onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-25 20:57:29 +01:00
Code Issues Releases Wiki Activity

* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): Using rule

Browse Source 
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes #1087
This commit is contained in:
Vadim Kurland 2010-01-16 00:26:01 +00:00
parent 5a39ed8f67
commit 2e27954947
21 changed files with 484 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_num
View File

@ -1 +1 @@
#define BUILD_NUM 2351
#define BUILD_NUM 2352

10
doc/ChangeLog
View File

@ -1,5 +1,15 @@
2010-01-15 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::compile): Using rule
processor Compiler::checkForObjectsWithErrors to find objects with
errors and generate proper calls to abort(). This exposes errors
that happened when Preprocessor failed to resolve compile-time
AddressTable and DNSName objects. If compiler runs in test mode,
preprocessor did not abort but used dummy substitution addresses
and continued. Call to checkForObjectsWithErrors generates proper
error messages tied to rules. Using this rule processor in all
compilers. Fixes #1087
* PolicyCompiler_ipt.cpp (processMultiAddressObjectsInRE::processNext):
fixes #1086: incorrect processing of run time address tables.
SourceForge bug 2932680. Rules with two run-time AddressTable

2
src/cisco_lib/CompilerDriver_iosacl_run.cpp
View File

@ -220,6 +220,8 @@ QString CompilerDriver_iosacl::run(const std::string &cluster_id,
if (policy_count)
{
std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb, fw, false));
if (inTestMode()) prep->setTestMode();
if (inEmbeddedMode()) prep->setEmbeddedMode();
prep->compile();
}

2
src/cisco_lib/CompilerDriver_pix_run.cpp
View File

@ -521,6 +521,8 @@ QString CompilerDriver_pix::run(const std::string &cluster_id,
*/
std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb , fw, false));
if (inTestMode()) prep->setTestMode();
if (inEmbeddedMode()) prep->setEmbeddedMode();
prep->compile();
std::auto_ptr<OSConfigurator> oscnf(new OSConfigurator_pix_os(objdb , fw, false));

3
src/cisco_lib/NATCompiler_pix.cpp
View File

@ -1579,6 +1579,9 @@ void NATCompiler_pix::compile()
add( new SuppressDuplicateNONATStatics(
"suppress duplicate NONAT statics" ));
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new PrintClearCommands( "Clear ACLs" ));
add( new PrintRule ("generate PIX code" ));

7
src/cisco_lib/PolicyCompiler_iosacl.cpp
View File

@ -215,6 +215,10 @@ void PolicyCompiler_iosacl::compile()
add( new dropRuleWithEmptyRE(
"drop rules with empty rule elements"));
add( new ConvertToAtomic("convert to atomic rules" ) );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new DetectShadowing("Detect shadowing" ) );
add( new simplePrintProgress() );
@ -312,6 +316,9 @@ void PolicyCompiler_iosacl::compile()
add( new createNewCompilerPass ("Creating ACLs ..."));
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
// add( new ClearACLs("Clear ACLs"));
// This processor prints each ACL separately in one block.

8
src/cisco_lib/PolicyCompiler_pix.cpp
View File

@ -659,6 +659,10 @@ void PolicyCompiler_pix::compile()
add( new ExpandMultipleAddressesInSrc("expand objects with multiple addresses in SRC" ));
add( new ExpandMultipleAddressesInDst("expand objects with multiple addresses in DST" ));
add( new ConvertToAtomic ("convert to atomic rules" ));
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new DetectShadowing ("Detect shadowing" ));
add( new simplePrintProgress ( ));
@ -791,6 +795,10 @@ void PolicyCompiler_pix::compile()
"remove redundant addresses from Src"));
add( new removeRedundantAddressesFromDst(
"remove redundant addresses from Dst"));
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
// add( new AvoidObjectGroup("avoid object groups for certain cases"));
add( new CreateObjectGroupsForSrc("create object groups for Src"));
add( new CreateObjectGroupsForDst("create object groups for Dst"));

2
src/iptlib/CompilerDriver_ipt_run.cpp
View File

@ -410,7 +410,7 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
// that we do not return all_errors because all compilers
// include errors and warnings with generated code for each
// rule. CompilerDriver errors, however, need to be added on
// top.
// top.
return
QString::fromUtf8(
(getErrors("") +

3
src/iptlib/NATCompiler_ipt.cpp
View File

@ -2580,6 +2580,9 @@ void NATCompiler_ipt::compile()
"set target if dynamic interface in TSrc" ) );
add( new convertInterfaceIdToStr("prepare interface assignments") );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new countChainUsage("Count chain usage"));
if (fwopt->getBool("use_iptables_restore"))

