{
commonChecks(cluster);
list<Firewall*> members;
Cluster::cast(cluster)->getMembersList(members);
// this copy of CompilerDriver is not going to do any useful work and
// does not need these.
objdb->remove(persistent_objects, false);
objdb->remove(workspace, false);
for (list<Firewall*>::iterator it=members.begin(); it!=members.end(); ++it)
{
CompilerDriver *cl_driver = clone();

6
src/compiler_lib/compiler_lib.pro
View File

@ -19,7 +19,8 @@ SOURCES = CompilerDriver.cpp \
iosInterfaces.cpp \
procurveInterfaces.cpp \
pixInterfaces.cpp \
interfacePropertiesObjectFactory.cpp
interfacePropertiesObjectFactory.cpp \
AutomaticRules.cpp
HEADERS = ../../config.h \
CompilerDriver.h \
@ -31,7 +32,8 @@ HEADERS = ../../config.h \
iosInterfaces.h \
procurveInterfaces.h \
pixInterfaces.h \
interfacePropertiesObjectFactory.h
interfacePropertiesObjectFactory.h \
AutomaticRules.h
INCLUDEPATH += ../libfwbuilder/src

12
src/iosacl/iosacl.cpp
View File

@ -153,16 +153,20 @@ int main(int argc, char **argv)
FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID);
if (slib && slib->isReadOnly()) slib->setReadOnly(false);
CompilerDriver_iosacl driver(objdb);
if (!driver.prepare(args))
CompilerDriver_iosacl *driver = new CompilerDriver_iosacl(objdb);
if (!driver->prepare(args))
{
usage(argv[0]);
exit(1);
}
driver.compile();
driver->compile();
int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
delete driver;
delete objdb;
return (driver.getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
return ret;
} catch(libfwbuilder::FWException &ex)
{

12
src/ipf/ipf.cpp
View File

@ -167,15 +167,19 @@ int main(int argc, char **argv)
FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID);
if (slib && slib->isReadOnly()) slib->setReadOnly(false);
CompilerDriver_ipf driver(objdb);
if (!driver.prepare(args))
CompilerDriver_ipf *driver = new CompilerDriver_ipf(objdb);
if (!driver->prepare(args))
{
usage(argv[0]);
exit(1);
}
driver.compile();
driver->compile();
int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
delete driver;
delete objdb;
return (driver.getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
return ret;
} catch(const FWException &ex) {
cerr << ex.toString() << endl;

12
src/ipfw/ipfw.cpp
View File

@ -163,15 +163,19 @@ int main(int argc, char **argv)
FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID);
if (slib && slib->isReadOnly()) slib->setReadOnly(false);
CompilerDriver_ipfw driver(objdb);
if (!driver.prepare(args))
CompilerDriver_ipfw *driver = new CompilerDriver_ipfw(objdb);
if (!driver->prepare(args))
{
usage(argv[0]);
exit(1);
}
driver.compile();
driver->compile();
int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
delete driver;
delete objdb;
return (driver.getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
return ret;
} catch(const FWException &ex)
{

11
src/ipt/ipt.cpp
View File

@ -144,16 +144,19 @@ int main(int argc, char **argv)
FWObject *slib = objdb->findInIndex(FWObjectDatabase::STANDARD_LIB_ID);
if (slib && slib->isReadOnly()) slib->setReadOnly(false);
CompilerDriver_ipt driver(objdb);
if (!driver.prepare(args))
CompilerDriver_ipt *driver = new CompilerDriver_ipt(objdb);
if (!driver->prepare(args))
{
usage(argv[0]);
exit(1);
}
driver.compile();
driver->compile();
int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
delete driver;
delete objdb;
return (driver.getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
return ret;
} catch(const FWException &ex)
{

472
src/iptlib/AutomaticRules_ipt.cpp Normal file
View File

@ -0,0 +1,472 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "AutomaticRules_ipt.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/IPService.h"
#include <QString>
using namespace fwcompiler;
using namespace libfwbuilder;
using namespace std;
PolicyRule* AutomaticRules_ipt::addMgmtRule(
Address* src, Address* dst, Service* service, Interface* iface,
const PolicyRule::Direction direction,
const PolicyRule::Action action,
const string &label,
bool related)
{
PolicyRule *rule = AutomaticRules::addMgmtRule(src, dst, service,
iface, direction, action,
label);
FWOptions *ruleopt = rule->getOptionsObject(); assert(ruleopt!=NULL);
if (related)
{
ruleopt->setBool("stateless", false);
ruleopt->setBool("accept_established", true);
} else
{
ruleopt->setBool("stateless", true);
}
ruleopt->setBool("firewall_is_part_of_any_and_networks", true);
return rule;
}
void AutomaticRules_ipt::addConntrackRule()
{
FWOptions* options = fw->getOptionsObject();
string conntrack_iface_name = options->getStr("state_sync_interface");
if (conntrack_iface_name.empty())
{
/* CONNTRACK not active, nothing left to do */
return;
}
string conntrack_group_id = options->getStr("state_sync_group_id");
StateSyncClusterGroup *state_sync_group =
StateSyncClusterGroup::cast(
ruleset->getRoot()->findInIndex(
FWObjectDatabase::getIntId(conntrack_group_id)));
Resources *os_res = Resources::os_res[fw->getStr("host_OS")];
assert(os_res != NULL);
string default_address =
os_res->getResourceStr("/FWBuilderResources/Target/protocols/conntrack/default_address");
string default_port =
os_res->getResourceStr("/FWBuilderResources/Target/protocols/conntrack/default_port");
bool ucast = state_sync_group->getOptionsObject()->getBool("conntrack_unicast");
string addr = state_sync_group->getOptionsObject()->getStr("conntrack_address");
if (addr.empty()) addr = default_address;
try
{
InetAddr(addr);
} catch (FWException &ex)
{
try
{
InetAddr(AF_INET6, addr);
} catch (FWException &ex)
{
throw FWException(string("Invalid IP address for conntrack: ") + addr);
}
}
string port = state_sync_group->getOptionsObject()->getStr("conntrack_port");
if (port.empty()) port = default_port;
/* Add CONNTRACK-Address to database */
Address *conntrack_dst = Address::cast(ruleset->getRoot()->create(IPv4::TYPENAME));
conntrack_dst->setName("CONNTRACK-Address");
conntrack_dst->setAddress(InetAddr(addr));
// Why the whole multicast adress range ?
//conntrack_dst->setNetmask(InetAddr("240.0.0.0"));
conntrack_dst->setComment("CONNTRACK Multicast Address");
persistent_objects->add(conntrack_dst);
UDPService *conntrack_srv = UDPService::cast(ruleset->getRoot()->create(UDPService::TYPENAME));
conntrack_srv->setName("CONNTRACK-UDP");
conntrack_srv->setDstRangeStart(atoi(port.c_str()));
conntrack_srv->setDstRangeEnd(atoi(port.c_str()));
conntrack_srv->setComment("CONNTRACK UDP port");
persistent_objects->add(conntrack_srv);
/* Find conntrack interface */
Interface* conntrack_iface = Interface::cast(fw->findObjectByName(Interface::TYPENAME, conntrack_iface_name));
if (conntrack_iface == NULL)
{
throw FWException(
"Unable to get CONNTRACK interface ("+ conntrack_iface_name +")");
}
/* Add automatic rules for CONNTRACK */
if (ucast)
{
Interface *fw_iface = NULL;
list<Interface*> other_interfaces;
for (FWObjectTypedChildIterator it =
state_sync_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(iface);
if (iface->isChildOf(fw))
{
fw_iface = iface;
} else
{
other_interfaces.push_back(iface);
}
}
for (list<Interface*>::iterator it=other_interfaces.begin(); it!=other_interfaces.end(); ++it)
{
Interface *other_iface = *it;
addMgmtRule(other_iface,
fw,
conntrack_srv,
fw_iface,
PolicyRule::Inbound,
PolicyRule::Accept,
"CONNTRACK");
addMgmtRule(fw,
other_iface,
conntrack_srv,
fw_iface,
PolicyRule::Outbound,
PolicyRule::Accept,
"CONNTRACK");
}
} else
{
addMgmtRule(NULL,
conntrack_dst,
conntrack_srv,
conntrack_iface,
PolicyRule::Inbound,
PolicyRule::Accept,
"CONNTRACK");
addMgmtRule(fw,
conntrack_dst,
conntrack_srv,
conntrack_iface,
PolicyRule::Outbound,
PolicyRule::Accept,
"CONNTRACK");
}
}
void AutomaticRules_ipt::addFailoverRules()
{
Resources *os_res = Resources::os_res[fw->getStr("host_OS")];
assert(os_res != NULL);
string default_heartbeat_port =
os_res->getResourceStr(
"/FWBuilderResources/Target/protocols/heartbeat/default_port");
string default_heartbeat_address =
os_res->getResourceStr(
"/FWBuilderResources/Target/protocols/heartbeat/default_address");
string default_openais_port =
os_res->getResourceStr(
"/FWBuilderResources/Target/protocols/openais/default_port");
string default_openais_address =
os_res->getResourceStr(
"/FWBuilderResources/Target/protocols/openais/default_address");
FWObjectTypedChildIterator interfaces = fw->findByType(Interface::TYPENAME);
for (; interfaces != interfaces.end(); ++interfaces)
{
Interface *iface = Interface::cast(*interfaces);
/*
We add copies of cluster interface objects to fw objects
so each interface appears twice, the original interface
of the firewall, plus a copy of the cluster
interface. To deduplicate will use only copies of
cluster interfaces because these include VRRP interfaces.
*/
if (iface->isFailoverInterface() &&
iface->getOptionsObject()->getBool("cluster_interface"))
{
FWObject *failover_group =
iface->getFirstByType(FailoverClusterGroup::TYPENAME);
PolicyRule *rule = NULL;
string fw_iface_id = iface->getOptionsObject()->getStr("base_interface_id");
Interface *fw_iface =
Interface::cast(
ruleset->getRoot()->findInIndex(FWObjectDatabase::getIntId(fw_iface_id)));
if (fw_iface == NULL)
{
throw FWException(
QString("Can not find interface of the firewall "
"for the cluster failover group %1. ")
.arg(failover_group->getName().c_str()).toStdString());
}
if (failover_group->getStr("type") == "vrrp")
{
/* Add VRRP-Address to database */
Address *vrrp_dst = Address::cast(
ruleset->getRoot()->create(IPv4::TYPENAME));
vrrp_dst->setName("VRRP-Address");
vrrp_dst->setAddress(InetAddr("224.0.0.18"));
vrrp_dst->setNetmask(InetAddr(InetAddr::getAllOnes()));
vrrp_dst->setComment("VRRP Multicast Address");
persistent_objects->add(vrrp_dst);
bool use_ipsec_ah = false;
FWOptions *failover_opts =
FailoverClusterGroup::cast(failover_group)->getOptionsObject();
if (failover_opts)
{
use_ipsec_ah = failover_opts->getBool("vrrp_over_ipsec_ah");
}
/* Add VRRP-Service to database */
IPService* vrrp_srv = IPService::cast(
ruleset->getRoot()->create(IPService::TYPENAME));
vrrp_srv->setComment("VRRP service");
vrrp_srv->setProtocolNumber(112);
persistent_objects->add(vrrp_srv);
/*
* Add AH-Service to database.
* According to RFC 2338 section 5.3.6.3, VRRP can use
* IPsec AH.
*/
IPService* ah_srv = IPService::cast(
ruleset->getRoot()->create(IPService::TYPENAME));
ah_srv->setComment("IPSEC-AH");
ah_srv->setProtocolNumber(51);
persistent_objects->add(ah_srv);
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *other_iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(other_iface);
if (other_iface->getId() == fw_iface->getId()) continue;
// if interface is dynamic, we can't use it in the rule
// (because it belongs to another machine, not the fw
// we compile for so we can't use script). NULL means "any"
// in the call to addMgmtRule()
if (other_iface->isDyn()) other_iface = NULL;
if (!use_ipsec_ah)
{
addMgmtRule(other_iface, vrrp_dst, vrrp_srv, iface,
PolicyRule::Inbound, PolicyRule::Accept,
"VRRP");
} else
{
addMgmtRule(other_iface, vrrp_dst, ah_srv, iface,
PolicyRule::Inbound, PolicyRule::Accept,
"VRRP (with IPSEC-AH)");
}
}
// outbound rule does not use other_interface and
// should be created outside the loop to avoid
// duplicates. Duplicates happen when cluster has 3 or
// more members.
if (!use_ipsec_ah)
{
addMgmtRule(fw, vrrp_dst, vrrp_srv, iface,
PolicyRule::Outbound, PolicyRule::Accept,
"VRRP");
} else
{
addMgmtRule(fw, vrrp_dst, ah_srv, iface,
PolicyRule::Outbound, PolicyRule::Accept,
"VRRP (with IPSEC-AH)");
}
}
if (failover_group->getStr("type") == "heartbeat")
{
/*
* Note that iface is a copy of the cluster inetrface.
* Find interface of the member firewall fw that corresponds
* to the cluster interface iface
*/
bool ucast = FailoverClusterGroup::cast(failover_group)->
getOptionsObject()->getBool("heartbeat_unicast");
string addr = FailoverClusterGroup::cast(failover_group)->
getOptionsObject()->getStr("heartbeat_address");
if (addr.empty()) addr = default_heartbeat_address;
string port = FailoverClusterGroup::cast(failover_group)->
getOptionsObject()->getStr("heartbeat_port");
if (port.empty()) port = default_heartbeat_port;
UDPService *heartbeat_srv = UDPService::cast(
ruleset->getRoot()->create(UDPService::TYPENAME));
/* Add heartbeat-Address to database */
Address *heartbeat_dst = Address::cast(ruleset->getRoot()->create(
IPv4::TYPENAME));
heartbeat_dst->setName("HEARTBEAT-Address");
heartbeat_dst->setAddress(InetAddr(addr));
heartbeat_dst->setNetmask(InetAddr(InetAddr::getAllOnes()));
heartbeat_dst->setComment("HEARTBEAT Multicast Address");
persistent_objects->add(heartbeat_dst);
heartbeat_srv->setName("HEARTBEAT-UDP");
heartbeat_srv->setDstRangeStart(atoi(port.c_str()));
heartbeat_srv->setDstRangeEnd(atoi(port.c_str()));
heartbeat_srv->setComment("HEARTBEAT UDP port");
persistent_objects->add(heartbeat_srv);
// Heartbeat can use either multicast or unicast
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *other_iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(other_iface);
if (other_iface->getId() == fw_iface->getId()) continue;
// if interface is dynamic, we can't use it in the rule
// (because it belongs to another machine, not the fw
// we compile for so we can't use script). NULL means "any"
// in the call to addMgmtRule()
if (other_iface->isDyn()) other_iface = NULL;
if (ucast)
{
addMgmtRule(other_iface, fw, heartbeat_srv, fw_iface,
PolicyRule::Inbound, PolicyRule::Accept,
"heartbeat");
addMgmtRule(fw, other_iface, heartbeat_srv, fw_iface,
PolicyRule::Outbound, PolicyRule::Accept,
"heartbeat");
}
else
{
addMgmtRule(other_iface, heartbeat_dst, heartbeat_srv, fw_iface,
PolicyRule::Inbound, PolicyRule::Accept,
"heartbeat");
addMgmtRule(fw, heartbeat_dst, heartbeat_srv, fw_iface,
PolicyRule::Outbound, PolicyRule::Accept,
"heartbeat");
}
}
}
if (failover_group->getStr("type") == "openais")
{
string addr = FailoverClusterGroup::cast(failover_group)->
getOptionsObject()->getStr("openais_address");
if (addr.empty()) addr = default_openais_address;
string port = FailoverClusterGroup::cast(failover_group)->
getOptionsObject()->getStr("openais_port");
if (port.empty()) port = default_openais_port;
/* Add OPENAIS-Address to database */
Address *openais_dst = Address::cast(ruleset->getRoot()->create(
IPv4::TYPENAME));
openais_dst->setName("OPENAIS-Address");
openais_dst->setAddress(InetAddr(addr));
openais_dst->setNetmask(InetAddr(InetAddr::getAllOnes()));
openais_dst->setComment("OPENAIS Multicast Address");
persistent_objects->add(openais_dst);
UDPService *openais_srv = UDPService::cast(
ruleset->getRoot()->create(UDPService::TYPENAME));
openais_srv->setName("OPENAIS-UDP");
openais_srv->setDstRangeStart(atoi(port.c_str()));
openais_srv->setDstRangeEnd(atoi(port.c_str()));
openais_srv->setComment("OPENAIS UDP port");
persistent_objects->add(openais_srv);
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *other_iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(other_iface);
if (other_iface->getId() == fw_iface->getId()) continue;
// if interface is dynamic, we can't use it in the rule
// (because it belongs to another machine, not the fw
// we compile for so we can't use script). NULL means "any"
// in the call to addMgmtRule()
if (other_iface->isDyn()) other_iface = NULL;
addMgmtRule(other_iface, openais_dst, openais_srv, iface,
PolicyRule::Inbound, PolicyRule::Accept,
"openais");
addMgmtRule(fw, openais_dst, openais_srv, iface,
PolicyRule::Outbound, PolicyRule::Accept,
"openais");
}
}
if (rule)
{
FWOptions *ruleopt = rule->getOptionsObject();
assert(ruleopt!=NULL);
ruleopt->setInt("firewall_is_part_of_any_and_networks", 1);
}
}
}
}

68
src/iptlib/AutomaticRules_ipt.h Normal file
View File

@ -0,0 +1,68 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __AUTOMATICRULES_IPT_HH__
#define __AUTOMATICRULES_IPT_HH__
#include "AutomaticRules.h"
namespace libfwbuilder
{
class Address;
class Firewall;
class Interface;
class Service;
};
namespace fwcompiler
{
class AutomaticRules_ipt : public AutomaticRules
{
public:
AutomaticRules_ipt(libfwbuilder::Firewall *fw,
libfwbuilder::Library *presistent_objects) :
AutomaticRules(fw, presistent_objects) {}
virtual libfwbuilder::PolicyRule* addMgmtRule(
libfwbuilder::Address* src,
libfwbuilder::Address* dst,
libfwbuilder::Service* service,
libfwbuilder::Interface* iface,
const libfwbuilder::PolicyRule::Direction direction,
const libfwbuilder::PolicyRule::Action action,
const std::string &label,
bool related = false);
void addConntrackRule();
void addFailoverRules();
};
};
#endif

