
* MangleTableCompiler_ipt.cpp (keepMangleTableRules::processNext):

fixed #1415 "action branch that creates branch in mangle table
should branch in FORWARD chain". Rule with "any" in src and dst
and action Branch with option "branch in mangle table" will go
into FORWARD chain in addition to the PREROUTING and POSTROUTING
chains as before. Note that choice of PREROUTING or POSTROUTING
chains depends on direction.
Vadim Kurland 2010-04-24 01:41:47 +00:00
parent a23b39d61a
commit 3360977c2d
5 changed files with 359 additions and 113 deletions


@ -1 +1 @@
#define BUILD_NUM 2828
#define BUILD_NUM 2833


@ -1,3 +1,13 @@
2010-04-23 vadim <vadim@vk.crocodile.org>
* MangleTableCompiler_ipt.cpp (keepMangleTableRules::processNext):
fixed #1415 "action branch that creates branch in mangle table
should branch in FORWARD chain". Rule with "any" in src and dst
and action Branch with option "branch in mangle table" will go
into FORWARD chain in addition to the PREROUTING and POSTROUTING
chains as before. Note that choice of PREROUTING or POSTROUTING
chains depends on direction.
2010-04-23 Vadim Kurland <vadim@vk.crocodile.org>
* instDialog.cpp (instDialog::show): fixed #1418 "install


@ -112,7 +112,31 @@ bool MangleTableCompiler_ipt::keepMangleTableRules::processNext()
tmp_queue.push_back(r);
}
tmp_queue.push_back(rule);
// ticket #1415 User reports that only packets that went
// through the FORWARD chain can match inbound "-i" and
// outbound "-o" interface at the same time. Since we do
// not allow both in and out interface matches in one rule
// and have to use branch to do this, need to branch in
// FORWARD chain as well so that inbound interface can be
// matched in the branching rule and outbound interface
// can be matched in a rule in the branch
//
// This is ugly, this means the branch will inspect the
// packet at least twice - in PREROUTING and FORWARD, or
// FORWARD and POSTROUTING chains.
//
// I mention above that some targets can only be used in
// PREROUTING or POSTROUTING chains. It would help if
// these tagrets worked in FORWARD chain, in that case we
// could just branch in FORWARD instead of all thress chains.
//
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_chain","FORWARD");
tmp_queue.push_back(r);
// tmp_queue.push_back(rule);
return true;
}
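Review bot: The added lines create the FORWARD copy with no check of their own on src/dst or direction, whereas the commit message limits the change to Branch rules with "any" in both src and dst; if the guard outside this hunk only tests the action and `ipt_branch_in_mangle`, every such rule gains a FORWARD jump. As the new comment concedes, the branch then inspects forwarded packets twice, which matters when the branch holds targets with a cumulative effect such as logging or marking, so the restriction should be made explicit in code or stated in the comment. The trailing `// tmp_queue.push_back(rule);` is dead code and should be deleted rather than committed, and the comment has typos ("tagrets", "thress"). The enclosing `if` and the start of processNext() lie outside the hunk, so the guard is inferred rather than seen.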


@ -779,6 +779,20 @@ bool PolicyCompiler_ipt::dropMangleTableRules::processNext()
rule->getAction() == PolicyRule::Route ||
rule->getAction() == PolicyRule::Classify) return true;
// Another special case (while working on #1415, although not
// related directly): branching rule that has "branch in mangle table"
// checkbox turned on and is branches to the "mangle only" rule set
// does not need any iptables rules in the filter table
FWOptions *ruleopt = rule->getOptionsObject();
if (rule->getAction() == PolicyRule::Branch &&
ruleopt->getBool("ipt_branch_in_mangle"))
{
RuleSet *ruleset = rule->getBranch();
assert(ruleset!=NULL);
rulesetopts = ruleset->getOptionsObject();
if (rulesetopts->getBool("mangle_only_rule_set")) return true;
}
tmp_queue.push_back(rule);
return true;
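Review bot: `assert(ruleset!=NULL)` is the only guard before `ruleset->getOptionsObject()`, and it is compiled out under NDEBUG, so a Branch rule whose branch rule set cannot be resolved would dereference a null pointer in a release build. Because this path decides whether a rule is dropped from the filter table, an explicit check is preferable, e.g. `if (ruleset == NULL) { tmp_queue.push_back(rule); return true; }`, or an error reported through the compiler's normal error path. `ruleopt` is likewise dereferenced without a null check, and `rulesetopts` is assigned with no declaration visible in the hunk, so confirm it is declared with a type earlier in the function. The comment's "and is branches to" should read "and branches to". processNext() begins and ends outside the hunk.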


@ -3395,6 +3395,98 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Policy id="id2843857X67928" name="Policy_3" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id2843931X67928" disabled="False" log="True" position="0" action="Tag" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id43BB817C9745"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
<Option name="tagobject_id">id449328D924380</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id711459X72329" name="Policy_3_mangle_only" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id711461X72329" disabled="False" log="True" position="0" action="Tag" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id43BB817C9745"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
<Option name="tagobject_id">id449328D924380</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions>
<Option name="mangle_only_rule_set">True</Option>
</RuleSetOptions>
</Policy>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@ -19358,7 +19450,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id417C680B" host_OS="linux24" inactive="False" lastCompiled="1247364001" lastInstalled="1142003872" lastModified="1264474374" platform="iptables" version="1.4.0" name="firewall25" comment="this firewall uses iptables-restore format. Firewall has wildcard interface ppp*; script is generated dynamically and then piped to iptables-restore&#10;&#10;two rule sets for the filter table, to make sure there is only&#10;one COMMIT for both" ro="False">
<Firewall id="id417C680B" host_OS="linux24" inactive="False" lastCompiled="1247364001" lastInstalled="1142003872" lastModified="1272071699" platform="iptables" version="1.4.0" name="firewall25" comment="this firewall uses iptables-restore format. Firewall has wildcard interface ppp*; script is generated dynamically and then piped to iptables-restore&#10;&#10;two rule sets for the filter table, to make sure there is only&#10;one COMMIT for both" ro="False">
<NAT id="id417C688D" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id417C688E" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -19813,7 +19905,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="tagobject_id">id342984</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55907X96121" disabled="False" group="" log="True" position="18" action="Branch" direction="Both" comment="">
<PolicyRule id="id55907X96121" disabled="False" group="" log="False" position="18" action="Branch" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -19856,7 +19948,136 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id417C6883" disabled="False" log="True" position="19" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
<PolicyRule id="id1821637X72329" disabled="False" group="" log="False" position="19" action="Branch" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id1821563X72329</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_copy_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">True</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_reply_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1821755X72329" disabled="False" group="" log="False" position="20" action="Branch" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id417C6933"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id38458X96057</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_reply_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">True</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_reply_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1821801X72329" disabled="False" group="" log="False" position="21" action="Branch" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id417C6933"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id1821563X72329</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_copy_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">True</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_reply_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id417C6883" disabled="False" log="True" position="22" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -19884,7 +20105,27 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<RuleSetOptions/>
</Policy>
<Policy id="id38458X96057" name="policy_2" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id38459X96057" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<PolicyRule id="id1821888X72329" disabled="False" log="False" position="0" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id417C6938"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id38459X96057" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -19929,6 +20170,51 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id1821563X72329" name="policy_2_mangle" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id1822003X72329" disabled="False" log="False" position="0" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id417C6938"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1821565X72329" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions>
<Option name="mangle_only_rule_set">True</Option>
</RuleSetOptions>
</Policy>
<Routing id="id417C680B-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
@ -24042,7 +24328,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id43BB80919745" host_OS="linux24" inactive="False" lastCompiled="1247364089" lastInstalled="1142003872" lastModified="1272040560" platform="iptables" version="" name="firewall37" comment="testing TAG and CLASSIFY rules&#10;&#10;normal script mode (not using iptables-restore)" ro="False">
<Firewall id="id43BB80919745" host_OS="linux24" inactive="False" lastCompiled="1247364089" lastInstalled="1142003872" lastModified="1272071722" platform="iptables" version="" name="firewall37" comment="testing TAG and CLASSIFY rules&#10;&#10;normal script mode (not using iptables-restore)" ro="False">
<NAT id="id43BB80B09745" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id43BB814D9745" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -24630,50 +24916,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="tagobject_id">id342984</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2287317X67928" disabled="False" group="" log="False" position="20" action="Branch" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id3CB1279B"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id43BB81799745"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id2843857X67928</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_reply_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">True</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id37410X26379" disabled="False" group="" log="False" position="21" action="Accept" direction="Both" comment="tag 0 matches packet that has not been marked yet.&#10;">
<PolicyRule id="id37410X26379" disabled="False" group="" log="False" position="20" action="Accept" direction="Both" comment="tag 0 matches packet that has not been marked yet.&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -24716,7 +24959,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="tagobject_id">id37422X26379</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43BB80989745" disabled="False" log="False" position="22" action="Pipe" direction="Both" comment="">
<PolicyRule id="id43BB80989745" disabled="False" log="False" position="21" action="Pipe" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -24736,7 +24979,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43BB81879745" disabled="False" log="False" position="23" action="Classify" direction="Both" comment="">
<PolicyRule id="id43BB81879745" disabled="False" log="False" position="22" action="Classify" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -24771,7 +25014,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id451E2B486383" disabled="False" log="True" position="24" action="Classify" direction="Both" comment="">
<PolicyRule id="id451E2B486383" disabled="False" log="True" position="23" action="Classify" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -24806,7 +25049,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id451E56936383" disabled="False" log="False" position="25" action="Classify" direction="Both" comment="">
<PolicyRule id="id451E56936383" disabled="False" log="False" position="24" action="Classify" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
@ -24842,7 +25085,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id451E56A46383" disabled="False" log="True" position="26" action="Classify" direction="Both" comment="">
<PolicyRule id="id451E56A46383" disabled="False" log="True" position="25" action="Classify" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
@ -24878,7 +25121,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id451EAD596383" disabled="False" log="False" position="27" action="Classify" direction="Both" comment="">
<PolicyRule id="id451EAD596383" disabled="False" log="False" position="26" action="Classify" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -24913,7 +25156,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id451EAD6A6383" disabled="False" log="True" position="28" action="Classify" direction="Both" comment="">
<PolicyRule id="id451EAD6A6383" disabled="False" log="True" position="27" action="Classify" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -24948,7 +25191,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id451ED8E76383" disabled="False" log="False" position="29" action="Classify" direction="Both" comment="">
<PolicyRule id="id451ED8E76383" disabled="False" log="False" position="28" action="Classify" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -24983,7 +25226,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id451ED8F86383" disabled="False" log="True" position="30" action="Classify" direction="Both" comment="">
<PolicyRule id="id451ED8F86383" disabled="False" log="True" position="29" action="Classify" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -25018,7 +25261,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4599A9DC19324" disabled="False" log="False" position="31" action="Classify" direction="Both" comment="testing for bug #1618381&#10;classify action is non-terminating&#10;in this firewall object">
<PolicyRule id="id4599A9DC19324" disabled="False" log="False" position="30" action="Classify" direction="Both" comment="testing for bug #1618381&#10;classify action is non-terminating&#10;in this firewall object">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -25060,7 +25303,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id4599A9E919324" disabled="False" log="False" position="32" action="Classify" direction="Both" comment="second rule for bug #1618381">
<PolicyRule id="id4599A9E919324" disabled="False" log="False" position="31" action="Classify" direction="Both" comment="second rule for bug #1618381">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -25102,7 +25345,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id459A026219324" disabled="False" log="False" position="33" action="Classify" direction="Both" comment="testing for bug #1618381">
<PolicyRule id="id459A026219324" disabled="False" log="False" position="32" action="Classify" direction="Both" comment="testing for bug #1618381">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
@ -25145,7 +25388,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id459A5AFB19324" disabled="False" log="False" position="34" action="Classify" direction="Both" comment="testing for bug #1618381">
<PolicyRule id="id459A5AFB19324" disabled="False" log="False" position="33" action="Classify" direction="Both" comment="testing for bug #1618381">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B022266"/>
@ -25189,7 +25432,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id459A875F19324" disabled="False" log="False" position="35" action="Classify" direction="Both" comment="bug #1618381&#10;this rule uses multiport&#10;and has to be split because&#10;of that">
<PolicyRule id="id459A875F19324" disabled="False" log="False" position="34" action="Classify" direction="Both" comment="bug #1618381&#10;this rule uses multiport&#10;and has to be split because&#10;of that">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -25232,7 +25475,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43F46B8A28368" disabled="False" log="False" position="36" action="Custom" direction="Both" comment="">
<PolicyRule id="id43F46B8A28368" disabled="False" log="False" position="35" action="Custom" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -25260,7 +25503,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="tagvalue"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43495X28575" disabled="False" group="" log="True" position="37" action="Branch" direction="Both" comment="">
<PolicyRule id="id43495X28575" disabled="False" group="" log="True" position="36" action="Branch" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -25303,7 +25546,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43BB80A49745" disabled="False" log="True" position="38" action="Deny" direction="Both" comment="">
<PolicyRule id="id43BB80A49745" disabled="False" log="True" position="37" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -26046,51 +26289,6 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
</Option>
</RuleSetOptions>
</Policy>
<Policy id="id2843857X67928" name="Policy_3" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id2843931X67928" disabled="False" log="True" position="0" action="Tag" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id43BB817C9745"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
<Option name="tagobject_id">id449328D924380</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id43BB81789745" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>