2
src/iptlib/PolicyCompiler_PrintRule.cpp
View File

@ -194,7 +194,7 @@ string PolicyCompiler_ipt::PrintRule::_printRuleLabel(PolicyRule *rule)
}
}
current_rule_label=rl;
current_rule_label = rl;
string err = rule->getStr(".error_msg");
if (!err.empty()) res << "# " << err << endl;

6
src/iptlib/PolicyCompiler_ipt.cpp
View File

@ -4102,6 +4102,9 @@ void PolicyCompiler_ipt::compile()
add( new SkipActionContinueWithNoLogging(
"drop rules with action Continue") );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
if (my_table=="mangle" &&
!fw->getOptionsObject()->getBool("classify_mark_terminating")
)
@ -4373,7 +4376,8 @@ void PolicyCompiler_ipt::compile()
add( new convertInterfaceIdToStr("prepare interface assignments") );
add( new optimize3("optimization 3") );
add( new optimizeForMinusIOPlus("optimize for '-i +' / '-o +'") );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new countChainUsage("Count chain usage"));
add( createPrintRuleProcessor() );

3
src/iptlib/RoutingCompiler_ipt.cpp
View File

@ -247,6 +247,9 @@ void RoutingCompiler_ipt::compile()
add(new eliminateDuplicateRules(
"Eliminate duplicate rules over the whole table"));
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add(new PrintRule("generate ip code"));
add(new simplePrintProgress());

4
src/pflib/NATCompiler_ipf.cpp
View File

@ -578,6 +578,10 @@ void NATCompiler_ipf::compile()
add( new AssignInterface( "assign rules to interfaces" ) );
add( new RedirectRules( "replace objects in TDst for 'Redirect' rules" ) );
add( new convertInterfaceIdToStr( "prepare interface assignments" ) );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new PrintRule("generate ipfilter code") );
add( new simplePrintProgress() );

3
src/pflib/NATCompiler_pf.cpp
View File

@ -1212,6 +1212,9 @@ void NATCompiler_pf::compile()
add( new AssignInterface( "assign rules to interfaces" ) );
add( new convertInterfaceIdToStr("prepare interface assignments") );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new createTables("create tables"));
// add( new PrintTables( "print tables" ) );

8
src/pflib/PolicyCompiler_ipf.cpp
View File

@ -457,6 +457,10 @@ void PolicyCompiler_ipf::compile()
add( new ExpandMultipleAddressesInDst(
"expand objects with multiple addresses in DST" ) );
add( new ConvertToAtomic("convert to atomic rules" ) );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new DetectShadowing("Detect shadowing" ) );
add( new simplePrintProgress() );
@ -551,6 +555,10 @@ void PolicyCompiler_ipf::compile()
add( new calculateSkip("calculate argument for skip") );
add( new checkForKeepState("check for 'keep state'") );
add( new convertInterfaceIdToStr("prepare interface assignments") );
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new PrintRule("generate ipf code") );
add( new simplePrintProgress() );

8
src/pflib/PolicyCompiler_ipfw.cpp
View File

@ -571,6 +571,10 @@ void PolicyCompiler_ipfw::compile()
"expand objects with multiple addresses in DST"));
add( new dropRuleWithEmptyRE("drop rules with empty rule elements"));
add( new ConvertToAtomic("convert to atomic rules"));
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new DetectShadowing("Detect shadowing"));
add( new simplePrintProgress());
@ -647,6 +651,10 @@ void PolicyCompiler_ipfw::compile()
add( new calculateNum("calculate rule numbers "));
add( new convertInterfaceIdToStr("prepare interface assignments"));
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add( new PrintRule("generate ipf code"));
add( new simplePrintProgress());

7
src/pflib/PolicyCompiler_pf.cpp
View File

@ -1030,6 +1030,10 @@ void PolicyCompiler_pf::compile()
add(new dropRuleWithEmptyRE(
"drop rules with empty rule elements"));
add(new ConvertToAtomic("convert to atomic rules"));
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add(new DetectShadowing("Detect shadowing"));
add(new simplePrintProgress());
@ -1128,6 +1132,9 @@ void PolicyCompiler_pf::compile()
add(new checkForZeroAddr("check for zero addresses"));
add(new convertInterfaceIdToStr("prepare interface assignments"));
add( new checkForObjectsWithErrors(
"check if we have objects with errors in rule elements"));
add(new createTables("create tables"));
// add(new PrintTables("print tables"));