20
src/iptlib/CompilerDriver_ipt.cpp
View File

@ -30,13 +30,19 @@
#include "PolicyCompiler_ipt.h"
#include "PolicyCompiler_secuwall.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Address.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleSet.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/IPService.h"
#include <fstream>
#include <iostream>
@ -56,6 +62,10 @@ CompilerDriver_ipt::CompilerDriver_ipt(FWObjectDatabase *db) :
have_connmark_in_output = false;
}
CompilerDriver_ipt::~CompilerDriver_ipt()
{
}
// create a copy of itself, including objdb
CompilerDriver* CompilerDriver_ipt::clone()
{
@ -73,11 +83,10 @@ void CompilerDriver_ipt::assignRuleSetChain(RuleSet *ruleset)
if (rule == NULL) continue; // skip RuleSetOptions object
if (rule->isDisabled()) continue;
//rule->setStr("parent_rule_num", parentRuleNum);
if (!ruleset->isTop())
rule->setStr("ipt_chain", branch_name);
rule->setUniqueId( FWObjectDatabase::getStringId(rule->getId()) );
// ???
// rule->setUniqueId( FWObjectDatabase::getStringId(rule->getId()) );
}
}
@ -223,4 +232,3 @@ std::auto_ptr<PolicyCompiler_ipt> CompilerDriver_ipt::createPolicyCompiler(
return policy_compiler;
}

15
src/iptlib/CompilerDriver_ipt.h
View File

@ -40,18 +40,23 @@
#include <QMap>
namespace libfwbuilder {
namespace libfwbuilder
{
class FWObjectDatabase;
class Cluster;
class ClusterGroup;
class Firewall;
class RuleSet;
class Interface;
class Address;
class PolicyRule;
};
namespace fwcompiler {
namespace fwcompiler
{
class CompilerDriver_ipt : public CompilerDriver {
class CompilerDriver_ipt : public CompilerDriver
{
// commands that pass control to branch chains should go into
// POSTROUTING or PREROUTING chains depending on the targets used
@ -78,7 +83,8 @@ namespace fwcompiler {
public:
CompilerDriver_ipt(libfwbuilder::FWObjectDatabase *db);
virtual ~CompilerDriver_ipt();
// create a copy of itself, including objdb
virtual CompilerDriver* clone();
@ -120,7 +126,6 @@ public:
int policy_af,
std::map<const std::string, bool> &minus_n_commands_nat);
};
};

2
src/iptlib/CompilerDriver_ipt_nat.cpp
View File

@ -34,6 +34,7 @@
#include "fwbuilder/Firewall.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Library.h"
#include <fstream>
#include <iostream>
@ -80,6 +81,7 @@ bool CompilerDriver_ipt::processNatRuleSet(
nat_compiler->setSourceRuleSet( nat );
nat_compiler->setRuleSetName(branch_name);
nat_compiler->setPersistentObjects(persistent_objects);
nat_compiler->setSingleRuleCompileMode(single_rule_id);
nat_compiler->setDebugLevel( dl );

3
src/iptlib/CompilerDriver_ipt_policy.cpp
View File

@ -39,6 +39,7 @@
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Library.h"
#include <fstream>
#include <iostream>
@ -96,6 +97,7 @@ bool CompilerDriver_ipt::processPolicyRuleSet(
mangle_compiler->setSourceRuleSet( policy );
mangle_compiler->setRuleSetName(branch_name);
mangle_compiler->setPersistentObjects(persistent_objects);
mangle_compiler->setSingleRuleCompileMode(single_rule_id);
mangle_compiler->setDebugLevel( dl );
@ -171,6 +173,7 @@ bool CompilerDriver_ipt::processPolicyRuleSet(
policy_compiler->setSourceRuleSet( policy );
policy_compiler->setRuleSetName(branch_name);
policy_compiler->setPersistentObjects(persistent_objects);
if ( (policy_rules_count=policy_compiler->prolog()) > 0 )
{

54
src/iptlib/CompilerDriver_ipt_run.cpp
View File

@ -47,6 +47,8 @@
#include "OSConfigurator_linux24.h"
#include "OSConfigurator_secuwall.h"
#include "OSConfigurator_ipcop.h"
#include "combinedAddress.h"
#include "AutomaticRules_ipt.h"
#include "Configlet.h"
@ -66,6 +68,7 @@
#include "fwbuilder/Resources.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Library.h"
#include <QString>
#include <QStringList>
@ -74,6 +77,7 @@
#include <QDir>
#include <QTextStream>
#include <QtDebug>
#include <QTime>
using namespace std;
@ -82,6 +86,14 @@ using namespace fwcompiler;
extern QString user_name;
FWObject* create_combinedAddress(int id)
{
FWObject *nobj = new combinedAddress();
if (id > -1) nobj->setId(id);
return nobj;
}
/*
* Go through paces to compile firewall which may be a member of a
* cluster. Note that both firewall and cluster are defined by their
@ -93,14 +105,17 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
FWObjectDatabase::registerObjectType(combinedAddress::TYPENAME,
&create_combinedAddress);
// see #2212 Create temporary copy of the firewall and cluster
// objects and pass them to the compilers.
Cluster *cluster = NULL;
Firewall *fw = NULL;
getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);
string generated_script;
@ -219,6 +234,23 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
findBranchesInMangleTable(fw, all_policies);
findImportedRuleSets(fw, all_nat);
// assign unique rule ids that later will be used to generate
// chain names. This should be done after calls to
// findImportedRuleSets()
assignUniqueRuleIds(all_policies);
assignUniqueRuleIds(all_nat);
try
{
AutomaticRules_ipt auto_rules(fw, persistent_objects);
auto_rules.addConntrackRule();
auto_rules.addFailoverRules();
} catch (FWException &ex)
{
abort(ex.toString());
}
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
// be generated. If "-6" is used, only ipv6 part will be generated.
@ -391,6 +423,7 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
{
routing_compiler->setSourceRuleSet(routing);
routing_compiler->setRuleSetName(routing->getName());
routing_compiler->setPersistentObjects(persistent_objects);
routing_compiler->setSingleRuleCompileMode(single_rule_id);
routing_compiler->setDebugLevel( dl );
@ -409,6 +442,13 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
all_errors.push_back(routing_compiler->getErrors("").c_str());
}
/*
* compilers detach persistent objects when they finish, this
* means at this point library persistent_objects is not part
* of any object tree.
*/
objdb->reparent(persistent_objects);
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());

4
src/iptlib/MangleTableCompiler_ipt.cpp
View File

@ -51,8 +51,8 @@ int MangleTableCompiler_ipt::prolog()
int n = 0;
for(FWObject::iterator i=combined_ruleset->begin();
i!=combined_ruleset->end(); i++)
for(FWObject::iterator i=source_ruleset->begin();
i!=source_ruleset->end(); i++)
{
PolicyRule *r = PolicyRule::cast( *i );
if (r == NULL) continue; // skip RuleSetOptions object

19
src/iptlib/NATCompiler_ipt.cpp
View File

@ -217,7 +217,7 @@ int NATCompiler_ipt::prolog()
if ( iface->isDyn()) iface->setBool("use_var_address",true);
}
build_interface_groups(dbcopy, fw, ipv6, regular_interfaces);
build_interface_groups(dbcopy, persistent_objects, fw, ipv6, regular_interfaces);
}
string version = fw->getStr("version");
@ -265,7 +265,7 @@ void NATCompiler_ipt::_expand_interface(Rule *rule,
if (ip_addr!=NULL && use_mac && pa!=NULL)
{
combinedAddress *ca = new combinedAddress();
dbcopy->add(ca);
persistent_objects->add(ca);
dbcopy->addToIndex(ca);
ca->setName( "CA("+iface->getName()+")" );
ca->setAddress( *ip_addr );
@ -339,7 +339,7 @@ bool NATCompiler_ipt::ConvertLoadBalancingRules::processNext()
ar->setRangeEnd( *(al.back()) );
ar->setName(string("%")+al.front()->toString()
+"-"+al.back()->toString()+"%" );
compiler->dbcopy->add(ar,false);
compiler->persistent_objects->add(ar,false);
tdst->clearChildren();
tdst->addRef(ar);
@ -439,12 +439,15 @@ bool NATCompiler_ipt::splitSDNATRule::processNext()
* change OSrc
*/
odst=r->getODst();
odst = r->getODst();
odst->setNeg(false);
odst->clearChildren();
for (FWObject::iterator i=rule->getTDst()->begin(); i!=rule->getTDst()->end(); i++)
odst->add( *i );
{
FWObject *obj = FWObjectReference::getObject(*i);
odst->addRef(obj);
}
if ( ! rule->getTSrv()->isAny())
{
@ -478,7 +481,7 @@ bool NATCompiler_ipt::splitSDNATRule::processNext()
match_service = TCPUDPService::cast(
compiler->dbcopy->create(tsrv->getTypeName()));
match_service->setName(tsrv->getName() + "_dport");
compiler->dbcopy->add(match_service);
compiler->persistent_objects->add(match_service);
match_service->setDstRangeStart(tu_tsrv->getDstRangeStart());
match_service->setDstRangeEnd(tu_tsrv->getDstRangeEnd());
}
@ -757,9 +760,9 @@ bool NATCompiler_ipt::convertToAtomicportForOSrv::processNext()
FWObject *s;
s=r->getOSrv(); assert(s);
s = r->getOSrv(); assert(s);
s->clearChildren();
s->add( *i1 );
s->addRef(FWReference::getObject(*i1));
tmp_queue.push_back(r);
}

