
* CompilerDriver_ipt_policy.cpp (CompilerDriver_ipt::processPolicyRuleSet):

fixes #1432 "automatic rule with --restore-mark is missing if
rules using action Tag are not in the default Policy rule set".
This commit is contained in:
Vadim Kurland 2010-05-01 22:23:01 +00:00
parent 2ed279c80e
commit 388f69537c
13 changed files with 509 additions and 67 deletions


@ -1 +1 @@
#define BUILD_NUM 2863
#define BUILD_NUM 2866


@ -1,3 +1,9 @@
2010-05-01 vadim <vadim@vk.crocodile.org>
* CompilerDriver_ipt_policy.cpp (CompilerDriver_ipt::processPolicyRuleSet):
fixes #1432 "automatic rule with --restore-mark is missing if
rules using action Tag are not in the default Policy rule set".
2010-05-01 yalovoy <yalovoy@gmail.com>
* RuleSetView.cpp: fixes #1431 GUI crash adding rules to rule group


@ -753,15 +753,8 @@ QTextStream& operator<< (QTextStream &text_stream, const string &str)
*/
string CompilerDriver::indent(int n_spaces, const string &txt)
{
ostringstream output;
istringstream str(txt);
char line[65536];
while (!str.eof())
{
str.getline(line, sizeof(line));
output << std::setw(n_spaces) << std::setfill(' ') << " " << line << endl;
}
return output.str();
QString res = indent(n_spaces, QString(txt.c_str()));
return res.toStdString();
}
QString CompilerDriver::indent(int n_spaces, const QString &txt)
@ -770,12 +763,17 @@ QString CompilerDriver::indent(int n_spaces, const QString &txt)
return prepend(fill, txt);
}
/*
* prepend each line in @txt with @prep, however there is no need to
* prepend empty lines
*/
QString CompilerDriver::prepend(const QString &prep, const QString &txt)
{
QStringList str;
foreach (QString line, txt.split("\n"))
{
str.append(line.prepend(prep));
if (line.isEmpty()) str.append(line);
else str.append(line.prepend(prep));
}
return str.join("\n");
}
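Review bot: The rewritten `indent(int, const string&)` in the first hunk now round-trips the text through QString via `QString(txt.c_str())` and `toStdString()`, and both conversions use Qt's default 8-bit codec (ASCII/Latin-1 on older Qt), so non-ASCII bytes in a rule comment may be altered or replaced on the way back where the removed std::string loop passed them through byte for byte; `c_str()` also stops at an embedded NUL. If std::string is treated as UTF-8 elsewhere in the driver, making the conversion explicit removes the codec dependency: `QString res = indent(n_spaces, QString::fromUtf8(txt.data(), txt.size()));` then `const QByteArray out = res.toUtf8();` and `return std::string(out.constData(), out.size());`. On the plus side the rewrite drops the fixed 64 KiB `line` buffer, whose `getline` failure on a longer line never set eof and so never left the loop.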


@ -52,6 +52,8 @@ using namespace fwcompiler;
CompilerDriver_ipt::CompilerDriver_ipt(FWObjectDatabase *db) :
CompilerDriver(db)
{
have_connmark = false;
have_connmark_in_output = false;
}
// create a copy of itself, including objdb
@ -127,7 +129,8 @@ void CompilerDriver_ipt::findBranchesInMangleTable(Firewall*,
* compile or more if-then-else in configlet code.
*/
string CompilerDriver_ipt::dumpScript(Firewall *fw,
const string& reset_script,
const string& automatic_rules_script,
const string& automatic_mangle_script,
const string& nat_script,
const string& mangle_script,
const string& filter_script,
@ -138,11 +141,11 @@ string CompilerDriver_ipt::dumpScript(Firewall *fw,
string prolog_place = fw->getOptionsObject()->getStr("prolog_place");
Configlet *conf = NULL;
bool have_reset = !reset_script.empty();
bool have_auto = !automatic_rules_script.empty() || !automatic_mangle_script.empty();
if (single_rule_compile_on)
{
have_reset = false;
have_auto = false;
conf = new Configlet(fw, "linux24", "script_body_single_rule");
conf->collapseEmptyStrings(true);
} else
@ -154,20 +157,22 @@ string CompilerDriver_ipt::dumpScript(Firewall *fw,
conf = new Configlet(fw, "linux24", "script_body_single_rule");
}
conf->setVariable("reset", have_reset);
conf->setVariable("reset_script", reset_script.c_str());
conf->setVariable("auto", have_auto);
conf->setVariable("filter", !filter_script.empty());
conf->setVariable("filter_or_reset", have_reset || !filter_script.empty());
conf->setVariable("filter_or_auto", have_auto || !filter_script.empty());
conf->setVariable("filter_auto_script", automatic_rules_script.c_str());
conf->setVariable("filter_script", filter_script.c_str());
conf->setVariable("mangle", !mangle_script.empty());
conf->setVariable("mangle_or_auto", !mangle_script.empty() || !automatic_mangle_script.empty());
conf->setVariable("mangle_auto_script", automatic_mangle_script.c_str());
conf->setVariable("mangle_script", mangle_script.c_str());
conf->setVariable("nat", !nat_script.empty());
conf->setVariable("nat_script", nat_script.c_str());
bool have_script = (have_reset ||
bool have_script = (have_auto ||
!filter_script.empty() ||
!mangle_script.empty() ||
!nat_script.empty());
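Review bot: `have_auto` folds both automatic scripts together, so `filter_or_auto` becomes true when only `automatic_mangle_script` has content, and the iptables-restore configlet then emits a `*filter` table containing nothing but `COMMIT`; `mangle_or_auto` two lines below is computed per table, which is the asymmetry. It is harmless for iptables-restore as far as I can see, but for consistency: `conf->setVariable("filter_or_auto", !automatic_rules_script.empty() || !filter_script.empty());`. That drops the `single_rule_compile_on` gating `have_auto` carried; from the hunks on this page only the single-rule template reads `auto`, and only the restore template reads `filter_or_auto`, but the rest of dumpScript continues past the hunk, so confirm nothing else depends on it.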


@ -72,6 +72,9 @@ namespace fwcompiler {
fwcompiler::OSConfigurator *_oscnf,
std::map<const std::string, bool> *m_n_commands_map);
bool have_connmark;
bool have_connmark_in_output;
public:
CompilerDriver_ipt(libfwbuilder::FWObjectDatabase *db);
@ -88,7 +91,8 @@ public:
std::list<libfwbuilder::FWObject*> &all_policies);
std::string dumpScript(libfwbuilder::Firewall *fw,
const std::string& reset_script,
const std::string& automatic_rules_script,
const std::string& automatic_mangle_script,
const std::string& nat_script,
const std::string& mangle_script,
const std::string& filter_script,
@ -101,6 +105,7 @@ public:
std::ostringstream &filter_table_stream,
std::ostringstream &mangle_table_stream,
std::ostringstream &automatic_rules_stream,
std::ostringstream &automatic_mangle_stream,
fwcompiler::OSConfigurator_linux24 *oscnf,
int policy_af,
std::map<const std::string, bool> &minus_n_commands_filter,
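Review bot: The two new members `have_connmark` and `have_connmark_in_output` carry the same names as the per-compiler flags in MangleTableCompiler_ipt (its removed printAutomaticRules() body read them unqualified) but mean something different: the driver's are OR-accumulated across every rule set, the compiler's describe one rule set. A name that says so keeps the two from being confused when read side by side, e.g. `bool any_connmark_rules;` and `bool any_connmark_rules_in_output;`, plus a one-line comment on the declaration stating that they accumulate over processPolicyRuleSet() calls and are reset only by the constructor.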


@ -49,14 +49,16 @@ using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
// we always first process all non-top rule sets, then all top rule
// sets
bool CompilerDriver_ipt::processPolicyRuleSet(
Firewall *fw,
FWObject *ruleset,
const string &single_rule_id,
ostringstream &filter_table_stream,
ostringstream &mangle_table_stream,
ostringstream &filter_rules_stream,
ostringstream &mangle_rules_stream,
ostringstream &automatic_rules_stream,
ostringstream &automatic_mangle_stream,
OSConfigurator_linux24 *oscnf,
int policy_af,
std::map<const std::string, bool> &minus_n_commands_filter,
@ -64,8 +66,6 @@ bool CompilerDriver_ipt::processPolicyRuleSet(
{
int policy_rules_count = 0;
int mangle_rules_count = 0;
bool have_connmark = false;
bool have_connmark_in_output = false;
bool empty_output = true;
string prolog_place = fw->getOptionsObject()->getStr("prolog_place");
string platform = fw->getStr("platform");
@ -124,28 +124,7 @@ bool CompilerDriver_ipt::processPolicyRuleSet(
have_connmark |= mangle_compiler->haveConnMarkRules();
have_connmark_in_output |= mangle_compiler->haveConnMarkRulesInOutput();
long m_str_pos = mangle_table_stream.tellp();
if (policy->isTop())
{
ostringstream tmp;
if (flush_and_set_default_policy)
tmp << mangle_compiler->flushAndSetDefaultPolicy();
tmp << mangle_compiler->printAutomaticRules();
if (tmp.tellp() > 0)
{
if (!single_rule_compile_on)
{
mangle_table_stream << "# ================ Table 'mangle', ";
mangle_table_stream << "automatic rules";
mangle_table_stream << "\n";
}
mangle_table_stream << tmp.str();
}
}
long m_str_pos = mangle_rules_stream.tellp();
if (mangle_compiler->getCompiledScriptLength() > 0)
{
@ -157,10 +136,10 @@ bool CompilerDriver_ipt::processPolicyRuleSet(
{
if (!single_rule_compile_on)
{
mangle_table_stream << "# ================ Table 'mangle', ";
mangle_table_stream << "rule set " << branch_name << "\n";
mangle_rules_stream << "# ================ Table 'mangle', ";
mangle_rules_stream << "rule set " << branch_name << "\n";
}
mangle_table_stream << tmp.str();
mangle_rules_stream << tmp.str();
}
}
@ -169,11 +148,12 @@ bool CompilerDriver_ipt::processPolicyRuleSet(
all_errors.push_back(mangle_compiler->getErrors("").c_str());
}
if (m_str_pos!=mangle_table_stream.tellp())
if (m_str_pos!=mangle_rules_stream.tellp())
{
mangle_table_stream << "\n";
//mangle_rules_stream << "\n";
empty_output = false;
}
}
std::auto_ptr<PolicyCompiler_ipt> policy_compiler = createPolicyCompiler(
@ -207,10 +187,10 @@ bool CompilerDriver_ipt::processPolicyRuleSet(
empty_output = false;
if (!single_rule_compile_on)
{
filter_table_stream << "# ================ Table 'filter', ";
filter_table_stream << "rule set " << branch_name << "\n";
filter_rules_stream << "# ================ Table 'filter', ";
filter_rules_stream << "rule set " << branch_name << "\n";
}
filter_table_stream << tmp.str();
filter_rules_stream << tmp.str();
}
}
@ -246,6 +226,12 @@ bool CompilerDriver_ipt::processPolicyRuleSet(
tmp << policy_compiler->printAutomaticRules();
// printAutomaticRules() can generate errors and warnings
if (policy_compiler->haveErrorsAndWarnings())
{
all_errors.push_back(policy_compiler->getErrors("").c_str());
}
if (tmp.tellp() > 0)
{
empty_output = false;
@ -258,5 +244,36 @@ bool CompilerDriver_ipt::processPolicyRuleSet(
automatic_rules_stream << tmp.str();
}
}
long auto_mangle_stream_position = automatic_mangle_stream.tellp();
if (policy->isTop() && auto_mangle_stream_position <= 0)
{
// Note that we process non-top rule sets first and then
// deal with the top rule set. By the time we get here the
// have_connmark flags reflect the state of all other rule
// sets and the top one.
ostringstream tmp_m;
tmp_m << mangle_compiler->printAutomaticRulesForMangleTable(
have_connmark, have_connmark_in_output);
// printAutomaticRulesForMangleTable() can generate errors and warnings
if (mangle_compiler->haveErrorsAndWarnings())
{
all_errors.push_back(mangle_compiler->getErrors("").c_str());
}
if (tmp_m.tellp() > 0)
{
if (!single_rule_compile_on)
{
automatic_mangle_stream << "# ================ Table 'mangle', ";
automatic_mangle_stream << "automatic rules";
automatic_mangle_stream << "\n";
}
automatic_mangle_stream << tmp_m.str();
}
}
return empty_output;
}
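Review bot: The new block at the end of the function pushes `mangle_compiler->getErrors("")` onto all_errors a second time after printAutomaticRulesForMangleTable(), while the same compiler's errors were already pushed after its compile step earlier in this section. Unless getErrors() drains the list — not visible here — every error from the mangle compile of a top rule set is now listed twice in the generated error output. Collecting the mangle compiler's errors once, after the automatic-rules block, or confirming that getErrors() consumes what it returns, would settle it; the push added after policy_compiler->printAutomaticRules() in the previous hunk deserves the same check. Parts of the function body between the hunks are outside this view.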


@ -288,6 +288,7 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
}
ostringstream automaitc_rules_stream;
ostringstream automaitc_mangle_stream;
ostringstream filter_rules_stream;
ostringstream mangle_rules_stream;
ostringstream nat_rules_stream;
@ -327,6 +328,7 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
policy_af,
minus_n_commands_nat)) empty_output = false;
// first process all non-top rule sets, then all top rule sets
for (int all_top = 0; all_top < 2; ++all_top)
{
for (list<FWObject*>::iterator p=all_policies.begin();
@ -345,6 +347,7 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
filter_rules_stream,
mangle_rules_stream,
automaitc_rules_stream,
automaitc_mangle_stream,
oscnf.get(),
policy_af,
minus_n_commands_filter,
@ -370,6 +373,7 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
generated_script += dumpScript(fw,
automaitc_rules_stream.str(),
automaitc_mangle_stream.str(),
nat_rules_stream.str(),
mangle_rules_stream.str(),
filter_rules_stream.str(),
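Review bot: The flags that processPolicyRuleSet() now ORs into (have_connmark and have_connmark_in_output became class members in this commit) are set to false only in the constructor, and run() never resets them before the `for (int all_top ...)` loop; if one driver instance compiles more than once — a second address family, or a second call to run() — the later pass inherits the earlier pass's answer and can emit --restore-mark rules its own rule sets never asked for. Whether run() loops over policy_af on the same instance is not visible in this hunk, so this is an inference, but the guard is cheap: `have_connmark = false;` and `have_connmark_in_output = false;` immediately before the loop.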


@ -160,10 +160,13 @@ string MangleTableCompiler_ipt::flushAndSetDefaultPolicy()
return "";
}
// mangle table compiler is special, it needs additional parameters to
// generate automatic rules correctly. But virtual function
// printAutomaticRules() has no parameters so we have another one
// that takes parameters: printAutomaticRulesForMangleTable()
string MangleTableCompiler_ipt::printAutomaticRules()
{
return printAutomaticRulesForMangleTable(have_connmark,
have_connmark_in_output);
return "";
}
string MangleTableCompiler_ipt::printAutomaticRulesForMangleTable(
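Review bot: printAutomaticRules() now silently returns "" for the mangle compiler, so any caller that still goes through the virtual interface gets no automatic mangle rules and no diagnostic; the comment above it explains why the parameterised overload exists but not who is responsible for calling it. Suggest extending it with `// Intentionally a no-op: CompilerDriver_ipt::processPolicyRuleSet() calls printAutomaticRulesForMangleTable() once, for the top rule set, after all rule sets have been compiled.` — that is what the driver hunk on this page does.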


@ -1740,10 +1740,10 @@ bool PolicyCompiler_ipt::splitIfTagAndConnmark::processNext()
PolicyRule *r, *r1;
if (make_terminating)
ruleopt->setBool("already_terminating_target",true);
ruleopt->setBool("already_terminating_target", true);
string this_chain = rule->getStr("ipt_chain");
string new_chain=ipt_comp->getNewChainName(rule,rule_iface);
string this_chain = rule->getStr("ipt_chain");
string new_chain = ipt_comp->getNewChainName(rule,rule_iface);
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);


@ -14,14 +14,15 @@
## iptables-restore method, not single rule compile
{{if have_script}}
(
{{if filter_or_reset}}
{{if filter_or_auto}}
echo '*filter'
{{$reset_script}}
{{$filter_auto_script}}
{{$filter_script}}
echo COMMIT
{{endif}}
{{if mangle}}
{{if mangle_or_auto}}
echo '*mangle'
{{$mangle_auto_script}}
{{$mangle_script}}
echo COMMIT
{{endif}}


@ -14,7 +14,8 @@
## this template is used for single rule compile, both
## iptables-restore and regular, as well as for the regular
## (not iptables-restore) script
{{if reset}}{{$reset_script}}{{endif}}
{{if auto}}{{$filter_auto_script}}
{{$mangle_auto_script}}{{endif}}
{{if nat}}{{$nat_script}}{{endif}}


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1272673989" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1272737130" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -50763,7 +50763,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id54821X29165" host_OS="linux24" inactive="False" lastCompiled="1272674003" lastInstalled="1142003872" lastModified="1272673997" platform="iptables" version="1.4.0" name="firewall40-1" comment="&#10;more complex and realistic combination of Tag and Route rules that are in the separate Policy rule set&#10;" ro="False">
<Firewall id="id54821X29165" host_OS="linux24" inactive="False" lastCompiled="1272737108" lastInstalled="1142003872" lastModified="1272737191" platform="iptables" version="1.4.0" name="firewall40-1" comment="&#10;more complex and realistic combination of Tag and Route rules that are in the separate Policy rule set&#10;" ro="False">
<NAT id="id54936X29165" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id54937X29165" disabled="False" position="0" action="Translate" comment="Translate source address&#10;for outgoing connections">
<OSrc neg="False">
@ -50789,6 +50789,26 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<RuleSetOptions/>
</NAT>
<Policy id="id54849X29165" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id55100X22068" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="any rule here to make top Policy ruleset non-empty">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id54988X29165" name="Policy_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
@ -51145,6 +51165,388 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id55112X22068" host_OS="linux24" inactive="False" lastCompiled="1272737108" lastInstalled="1142003872" lastModified="1272737150" platform="iptables" version="1.4.0" name="firewall40-2" comment="&#10;more complex and realistic combination of Tag and Route rules that are in the separate Policy rule set. Here the top Policy rule set is empty&#10;" ro="False">
<NAT id="id55241X22068" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id55242X22068" disabled="False" position="0" action="Translate" comment="Translate source address&#10;for outgoing connections">
<OSrc neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id55120X22068"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="sysid1"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id55140X22068" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Policy>
<Policy id="id55154X22068" name="Policy_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id55155X22068" disabled="False" log="False" position="0" action="Tag" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id55120X22068"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">True</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="tagobject_id">id449328D824380</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55167X22068" disabled="False" log="False" position="1" action="Tag" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id55130X22068"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">True</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="tagobject_id">id449328D924380</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55179X22068" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="This permits access from internal net&#10;to the Internet and DMZ">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id55191X22068" disabled="False" log="False" position="3" action="Route" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id449328D824380"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">True</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif">eth0</Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55203X22068" disabled="False" log="False" position="4" action="Route" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id449328D924380"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_anchor_name"></Option>
<Option name="branch_chain_name"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">True</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif">eth2</Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55215X22068" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55227X22068" disabled="False" log="True" position="6" action="Tag" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3B665641"/>
<ObjectRef ref="id3B665643"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">False</Option>
<Option name="tagobject_id">id365999</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id55257X22068" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id55120X22068" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id55123X22068" name="firewall40-2:eth0:ip" comment="This is a test address, change it to your real one" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id55125X22068" dedicated_failover="False" dyn="False" label="loopback" mgmt="False" security_level="100" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id55128X22068" name="firewall40-2:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id55130X22068" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
<IPv4 id="id55133X22068" name="firewall40-2:eth2:ip" comment="" ro="False" address="192.0.100.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id55135X22068" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id55138X22068" name="firewall40-2:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">True</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">False</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
<Option name="pix_emblem_log_format">false</Option>
<Option name="pix_emulate_out_acl">true</Option>
<Option name="pix_floodguard">true</Option>
<Option name="pix_include_comments">true</Option>
<Option name="pix_route_dnat_supported">true</Option>
<Option name="pix_rule_syslog_settings">false</Option>
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False">
<Interval id="id3D6864D0" days_of_week="0,1" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1" name="test time 1" comment="" ro="False"/>
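Review bot: The new firewall40-2 fixture has `use_iptables_restore` set to False, so it only exercises the plain-script configlet; the iptables-restore template changed in the same commit (`filter_or_auto` / `mangle_or_auto`) is not covered by this object, and firewall40-1's options are outside the hunk. A copy of firewall40-2 with `<Option name="use_iptables_restore">True</Option>` would cover the restore path of #1432, where `*mangle` must be emitted even though the mangle rule script itself is empty.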


@ -1,7 +1,7 @@
#!/bin/sh
DIFFCMD="diff -C 5 -c -b -B -w -I \"# Generated\" -I 'Activating ' -I '# Firewall Builder fwb_ipt v' -I 'Can not find file' -I '====' -I 'log '"
DIFFCMD="diff -C 5 -c -b -w -I \"^ *$\" -I \" *# *$\" -I \"# Generated\" -I 'Activating ' -I '# Firewall Builder fwb_ipt v' -I 'Can not find file' -I '====' -I 'log '"
for f in $(ls *.fw.orig)
do
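Review bot: The new ignore pattern `-I " *# *$"` is anchored only on the right, so it matches any changed line that ends in `#` (optionally followed by spaces), not just comment-only lines, and a hunk whose changed lines all end that way is dropped from the regression diff. `-I "^ *# *$"` matches what the pattern appears to be after. The loop body that expands DIFFCMD continues past the hunk, so how the escaped quotes are interpreted (eval or plain expansion) is not visible here.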