211
test/iosacl/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1257560726" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1263599937" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<Interface id="id19433X65694" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id19434X65694" name="firewall-ipv6-1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
@ -27,7 +27,11 @@
<IPv4 id="id4204X90642" name="internal gw" comment="" ro="False" address="10.3.14.254" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="id4511636623682" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id4511636723682" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id4511636723682" name="Address Tables" comment="" ro="False">
<AddressTable id="id6250X9455" filename="addr-table-1.tbl" run_time="False" name="addr-table-1" comment="" ro="False"/>
<AddressTable id="id6263X9455" filename="block-hosts.tbl" run_time="False" name="block-hosts" comment="" ro="False"/>
<AddressTable id="id75678X9455" filename="file_does_not_exist.tbl" run_time="False" name="missing table" comment="" ro="False"/>
</ObjectGroup>
<ObjectGroup id="id4511636823682" name="Groups" comment="" ro="False">
<ObjectGroup id="id46412C4226611" name="networks behind router" comment="" ro="False">
<ObjectRef ref="id46412C4126611"/>
@ -4350,6 +4354,209 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id6270X9455" host_OS="ios" inactive="False" lastCompiled="1261963349" lastInstalled="0" lastModified="1263599966" platform="iosacl" version="12.1" name="testios3" comment="" ro="False">
<NAT id="id6531X9455" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id6288X9455" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id6698X9455" disabled="False" log="True" position="0" action="Deny" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id46412C4226611"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id6250X9455"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id6278X9455"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id6652X9455" disabled="False" log="True" position="1" action="Deny" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id46412C4226611"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id6263X9455"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id6278X9455"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id6289X9455" disabled="False" log="True" position="2" action="Deny" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id46412C4226611"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id6250X9455"/>
<ObjectRef ref="id6263X9455"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id6278X9455"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id77882X9455" disabled="False" group="" log="True" position="3" action="Deny" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id46412C4226611"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id75678X9455"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id6278X9455"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id6518X9455" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id6533X9455" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id6278X9455" dedicated_failover="False" dyn="False" label="" security_level="50" unnum="False" unprotected="False" name="ethernet0" comment="" ro="False">
<IPv4 id="id6281X9455" name="testios3:ethernet0:ip" comment="" ro="False" address="1.1.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id6283X9455" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="ethernet1" comment="" ro="False">
<IPv4 id="id6286X9455" name="testios3:ethernet1:ip" comment="" ro="False" address="10.10.10.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="10.10.10.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="filesystem">/etc</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ios_ip_address">True</Option>
<Option name="ios_set_host_name">True</Option>
<Option name="iosacl_acl_basic">False</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">True</Option>
<Option name="iosacl_acl_temp_addr">10.10.10.0/24</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level">3</Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level">3</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">3</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_use_acl_remarks">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
<Option name="local_nat">false</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr">10.10.10.0/24</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="use_scp">False</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="id4511637523682" name="Time" comment="" ro="False"/>
</Library>