511
src/iptlib/PolicyCompiler_ipt.cpp
View File

@ -368,7 +368,7 @@ void PolicyCompiler_ipt::_expand_interface(Rule *rule,
if (use_mac)
{
combinedAddress *ca = new combinedAddress();
dbcopy->add(ca);
persistent_objects->add(ca);
ca->setName( "CA("+iface->getName()+")" );
ca->setAddress( *ip_addr );
ca->setNetmask( *ip_netm );
@ -466,44 +466,43 @@ int PolicyCompiler_ipt::prolog()
anytcp=dbcopy->createTCPService();
anytcp->setId(FWObjectDatabase::registerStringId(ANY_TCP_OBJ_ID));
anytcp->setName("AnyTCP");
dbcopy->add(anytcp);
persistent_objects->add(anytcp);
tcpsyn=dbcopy->createTCPService();
tcpsyn->setId(FWObjectDatabase::registerStringId(TCP_SYN_OBJ_ID));
tcpsyn->setName("tcpSYN");
tcpsyn->setTCPFlag(TCPService::SYN,true);
tcpsyn->setAllTCPFlagMasks();
dbcopy->add(tcpsyn);
persistent_objects->add(tcpsyn);
anyudp=dbcopy->createUDPService();
anyudp->setId(FWObjectDatabase::registerStringId(ANY_UDP_OBJ_ID));
anyudp->setName("AnyUDP");
dbcopy->add(anyudp);
persistent_objects->add(anyudp);
anyicmp=dbcopy->createICMPService();
anyicmp->setId(FWObjectDatabase::registerStringId(ANY_ICMP_OBJ_ID));
anyicmp->setName("AnyICMP");
dbcopy->add(anyicmp);
persistent_objects->add(anyicmp);
anyip=dbcopy->createIPService();
anyip->setId(FWObjectDatabase::registerStringId(ANY_IP_OBJ_ID));
anyip->setName("AnyIP");
dbcopy->add(anyip);
persistent_objects->add(anyip);
bcast255=dbcopy->createIPv4();
bcast255->setId(FWObjectDatabase::registerStringId(BCAST_255_OBJ_ID));
bcast255->setName("Broadcast_addr");
bcast255->setAddress(InetAddr::getAllOnes());
bcast255->setNetmask(InetAddr(InetAddr::getAllOnes()));
dbcopy->add(bcast255);
persistent_objects->add(bcast255);
bool global_afpa = fwopt->getBool("firewall_is_part_of_any_and_networks");
int n = 0;
for(FWObject::iterator i=combined_ruleset->begin();
i!=combined_ruleset->end(); i++)
for(FWObject::iterator i=source_ruleset->begin(); i!=source_ruleset->end(); i++)
{
Rule *r = Rule::cast( *i );
if (r == NULL) continue;
if (r->isDisabled()) continue;
FWOptions *ruleopt = r->getOptionsObject();
@ -532,17 +531,17 @@ int PolicyCompiler_ipt::prolog()
fwopt->getBool("use_m_set"));
actually_used_module_set = false;
build_interface_groups(dbcopy, fw, ipv6, regular_interfaces);
build_interface_groups(dbcopy, persistent_objects, fw, ipv6, regular_interfaces);
return n;
}
void PolicyCompiler_ipt::addPredefinedPolicyRules()
{
if (getSourceRuleSet()->isTop() && !inSingleRuleCompileMode())
{
insertConntrackRule();
insertFailoverRule();
}
// if (getSourceRuleSet()->isTop() && !inSingleRuleCompileMode())
// {
// insertConntrackRule();
// insertFailoverRule();
// }
}
bool PolicyCompiler_ipt::SkipActionContinueWithNoLogging::processNext()
@ -4500,52 +4499,60 @@ string PolicyCompiler_ipt::debugPrintRule(Rule *r)
ostringstream dst;
string srv=" ";
string time=" ";
string itf=" ";
ostringstream itf;
if (srcrel->getNeg()) src << "!";
if (dstrel->getNeg()) dst << "!";
if (srvrel->getNeg()) srv = "!";
if (intrel->getNeg()) time = "!";
if (itfrel->getNeg()) itf = "!";
if (itfrel->getNeg()) itf << "!";
if (i1!=srcrel->end()) {
FWObject *o=*i1;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
if (i1!=srcrel->end())
{
FWObject *o = FWReference::getObject(*i1);
src << o->getName();
if (Group::cast(o)!=NULL)
src << "[" << o->size() << "]";
}
if (i2!=dstrel->end()) {
FWObject *o=*i2;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
if (i2!=dstrel->end())
{
FWObject *o = FWReference::getObject(*i2);
dst << o->getName();
if (Group::cast(o)!=NULL)
dst << "[" << o->size() << "]";
}
if (i3!=srvrel->end()) {
FWObject *o=*i3;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
srv+=o->getName();
if (i3!=srvrel->end())
{
FWObject *o = FWReference::getObject(*i3);
srv += o->getName();
}
if (i4!=intrel->end()) {
FWObject *o=*i4;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
time+=o->getName();
if (i4!=intrel->end())
{
FWObject *o = FWReference::getObject(*i4);
time += o->getName();
}
if (i5!=itfrel->end()) {
FWObject *o=*i5;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
itf+=o->getName();
if (i5!=itfrel->end())
{
FWObject *o = FWReference::getObject(*i5);
Interface *iface = Interface::cast(o);
itf << o->getName() << "(" << o->getId() << ")";
if (iface)
{
if (iface->isDyn()) itf << "D";
if (iface->isUnnumbered()) itf << "U";
if (iface->isFailoverInterface()) itf << "F";
}
}
int w=0;
if (no==0) {
if (no==0)
{
str << rule->getLabel();
w=rule->getLabel().length();
w = rule->getLabel().length();
}
str << setw(15-w) << setfill(' ') << " ";
@ -4554,7 +4561,7 @@ string PolicyCompiler_ipt::debugPrintRule(Rule *r)
str << setw(18) << setfill(' ') << dst.str();
str << setw(12) << setfill(' ') << srv.c_str();
str << setw(10) << setfill(' ') << time.c_str();
str << setw(8) << setfill(' ') << itf.c_str();
str << setw(8) << setfill(' ') << itf.str();
if (no==0)
{
@ -4575,6 +4582,8 @@ string PolicyCompiler_ipt::debugPrintRule(Rule *r)
str << " pos=" << rule->getPosition();
str << " u=" << rule->getUniqueId();
str << " c=" << printChains(rule);
str << " t=" << rule->getStr("ipt_target");
@ -4677,430 +4686,6 @@ bool PolicyCompiler_ipt::newIptables(const string &version)
XMLTools::version_compare(version, "1.2.6")>0);
}
void PolicyCompiler_ipt::insertConntrackRule()
{
FWOptions* options = fw->getOptionsObject();
string conntrack_iface_name = options->getStr("state_sync_interface");
if (conntrack_iface_name.empty())
{
/* CONNTRACK not active, nothing left to do */
return;
}
string conntrack_group_id = options->getStr("state_sync_group_id");
StateSyncClusterGroup *state_sync_group =
StateSyncClusterGroup::cast(
dbcopy->findInIndex(
FWObjectDatabase::getIntId(conntrack_group_id)));
Resources *os_res = Resources::os_res[fw->getStr("host_OS")];
assert(os_res != NULL);
string default_address =
os_res->getResourceStr("/FWBuilderResources/Target/protocols/conntrack/default_address");
string default_port =
os_res->getResourceStr("/FWBuilderResources/Target/protocols/conntrack/default_port");
bool ucast = state_sync_group->getOptionsObject()->getBool("conntrack_unicast");
string addr = state_sync_group->getOptionsObject()->getStr("conntrack_address");
if (addr.empty()) addr = default_address;
try
{
InetAddr(addr);
} catch (FWException &ex)
{
try
{
InetAddr(AF_INET6, addr);
} catch (FWException &ex)
{
abort(string("Invalid IP address for conntrack: ") + addr);
}
}
string port = state_sync_group->getOptionsObject()->getStr("conntrack_port");
if (port.empty()) port = default_port;
/* Add CONNTRACK-Address to database */
Address *conntrack_dst = Address::cast(dbcopy->create(IPv4::TYPENAME));
conntrack_dst->setName("CONNTRACK-Address");
conntrack_dst->setAddress(InetAddr(addr));
// Why the whole multicast adress range ?
//conntrack_dst->setNetmask(InetAddr("240.0.0.0"));
conntrack_dst->setComment("CONNTRACK Multicast Address");
dbcopy->add(conntrack_dst);
UDPService *conntrack_srv = UDPService::cast(dbcopy->create(UDPService::TYPENAME));
conntrack_srv->setName("CONNTRACK-UDP");
conntrack_srv->setDstRangeStart(atoi(port.c_str()));
conntrack_srv->setDstRangeEnd(atoi(port.c_str()));
conntrack_srv->setComment("CONNTRACK UDP port");
dbcopy->add(conntrack_srv);
/* Find conntrack interface */
Interface* conntrack_iface = Interface::cast(fw->findObjectByName(Interface::TYPENAME, conntrack_iface_name));
if (conntrack_iface == NULL)
{
this->abort(
"Unable to get CONNTRACK interface ("+ conntrack_iface_name +")");
}
/* Add automatic rules for CONNTRACK */
if (ucast)
{
Interface *fw_iface = NULL;
list<Interface*> other_interfaces;
for (FWObjectTypedChildIterator it =
state_sync_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(iface);
if (iface->isChildOf(fw))
{
fw_iface = iface;
} else
{
other_interfaces.push_back(iface);
}
}
foreach(Interface *other_iface, other_interfaces)
{
addMgmtRule(other_iface,
fw,
conntrack_srv,
fw_iface,
PolicyRule::Inbound,
PolicyRule::Accept,
"CONNTRACK");
addMgmtRule(fw,
other_iface,
conntrack_srv,
fw_iface,
PolicyRule::Outbound,
PolicyRule::Accept,
"CONNTRACK");
}
} else
{
addMgmtRule(NULL,
conntrack_dst,
conntrack_srv,
conntrack_iface,
PolicyRule::Inbound,
PolicyRule::Accept,
"CONNTRACK");
addMgmtRule(fw,
conntrack_dst,
conntrack_srv,
conntrack_iface,
PolicyRule::Outbound,
PolicyRule::Accept,
"CONNTRACK");
}
}
void PolicyCompiler_ipt::insertFailoverRule()
{
Resources *os_res = Resources::os_res[fw->getStr("host_OS")];
assert(os_res != NULL);
string default_heartbeat_port =
os_res->getResourceStr(
"/FWBuilderResources/Target/protocols/heartbeat/default_port");
string default_heartbeat_address =
os_res->getResourceStr(
"/FWBuilderResources/Target/protocols/heartbeat/default_address");
string default_openais_port =
os_res->getResourceStr(
"/FWBuilderResources/Target/protocols/openais/default_port");
string default_openais_address =
os_res->getResourceStr(
"/FWBuilderResources/Target/protocols/openais/default_address");
FWObjectTypedChildIterator interfaces = fw->findByType(Interface::TYPENAME);
for (; interfaces != interfaces.end(); ++interfaces)
{
Interface *iface = Interface::cast(*interfaces);
/*
We add copies of cluster interface objects to fw objects
so each interface appears twice, the original interface
of the firewall, plus a copy of the cluster
interface. To deduplicate will use only copies of
cluster interfaces because these include VRRP interfaces.
*/
if (iface->isFailoverInterface() &&
iface->getOptionsObject()->getBool("cluster_interface"))
{
FWObject *failover_group =
iface->getFirstByType(FailoverClusterGroup::TYPENAME);
PolicyRule *rule = NULL;
string fw_iface_id = iface->getOptionsObject()->getStr("base_interface_id");
Interface *fw_iface =
Interface::cast(
dbcopy->findInIndex(FWObjectDatabase::getIntId(fw_iface_id)));
if (fw_iface == NULL)
{
warning(
QString("Can not find interface of the firewall "
"for the cluster failover group %1. "
"Falling back using cluster interface object.")
.arg(failover_group->getName().c_str()).toStdString());
fw_iface = iface;
}
if (failover_group->getStr("type") == "vrrp")
{
/* Add VRRP-Address to database */
Address *vrrp_dst = Address::cast(
dbcopy->create(IPv4::TYPENAME));
vrrp_dst->setName("VRRP-Address");
vrrp_dst->setAddress(InetAddr("224.0.0.18"));
vrrp_dst->setNetmask(InetAddr(InetAddr::getAllOnes()));
vrrp_dst->setComment("VRRP Multicast Address");
dbcopy->add(vrrp_dst);
bool use_ipsec_ah = false;
FWOptions *failover_opts =
FailoverClusterGroup::cast(failover_group)->getOptionsObject();
if (failover_opts)
{
use_ipsec_ah = failover_opts->getBool("vrrp_over_ipsec_ah");
}
/* Add VRRP-Service to database */
IPService* vrrp_srv = IPService::cast(
dbcopy->create(IPService::TYPENAME));
vrrp_srv->setComment("VRRP service");
vrrp_srv->setProtocolNumber(112);
dbcopy->add(vrrp_srv);
/*
* Add AH-Service to database.
* According to RFC 2338 section 5.3.6.3, VRRP can use
* IPsec AH.
*/
IPService* ah_srv = IPService::cast(
dbcopy->create(IPService::TYPENAME));
ah_srv->setComment("IPSEC-AH");
ah_srv->setProtocolNumber(51);
dbcopy->add(ah_srv);
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *other_iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(other_iface);
if (other_iface->getId() == fw_iface->getId()) continue;
// if interface is dynamic, we can't use it in the rule
// (because it belongs to another machine, not the fw
// we compile for so we can't use script). NULL means "any"
// in the call to addMgmtRule()
if (other_iface->isDyn()) other_iface = NULL;
if (!use_ipsec_ah)
{
addMgmtRule(other_iface, vrrp_dst, vrrp_srv, iface,
PolicyRule::Inbound, PolicyRule::Accept,
"VRRP");
} else
{
addMgmtRule(other_iface, vrrp_dst, ah_srv, iface,
PolicyRule::Inbound, PolicyRule::Accept,
"VRRP (with IPSEC-AH)");
}
}
// outbound rule does not use other_interface and
// should be created outside the loop to avoid
// duplicates. Duplicates happen when cluster has 3 or
// more members.
if (!use_ipsec_ah)
{
addMgmtRule(fw, vrrp_dst, vrrp_srv, iface,
PolicyRule::Outbound, PolicyRule::Accept,
"VRRP");
} else
{
addMgmtRule(fw, vrrp_dst, ah_srv, iface,
PolicyRule::Outbound, PolicyRule::Accept,
"VRRP (with IPSEC-AH)");
}
}
if (failover_group->getStr("type") == "heartbeat")
{
/*
* Note that iface is a copy of the cluster inetrface.
* Find interface of the member firewall fw that corresponds
* to the cluster interface iface
*/
bool ucast = FailoverClusterGroup::cast(failover_group)->
getOptionsObject()->getBool("heartbeat_unicast");
string addr = FailoverClusterGroup::cast(failover_group)->
getOptionsObject()->getStr("heartbeat_address");
if (addr.empty()) addr = default_heartbeat_address;
string port = FailoverClusterGroup::cast(failover_group)->
getOptionsObject()->getStr("heartbeat_port");
if (port.empty()) port = default_heartbeat_port;
UDPService *heartbeat_srv = UDPService::cast(
dbcopy->create(UDPService::TYPENAME));
/* Add heartbeat-Address to database */
Address *heartbeat_dst = Address::cast(dbcopy->create(
IPv4::TYPENAME));
heartbeat_dst->setName("HEARTBEAT-Address");
heartbeat_dst->setAddress(InetAddr(addr));
heartbeat_dst->setNetmask(InetAddr(InetAddr::getAllOnes()));
heartbeat_dst->setComment("HEARTBEAT Multicast Address");
dbcopy->add(heartbeat_dst);
heartbeat_srv->setName("HEARTBEAT-UDP");
heartbeat_srv->setDstRangeStart(atoi(port.c_str()));
heartbeat_srv->setDstRangeEnd(atoi(port.c_str()));
heartbeat_srv->setComment("HEARTBEAT UDP port");
dbcopy->add(heartbeat_srv);
// Heartbeat can use either multicast or unicast
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *other_iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(other_iface);
if (other_iface->getId() == fw_iface->getId()) continue;
// if interface is dynamic, we can't use it in the rule
// (because it belongs to another machine, not the fw
// we compile for so we can't use script). NULL means "any"
// in the call to addMgmtRule()
if (other_iface->isDyn()) other_iface = NULL;
if (ucast)
{
addMgmtRule(other_iface, fw, heartbeat_srv, fw_iface,
PolicyRule::Inbound, PolicyRule::Accept,
"heartbeat");
addMgmtRule(fw, other_iface, heartbeat_srv, fw_iface,
PolicyRule::Outbound, PolicyRule::Accept,
"heartbeat");
}
else
{
addMgmtRule(other_iface, heartbeat_dst, heartbeat_srv, fw_iface,
PolicyRule::Inbound, PolicyRule::Accept,
"heartbeat");
addMgmtRule(fw, heartbeat_dst, heartbeat_srv, fw_iface,
PolicyRule::Outbound, PolicyRule::Accept,
"heartbeat");
}
}
}
if (failover_group->getStr("type") == "openais")
{
string addr = FailoverClusterGroup::cast(failover_group)->
getOptionsObject()->getStr("openais_address");
if (addr.empty()) addr = default_openais_address;
string port = FailoverClusterGroup::cast(failover_group)->
getOptionsObject()->getStr("openais_port");
if (port.empty()) port = default_openais_port;
/* Add OPENAIS-Address to database */
Address *openais_dst = Address::cast(dbcopy->create(
IPv4::TYPENAME));
openais_dst->setName("OPENAIS-Address");
openais_dst->setAddress(InetAddr(addr));
openais_dst->setNetmask(InetAddr(InetAddr::getAllOnes()));
openais_dst->setComment("OPENAIS Multicast Address");
dbcopy->add(openais_dst);
UDPService *openais_srv = UDPService::cast(
dbcopy->create(UDPService::TYPENAME));
openais_srv->setName("OPENAIS-UDP");
openais_srv->setDstRangeStart(atoi(port.c_str()));
openais_srv->setDstRangeEnd(atoi(port.c_str()));
openais_srv->setComment("OPENAIS UDP port");
dbcopy->add(openais_srv);
for (FWObjectTypedChildIterator it =
failover_group->findByType(FWObjectReference::TYPENAME);
it != it.end(); ++it)
{
Interface *other_iface =
Interface::cast(FWObjectReference::getObject(*it));
assert(other_iface);
if (other_iface->getId() == fw_iface->getId()) continue;
// if interface is dynamic, we can't use it in the rule
// (because it belongs to another machine, not the fw
// we compile for so we can't use script). NULL means "any"
// in the call to addMgmtRule()
if (other_iface->isDyn()) other_iface = NULL;
addMgmtRule(other_iface, openais_dst, openais_srv, iface,
PolicyRule::Inbound, PolicyRule::Accept,
"openais");
addMgmtRule(fw, openais_dst, openais_srv, iface,
PolicyRule::Outbound, PolicyRule::Accept,
"openais");
}
}
if (rule)
{
FWOptions *ruleopt = rule->getOptionsObject();
assert(ruleopt!=NULL);
ruleopt->setInt("firewall_is_part_of_any_and_networks", 1);
}
}
}
}
/* TODO: Add error-handling (exceptions) */
PolicyRule* PolicyCompiler_ipt::addMgmtRule(Address* src,
Address* dst,
Service* service,
Interface* iface,
const PolicyRule::Direction direction,
const PolicyRule::Action action,
const string label,
const bool related)
{
PolicyRule *rule = PolicyCompiler::addMgmtRule(src, dst, service,
iface, direction, action,
label);
FWOptions *ruleopt = rule->getOptionsObject(); assert(ruleopt!=NULL);
if (related)
{
ruleopt->setBool("stateless", false);
ruleopt->setBool("accept_established", true);
} else
{
ruleopt->setBool("stateless", true);
}
ruleopt->setBool("firewall_is_part_of_any_and_networks", true);
return rule;
}
list<string> PolicyCompiler_ipt::getUsedChains()
{
list<string> res;

13
src/iptlib/PolicyCompiler_ipt.h
View File

@ -101,19 +101,6 @@ protected:
bool isChainDescendantOfOutput(const std::string &chain_name);
bool isChainDescendantOfInput(const std::string &chain_name);
void insertConntrackRule();
void insertFailoverRule();
libfwbuilder::PolicyRule* addMgmtRule(
libfwbuilder::Address* src,
libfwbuilder::Address* dst,
libfwbuilder::Service* service,
libfwbuilder::Interface* iface,
const libfwbuilder::PolicyRule::Direction direction,
const libfwbuilder::PolicyRule::Action action,
const std::string label,
const bool related = false);
std::string getInterfaceVarName(libfwbuilder::FWObject *iface,
bool v6=false);
std::string getAddressTableVarName(libfwbuilder::FWObject *iface);

2
src/iptlib/iptlib.pro
View File

@ -28,6 +28,7 @@ SOURCES = CompilerDriver_ipt.cpp \
RoutingCompiler_ipt.cpp \
RoutingCompiler_ipt_writers.cpp \
combinedAddress.cpp \
AutomaticRules_ipt.cpp \
utils.cpp
HEADERS = ../../config.h \
@ -42,6 +43,7 @@ HEADERS = ../../config.h \
PolicyCompiler_secuwall.h \
RoutingCompiler_ipt.h \
combinedAddress.h \
AutomaticRules_ipt.h \
utils.h
CONFIG += staticlib

6
src/iptlib/utils.cpp
View File

@ -36,12 +36,12 @@ using namespace std;
void build_interface_groups(
FWObjectDatabase *dbcopy, Firewall *fw, bool ipv6,
FWObjectDatabase *dbcopy, Library *persistent_objects, Firewall *fw, bool ipv6,
QMap<QString, libfwbuilder::FWObject*> &regular_interfaces)
{
// object group that will hold all regular inetrfaces
FWObject *all_itf_group = dbcopy->create(ObjectGroup::TYPENAME);
dbcopy->add(all_itf_group);
persistent_objects->add(all_itf_group);
all_itf_group->setName("*");
regular_interfaces["*"] = all_itf_group;
@ -84,7 +84,7 @@ void build_interface_groups(
if (regular_interfaces.count(iname) == 0)
{
FWObject *itf_group = dbcopy->create(ObjectGroup::TYPENAME);
dbcopy->add(itf_group);
persistent_objects->add(itf_group);
itf_group->setName(iname.toStdString());
regular_interfaces[iname] = itf_group;
}

5
src/iptlib/utils.h
View File

@ -23,11 +23,14 @@
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Library.h"
#include <QMap>
#include <QString>
extern void build_interface_groups(
libfwbuilder::FWObjectDatabase *dbcopy, libfwbuilder::Firewall *fw, bool ipv6,
libfwbuilder::FWObjectDatabase *dbcopy,
libfwbuilder::Library *persistent_objects,
libfwbuilder::Firewall *fw, bool ipv6,
QMap<QString, libfwbuilder::FWObject*> &regular_interfaces);

16
src/libfwbuilder/src/fwbuilder/AddressTable.cpp
View File

@ -88,11 +88,21 @@ xmlNodePtr AddressTable::toXML(xmlNodePtr parent) throw(FWException)
return me;
}
/*
* read file specified by the "filename" attribute and interpret lines
* as addresses. Create corresponding address or network objects, add
* them to the object database and add references to them to @this. If
* file does not exist and we run in test mode, create dummy object
* and add it to the database and referece to it, then throw
* exception.
*
* TODO: new objects should be added to some kind of special group in
* the object tree, something with the name "tmp" or similar.
*/
void AddressTable::loadFromSource(bool ipv6, bool test_mode) throw(FWException)
{
ifstream fs(getStr("filename").c_str());
ostringstream exmess;
FWObject *root = getParent();
string buf;
size_type pos;
int line = 1;
@ -160,10 +170,10 @@ void AddressTable::loadFromSource(bool ipv6, bool test_mode) throw(FWException)
if (new_addr)
{
root->add(new_addr);
new_addr->setName(buf);
if (validateChild(new_addr))
{
getRoot()->add(new_addr);
addRef(new_addr);
cntr++;
}
@ -193,10 +203,10 @@ void AddressTable::loadFromSource(bool ipv6, bool test_mode) throw(FWException)
net->setAddressNetmask("192.0.2.0/24");
new_addr = net;
}
root->add(new_addr);
new_addr->setName(buf);
if (validateChild(new_addr))
{
getRoot()->add(new_addr);
addRef(new_addr);
cntr++;
}

12
src/libfwbuilder/src/fwbuilder/DNSName.cpp
View File

@ -108,6 +108,16 @@ xmlNodePtr DNSName::toXML(xmlNodePtr parent) throw(FWException)
}
/*
* take domain name from the "dnsrec" attribute and try to run DNS
* query. If successful, create corresponding IPv4 or IPv6 object, add
* it to the object database and add reference to it to @this. If
* unsuccessful, create dummy object and add it to the database and
* referece to it, then throw exception.
*
* TODO: new object should be added to some kind of special group in
* the object tree, something with the name "tmp" or similar.
*/
void DNSName::loadFromSource(bool ipv6, bool test_mode) throw(FWException)
{
int af_type = (ipv6)?AF_INET6:AF_INET;
@ -122,6 +132,7 @@ void DNSName::loadFromSource(bool ipv6, bool test_mode) throw(FWException)
Address *a = NULL;
if (ipv6) { a = getRoot()->createIPv6(); af = AF_INET6; }
else a = getRoot()->createIPv4();
getRoot()->add(a);
a->setAddress(*i);
a->setNetmask(InetAddr::getAllOnes(af));
addRef(a);
@ -159,6 +170,7 @@ void DNSName::loadFromSource(bool ipv6, bool test_mode) throw(FWException)
a->setAddress("192.0.2.1");
a->setNetmask(InetAddr::getAllOnes(af));
}
getRoot()->add(a);
addRef(a);
a->setBool(".rule_error", true);
a->setStr(".error_msg", err.str());

196
src/libfwbuilder/src/fwbuilder/FWObject.cpp
View File

@ -215,7 +215,7 @@ FWObject::FWObject(const FWObject &c) : list<FWObject*>(c)
FWObject::~FWObject()
{
busy = true; // ignore read-only
destroyChildren();
if (size() > 0) destroyChildren();
data.clear();
private_data.clear();
}
@ -517,21 +517,36 @@ FWObjectDatabase* FWObject::getRoot() const
return dbroot;
}
string FWObject::getPath(bool relative) const
class pathAccumulator : public string
{
string res;
const FWObject *p=this;
bool first=true;
public:
void operator()(const string &s)
{
append("/" + s);
}
};
string FWObject::getPath(bool relative, bool detailed) const
{
list<string> res;
const FWObject *p = this;
if (p == NULL) res.push_front("(0x0)");
while (p!=NULL)
{
if (relative && Library::isA(p)) return res;
if (!first) res="/"+res;
res=p->getName()+res;
p=p->getParent();
first=false;
if (relative && Library::isA(p)) break;
ostringstream s;
s << p->getName();
if (detailed)
{
s << "(" << p << ")";
}
res.push_front(s.str());
p = p->getParent();
}
res="/"+res;
return res;
return std::for_each(res.begin(), res.end(), pathAccumulator());
}
const string& FWObject::getComment() const
@ -748,7 +763,7 @@ void FWObject::_adopt(FWObject *obj)
void FWObject::addAt(int where_id, FWObject *obj)
{
FWObject *p=getRoot()->findInIndex( where_id );
FWObject *p = getRoot()->findInIndex( where_id );
assert (p!=NULL);
p->add(obj);
}
@ -757,6 +772,38 @@ void FWObject::add(FWObject *obj, bool validate)
{
checkReadOnly();
FWObject *old_parent = obj->getParent();
if (old_parent != NULL)
{
cerr << "WARNING: object " << obj << " "
<< "(name: " << obj->getName()
<< " type: " << obj->getTypeName() << ") "
<< "that is a child of " << old_parent << " "
<< "(name: " << old_parent->getName()
<< " type: " << old_parent->getTypeName() << ") "
<< "is being added to the new parent " << this << " "
<< "(name: " << getName()
<< " type: " << getTypeName() << ") "
<< endl;
assert(old_parent == NULL);
}
// do not allow to add the same object twice
if (old_parent == this)
{
cerr << "WARNING: object " << obj << " "
<< "(name: " << obj->getName()
<< " type: " << obj->getTypeName() << ") "
<< "that is a child of " << old_parent << " "
<< "(name: " << old_parent->getName()
<< " type: " << old_parent->getTypeName() << ") "
<< "is being added to the same parent again"
<< endl;
assert(old_parent != this);
}
if (!validate || validateChild(obj))
{
push_back(obj);
@ -765,6 +812,17 @@ void FWObject::add(FWObject *obj, bool validate)
}
}
void FWObject::reparent(FWObject *obj, bool validate)
{
FWObject *old_parent = obj->getParent();
if (old_parent != NULL && old_parent != this)
{
old_parent->remove(obj, false);
add(obj, validate);
obj->fixTree();
}
}
FWReference* FWObject::createRef()
{
// FWObjectReference *ref=new FWObjectReference();
@ -843,7 +901,7 @@ void FWObject::swapObjects(FWObject *o1, FWObject *o2)
void FWObject::remove(FWObject *obj, bool delete_if_last)
{
FWObject::iterator fi=std::find(begin(), end(), obj);
if(fi!=end())
if (fi!=end())
{
checkReadOnly();
@ -851,12 +909,14 @@ void FWObject::remove(FWObject *obj, bool delete_if_last)
setDirty(true);
obj->unref();
if (delete_if_last && obj->ref_counter==0)
if (delete_if_last && obj->ref_counter <= 0)
{
FWObjectDatabase *db = getRoot();
if (db) db->removeFromIndex(obj->getId());
delete obj;
}
obj->parent = NULL;
}
}
@ -948,22 +1008,9 @@ set<FWReference*> FWObject::findAllReferences(const FWObject *obj)
return res;
}
bool FWObject::validateChild(FWObject *obj)
bool FWObject::validateChild(FWObject*)
{
return true;
/*
* Check if object "this" is a descendant of object "obj" to avoid loops
*
* check disabled for now since we need to be able to add firewall to its
* own policy
*/
FWObject *p;
p=this;
do {
if (p==obj) return false;
} while ((p=p->getParent())!=NULL);
return true;
}
/*
@ -972,14 +1019,41 @@ bool FWObject::validateChild(FWObject *obj)
*/
void FWObject::destroyChildren()
{
#ifdef DEBUG_DESTROY_CHILDREN
cerr << "destroyChildren() " << this
<< " name=" << name
<< " type=" << getTypeName()
<< " parent=" << getParent()
<< " path=" << getPath()
<< endl;
#endif
FWObjectDatabase *dbr = getRoot();
while (size() > 0)
{
FWObject *o = front();
#ifdef DEBUG_DESTROY_CHILDREN
cerr << " " << this
<< " size=" << size()
<< " o=" << o
<< " o->size=" << o->size()
<< endl;
#endif
if (o)
{
if (o->size()) o->destroyChildren();
if (dbr && !dbr->busy) dbr->removeFromIndex( o->getId() );
#ifdef DEBUG_DESTROY_CHILDREN
cerr << " " << this
<< " delete " << o
<< " " << o->name
<< " " << o->getTypeName()
<< endl;
#endif
delete o;
}
pop_front();
@ -990,23 +1064,65 @@ void FWObject::destroyChildren()
/*
* Walks the tree, looking for objects that are referenced by two parents
*/
void FWObject::findDuplicateLinksInTree()
bool FWObject::verifyTree()
{
bool res = false;
for(list<FWObject*>::iterator m=begin(); m!=end(); ++m)
{
FWObject *o = *m;
if (o->getParent() != this)
FWObject *o_parent = o->getParent();
if (o_parent != this)
{
cerr << "Object '" << o->getName() << "' (" << o->getTypeName() << ") "
<< " has two parents in the tree: "
<< o->getParent()->getRoot() << "::"
<< o->getParent()->getPath(true)
<< " and "
<< getRoot() << "::"
<< getPath(true)
<< endl;
if (o_parent != NULL)
{
cerr << "WARNING: Object " << o << " (name: '" << o->getName()
<< "' type: " << o->getTypeName() << ")"
<< " has two parents in the tree:" << endl;
cerr << " " << o_parent->getPath(false, true) << endl;
cerr << " " << getPath(false, true) << endl;
bool o_parent_real = false;
for (FWObject::iterator k=o_parent->begin(); k!=o_parent->end(); ++k)
{
FWObject *o1 = *k;
if (o1 == o) { o_parent_real = true; break; }
}
if ( ! o_parent_real)
{
cerr << "WARNING: Parent " << o_parent_real
<< " does not have child "
<< o << endl;
}
} else
{
cerr << "WARNING: Object " << o << " (name: '" << o->getName()
<< "' type: " << o->getTypeName() << ")"
<< " was not correctly added to its parent "
<< "(getParent()==NULL):" << endl;
cerr << " " << getPath(false, true) << endl;
}
o->dump(true, false); // recursive, not brief
res = true;
}
o->findDuplicateLinksInTree();
res |= o->verifyTree();
}
return res;
}
void FWObject::fixTree()
{
getRoot()->addToIndex(this);
for(list<FWObject*>::iterator m=begin(); m!=end(); ++m)
{
FWObject *o = *m;
if (o->getRoot() != getRoot()) o->setRoot(getRoot());
if (o->getParent() != this) o->setParent(this);
getRoot()->addToIndex(o);
o->fixTree();
}
}

21
src/libfwbuilder/src/fwbuilder/FWObject.h
View File

@ -354,13 +354,18 @@ public:
* is true, the path is built relative to the library 'this' is
* a part of (name of the library is not included).
*/
std::string getPath(bool relative=false) const;
std::string getPath(bool relative=false, bool detailed=false) const;
void addAt(int where_id, FWObject *obj);
virtual void add(FWObject *obj,bool validate=true);
virtual void insert_before(FWObject *o1,FWObject *obj);
virtual void insert_after(FWObject *o1,FWObject *obj);
/**
* call add(), but first remove() object from its old parent
*/
virtual void reparent(FWObject *obj,bool validate=true);
/**
* In direct children of 'this' swaps all references
* to o1 with o2 and vice versa.
@ -432,8 +437,20 @@ public:
/**
* Walks the tree, looking for objects that are referenced by two parents
* or those with this->parent == NULL. Prints report to stderr and
* returns true if such objects have been found.
*/
void findDuplicateLinksInTree();
bool verifyTree();
/**
* sometimes we need to move object subtree from one object
* database to another. For example, this can be a useful
* mechanism to maintain persistent objects between compiler
* passes. However when the object and its children are added to
* the new tree, "parent" and "root" pointers in obejcts still
* point to the old object tree and need to be fixed.
*/
void fixTree();
int getChildrenCount() const;

2
src/libfwbuilder/src/fwbuilder/FWObjectDatabase.cpp
View File

@ -165,7 +165,7 @@ FWObjectDatabase::FWObjectDatabase(FWObjectDatabase& d) :
FWObjectDatabase::~FWObjectDatabase()
{
busy = true;
//findDuplicateLinksInTree(); // debugging
//verifyTree(); // debugging
destroyChildren();
}

38
src/libfwbuilder/src/fwbuilder/Firewall.cpp
View File

@ -29,29 +29,24 @@
#include <fwbuilder/libfwbuilder-config.h>
#include <fwbuilder/Firewall.h>
#include <fwbuilder/FWObjectDatabase.h>
#include <fwbuilder/FWObjectReference.h>
#include <fwbuilder/FWOptions.h>
#include <fwbuilder/Interface.h>
#include <fwbuilder/StateSyncClusterGroup.h>
#include <fwbuilder/FailoverClusterGroup.h>
#include <fwbuilder/Management.h>
#include <fwbuilder/Firewall.h>
#include <fwbuilder/IPv4.h>
#include <fwbuilder/IPv6.h>
#include <fwbuilder/Policy.h>
#include <fwbuilder/Interface.h>
#include <fwbuilder/Management.h>
#include <fwbuilder/NAT.h>
#include <fwbuilder/Policy.h>
#include <fwbuilder/Routing.h>
#include <iostream>
#include <fwbuilder/RuleElement.h>
#include <fwbuilder/StateSyncClusterGroup.h>
#include <fwbuilder/XMLTools.h>
#include <iostream>
#include <algorithm>
using namespace std;
using namespace libfwbuilder;
@ -310,8 +305,6 @@ FWObject& Firewall::duplicate(const FWObject *obj,
{
string err="Error creating object with type: ";
map<int, int> id_mapping;
checkReadOnly();
bool xro = obj->getRO();
@ -322,29 +315,31 @@ FWObject& Firewall::duplicate(const FWObject *obj,
destroyChildren();
duplicateInterfaces(this, obj, id_mapping, preserve_id);
id_mapping_for_duplicate.clear();
duplicateInterfaces(this, obj, id_mapping_for_duplicate, preserve_id);
for (FWObjectTypedChildIterator it = obj->findByType(Policy::TYPENAME);
it != it.end(); ++it)
{
FWObject *new_ruleset = addCopyOf(*it, preserve_id);
id_mapping[(*it)->getId()] = new_ruleset->getId();
id_mapping_for_duplicate[(*it)->getId()] = new_ruleset->getId();
}
for (FWObjectTypedChildIterator it = obj->findByType(NAT::TYPENAME);
it != it.end(); ++it)
{
FWObject *new_ruleset = addCopyOf(*it, preserve_id);
id_mapping[(*it)->getId()] = new_ruleset->getId();
id_mapping_for_duplicate[(*it)->getId()] = new_ruleset->getId();
}
for (FWObjectTypedChildIterator it = obj->findByType(Routing::TYPENAME);
it != it.end(); ++it)
{
FWObject *new_ruleset = addCopyOf(*it, preserve_id);
id_mapping[(*it)->getId()] = new_ruleset->getId();
id_mapping_for_duplicate[(*it)->getId()] = new_ruleset->getId();
}
// replace references to old fw (obj) with references to this fw
id_mapping[obj->getId()] = getId();
id_mapping_for_duplicate[obj->getId()] = getId();
FWObject *o=obj->getFirstByType( Management::TYPENAME );
addCopyOf(o,preserve_id);
@ -354,7 +349,7 @@ FWObject& Firewall::duplicate(const FWObject *obj,
// replace references to old objects in rules
map<int, int>::iterator it;
for (it=id_mapping.begin(); it!=id_mapping.end(); ++it)
for (it=id_mapping_for_duplicate.begin(); it!=id_mapping_for_duplicate.end(); ++it)
{
int old_id = it->first;
int new_id = it->second;
@ -459,3 +454,8 @@ list<Interface*> Firewall::getInterfacesByType(const string &iface_type)
return res;
}
void Firewall::assignUniqueRuleIds()
{
std::for_each(begin(), end(), RuleSet::UniqueRuleIdsSetter());
}

24
src/libfwbuilder/src/fwbuilder/Firewall.h
View File

@ -31,6 +31,8 @@
#include <time.h> // for time_t
#include <list>
#include <map>
namespace libfwbuilder
{
@ -42,7 +44,8 @@ namespace libfwbuilder
class Firewall : public Host
{
std::map<int, int> id_mapping_for_duplicate;
void duplicateInterfaces(FWObject *target,
const FWObject *source,
std::map<int,int> &id_mapping,
@ -70,7 +73,7 @@ public:
/**
* verify whether given object type is approppriate as a child
*/
virtual bool validateChild(FWObject *o);
virtual bool validateChild(FWObject *o);
virtual FWOptions* getOptionsObject();
@ -91,10 +94,27 @@ public:
*/
virtual FWObject& duplicateForUndo(const FWObject *obj) throw(FWException);
/*
* Return id mapping table created during latest run of duplicate()
*/
const std::map<int, int>& getIDMappingTable()
{
return id_mapping_for_duplicate;
}
Policy *getPolicy();
NAT *getNAT();
Routing *getRouting();
/**
* scan all rules of all rule sets and call setUniqueId() to set
* unique string id for each rule. These IDs will be carried
* through calls to duplicate() when firewall object and its rule
* sets are cloned. These IDs are used by compilers to generate
* stable labels for chains and such.
*/
void assignUniqueRuleIds();
/**
* Return list of interfaces of given type. This walks all interfaces recursively,
* including subinterfaces.

1
src/libfwbuilder/src/fwbuilder/Rule.cpp
View File

@ -90,7 +90,6 @@ FWObject& Rule::shallowDuplicate(const FWObject *x,
unique_id = rx->unique_id;
abs_rule_number = rx->abs_rule_number;
compiler_message = rx->compiler_message;
return FWObject::shallowDuplicate(x,preserve_id);
}

27
src/libfwbuilder/src/fwbuilder/RuleSet.cpp
View File

@ -170,10 +170,10 @@ Rule* RuleSet::insertRuleAtTop(bool hidden_rule)
Rule* RuleSet::insertRuleBefore(int rule_n)
{
Rule *old_rule=getRuleByNum(rule_n);
Rule *r=createRule();
Rule *old_rule = getRuleByNum(rule_n);
Rule *r = createRule();
if (old_rule==NULL) add(r);
else insert_before(old_rule,r);
else insert_before(old_rule, r);
renumberRules();
return(r);
}
@ -182,8 +182,14 @@ Rule* RuleSet::appendRuleAtBottom(bool hidden_rule)
{
Rule *r = createRule();
r->setHidden(hidden_rule);
int last_rule_position = Rule::cast(back())->getPosition();
if (hidden_rule) r->setPosition(last_rule_position + 1000);
int last_rule_position;
Rule *last_rule = Rule::cast(back());
if (last_rule != NULL)
{
last_rule_position = last_rule->getPosition() + 1000;
} else
last_rule_position = 1000;
if (hidden_rule) r->setPosition(last_rule_position);
add(r); // FWObject::add adds to the end of the list
renumberRules();
return(r);
@ -364,4 +370,15 @@ int RuleSet::getRuleSetSize()
return getChildrenCount() - 1;
}
void RuleSet::assignUniqueRuleIds()
{
for (FWObject::iterator it=begin(); it!=end(); ++it)
{
Rule *r = Rule::cast(*it);
if (r != NULL)
r->setUniqueId(FWObjectDatabase::getStringId((*it)->getId()) );
}
}

21
src/libfwbuilder/src/fwbuilder/RuleSet.h
View File

@ -114,12 +114,31 @@ class RuleSet : public FWObject
int getRuleSetSize();
virtual Rule* createRule() =0;
virtual Rule* createRule() = 0;
virtual bool isPrimaryObject() const { return false; }
void renumberRules();
/**
* scan all rules of all rule sets and call setUniqueId() to set
* unique string id for each rule. These IDs will be carried
* through calls to duplicate() when firewall object and its rule
* sets are cloned. These IDs are used by compilers to generate
* stable labels for chains and such.
*/
void assignUniqueRuleIds();
struct UniqueRuleIdsSetter
{
void operator()(FWObject *o)
{
RuleSet *rs = RuleSet::cast(o);
if (rs != NULL) rs->assignUniqueRuleIds();
}
};
}; //__RULESET_HH_FLAG__
}