46
test/ipt/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1263422953" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1263600829" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
<IPv4 id="id41D295E2" name="firewall30:ppp.200*:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
@ -1763,6 +1763,7 @@
<AddressTable id="id4389EE9118346" filename="block-hosts.tbl" run_time="True" name="block these" comment="this is run-time table" ro="False"/>
<AddressTable id="id44F7056328576" filename="addr-table-1.tbl" run_time="True" name="atbl.1" comment="the name contains character that is special to shell" ro="False"/>
<AddressTable id="id459673BE7794" filename="emtpy-table.tbl" run_time="False" name="empty table" comment="" ro="False"/>
<AddressTable id="id50108X1683" filename="this_table_does_not_exist.tbl" run_time="False" name="missing table" comment="" ro="False"/>
</ObjectGroup>
<ObjectGroup id="stdid01_1_og_dnsn_1" name="DNS Names" comment="" ro="False">
<DNSName id="id43869E8C18346" dnsrec="www.cnn.com" dnsrectype="A" run_time="False" name="cnn (ct)" comment="" ro="False"/>
@ -1776,6 +1777,7 @@
<DNSName id="id44749X4903" dnsrec="6bone.net" dnsrectype="A" run_time="True" name="6bone.net (rt)" comment="there are both A and AAAA records for this name&#10;" ro="False"/>
<DNSName id="id44910X6795" dnsrec="ny6ix.net" dnsrectype="A" run_time="False" name="ny6ix.net (ct)" comment="" ro="False"/>
<DNSName id="id44911X6795" dnsrec="ny6ix.net" dnsrectype="A" run_time="True" name="ny6ix.net (rt)" comment="" ro="False"/>
<DNSName id="id50136X10982" dnsrec="does_not_resolve.local" dnsrectype="A" run_time="False" name="does not resolve" comment="" ro="False"/>
</ObjectGroup>
<ObjectGroup id="stdid16_1" name="Addresses" comment="" ro="False">
<IPv4 id="id417B3641" name="net_address" comment="" ro="False" address="192.168.1.0" netmask="255.255.255.255"/>
@ -26814,7 +26816,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id44EC18128791" host_OS="linux24" inactive="False" lastCompiled="1247364146" lastInstalled="0" lastModified="1263593206" platform="iptables" version="" name="firewall41" comment="testing rule shadowing with run-time objects, rules with such objects should be ignored&#10;&#10;" ro="False">
<Firewall id="id44EC18128791" host_OS="linux24" inactive="False" lastCompiled="1247364146" lastInstalled="0" lastModified="1263600863" platform="iptables" version="" name="firewall41" comment="testing rule shadowing with run-time objects, rules with such objects should be ignored&#10;&#10;" ro="False">
<NAT id="id44EC18168791" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -26912,6 +26914,46 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id50115X1683" disabled="False" group="" log="True" position="5" action="Deny" direction="Both" comment="there should be warning saying the table could not be found">
<Src neg="False">
<ObjectRef ref="id44EC18128791"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id50108X1683"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id50145X10982" disabled="False" group="" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id44EC18128791"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id50136X10982"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id44EC18178791" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">

132
test/pf/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1263499279" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1263599226" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
<Library id="id40E233F3" color="#FFFFFF" name="West Coast" comment="" ro="False">
@ -1096,6 +1096,7 @@
<AddressTable id="id4389EE9018346" filename="addr-table-1.tbl" run_time="False" name="addr-table-1" comment="" ro="False"/>
<AddressTable id="id4389EE9118346" filename="block-hosts.tbl" run_time="True" name="block these" comment="this is run-time table" ro="False"/>
<AddressTable id="id452762A75348" filename="" run_time="True" name="spammers" comment="empty file name; should generate code like this:&#10;&#10;table &lt;spammers&gt; persist&#10;&#10;without &quot;file 'blah'&quot;&#10;&#10;" ro="False"/>
<AddressTable id="id20634X8713" filename="file_does_not_exist.tbl" run_time="False" name="missing table" comment="" ro="False"/>
</ObjectGroup>
<ObjectGroup id="stdid16_1" name="Addresses" comment="" ro="False">
<IPv4 id="id4388C37D674" name="sapmhost1" comment="" ro="False" address="61.150.47.112" netmask="255.255.255.255"/>
@ -9008,12 +9009,12 @@
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id44EC18128791" host_OS="freebsd" inactive="False" lastCompiled="1157930818" lastInstalled="0" lastModified="1193632413" platform="pf" version="" name="firewall41" comment="testing rule shadowing with run-time objects, rules with such objects should be ignored&#10;&#10;" ro="False">
<Firewall id="id44EC18128791" host_OS="freebsd" inactive="False" lastCompiled="1263599379" lastInstalled="0" lastModified="1263599377" platform="pf" version="" name="firewall41" comment="testing rule shadowing with run-time objects, rules with such objects should be ignored&#10;&#10;" ro="False">
<NAT id="id44EC18168791" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id44EC18158791" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id44EC181E8791" disabled="False" log="True" position="0" action="Accept" direction="Both" comment="">
<PolicyRule id="id44EC181E8791" disabled="False" log="True" position="0" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id44EC18128791"/>
</Src>
@ -9031,7 +9032,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id44F7056428576" disabled="False" log="True" position="1" action="Accept" direction="Both" comment="">
<PolicyRule id="id44F7056428576" disabled="False" log="True" position="1" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id44EC18128791"/>
</Src>
@ -9049,7 +9050,44 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id44F707E428576" disabled="False" log="True" position="2" action="Accept" direction="Both" comment="">
<PolicyRule id="id20664X8713" disabled="False" group="" log="True" position="2" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id44EC18128791"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4389EE9118346"/>
<ObjectRef ref="id452762A75348"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id20710X8713" disabled="False" group="" log="True" position="3" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id44EC18128791"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id20634X8713"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id44F707E428576" disabled="False" log="True" position="4" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id44EC18128791"/>
</Src>
@ -9087,14 +9125,28 @@
</Management>
<FirewallOptions>
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="check_shading">true</Option>
<Option name="configure_interfaces">true</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">True</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"></Option>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="configure_carp_interfaces">False</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
@ -9103,14 +9155,71 @@
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_state_policy"></Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
@ -9123,9 +9232,14 @@
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>