150
src/libfwbuilder/src/fwcompiler/Compiler.cpp
View File

@ -29,33 +29,34 @@
#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/FWServiceReference.h"
#include "fwbuilder/FWObjectReference.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/NetworkIPv6.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/ICMP6Service.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleSet.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWObjectReference.h"
#include "fwbuilder/FWServiceReference.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Group.h"
#include "fwbuilder/ICMP6Service.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/MultiAddress.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/NetworkIPv6.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/RuleSet.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Group.h"
#include <iostream>
#include <iomanip>
@ -70,8 +71,6 @@ using namespace fwcompiler;
using namespace std;
Compiler::~Compiler() {}
int Compiler::prolog()
{
temp = new Group();
@ -141,7 +140,6 @@ void Compiler::_init(FWObjectDatabase *_db, Firewall *_fw)
_cntr_ = 1;
temp_ruleset = NULL;
combined_ruleset = NULL;
debug = 0;
debug_rule = -1;
@ -151,15 +149,28 @@ void Compiler::_init(FWObjectDatabase *_db, Firewall *_fw)
single_rule_ruleset_name = "";
single_rule_position = -1;
fw_id = _fw->getId();
fwopt = _fw->getOptionsObject();
dbcopy = NULL;
persistent_objects = NULL;
fw = NULL;
fwopt = NULL;
fw_id = -1;
assert(_fw->getRoot() == _db);
if (_db != NULL && _fw != NULL)
{
assert(_fw->getRoot() == _db);
string fw_str_id = FWObjectDatabase::getStringId(_fw->getId());
dbcopy = new FWObjectDatabase(*_db); // copies entire tree
fw = Firewall::cast(dbcopy->findInIndex(FWObjectDatabase::getIntId(fw_str_id)));
dbcopy = _db;
fw = _fw;
fwopt = fw->getOptionsObject();
fw_id = fw->getId();
// string fw_str_id = FWObjectDatabase::getStringId(_fw->getId());
// dbcopy = new FWObjectDatabase(*_db); // copies entire tree
// fw = Firewall::cast(
// dbcopy->findInIndex(FWObjectDatabase::getIntId(fw_str_id)));
// fwopt = fw->getOptionsObject();
// fw_id = fw->getId();
}
}
Compiler::Compiler(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy)
@ -169,6 +180,7 @@ Compiler::Compiler(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy)
osconfigurator = NULL;
countIPv6Rules = 0;
ipv6 = ipv6_policy;
persistent_objects = NULL;
_init(_db, fw);
}
@ -180,6 +192,7 @@ Compiler::Compiler(FWObjectDatabase *_db, Firewall *fw, bool ipv6_policy,
osconfigurator = _oscnf;
countIPv6Rules = 0;
ipv6 = ipv6_policy;
persistent_objects = NULL;
_init(_db, fw);
}
@ -193,9 +206,9 @@ Compiler::Compiler(FWObjectDatabase*, bool ipv6_policy)
ipv6 = ipv6_policy;
initialized = false;
_cntr_ = 1;
persistent_objects = NULL;
fw = NULL;
temp_ruleset = NULL;
combined_ruleset = NULL;
debug = 0;
debug_rule = -1;
rule_debug_on = false;
@ -203,6 +216,41 @@ Compiler::Compiler(FWObjectDatabase*, bool ipv6_policy)
single_rule_mode = false;
}
Compiler::~Compiler()
{
#ifdef DBCOPY_IS_TRUE_COPY
if (dbcopy)
{
if (dbcopy->verifyTree())
{
cerr << "source_ruleset=" << source_ruleset << endl;
cerr << "temp_ruleset=" << temp_ruleset << endl;
// dbcopy->dump(true, true);
}
if (persistent_objects != NULL)
dbcopy->remove(persistent_objects, false);
delete dbcopy;
}
#endif
dbcopy = NULL;
}
void Compiler::setPersistentObjects(Library* po)
{
persistent_objects = po;
dbcopy->reparent(persistent_objects);
persistent_objects->fixTree();
}
void Compiler::setSourceRuleSet(RuleSet *rs)
{
FWObject *copy_rs = dbcopy->findInIndex(rs->getId());
source_ruleset = RuleSet::cast(copy_rs);
}
void Compiler::setSingleRuleCompileMode(const string &rule_id)
{
if (!rule_id.empty())
@ -241,8 +289,6 @@ string Compiler::getUniqueRuleLabel()
void Compiler::compile()
{
assert(fw);
assert(combined_ruleset);
}
void Compiler::_expand_group_recursive(FWObject *o, list<FWObject*> &ol)
@ -261,6 +307,7 @@ void Compiler::_expand_group_recursive(FWObject *o, list<FWObject*> &ol)
* run-time address tables
*/
MultiAddress *adt = MultiAddress::cast(o);
if ((Group::cast(o)!=NULL && adt==NULL) ||
(adt!=NULL && adt->isCompileTime()))
{
@ -568,7 +615,7 @@ void Compiler::_expandAddressRanges(Rule *rule, FWObject *re)
h->setName(string("%n-")+(*i).toString()+string("%") );
h->setNetmask(*(i->getNetmaskPtr()));
h->setAddress(*(i->getAddressPtr()));
dbcopy->add(h,false);
persistent_objects->add(h, false);
cl.push_back(h);
}
}
@ -592,10 +639,11 @@ void Compiler::normalizePortRange(int &rs,int &re)
void Compiler::debugRule()
{
for (FWObject::iterator i=combined_ruleset->begin();
i!=combined_ruleset->end(); i++)
for (FWObject::iterator i=source_ruleset->begin();
i!=source_ruleset->end(); i++)
{
Rule *rule = Rule::cast( *i );
if (rule == NULL) continue;
if (rule_debug_on && rule->getPosition()==debug_rule )
{
info(debugPrintRule(rule));
@ -667,19 +715,20 @@ bool Compiler::Begin::processNext()
assert(compiler!=NULL);
if (!init)
{
for (FWObject::iterator i=compiler->combined_ruleset->begin();
i!=compiler->combined_ruleset->end(); ++i)
for (FWObject::iterator i=compiler->source_ruleset->begin();
i!=compiler->source_ruleset->end(); ++i)
{
Rule *rule = Rule::cast(*i);
if (rule == NULL) continue;
if (rule->isDisabled()) continue;
Rule *r = Rule::cast(compiler->dbcopy->create(rule->getTypeName()));
compiler->temp_ruleset->add(r);
r->duplicate(rule);
tmp_queue.push_back( r );
}
init=true;
if (!name.empty())
compiler->info(string(" ") + name);
init = true;
if (!name.empty()) compiler->info(string(" ") + name);
return true;
}
@ -959,28 +1008,31 @@ bool Compiler::eliminateDuplicatesInRE::processNext()
{
Rule *rule=prev_processor->getNextRule(); if (rule==NULL) return false;
if (comparator==NULL) comparator=new equalObj();
if (comparator==NULL) comparator = new equalObj();
RuleElement *re=RuleElement::cast(rule->getFirstByType(re_type));
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
vector<FWObject*> cl;
list<FWObject*> cl;
for(list<FWObject*>::iterator i=re->begin(); i!=re->end(); ++i)
{
FWObject *obj = FWReference::getObject(*i);
if (obj == NULL) continue;
comparator->set(obj);
bool found=false;
for (vector<FWObject*>::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
bool found = false;
for (list<FWObject*>::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
{
if ( (*comparator)( (*i1) ) ) { found=true; break; }
FWObject *o2 = *i1;
if ( (*comparator)(o2) ) { found=true; break; }
}
if (!found) cl.push_back(obj);
}
if (!cl.empty())
{
re->clearChildren();
for (vector<FWObject*>::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
for (list<FWObject*>::iterator i1=cl.begin(); i1!=cl.end(); ++i1)
re->addRef( (*i1) );
}
@ -1191,7 +1243,7 @@ bool Compiler::swapMultiAddressObjectsInRE::processNext()
mart->setId( mart_id );
compiler->dbcopy->addToIndex(mart);
compiler->dbcopy->add(mart);
compiler->persistent_objects->add(mart);
}
re->removeRef(ma);
re->addRef(mart);

11
src/libfwbuilder/src/fwcompiler/Compiler.h
View File

@ -213,7 +213,7 @@ protected:
int fw_id;
libfwbuilder::FWOptions *fwopt;
public:
public:
int debug;
int debug_rule;
@ -226,12 +226,12 @@ protected:
fwcompiler::OSConfigurator *osconfigurator;
libfwbuilder::FWObjectDatabase *dbcopy;
libfwbuilder::Library *persistent_objects;
libfwbuilder::Firewall *fw;
std::string ruleSetName;;
libfwbuilder::RuleSet *source_ruleset;
libfwbuilder::RuleSet *combined_ruleset;
libfwbuilder::RuleSet *temp_ruleset;
libfwbuilder::Group *temp;
@ -927,11 +927,13 @@ protected:
void setSingleRuleCompileMode(const std::string &rule_id);
bool inSingleRuleCompileMode() { return single_rule_mode; }
void setSourceRuleSet(libfwbuilder::RuleSet *rs) { source_ruleset = rs; }
void setSourceRuleSet(libfwbuilder::RuleSet *rs);
libfwbuilder::RuleSet* getSourceRuleSet() { return source_ruleset; }
void setRuleSetName(const std::string &name) { ruleSetName = name; }
std::string getRuleSetName() { return ruleSetName; }
void setPersistentObjects(libfwbuilder::Library* po);
std::string getCompiledScript();
int getCompiledScriptLength();
@ -955,8 +957,7 @@ protected:
bool suppress_comment=false);
/**
* prolog should pack rules into combined_ruleset and return
* number of rules found
* prolog return number of rules found
*/
virtual int prolog();
virtual void compile();

48
src/libfwbuilder/src/fwcompiler/NATCompiler.cpp
View File

@ -56,44 +56,24 @@ int NATCompiler::prolog()
NAT *nat = NAT::cast(fw->getFirstByType(NAT::TYPENAME));
assert(nat);
combined_ruleset = new NAT();
fw->add( combined_ruleset );
if (source_ruleset == NULL) source_ruleset = nat;
source_ruleset->renumberRules();
temp_ruleset = new NAT(); // working copy of the policy
fw->add( temp_ruleset );
temp_ruleset->setName(source_ruleset->getName());
/*
* build combined policy by collapsing all the rules together.
* store ID of the interface in each rule of interface policy.
*
* also calculate global numbers for all rules and store them, too.
* These are used to detect rule shadowing.
*/
int global_num=0;
// list<FWObject*> l3=nat->getByType(NATRule::TYPENAME);
// for (list<FWObject*>::iterator j=l3.begin(); j!=l3.end(); ++j) {
RuleSet *ruleset = source_ruleset;
if (ruleset == NULL)
{
source_ruleset = RuleSet::cast(nat);
ruleset = nat;
}
ruleset->renumberRules();
combined_ruleset->setName(ruleset->getName());
temp_ruleset->setName(ruleset->getName());
int global_num = 0;
string label_prefix = "";
if (ruleset->getName() != "NAT") label_prefix = ruleset->getName();
if (source_ruleset->getName() != "NAT") label_prefix = source_ruleset->getName();
for (FWObject::iterator i=ruleset->begin(); i!=ruleset->end(); i++)
int rule_counter = 0;
for (FWObject::iterator i=source_ruleset->begin(); i!=source_ruleset->end(); i++)
{
Rule *r= Rule::cast(*i);
Rule *r = Rule::cast(*i);
if (r == NULL) continue; // skip RuleSetOptions object
/*
@ -108,16 +88,16 @@ int NATCompiler::prolog()
//if (r->isDisabled()) continue;
//r->setInterfaceId(-1);
if (r->getLabel().empty())
r->setLabel( createRuleLabel(label_prefix, "NAT", r->getPosition()) );
r->setLabel( createRuleLabel(label_prefix, "NAT", r->getPosition()) );
r->setAbsRuleNumber(global_num); global_num++;
r->setUniqueId( FWObjectDatabase::getStringId(r->getId()) );
combined_ruleset->add( r );
rule_counter++;
}
initialized=true;
initialized = true;
return combined_ruleset->size();
return rule_counter;
}

88
src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp
View File

@ -70,29 +70,22 @@ int PolicyCompiler::prolog()
Policy *policy = Policy::cast(fw->getFirstByType(Policy::TYPENAME));
assert(policy);
combined_ruleset = new Policy(); // combined ruleset (all interface policies and global policy)
fw->add( combined_ruleset );
if (source_ruleset == NULL) source_ruleset = policy;
source_ruleset->renumberRules();
temp_ruleset = new Policy(); // working copy of the policy
fw->add( temp_ruleset );
int global_num=0;
temp_ruleset->setName(source_ruleset->getName());
RuleSet *ruleset = source_ruleset;
if (ruleset == NULL)
{
source_ruleset = RuleSet::cast(policy);
ruleset = policy;
}
ruleset->renumberRules();
combined_ruleset->setName(ruleset->getName());
temp_ruleset->setName(ruleset->getName());
int global_num = 0;
string label_prefix = "";
if (ruleset->getName() != "Policy") label_prefix = ruleset->getName();
if (source_ruleset->getName() != "Policy") label_prefix = source_ruleset->getName();
for (FWObject::iterator i=ruleset->begin(); i!=ruleset->end(); i++)
int rule_counter = 0;
for (FWObject::iterator i=source_ruleset->begin(); i!=source_ruleset->end(); i++)
{
PolicyRule *r = PolicyRule::cast(*i);
if (r == NULL) continue; // skip RuleSetOptions object
@ -108,33 +101,37 @@ int PolicyCompiler::prolog()
*/
//if (r->isDisabled()) continue;
RuleElementItf *itfre = r->getItf();
assert(itfre);
if (r->getLabel().empty())
{
RuleElementItf *itfre = r->getItf();
assert(itfre);
if (itfre->isAny())
{
r->setLabel( createRuleLabel(label_prefix,
"global", r->getPosition()) );
} else
{
string interfaces = "";
for (FWObject::iterator i=itfre->begin(); i!=itfre->end(); ++i)
if (itfre->isAny())
{
FWObject *o = FWReference::getObject(*i);
if (interfaces!="") interfaces += ",";
interfaces += o->getName();
r->setLabel( createRuleLabel(label_prefix,
"global", r->getPosition()) );
} else
{
string interfaces = "";
for (FWObject::iterator i=itfre->begin(); i!=itfre->end(); ++i)
{
FWObject *o = FWReference::getObject(*i);
if (interfaces!="") interfaces += ",";
interfaces += o->getName();
}
r->setLabel( createRuleLabel(label_prefix,
interfaces, r->getPosition()) );
}
r->setLabel( createRuleLabel(label_prefix,
interfaces, r->getPosition()) );
}
r->setAbsRuleNumber(global_num); global_num++;
r->setUniqueId( FWObjectDatabase::getStringId(r->getId()) );
combined_ruleset->add( r );
r->setAbsRuleNumber(global_num);
global_num++;
rule_counter++;
}
initialized=true;
initialized = true;
return combined_ruleset->size();
return rule_counter;
}
@ -1138,16 +1135,19 @@ string PolicyCompiler::debugPrintRule(Rule *r)
srv_id = o->getId();
}
if (i4!=itfrel->end()) {
FWObject *o=*i4;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
itf+=o->getName();
if (i4!=itfrel->end())
{
ostringstream str;
FWObject *o = FWReference::getObject(*i4);
str << o->getName() << "(" << o->getId() << ")";
itf += str.str();
}
int w=0;
if (no==0) {
int w = 0;
if (no==0)
{
str << rule->getLabel();
w=rule->getLabel().length();
w = rule->getLabel().length();
}
str << setw(10-w) << setfill(' ') << " ";
@ -1183,7 +1183,7 @@ PolicyRule* PolicyCompiler::addMgmtRule(Address* src,
const PolicyRule::Action action,
const string &label)
{
assert(combined_ruleset != NULL);
assert(source_ruleset != NULL);
/* Insert PolicyRules at top so they do not get shadowed by other
* rules. Call insertRuleAtTop() with hidden_rule argument true to
@ -1192,7 +1192,7 @@ PolicyRule* PolicyCompiler::addMgmtRule(Address* src,
* rules are not considered for shadowing.
*/
PolicyRule* rule = PolicyRule::cast(combined_ruleset->insertRuleAtTop(true));
PolicyRule* rule = PolicyRule::cast(source_ruleset->insertRuleAtTop(true));
assert(rule != NULL);
ostringstream str;

4
src/libfwbuilder/src/fwcompiler/PolicyCompiler.h
View File

@ -50,10 +50,10 @@ namespace fwcompiler {
protected:
/**
* this method scans combined_ruleset looking for atomic rule
* this method scans source_ruleset looking for atomic rule
* which yields non-empty intersection with atomic rule r.
*
* it can start scan either from the beginning of combined_ruleset,
* it can start scan either from the beginning of source_ruleset,
* or from iterator 'start_here'
*
* it returns iterator pointing at rule it has found (so we

16
src/libfwbuilder/src/fwcompiler/Preprocessor.cpp
View File

@ -45,17 +45,27 @@ using namespace std;
static int infinite_recursion_breaker = 0;
string Preprocessor::myPlatformName() { return "generic_preprocessor"; }
Preprocessor::~Preprocessor() {}
Preprocessor::~Preprocessor()
{
dbcopy = NULL;
}
Preprocessor::Preprocessor(FWObjectDatabase *_db,
Firewall *fw, bool ipv6_policy) :
Compiler(_db, fw, ipv6_policy)
Firewall *_fw, bool ipv6_policy) :
Compiler(NULL, _fw, ipv6_policy)
{
// This is the main difference between Preprocessor and other
// compilers. All compilers create a copy of the whole database
// and work with it, but Preprocessor works with the original
// database. Therefore it copies only pointer here.
dbcopy = _db;
fw_id = _fw->getId();
fwopt = _fw->getOptionsObject();
string fw_str_id = FWObjectDatabase::getStringId(_fw->getId());
fw = Firewall::cast(
dbcopy->findInIndex(FWObjectDatabase::getIntId(fw_str_id)));
}
void Preprocessor::convertObject(FWObject *obj)

88
src/libfwbuilder/src/fwcompiler/RoutingCompiler.cpp
View File

@ -72,48 +72,34 @@ int RoutingCompiler::prolog()
Routing *routing = Routing::cast(fw->getFirstByType(Routing::TYPENAME));
assert(routing);
combined_ruleset = new Routing(); // combined ruleset
fw->add( combined_ruleset );
if (source_ruleset == NULL) source_ruleset = routing;
source_ruleset->renumberRules();
temp_ruleset = new Routing(); // working copy of the routing
fw->add( temp_ruleset );
combined_ruleset->setName(routing->getName());
temp_ruleset->setName(routing->getName());
temp_ruleset->setName(source_ruleset->getName());
routing->renumberRules();
list<FWObject*> l = routing->getByType(RoutingRule::TYPENAME);
for (list<FWObject*>::iterator j=l.begin(); j!=l.end(); ++j)
int rule_counter = 0;
for (FWObject::iterator i=source_ruleset->begin(); i!=source_ruleset->end(); i++)
{
Rule *r= Rule::cast(*j);
Rule *r = Rule::cast(*i);
if (r == NULL) continue; // skip RuleSetOptions object
/*
* do not remove disabled rules just yet because some
* compilers might use RuleSet::insertRuleAtTop() and other
* similar methods from prolog() or
* addPredefinedPolicyRules()() and these methods renumber
* rules (labels stop matching rule positions when this is
* done because labels are configured in prolog() method of
* the base class. See fwbuilder ticket 1173)
*/
// if (r->isDisabled()) continue;
if (r->getLabel().empty())
r->setLabel( createRuleLabel("", "main", r->getPosition()) );
// r->setInterfaceId(-1);
r->setLabel( createRuleLabel("", "main", r->getPosition()) );
combined_ruleset->add( r );
rule_counter++;
}
initialized=true;
initialized = true;
return combined_ruleset->size();
return rule_counter;
}
bool RoutingCompiler::cmpRules(const RoutingRule &r1,
const RoutingRule &r2)
bool RoutingCompiler::cmpRules(const RoutingRule &r1, const RoutingRule &r2)
{
if (r1.getRDst()!=r2.getRDst()) return false;
if (r1.getRGtw()!=r2.getRGtw()) return false;
@ -125,11 +111,11 @@ bool RoutingCompiler::cmpRules(const RoutingRule &r1,
string RoutingCompiler::debugPrintRule(Rule *r)
{
RoutingRule *rule=RoutingRule::cast(r);
RoutingRule *rule = RoutingRule::cast(r);
RuleElementRDst *dstrel=rule->getRDst();
RuleElementRItf *itfrel=rule->getRItf();
RuleElementRGtw *gtwrel=rule->getRGtw();
RuleElementRDst *dstrel = rule->getRDst();
RuleElementRItf *itfrel = rule->getRItf();
RuleElementRGtw *gtwrel = rule->getRGtw();
ostringstream str;
@ -138,27 +124,27 @@ string RoutingCompiler::debugPrintRule(Rule *r)
string dst, itf, gtw;
FWObject *obj = FWReference::getObject(itfrel->front());
itf = obj->getName();
itf = (obj) ? obj->getName() : "NULL";
obj = FWReference::getObject(gtwrel->front());
gtw = obj->getName();
gtw = (obj) ? obj->getName() : "NULL";
int no=0;
FWObject::iterator i1=dstrel->begin();
int no = 0;
FWObject::iterator i1 = dstrel->begin();
while ( i1!=dstrel->end())
{
str << endl;
dst = " ";
if (i1!=dstrel->end())
if (i1 != dstrel->end())
{
FWObject *o = FWReference::getObject(*i1);
dst = o->getName();
dst = (o) ? o->getName() : "NULL";
}
int w=0;
int w = 0;
if (no==0)
{
str << rule->getLabel();
@ -174,7 +160,7 @@ string RoutingCompiler::debugPrintRule(Rule *r)
++no;
if ( i1!=dstrel->end() ) ++i1;
if ( i1 != dstrel->end() ) ++i1;
}
return str.str();
}
@ -199,21 +185,15 @@ bool RoutingCompiler::ConvertToAtomicForDST::processNext()
//RuleElementSrc *src=rule->getSrc(); assert(src);
RuleElementRDst *dst=rule->getRDst(); assert(dst);
for (FWObject::iterator it=dst->begin(); it!=dst->end(); ++it)
{
RoutingRule *r = compiler->dbcopy->createRoutingRule();
r->duplicate(rule);
compiler->temp_ruleset->add(r);
FWObject *s;
//s=r->getSrc(); assert(s);
//s->clearChildren();
//s->add( *i1 );
s=r->getRDst(); assert(s);
FWObject *s = r->getRDst(); assert(s);
s->clearChildren();
s->add( *it );
s->addRef(FWReference::getObject(*it));
tmp_queue.push_back(r);
}
@ -532,7 +512,6 @@ bool RoutingCompiler::rItfChildOfFw::processNext()
if (itfrel->isAny()) return true;
FWObject *o = FWReference::cast(itfrel->front())->getPointer();
if (o->isChildOf(compiler->fw)) return true;
// the interface is not a child of the firewall. Could be
// cluster interface though. In that case make sure the
@ -540,14 +519,19 @@ bool RoutingCompiler::rItfChildOfFw::processNext()
Interface *iface = Interface::cast(o);
if (iface)
{
Cluster *cluster = Cluster::cast(iface->getParentHost());
FWObject *parent = iface->getParentHost();
if (parent->getId() == compiler->fw->getId()) return true;
Cluster *cluster = Cluster::cast(parent);
if (cluster)
{
list<Firewall*> members;
cluster->getMembersList(members);
if (std::find(members.begin(), members.end(),
compiler->fw) != members.end())
return true;
list<Firewall*>::iterator it;
for (it=members.begin(); it!=members.end(); ++it)
{
if ((*it)->getId() == compiler->fw->getId()) return true;
}
}
}
string msg;

11
src/libfwbuilder/src/fwcompiler/RoutingCompiler.h
View File

@ -37,8 +37,8 @@
#include <string>
namespace fwcompiler {
namespace fwcompiler
{
using namespace std;
#define DECLARE_ROUTING_RULE_PROCESSOR(_Name) \
@ -52,12 +52,13 @@ namespace fwcompiler {
};
class RoutingCompiler : public Compiler {
class RoutingCompiler : public Compiler
{
public:
RoutingCompiler(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw, bool ipv6_policy,
libfwbuilder::Firewall *fw,
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf) :
Compiler(_db, fw, ipv6_policy, _oscnf) {}

12
src/pf/pf.cpp
View File

@ -147,15 +147,19 @@ int main(int argc, char **argv)
FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID);
if (slib && slib->isReadOnly()) slib->setReadOnly(false);
CompilerDriver_pf driver(objdb);
if (!driver.prepare(args))
CompilerDriver_pf *driver = new CompilerDriver_pf(objdb);
if (!driver->prepare(args))
{
usage(argv[0]);
exit(1);
}
driver.compile();
driver->compile();
int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
delete driver;
delete objdb;
return (driver.getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
return ret;
} catch(const FWException &ex)
{

41
src/pflib/CompilerDriver_ipf_run.cpp
View File

@ -45,27 +45,21 @@
#include "OSConfigurator_freebsd.h"
#include "OSConfigurator_solaris.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwcompiler/Preprocessor.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/XMLTools.h"
#include "fwcompiler/Preprocessor.h"
#include <QStringList>
#include <QFileInfo>
@ -165,13 +159,9 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = NULL;
Firewall *fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);
try
{
@ -229,6 +219,7 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id,
c.setSourceRuleSet(Policy::cast(policy));
c.setRuleSetName(policy->getName());
c.setPersistentObjects(persistent_objects);
c.setSingleRuleCompileMode(single_rule_id);
c.setDebugLevel( dl );
@ -250,6 +241,7 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id,
n.setSourceRuleSet(NAT::cast(nat));
n.setRuleSetName(nat->getName());
n.setPersistentObjects(persistent_objects);
n.setSingleRuleCompileMode(single_rule_id);
n.setDebugLevel( dl );
@ -265,6 +257,13 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id,
n.epilog();
}
/*
* compilers detach persistent objects when they finish, this
* means at this point library persistent_objects is not part
* of any object tree.
*/
objdb->reparent(persistent_objects);
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());

47
src/pflib/CompilerDriver_ipfw_run.cpp
View File

@ -42,26 +42,21 @@
#include "OSConfigurator_freebsd.h"
#include "OSConfigurator_macosx.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"
#include "fwcompiler/Preprocessor.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/XMLTools.h"
#include "fwcompiler/Preprocessor.h"
#include <QStringList>
#include <QFileInfo>
@ -114,13 +109,9 @@ QString CompilerDriver_ipfw::run(const std::string &cluster_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = NULL;
Firewall *fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);
try
{
@ -174,6 +165,13 @@ QString CompilerDriver_ipfw::run(const std::string &cluster_id,
findImportedRuleSets(fw, all_policies);
// assign unique rule ids that later will be used to generate
// chain names. This should be done after calls to
// findImportedRuleSets()
// NB: these ids are not used by this compiler
assignUniqueRuleIds(all_policies);
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
// be generated. If "-6" is used, only ipv6 part will be generated.
@ -238,6 +236,8 @@ QString CompilerDriver_ipfw::run(const std::string &cluster_id,
c.setIPFWNumber(ipfw_rule_number);
c.setSourceRuleSet( policy );
c.setRuleSetName(branch_name);
c.setPersistentObjects(persistent_objects);
c.setSingleRuleCompileMode(single_rule_id);
c.setDebugLevel( dl );
if (rule_debug_on) c.setDebugRule( drp );
@ -286,6 +286,13 @@ QString CompilerDriver_ipfw::run(const std::string &cluster_id,
generated_script += c_str.str();
}
/*
* compilers detach persistent objects when they finish, this
* means at this point library persistent_objects is not part
* of any object tree.
*/
objdb->reparent(persistent_objects);
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());

61
src/pflib/CompilerDriver_pf_run.cpp
View File

@ -50,30 +50,24 @@
#include "OSConfigurator_freebsd.h"
#include "OSConfigurator_solaris.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/Routing.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/XMLTools.h"
#include "fwcompiler/Preprocessor.h"
#include "fwcompiler/exceptions.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/ClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include <QStringList>
#include <QFileInfo>
#include <QFile>
@ -212,13 +206,9 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
const std::string &single_rule_id)
{
Cluster *cluster = NULL;
if (!cluster_id.empty())
cluster = Cluster::cast(
objdb->findInIndex(objdb->getIntId(cluster_id)));
Firewall *fw = NULL;
Firewall *fw = Firewall::cast(
objdb->findInIndex(objdb->getIntId(firewall_id)));
assert(fw);
getFirewallAndClusterObjects(cluster_id, firewall_id, &cluster, &fw);
try
{
@ -288,6 +278,14 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
findImportedRuleSets(fw, all_policies);
findImportedRuleSets(fw, all_nat);
// assign unique rule ids that later will be used to generate
// chain names. This should be done after calls to
// findImportedRuleSets()
// NB: these ids are not really used by compiler for PF
assignUniqueRuleIds(all_policies);
assignUniqueRuleIds(all_nat);
list<FWObject*> all_rulesets;
all_rulesets.insert(
all_rulesets.begin(), all_policies.begin(), all_policies.end());
@ -459,7 +457,8 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
if (table_factories.count(ruleset_name) == 0)
{
table_factories[ruleset_name] = new fwcompiler::TableFactory(this);
table_factories[ruleset_name] =
new fwcompiler::TableFactory(this, persistent_objects);
}
NATCompiler_pf n( objdb, fw, ipv6_policy, oscnf.get(),
@ -468,6 +467,7 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
n.setSourceRuleSet( nat );
n.setRuleSetName(nat->getName());
n.setPersistentObjects(persistent_objects);
n.setSingleRuleCompileMode(single_rule_id);
n.setDebugLevel( dl );
@ -532,7 +532,8 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
if (table_factories.count(ruleset_name) == 0)
{
table_factories[ruleset_name] = new fwcompiler::TableFactory(this);
table_factories[ruleset_name] =
new fwcompiler::TableFactory(this, persistent_objects);
}
PolicyCompiler_pf c( objdb, fw, ipv6_policy, oscnf.get(),
@ -542,6 +543,7 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
c.setSourceRuleSet( policy );
c.setRuleSetName(policy->getName());
c.setPersistentObjects(persistent_objects);
c.setSingleRuleCompileMode(single_rule_id);
c.setDebugLevel( dl );
@ -609,6 +611,7 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
{
routing_compiler->setSourceRuleSet(routing);
routing_compiler->setRuleSetName(routing->getName());
routing_compiler->setPersistentObjects(persistent_objects);
routing_compiler->setSingleRuleCompileMode(single_rule_id);
routing_compiler->setDebugLevel( dl );
@ -629,6 +632,12 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
routing_script += routing_compiler->getCompiledScript();
}
/*
* compilers detach persistent objects when they finish, this
* means at this point library persistent_objects is not part
* of any object tree.
*/
objdb->reparent(persistent_objects);
if (haveErrorsAndWarnings())
{
@ -703,7 +712,13 @@ QString CompilerDriver_pf::run(const std::string &cluster_id,
if (ruleset_name == "__main__")
{
printStaticOptions(pf_str, fw);
// attach persistent_tables subtree inside TableFactory object
// to the object tree
table_factories[ruleset_name]->init(objdb);
pf_str << table_factories[ruleset_name]->PrintTables();
if (prolog_place == "pf_file_after_tables")
printProlog(pf_str, pre_hook);
} else

21
src/pflib/NATCompiler_ipf.cpp
View File

@ -27,19 +27,20 @@
#include "NATCompiler_ipf.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Host.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Host.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/AddressTable.h"
#include <QString>
@ -165,7 +166,7 @@ bool NATCompiler_ipf::ExpandPortRange::processNext()
newSrv->duplicate(osrv,true);
TCPUDPService::cast(newSrv)->setDstRangeStart(p);
TCPUDPService::cast(newSrv)->setDstRangeEnd(p);
compiler->dbcopy->add(newSrv,false);
compiler->persistent_objects->add(newSrv,false);
compiler->dbcopy->addToIndex(newSrv);
RuleElementOSrv *nosrv = r->getOSrv();

40
src/pflib/NATCompiler_pf.cpp
View File

@ -29,21 +29,22 @@
#include "fwcompiler/OSConfigurator.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Host.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Host.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Cluster.h"
#include <iostream>
#include <iomanip>
@ -94,7 +95,7 @@ int NATCompiler_pf::prolog()
IPv4::cast(loopback_address)->setAddress(InetAddr::getLoopbackAddr());
dbcopy->add(loopback_address,false);
persistent_objects->add(loopback_address,false);
if (tables)
{
@ -279,7 +280,10 @@ bool NATCompiler_pf::splitSDNATRule::processNext()
odst=r->getODst();
odst->clearChildren();
for (FWObject::iterator i=rule->getTDst()->begin(); i!=rule->getTDst()->end(); i++)
odst->add( *i );
{
FWObject *o = FWReference::getObject(*i);
odst->addRef(o);
}
if ( ! rule->getTSrv()->isAny())
{
@ -317,7 +321,7 @@ bool NATCompiler_pf::splitSDNATRule::processNext()
match_service = TCPUDPService::cast(
compiler->dbcopy->create(tsrv->getTypeName()));
match_service->setName(tsrv->getName() + "_dport");
compiler->dbcopy->add(match_service);
compiler->persistent_objects->add(match_service);
match_service->setDstRangeStart(tu_tsrv->getDstRangeStart());
match_service->setDstRangeEnd(tu_tsrv->getDstRangeEnd());
}
@ -1014,7 +1018,7 @@ bool NATCompiler_pf::swapAddressTableObjectsInRE::processNext()
mart->setId( mart_id );
compiler->dbcopy->addToIndex(mart);
compiler->dbcopy->add(mart);
compiler->persistent_objects->add(mart);
// register this object as a table
string tblname = atbl->getName();
@ -1311,3 +1315,9 @@ void NATCompiler_pf::compile()
void NATCompiler_pf::epilog()
{
}
NATCompiler_pf::~NATCompiler_pf()
{
//if (tables) tables->detach();
}

19
src/pflib/NATCompiler_pf.h
View File

@ -63,15 +63,20 @@ namespace fwcompiler
struct redirectRuleInfo
{
std::string natrule_label;
libfwbuilder::FWObject *old_tdst;
libfwbuilder::FWObject *new_tdst;
libfwbuilder::Service *tsrv;
std::string natrule_label;
int old_tdst;
int new_tdst;
int tsrv;
redirectRuleInfo(const std::string &rl,
libfwbuilder::FWObject *oa,
libfwbuilder::FWObject *na,
libfwbuilder::Service *s)
{ natrule_label=rl; old_tdst=oa; new_tdst=na; tsrv=s; }
{
natrule_label = rl;
old_tdst = oa->getId();
new_tdst = na->getId();
tsrv = s->getId();
}
};
@ -388,12 +393,12 @@ namespace fwcompiler
bool ipv6_policy,
fwcompiler::OSConfigurator *_oscnf,
TableFactory *tbf = NULL
) :
NATCompiler(_db, fw, ipv6_policy, _oscnf)
) : NATCompiler(_db, fw, ipv6_policy, _oscnf)
{
tables = tbf;
}
virtual ~NATCompiler_pf();
virtual int prolog();
virtual void compile();

2
src/pflib/OSConfigurator_bsd.cpp
View File

@ -75,7 +75,7 @@ void OSConfigurator_bsd::addVirtualAddressForNAT(const Address *addr)
FWObject *iaddr = findAddressFor(addr, fw );
if (iaddr!=NULL)
{
virtual_addresses.insert(addr);
virtual_addresses.insert(addr->getId());
} else
warning("Can not add virtual address " +
addr->getAddressPtr()->toString() );

2
src/pflib/OSConfigurator_bsd.h
View File

@ -55,7 +55,7 @@ protected:
QMap<QString, QStringList> interface_configuration_lines;
QStringList cloned_interfaces;
std::set<const libfwbuilder::Address*> virtual_addresses;
std::set<int> virtual_addresses;
virtual void setKernelVariable(libfwbuilder::Firewall *fw,
const std::string &var_name,

4
src/pflib/OSConfigurator_bsd_interfaces.cpp
View File

@ -248,10 +248,10 @@ string OSConfigurator_bsd::configureInterfaces()
if (ipaddr->isV6()) have_ipv6 = true;
}
set<const Address*>::iterator it;
set<int>::iterator it;
for (it=virtual_addresses.begin(); it!=virtual_addresses.end(); ++it)
{
const Address *addr = *it;
const Address *addr = Address::constcast(dbcopy->findInIndex(*it));
const InetAddr *ipaddr = addr->getAddressPtr();
FWObject *iaddr = findAddressFor(addr, fw );
if (iaddr!=NULL)

19
src/pflib/PolicyCompiler_ipf.cpp
View File

@ -28,16 +28,17 @@
#include "PolicyCompiler_ipf.h"
#include "fwcompiler/Compiler.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/AddressTable.h"
#include <iostream>
@ -55,15 +56,15 @@ int PolicyCompiler_ipf::prolog()
anytcp = dbcopy->createTCPService();
anytcp->setId(FWObjectDatabase::generateUniqueId()); //ANY_TCP_OBJ_ID);
dbcopy->add(anytcp,false);
persistent_objects->add(anytcp,false);
anyudp=dbcopy->createUDPService();
anyudp->setId(FWObjectDatabase::generateUniqueId()); //ANY_UDP_OBJ_ID);
dbcopy->add(anyudp,false);
persistent_objects->add(anyudp,false);
anyicmp=dbcopy->createICMPService();
anyicmp->setId(FWObjectDatabase::generateUniqueId()); //ANY_ICMP_OBJ_ID);
dbcopy->add(anyicmp,false);
persistent_objects->add(anyicmp,false);
return n;
}

19
src/pflib/PolicyCompiler_ipfw.cpp
View File

@ -28,16 +28,17 @@
#include "PolicyCompiler_ipfw.h"
#include "fwcompiler/Compiler.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/AddressTable.h"
#include <iostream>
@ -55,15 +56,15 @@ int PolicyCompiler_ipfw::prolog()
anytcp=dbcopy->createTCPService();
anytcp->setId(FWObjectDatabase::generateUniqueId()); // ANY_TCP_OBJ_ID);
dbcopy->add(anytcp,false);
persistent_objects->add(anytcp,false);
anyudp=dbcopy->createUDPService();
anyudp->setId(FWObjectDatabase::generateUniqueId()); //ANY_UDP_OBJ_ID);
dbcopy->add(anyudp,false);
persistent_objects->add(anyudp,false);
anyicmp=dbcopy->createICMPService();
anyicmp->setId(FWObjectDatabase::generateUniqueId()); //ANY_ICMP_OBJ_ID);
dbcopy->add(anyicmp,false);
persistent_objects->add(anyicmp,false);
return n;