45
test/pix/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1257560955" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="15" lastModified="1263600448" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@ -9,6 +9,7 @@
<AddressTable id="id4389EE9018346" filename="addr-table-1.tbl" run_time="False" name="addr-table-1" comment="" ro="False"/>
<AddressTable id="id4385C1081434" filename="/home/vadim/Projects/fwb2.1/fwb2/fwbuilder2/test/ipt/addr-table-1.tbl" run_time="False" name="addrtbl 1" comment="" ro="False"/>
<AddressTable id="id4389EE9118346" filename="block-hosts.tbl" run_time="False" name="block these" comment="this is run-time table" ro="False"/>
<AddressTable id="id16958X10208" filename="file_does_not_exist.tbl" run_time="False" name="missing table" comment="" ro="False"/>
</ObjectGroup>
<ObjectGroup id="stdid01_1_og_dnsn_1" name="DNS Names" comment="" ro="False">
<DNSName id="id43869E8E18346" dnsrec="buildmaster" dnsrectype="A" run_time="False" name="buildmaster (ct)" comment="an example of a local host" ro="False"/>
@ -9951,7 +9952,7 @@ no sysopt nodnsalias outbound
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4389EDAE18346" host_OS="pix_os" inactive="False" lastCompiled="1147840988" lastInstalled="1142003872" lastModified="1147841460" platform="pix" version="6.3" name="firewall34" comment="testing AddressTable object" ro="False">
<Firewall id="id4389EDAE18346" host_OS="pix_os" inactive="False" lastCompiled="1147840988" lastInstalled="1142003872" lastModified="1263600473" platform="pix" version="6.3" name="firewall34" comment="testing AddressTable object" ro="False">
<NAT id="id4389EE4818346" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4389EEB018346" disabled="True" position="0" action="Translate" comment="">
<OSrc neg="True">
@ -9998,7 +9999,7 @@ no sysopt nodnsalias outbound
<RuleSetOptions/>
</NAT>
<Policy id="id4389EDB418346" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id4389EDB518346" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<PolicyRule id="id16988X10208" disabled="False" log="False" position="0" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -10016,7 +10017,25 @@ no sysopt nodnsalias outbound
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4390C25825682" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
<PolicyRule id="id4389EDB518346" disabled="False" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id16958X10208"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4390C25825682" disabled="False" log="True" position="2" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -10036,7 +10055,7 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4389EDC118346" disabled="False" log="False" position="2" action="Deny" direction="Both" comment="">
<PolicyRule id="id4389EDC118346" disabled="False" log="False" position="3" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -10057,7 +10076,7 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43920D5025682" disabled="False" log="False" position="3" action="Deny" direction="Both" comment="">
<PolicyRule id="id43920D5025682" disabled="False" log="False" position="4" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4389EE8418346"/>
</Src>
@ -10078,7 +10097,7 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4388CFF8674" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<PolicyRule id="id4388CFF8674" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4389EE9118346"/>
</Src>
@ -10098,7 +10117,7 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4388C36F674" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<PolicyRule id="id4388C36F674" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4389EE9118346"/>
<ObjectRef ref="id4388C37D674"/>
@ -10119,7 +10138,7 @@ no sysopt nodnsalias outbound
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4388F5A9674" disabled="False" log="False" position="6" action="Accept" direction="Both" comment="">
<PolicyRule id="id4388F5A9674" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="id4389EE9118346"/>
<ObjectRef ref="id4388C37D674"/>
@ -10138,7 +10157,7 @@ no sysopt nodnsalias outbound
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4392312525682" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
<PolicyRule id="id4392312525682" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id4389EE8418346"/>
</Src>
@ -10157,7 +10176,7 @@ no sysopt nodnsalias outbound
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4389EEA118346" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<PolicyRule id="id4389EEA118346" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -10175,7 +10194,7 @@ no sysopt nodnsalias outbound
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4389EDCD18346" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
<PolicyRule id="id4389EDCD18346" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -10193,7 +10212,7 @@ no sysopt nodnsalias outbound
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id4389EE3C18346" disabled="False" log="True" position="10" action="Deny" direction="Both" comment="">
<PolicyRule id="id4389EE3C18346" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>