98
src/pflib/PolicyCompiler_pf.cpp
View File

@ -28,20 +28,21 @@
#include "PolicyCompiler_pf.h"
#include "NATCompiler_pf.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/TagService.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/IPService.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/TagService.h"
#include "fwbuilder/UDPService.h"
#include <algorithm>
#include <functional>
@ -156,7 +157,7 @@ bool PolicyCompiler_pf::swapAddressTableObjectsInRE::processNext()
mart->setId( mart_id );
compiler->dbcopy->addToIndex(mart);
compiler->dbcopy->add(mart);
compiler->persistent_objects->add(mart);
// register this object as a table
string tblname = atbl->getName();
@ -418,7 +419,7 @@ void PolicyCompiler_pf::addDefaultPolicyRule()
ssh->setDstRangeEnd(22);
ssh->setName("mgmt_ssh");
dbcopy->add(ssh,false);
persistent_objects->add(ssh,false);
string mgmt_addr = getCachedFwOpt()->getStr("mgmt_addr");
InetAddr addr;
@ -452,12 +453,13 @@ void PolicyCompiler_pf::addDefaultPolicyRule()
mgmt_workstation->setName("mgmt_addr");
mgmt_workstation->setAddress(addr);
mgmt_workstation->setNetmask(netmask);
// IPv4 *mgmt_workstation = IPv4::cast(dbcopy->create(IPv4::TYPENAME));
// mgmt_workstation->setAddress(getCachedFwOpt()->getStr("mgmt_addr"));
dbcopy->add(mgmt_workstation,false);
persistent_objects->add(mgmt_workstation,false);
// r = dbcopy->createPolicyRule();
// source_ruleset->push_front(r);
r = PolicyRule::cast(source_ruleset->insertRuleAtTop(true));
r = dbcopy->createPolicyRule();
temp_ruleset->add(r);
r->setAction(PolicyRule::Accept);
r->setLogging(false);
r->setDirection(PolicyRule::Inbound);
@ -479,17 +481,17 @@ void PolicyCompiler_pf::addDefaultPolicyRule()
RuleElement *srv = r->getSrv();
assert(srv!=NULL);
srv->addRef(ssh);
combined_ruleset->push_front(r);
}
insertCarpRule();
insertPfsyncRule();
PolicyRule *r = dbcopy->createPolicyRule();
// PolicyRule *r = dbcopy->createPolicyRule();
// source_ruleset->push_back(r);
PolicyRule *r = PolicyRule::cast(source_ruleset->appendRuleAtBottom(true));
FWOptions *ruleopt;
temp_ruleset->add(r);
r->setAction(PolicyRule::Deny);
r->setLogging(getCachedFwOpt()->getBool("fallback_log"));
r->setDirection(PolicyRule::Both);
@ -500,7 +502,6 @@ void PolicyCompiler_pf::addDefaultPolicyRule()
r->setLabel("fallback rule");
ruleopt = r->getOptionsObject();
ruleopt->setBool("stateless", true);
combined_ruleset->push_back(r);
}
}
@ -749,12 +750,11 @@ bool PolicyCompiler_pf::doSrvNegation::processNext()
bool PolicyCompiler_pf::addLoopbackForRedirect::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
PolicyCompiler_pf *pf_comp=dynamic_cast<PolicyCompiler_pf*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
PolicyCompiler_pf *pf_comp = dynamic_cast<PolicyCompiler_pf*>(compiler);
// RuleElementSrc *src=rule->getSrc();
RuleElementDst *dst=rule->getDst();
RuleElementSrv *srv=rule->getSrv();
RuleElementDst *dst = rule->getDst();
RuleElementSrv *srv = rule->getSrv();
if (pf_comp->redirect_rules_info==NULL)
compiler->abort(
@ -764,41 +764,34 @@ bool PolicyCompiler_pf::addLoopbackForRedirect::processNext()
tmp_queue.push_back(rule);
//const list<NATCompiler_pf::redirectRuleInfo> lst =
// pf_comp->natcmp->getRedirRulesInfo();
if (pf_comp->redirect_rules_info->empty()) return true;
/*
* struct redirectRuleInfo {
* string natrule_label;
* Address *tdst;
* Service *tsrv;
* };
*/
for (FWObject::iterator i=srv->begin(); i!=srv->end(); i++)
{
FWObject *o1= *i;
if (FWReference::cast(o1)!=NULL) o1=FWReference::cast(o1)->getPointer();
Service *s=Service::cast( o1 );
FWObject *o1 = FWReference::getObject(*i);
Service *s = Service::cast( o1 );
assert(s);
for (FWObject::iterator j=dst->begin(); j!=dst->end(); j++)
{
FWObject *o2= *j;
if (FWReference::cast(o2)!=NULL) o2=FWReference::cast(o2)->getPointer();
Address *a=Address::cast( o2 );
FWObject *o2 = FWReference::getObject(*j);
Address *a = Address::cast( o2 );
assert(a);
list<NATCompiler_pf::redirectRuleInfo>::const_iterator k;
for (k=pf_comp->redirect_rules_info->begin();
k!=pf_comp->redirect_rules_info->end(); ++k)
{
if ( *a == *(k->old_tdst) && *s == *(k->tsrv) )
Address *old_tdst_obj = Address::cast(
compiler->dbcopy->findInIndex(k->old_tdst));
Service *tsrv_obj = Service::cast(
compiler->dbcopy->findInIndex(k->tsrv));
if ( *a == *(old_tdst_obj) && *s == *(tsrv_obj) )
{
// insert address used for redirection in the NAT rule.
dst->addRef( k->new_tdst );
FWObject *new_tdst_obj = compiler->dbcopy->findInIndex(k->new_tdst);
dst->addRef(new_tdst_obj);
return true;
}
}
@ -1124,7 +1117,7 @@ void PolicyCompiler_pf::insertCarpRule()
IPService* carp_service = IPService::cast(dbcopy->create(IPService::TYPENAME));
carp_service->setComment("CARP service");
carp_service->setProtocolNumber(112);
dbcopy->add(carp_service);
persistent_objects->add(carp_service);
FWObjectTypedChildIterator interfaces = fw->findByType(Interface::TYPENAME);
for (; interfaces != interfaces.end(); ++interfaces)
@ -1170,7 +1163,7 @@ void PolicyCompiler_pf::insertPfsyncRule()
IPService* pfsync_service = IPService::cast(dbcopy->create(IPService::TYPENAME));
pfsync_service->setComment("pfsync service");
pfsync_service->setProtocolNumber(240);
dbcopy->add(pfsync_service);
persistent_objects->add(pfsync_service);
FWObjectTypedChildIterator interfaces = fw->findByType(Interface::TYPENAME);
for (; interfaces != interfaces.end(); ++interfaces)
@ -1211,4 +1204,7 @@ bool PolicyCompiler_pf::checkForShadowingPlatformSpecific(PolicyRule *,
return true;
}
PolicyCompiler_pf::~PolicyCompiler_pf()
{
// if (tables) tables->detach();
}

2
src/pflib/PolicyCompiler_pf.h
View File

@ -443,6 +443,8 @@ namespace fwcompiler
tables = tbf;
}
virtual ~PolicyCompiler_pf();
virtual int prolog();
virtual void compile();
virtual void epilog();

40
src/pflib/TableFactory.cpp
View File

@ -27,13 +27,14 @@
#include "TableFactory.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include <algorithm>
#include <functional>
@ -47,23 +48,26 @@ using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
TableFactory::TableFactory(BaseCompiler *comp)
TableFactory::TableFactory(BaseCompiler *comp, Library *persistent_objects)
{
compiler = comp;
ruleSetName = "";
dbroot = NULL;
persistent_tables = new ObjectGroup();
persistent_tables->setName("PF Tables");
persistent_objects->add(persistent_tables);
}
void TableFactory::init(FWObjectDatabase *_dbr)
{
dbroot = _dbr;
dbroot->add(persistent_tables);
dbroot->addToIndex(persistent_tables);
for (FWObject::iterator i=persistent_tables->begin(); i!=persistent_tables->end(); i++)
{
dbroot->addToIndex(*i);
}
// dbroot->add(persistent_tables);
// persistent_tables->fixTree();
}
void TableFactory::detach()
{
// dbroot->remove(persistent_tables, false);
}
struct joinIDs : public unary_function<string, void>
@ -149,8 +153,7 @@ void TableFactory::createTablesForRE(RuleElement *re,Rule *rule)
for (FWObject::iterator i=re->begin(); i!=re->end(); i++)
{
FWObject *o= *i;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
FWObject *o = FWReference::getObject(*i);
tblgrp->addRef( o );
}
}
@ -190,11 +193,8 @@ string TableFactory::PrintTables()
for (FWObject::iterator i=grp->begin(); i!=grp->end(); i++)
{
if (i!=grp->begin()) output << ", ";
FWObject *o= *i;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
if (o==NULL)
compiler->abort("broken table object ");
FWObject *o = FWReference::getObject(*i);
if (o==NULL) compiler->abort("broken table object ");
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
if (atrt!=NULL)

3
src/pflib/TableFactory.h
View File

@ -53,9 +53,10 @@ namespace fwcompiler {
std::string ruleSetName;
public:
TableFactory(BaseCompiler *comp);
TableFactory(BaseCompiler *comp, libfwbuilder::Library *persistent_objects);
void init(libfwbuilder::FWObjectDatabase *_dbroot);
void detach();
void setRuleSetName(const std::string &rsn="") { ruleSetName=rsn; }

12
src/pix/pix.cpp
View File

@ -162,21 +162,23 @@ int main(int argc, char **argv)
FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID);
if (slib && slib->isReadOnly()) slib->setReadOnly(false);
CompilerDriver_pix driver(objdb);
if (!driver.prepare(args))
CompilerDriver_pix *driver = new CompilerDriver_pix(objdb);
if (!driver->prepare(args))
{
usage(argv[0]);
exit(1);
}
if (only_print_inspection_code)
{
cout << driver.protocolInspectorCommands();
cout << driver->protocolInspectorCommands();
} else
driver.compile();
driver->compile();
int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
delete driver;
delete objdb;
return (driver.getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
return ret;
} catch(libfwbuilder::FWException &ex)
{

11
src/procurve_acl/procurve_acl.cpp
View File

@ -153,17 +153,20 @@ int main(int argc, char **argv)
FWObject *slib = objdb->getById(FWObjectDatabase::STANDARD_LIB_ID);
if (slib && slib->isReadOnly()) slib->setReadOnly(false);
CompilerDriver_procurve_acl driver(objdb);
if (!driver.prepare(args))
CompilerDriver_procurve_acl *driver = new CompilerDriver_procurve_acl(objdb);
if (!driver->prepare(args))
{
usage(argv[0]);
exit(1);
}
driver.compile();
driver->compile();
int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
delete driver;
delete objdb;
return (driver.getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
return ret;
} catch(libfwbuilder::FWException &ex)
{

4
test/iosacl/auto-interface-test.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:38 2011 PST by vadim
! Generated Fri Mar 11 12:19:47 2011 PST by vadim
!
! Compiled for iosacl 12.1
!

4
test/iosacl/c3620.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:38 2011 PST by vadim
! Generated Fri Mar 11 12:19:47 2011 PST by vadim
!
! Compiled for iosacl 12.1
!

4
test/iosacl/ccie4u-r1.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:39 2011 PST by vadim
! Generated Fri Mar 11 12:19:48 2011 PST by vadim
!
! Compiled for iosacl 12.1
!

4
test/iosacl/dynamips1-og.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:39 2011 PST by vadim
! Generated Fri Mar 11 12:19:48 2011 PST by vadim
!
! Compiled for iosacl 12.4
!

4
test/iosacl/firewall-ipv6-1.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:39 2011 PST by vadim
! Generated Fri Mar 11 12:19:48 2011 PST by vadim
!
! Compiled for iosacl 12.1
!

4
test/iosacl/firewall-ipv6-2.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:39 2011 PST by vadim
! Generated Fri Mar 11 12:19:48 2011 PST by vadim
!
! Compiled for iosacl 12.1
!

4
test/iosacl/firewall-ipv6-3.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:40 2011 PST by vadim
! Generated Fri Mar 11 12:19:49 2011 PST by vadim
!
! Compiled for iosacl 12.1
!

4
test/iosacl/testios1-1.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:40 2011 PST by vadim
! Generated Fri Mar 11 12:19:49 2011 PST by vadim
!
! Compiled for iosacl 12.1
!

4
test/iosacl/testios1.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:40 2011 PST by vadim
! Generated Fri Mar 11 12:19:49 2011 PST by vadim
!
! Compiled for iosacl 12.1
!

4
test/iosacl/testios2.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:40 2011 PST by vadim
! Generated Fri Mar 11 12:19:49 2011 PST by vadim
!
! Compiled for iosacl 12.1
!

4
test/iosacl/testios20-v12.3.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:41 2011 PST by vadim
! Generated Fri Mar 11 12:19:49 2011 PST by vadim
!
! Compiled for iosacl 12.3
!

4
test/iosacl/testios20.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:41 2011 PST by vadim
! Generated Fri Mar 11 12:19:49 2011 PST by vadim
!
! Compiled for iosacl 12.4
!

4
test/iosacl/testios3.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:41 2011 PST by vadim
! Generated Fri Mar 11 12:19:50 2011 PST by vadim
!
! Compiled for iosacl 12.1
!

4
test/iosacl/testios4.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:41 2011 PST by vadim
! Generated Fri Mar 11 12:19:50 2011 PST by vadim
!
! Compiled for iosacl 12.4
!

4
test/iosacl/testios5-1.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:42 2011 PST by vadim
! Generated Fri Mar 11 12:19:50 2011 PST by vadim
!
! Compiled for iosacl 12.4
!

4
test/iosacl/testios5.fw.orig
View File

@ -1,9 +1,9 @@
!
! This is automatically generated file. DO NOT MODIFY !
!
! Firewall Builder fwb_iosacl v4.2.0.3483
! Firewall Builder fwb_iosacl v4.2.0.3499
!
! Generated Sun Feb 20 21:26:42 2011 PST by vadim
! Generated Fri Mar 11 12:19:50 2011 PST by vadim
!
! Compiled for iosacl 12.4
!

6
test/ipt/cluster1_secuwall-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:33 2011 PST by vadim
# Generated Thu Mar 10 21:52:44 2011 PST by vadim
#
# files: * cluster1_secuwall-1.fw /etc/cluster1_secuwall-1.fw
#
@ -588,7 +588,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:33 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:44 2011 by vadim"
log "Database was cluster-tests.fwb"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall-base-rulesets.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:32 2011 PST by vadim
# Generated Thu Mar 10 21:51:50 2011 PST by vadim
#
# files: * firewall-base-rulesets.fw /etc/fw/firewall-base-rulesets.fw
#
@ -445,7 +445,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:32 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:50 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:39 2011 PST by vadim
# Generated Thu Mar 10 21:51:55 2011 PST by vadim
#
# files: * firewall-ipv6-1.fw /etc/firewall-ipv6-1.fw
#
@ -702,7 +702,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:39 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:55 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:43 2011 PST by vadim
# Generated Thu Mar 10 13:14:16 2011 PST by vadim
#
# files: * firewall-ipv6-2.fw /etc/firewall-ipv6-2.fw
#
@ -966,7 +966,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:43 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 13:14:16 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-3.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:50 2011 PST by vadim
# Generated Thu Mar 10 21:52:04 2011 PST by vadim
#
# files: * firewall-ipv6-3.fw /etc/firewall-ipv6-3.fw
#
@ -596,7 +596,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:50 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:04 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-4-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:00 2011 PST by vadim
# Generated Thu Mar 10 21:52:13 2011 PST by vadim
#
# files: * firewall-ipv6-4-1.fw /etc/firewall-ipv6-4-1.fw
#
@ -545,7 +545,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:00 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:13 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-4.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:52 2011 PST by vadim
# Generated Thu Mar 10 21:52:08 2011 PST by vadim
#
# files: * firewall-ipv6-4.fw /etc/firewall-ipv6-4.fw
#
@ -581,7 +581,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:52 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:08 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-5.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:55 2011 PST by vadim
# Generated Thu Mar 10 21:52:11 2011 PST by vadim
#
# files: * firewall-ipv6-5.fw /etc/firewall-ipv6-5.fw
#
@ -412,7 +412,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:55 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:11 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-6.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:59 2011 PST by vadim
# Generated Thu Mar 10 21:52:15 2011 PST by vadim
#
# files: * firewall-ipv6-6.fw /etc/firewall-ipv6-6.fw
#
@ -399,7 +399,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:59 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:15 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-7.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:03 2011 PST by vadim
# Generated Thu Mar 10 21:52:16 2011 PST by vadim
#
# files: * firewall-ipv6-7.fw /etc/firewall-ipv6-7.fw
#
@ -443,7 +443,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:03 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:16 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-8.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:05 2011 PST by vadim
# Generated Thu Mar 10 21:52:19 2011 PST by vadim
#
# files: * firewall-ipv6-8.fw /etc/firewall-ipv6-8.fw
#
@ -484,7 +484,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:05 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:19 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-ipt-reset-prolog-after-flush.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:07 2011 PST by vadim
# Generated Thu Mar 10 21:52:20 2011 PST by vadim
#
# files: * firewall-ipv6-ipt-reset-prolog-after-flush.fw /etc/firewall-ipv6-ipt-reset-prolog-after-flush.fw
#
@ -450,7 +450,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:07 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:20 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:09 2011 PST by vadim
# Generated Thu Mar 10 21:52:22 2011 PST by vadim
#
# files: * firewall-ipv6-ipt-reset-prolog-after-interfaces.fw /etc/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw
#
@ -450,7 +450,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:09 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:22 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-ipt-reset-prolog-top.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:11 2011 PST by vadim
# Generated Thu Mar 10 21:52:24 2011 PST by vadim
#
# files: * firewall-ipv6-ipt-reset-prolog-top.fw /etc/firewall-ipv6-ipt-reset-prolog-top.fw
#
@ -450,7 +450,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:11 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:24 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-prolog-after-flush.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:13 2011 PST by vadim
# Generated Thu Mar 10 21:52:26 2011 PST by vadim
#
# files: * firewall-ipv6-prolog-after-flush.fw /etc/firewall-ipv6-prolog-after-flush.fw
#
@ -420,7 +420,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:13 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:26 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-prolog-after-interfaces.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:15 2011 PST by vadim
# Generated Thu Mar 10 21:52:27 2011 PST by vadim
#
# files: * firewall-ipv6-prolog-after-interfaces.fw /etc/firewall-ipv6-prolog-after-interfaces.fw
#
@ -420,7 +420,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:15 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:27 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall-ipv6-prolog-top.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:17 2011 PST by vadim
# Generated Thu Mar 10 21:52:29 2011 PST by vadim
#
# files: * firewall-ipv6-prolog-top.fw /etc/firewall-ipv6-prolog-top.fw
#
@ -420,7 +420,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:17 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:29 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall-server-1-s.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:59:18 2011 PST by vadim
# Generated Thu Mar 10 21:52:30 2011 PST by vadim
#
# files: * firewall-server-1-s.fw /etc/fw/firewall-server-1-s.fw
#
@ -393,7 +393,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:59:18 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:52:30 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:55:56 2011 PST by vadim
# Generated Thu Mar 10 21:49:22 2011 PST by vadim
#
# files: * firewall.fw /etc/fw/firewall.fw
#
@ -1361,7 +1361,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:55:56 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:22 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:55:58 2011 PST by vadim
# Generated Thu Mar 10 21:49:24 2011 PST by vadim
#
# files: * firewall1.fw /etc/fw/firewall1.fw
#
@ -1252,7 +1252,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:55:58 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:24 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall10.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:55:59 2011 PST by vadim
# Generated Thu Mar 10 21:49:25 2011 PST by vadim
#
# files: * firewall10.fw /etc/fw/firewall10.fw
#
@ -473,7 +473,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:55:59 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:25 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall11.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:01 2011 PST by vadim
# Generated Thu Mar 10 21:49:27 2011 PST by vadim
#
# files: * firewall11.fw /etc/fw/firewall11.fw
#
@ -589,7 +589,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:01 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:27 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall12.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:02 2011 PST by vadim
# Generated Thu Mar 10 21:49:28 2011 PST by vadim
#
# files: * firewall12.fw /etc/fw/firewall12.fw
#
@ -511,7 +511,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:02 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:28 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall13.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:04 2011 PST by vadim
# Generated Thu Mar 10 21:49:29 2011 PST by vadim
#
# files: * firewall13.fw /etc/fw/firewall13.fw
#
@ -385,7 +385,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:04 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:29 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall14.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:05 2011 PST by vadim
# Generated Thu Mar 10 21:49:30 2011 PST by vadim
#
# files: * firewall14.fw /etc/fw/firewall14.fw
#
@ -404,7 +404,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:05 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:30 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall15.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:07 2011 PST by vadim
# Generated Thu Mar 10 21:49:32 2011 PST by vadim
#
# files: * firewall15.fw /etc/fw/firewall15.fw
#
@ -388,7 +388,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:07 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:32 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall16.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:08 2011 PST by vadim
# Generated Thu Mar 10 21:49:33 2011 PST by vadim
#
# files: * firewall16.fw /etc/fw/firewall16.fw
#
@ -492,7 +492,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:08 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:33 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall17.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:10 2011 PST by vadim
# Generated Thu Mar 10 21:49:35 2011 PST by vadim
#
# files: * firewall17.fw /etc/fw/firewall17.fw
#
@ -471,7 +471,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:10 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:35 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall18.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:11 2011 PST by vadim
# Generated Thu Mar 10 21:49:36 2011 PST by vadim
#
# files: * firewall18.fw /etc/fw/firewall18.fw
#
@ -504,7 +504,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:11 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:36 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall19.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:13 2011 PST by vadim
# Generated Thu Mar 10 21:49:38 2011 PST by vadim
#
# files: * firewall19.fw /etc/fw/firewall19.fw
#
@ -508,7 +508,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:13 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:38 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall2-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:24 2011 PST by vadim
# Generated Thu Mar 10 21:49:47 2011 PST by vadim
#
# files: * firewall2-1.fw /etc/fw/firewall2-1.fw
#
@ -1430,7 +1430,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:24 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:47 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall2-2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:28 2011 PST by vadim
# Generated Thu Mar 10 21:49:51 2011 PST by vadim
#
# files: * firewall2-2.fw /etc/fw/firewall2-2.fw
#
@ -1259,7 +1259,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:28 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:51 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall2-3.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:31 2011 PST by vadim
# Generated Thu Mar 10 21:49:55 2011 PST by vadim
#
# files: * firewall2-3.fw /etc/fw/firewall2-3.fw
#
@ -1118,7 +1118,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:31 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:55 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall2-4.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:35 2011 PST by vadim
# Generated Thu Mar 10 21:49:59 2011 PST by vadim
#
# files: * firewall2-4.fw /etc/fw/firewall2-4.fw
#
@ -424,7 +424,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:35 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:59 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall2-5.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:38 2011 PST by vadim
# Generated Thu Mar 10 21:50:02 2011 PST by vadim
#
# files: * firewall2-5.fw /etc/fw/firewall2-5.fw
#
@ -455,7 +455,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:38 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:02 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall2-6.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:43 2011 PST by vadim
# Generated Thu Mar 10 21:50:05 2011 PST by vadim
#
# files: * firewall2-6.fw /etc/fw/firewall2-6.fw
#
@ -482,7 +482,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:43 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:05 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall2-7.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:46 2011 PST by vadim
# Generated Thu Mar 10 21:50:09 2011 PST by vadim
#
# files: * firewall2-7.fw /etc/fw/firewall2-7.fw
#
@ -424,7 +424,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:46 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:09 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:16 2011 PST by vadim
# Generated Thu Mar 10 21:49:40 2011 PST by vadim
#
# files: * firewall2.fw /etc/fw/firewall2.fw
#
@ -1482,7 +1482,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:16 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:40 2011 by vadim"
check_tools
check_run_time_address_table_files

6
test/ipt/firewall20-ipv6.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:19 2011 PST by vadim
# Generated Thu Mar 10 21:49:43 2011 PST by vadim
#
# files: * firewall20-ipv6.fw /etc/fw/firewall20-ipv6.fw
#
@ -456,7 +456,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:19 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:43 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall20.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:16 2011 PST by vadim
# Generated Thu Mar 10 21:49:41 2011 PST by vadim
#
# files: * firewall20.fw /etc/fw/firewall20.fw
#
@ -674,7 +674,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:16 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:41 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall21-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:23 2011 PST by vadim
# Generated Thu Mar 10 21:49:47 2011 PST by vadim
#
# files: * firewall21-1.fw /etc/fw/firewall21-1.fw
#
@ -470,7 +470,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:23 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:47 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall21.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:20 2011 PST by vadim
# Generated Thu Mar 10 21:49:44 2011 PST by vadim
#
# files: * firewall21.fw /etc/fw/firewall21.fw
#
@ -469,7 +469,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:20 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:44 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall22.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:26 2011 PST by vadim
# Generated Thu Mar 10 21:49:50 2011 PST by vadim
#
# files: * firewall22.fw /etc/fw/firewall22.fw
#
@ -390,7 +390,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:26 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:50 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall23-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:32 2011 PST by vadim
# Generated Thu Mar 10 21:49:56 2011 PST by vadim
#
# files: * firewall23-1.fw /etc/fw/firewall23-1.fw
#
@ -561,7 +561,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:32 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:56 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall23.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:29 2011 PST by vadim
# Generated Thu Mar 10 21:49:53 2011 PST by vadim
#
# files: * firewall23.fw /etc/fw/firewall23.fw
#
@ -476,7 +476,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:29 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:53 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall24.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:35 2011 PST by vadim
# Generated Thu Mar 10 21:49:58 2011 PST by vadim
#
# files: * firewall24.fw /etc/fw/firewall24.fw
#
@ -493,7 +493,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:35 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:49:58 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall25.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:39 2011 PST by vadim
# Generated Thu Mar 10 21:50:02 2011 PST by vadim
#
# files: * firewall25.fw /etc/fw/firewall25.fw
#
@ -689,7 +689,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:39 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:02 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall26.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:42 2011 PST by vadim
# Generated Thu Mar 10 21:50:05 2011 PST by vadim
#
# files: * firewall26.fw /etc/fw/firewall26.fw
#
@ -562,7 +562,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:42 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:05 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall27.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:45 2011 PST by vadim
# Generated Thu Mar 10 21:50:08 2011 PST by vadim
#
# files: * firewall27.fw /etc/fw/firewall27.fw
#
@ -546,7 +546,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:45 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:08 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall28.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:48 2011 PST by vadim
# Generated Thu Mar 10 21:50:11 2011 PST by vadim
#
# files: * firewall28.fw /etc/fw/firewall28.fw
#
@ -409,7 +409,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:48 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:11 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall29.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:49 2011 PST by vadim
# Generated Thu Mar 10 21:50:12 2011 PST by vadim
#
# files: * firewall29.fw /etc/fw/firewall29.fw
#
@ -440,7 +440,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:49 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:12 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall3.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:51 2011 PST by vadim
# Generated Thu Mar 10 21:50:14 2011 PST by vadim
#
# files: * firewall3.fw /etc/fw/firewall3.fw
#
@ -578,7 +578,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:51 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:14 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall30.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:52 2011 PST by vadim
# Generated Thu Mar 10 21:50:15 2011 PST by vadim
#
# files: * firewall30.fw /etc/fw/firewall30.fw
#
@ -375,7 +375,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:52 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:15 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall31.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:54 2011 PST by vadim
# Generated Thu Mar 10 21:50:17 2011 PST by vadim
#
# files: * firewall31.fw /etc/fw/firewall31.fw
#
@ -445,7 +445,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:54 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:17 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall32.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:56:55 2011 PST by vadim
# Generated Thu Mar 10 21:50:18 2011 PST by vadim
#
# files: * firewall32.fw /etc/fw/firewall32.fw
#
@ -416,7 +416,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:56:55 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:18 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

16
test/ipt/firewall33-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:02 2011 PST by vadim
# Generated Thu Mar 10 21:50:24 2011 PST by vadim
#
# files: * firewall33-1.fw /etc/fw/firewall33-1.fw
#
@ -395,11 +395,11 @@ script_body() {
#
$IPTABLES -N Cid438728A918346.0
$IPTABLES -A Policy -m state --state NEW -j Cid438728A918346.0
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.80 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.81 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.82 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.83 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.84 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.16 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.17 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.18 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.19 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.20 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.224.25 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.224.26 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.226.25 -j RETURN
@ -525,7 +525,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:02 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:24 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

16
test/ipt/firewall33.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:02 2011 PST by vadim
# Generated Thu Mar 10 21:50:24 2011 PST by vadim
#
# files: * firewall33.fw /etc/fw/firewall33.fw
#
@ -443,11 +443,11 @@ script_body() {
$IPTABLES -A OUTPUT -m state --state NEW -j Cid438728A918346.0
$IPTABLES -A INPUT -m state --state NEW -j Cid438728A918346.0
$IPTABLES -A FORWARD -m state --state NEW -j Cid438728A918346.0
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.80 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.81 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.82 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.83 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.84 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.16 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.17 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.18 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.19 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.20 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.224.25 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.224.26 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.226.25 -j RETURN
@ -572,7 +572,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:02 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:24 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall34.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:06 2011 PST by vadim
# Generated Thu Mar 10 21:50:28 2011 PST by vadim
#
# files: * firewall34.fw /etc/fw/firewall34.fw
#
@ -648,7 +648,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:06 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:28 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall35.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:06 2011 PST by vadim
# Generated Thu Mar 10 21:50:28 2011 PST by vadim
#
# files: * firewall35.fw /etc/fw/firewall35.fw
#
@ -540,7 +540,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:06 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:28 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall36-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:09 2011 PST by vadim
# Generated Thu Mar 10 21:50:31 2011 PST by vadim
#
# files: * firewall36-1.fw /etc/firewall36-1.fw
#
@ -433,7 +433,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:09 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:31 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall36-2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:13 2011 PST by vadim
# Generated Thu Mar 10 21:50:34 2011 PST by vadim
#
# files: * firewall36-2.fw /etc/firewall36-2.fw
#
@ -433,7 +433,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:13 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:34 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall36.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:09 2011 PST by vadim
# Generated Thu Mar 10 21:50:31 2011 PST by vadim
#
# files: * firewall36.fw /etc/firewall36.fw
#
@ -535,7 +535,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:09 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:31 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall37-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:16 2011 PST by vadim
# Generated Thu Mar 10 21:50:37 2011 PST by vadim
#
# files: * firewall37-1.fw /etc/fw/firewall37-1.fw
#
@ -769,7 +769,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:16 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:37 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall37.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:18 2011 PST by vadim
# Generated Thu Mar 10 21:50:39 2011 PST by vadim
#
# files: * firewall37.fw /etc/fw/firewall37.fw
#
@ -1050,7 +1050,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:18 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:39 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall38.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:19 2011 PST by vadim
# Generated Thu Mar 10 21:50:40 2011 PST by vadim
#
# files: * firewall38.fw /etc/fw/firewall38.fw
#
@ -498,7 +498,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:19 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:40 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall39.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:25 2011 PST by vadim
# Generated Thu Mar 10 21:50:46 2011 PST by vadim
#
# files: * firewall39.fw /etc/fw/firewall39.fw
#
@ -895,7 +895,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:25 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:46 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall4.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:23 2011 PST by vadim
# Generated Thu Mar 10 21:50:43 2011 PST by vadim
#
# files: * firewall4.fw /etc/fw/firewall4.fw
#
@ -710,7 +710,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:23 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:43 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall40-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:29 2011 PST by vadim
# Generated Thu Mar 10 21:50:50 2011 PST by vadim
#
# files: * firewall40-1.fw /etc/firewall40-1.fw
#
@ -450,7 +450,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:29 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:50 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall40-2.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:29 2011 PST by vadim
# Generated Thu Mar 10 21:50:50 2011 PST by vadim
#
# files: * firewall40-2.fw /etc/firewall40-2.fw
#
@ -437,7 +437,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:29 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:50 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall40.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:26 2011 PST by vadim
# Generated Thu Mar 10 21:50:46 2011 PST by vadim
#
# files: * firewall40.fw /etc/firewall40.fw
#
@ -439,7 +439,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:26 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:46 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall41-1.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:33 2011 PST by vadim
# Generated Thu Mar 10 21:50:53 2011 PST by vadim
#
# files: * firewall41-1.fw /etc/firewall41-1.fw
#
@ -575,7 +575,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:33 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:53 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

8
test/ipt/firewall41.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:32 2011 PST by vadim
# Generated Thu Mar 10 21:50:53 2011 PST by vadim
#
# files: * firewall41.fw /etc/firewall41.fw
#
@ -393,7 +393,7 @@ script_body() {
echo "Rule 6 (global)"
#
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -d 208.68.143.50 -j RULE_6
$IPTABLES -A OUTPUT -d 208.68.139.38 -j RULE_6
$IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY "
$IPTABLES -A RULE_6 -j DROP
}
@ -451,7 +451,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:32 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:53 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall42.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:36 2011 PST by vadim
# Generated Thu Mar 10 21:50:57 2011 PST by vadim
#
# files: * firewall42.fw /etc/fw/firewall42.fw
#
@ -382,7 +382,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:36 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:50:57 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall5.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:39 2011 PST by vadim
# Generated Thu Mar 10 21:51:00 2011 PST by vadim
#
# files: * firewall5.fw /etc/fw/firewall5.fw
#
@ -622,7 +622,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:39 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:00 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall50.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:40 2011 PST by vadim
# Generated Thu Mar 10 21:51:01 2011 PST by vadim
#
# files: * firewall50.fw /etc/fw/firewall50.fw
#
@ -407,7 +407,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:40 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:01 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall51.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:46 2011 PST by vadim
# Generated Thu Mar 10 21:51:06 2011 PST by vadim
#
# files: * firewall51.fw /etc/fw/firewall51.fw
#
@ -491,7 +491,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:46 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:06 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall6.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:43 2011 PST by vadim
# Generated Thu Mar 10 21:51:04 2011 PST by vadim
#
# files: * firewall6.fw /etc/fw/firewall6.fw
#
@ -513,7 +513,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:43 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:04 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall60.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:46 2011 PST by vadim
# Generated Thu Mar 10 21:51:07 2011 PST by vadim
#
# files: * firewall60.fw /etc/firewall60.fw
#
@ -419,7 +419,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:46 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:07 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall61-1.2.5.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:49 2011 PST by vadim
# Generated Thu Mar 10 21:51:10 2011 PST by vadim
#
# files: * firewall61-1.2.5.fw /etc/firewall61-1.2.5.fw
#
@ -499,7 +499,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:49 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:10 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall61-1.2.6.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:51 2011 PST by vadim
# Generated Thu Mar 10 21:51:11 2011 PST by vadim
#
# files: * firewall61-1.2.6.fw /etc/firewall61-1.2.6.fw
#
@ -505,7 +505,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:51 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:11 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall61-1.3.x.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:54 2011 PST by vadim
# Generated Thu Mar 10 21:51:14 2011 PST by vadim
#
# files: * firewall61-1.3.x.fw /etc/firewall61-1.3.x.fw
#
@ -492,7 +492,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:54 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:14 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall61-1.4.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:55 2011 PST by vadim
# Generated Thu Mar 10 21:51:14 2011 PST by vadim
#
# files: * firewall61-1.4.fw /etc/firewall61-1.4.fw
#
@ -493,7 +493,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:55 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:14 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall62.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:57 2011 PST by vadim
# Generated Thu Mar 10 21:51:17 2011 PST by vadim
#
# files: * firewall62.fw /etc/firewall62.fw
#
@ -569,7 +569,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:57 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:17 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall63.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:57:58 2011 PST by vadim
# Generated Thu Mar 10 21:51:17 2011 PST by vadim
#
# files: * firewall63.fw /etc/firewall63.fw
#
@ -389,7 +389,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:57:58 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:17 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall7.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:00 2011 PST by vadim
# Generated Thu Mar 10 21:51:19 2011 PST by vadim
#
# files: * firewall7.fw /etc/fw/firewall7.fw
#
@ -473,7 +473,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:00 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:19 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall70.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:02 2011 PST by vadim
# Generated Thu Mar 10 21:51:21 2011 PST by vadim
#
# files: * firewall70.fw iptables.sh
#
@ -412,7 +412,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:02 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:21 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall71.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:04 2011 PST by vadim
# Generated Thu Mar 10 21:51:23 2011 PST by vadim
#
# files: * firewall71.fw /etc/fw/firewall71.fw
#
@ -428,7 +428,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:04 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:23 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall72-1.3.x.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:05 2011 PST by vadim
# Generated Thu Mar 10 21:51:24 2011 PST by vadim
#
# files: * firewall72-1.3.x.fw /etc/fw/firewall72-1.3.x.fw
#
@ -560,7 +560,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:05 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:24 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall72-1.4.3.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:07 2011 PST by vadim
# Generated Thu Mar 10 21:51:26 2011 PST by vadim
#
# files: * firewall72-1.4.3.fw /etc/fw/firewall72-1.4.3.fw
#
@ -560,7 +560,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:07 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:26 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall73.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:08 2011 PST by vadim
# Generated Thu Mar 10 21:51:27 2011 PST by vadim
#
# files: * firewall73.fw /etc/fw/firewall73.fw
#
@ -523,7 +523,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:08 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:27 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall74.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:10 2011 PST by vadim
# Generated Thu Mar 10 21:51:29 2011 PST by vadim
#
# files: * firewall74.fw /etc/fw/firewall74.fw
#
@ -375,7 +375,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:10 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:29 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall8.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:11 2011 PST by vadim
# Generated Thu Mar 10 21:51:30 2011 PST by vadim
#
# files: * firewall8.fw /etc/fw/firewall8.fw
#
@ -358,7 +358,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:11 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:30 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall80.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:13 2011 PST by vadim
# Generated Thu Mar 10 21:51:32 2011 PST by vadim
#
# files: * firewall80.fw /etc/fw/firewall80.fw
#
@ -399,7 +399,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:13 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:32 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall81.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:15 2011 PST by vadim
# Generated Thu Mar 10 21:51:34 2011 PST by vadim
#
# files: * firewall81.fw /etc/fw/firewall81.fw
#
@ -420,7 +420,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:15 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:34 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall82.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:17 2011 PST by vadim
# Generated Thu Mar 10 21:51:36 2011 PST by vadim
#
# files: * firewall82.fw /etc/firewall82.fw
#
@ -411,7 +411,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:17 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:36 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall82_A.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:19 2011 PST by vadim
# Generated Thu Mar 10 21:51:37 2011 PST by vadim
#
# files: * firewall82_A.fw /etc/fw/firewall82_A.fw
#
@ -400,7 +400,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:19 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:37 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall82_B.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:20 2011 PST by vadim
# Generated Thu Mar 10 21:51:39 2011 PST by vadim
#
# files: * firewall82_B.fw /etc/fw/firewall82_B.fw
#
@ -363,7 +363,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:20 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:39 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

6
test/ipt/firewall9.fw.orig
View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.0.3498
# Firewall Builder fwb_ipt v4.2.0.3499
#
# Generated Tue Mar 8 18:58:23 2011 PST by vadim
# Generated Thu Mar 10 21:51:40 2011 PST by vadim
#
# files: * firewall9.fw /etc/fw/firewall9.fw
#
@ -621,7 +621,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue Mar 8 18:58:23 2011 by vadim"
log "Activating firewall script generated Thu Mar 10 21:51:40 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

Some files were not shown because too many files have changed in this diff Show More