From 39eaf40722e61ef8ab0b40bacfdaa85d097bee45 Mon Sep 17 00:00:00 2001 
From: Vadim Kurland Date: Wed, 2 Feb 2011 17:45:36 -0800 Subject: [PATCH] see #1888, #2020, #2018 rc.conf format of the init script for PF on FreeBSD, includes inetrfaes. addresses, CARP, pfsync and pf initialization --- VERSION | 2 +- VERSION.h | 2 +- doc/ChangeLog | 10 + packaging/fwbuilder-static-qt.spec | 2 +- packaging/fwbuilder.control | 2 +- packaging/fwbuilder.spec | 2 +- src/cisco_lib/CompilerDriver_iosacl_run.cpp | 3 +- src/cisco_lib/CompilerDriver_pix_run.cpp | 3 +- .../CompilerDriver_procurve_acl_run.cpp | 3 +- src/compiler_lib/CompilerDriver.h | 3 +- .../CompilerDriver_generators.cpp | 28 +- src/pflib/CompilerDriver_ipf_run.cpp | 37 +- src/pflib/CompilerDriver_ipfw_run.cpp | 3 +- src/pflib/CompilerDriver_pf_run.cpp | 47 +- src/pflib/OSConfigurator_bsd.cpp | 343 +------------ src/pflib/OSConfigurator_bsd.h | 52 +- src/pflib/OSConfigurator_bsd_interfaces.cpp | 470 ++++++++++++++++++ src/pflib/OSConfigurator_freebsd.cpp | 328 +++++++++++- src/pflib/OSConfigurator_freebsd.h | 35 +- src/pflib/OSConfigurator_macosx.h | 6 +- src/pflib/OSConfigurator_openbsd.h | 6 +- src/pflib/OSConfigurator_solaris.cpp | 4 - src/pflib/OSConfigurator_solaris.h | 8 +- src/pflib/pflib.pro | 1 + .../configlets/freebsd/rc_conf_carp_interface | 22 + .../configlets/freebsd/rc_conf_kernel_vars | 19 + .../freebsd/rc_conf_pfsync_interface | 10 + src/res/configlets/pf/rc_conf_activation | 14 + src/res/configlets/pf/rc_conf_skeleton | 32 ++ src/res/configlets/pf/rc_conf_top_comment | 12 + .../generatedScriptTestsIpfilter.cpp | 8 +- .../generatedScriptTestsPF.cpp | 10 +- test/pf/cluster-tests.fwb | 379 +++++++++++++- test/pf/objects-for-regression-tests.fwb | 254 +++++++++- 34 files changed, 1726 insertions(+), 434 deletions(-) create mode 100644 src/pflib/OSConfigurator_bsd_interfaces.cpp create mode 100644 src/res/configlets/freebsd/rc_conf_carp_interface create mode 100644 src/res/configlets/freebsd/rc_conf_kernel_vars create mode 100644 
src/res/configlets/freebsd/rc_conf_pfsync_interface create mode 100644 src/res/configlets/pf/rc_conf_activation create mode 100644 src/res/configlets/pf/rc_conf_skeleton create mode 100644 src/res/configlets/pf/rc_conf_top_comment diff --git a/VERSION b/VERSION index 1946e3d16..adf41e729 100644 --- a/VERSION +++ b/VERSION @@ -7,7 +7,7 @@ FWB_MICRO_VERSION=0 # build number is like "nano" version number. I am incrementing build # number during development cycle # -BUILD_NUM="3456" +BUILD_NUM="3457" VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM" diff --git a/VERSION.h b/VERSION.h index 18a617509..41f03fcf5 100644 --- a/VERSION.h +++ b/VERSION.h @@ -1,2 +1,2 @@ -#define VERSION "4.2.0.3456" +#define VERSION "4.2.0.3457" #define GENERATION "4.2" diff --git a/doc/ChangeLog b/doc/ChangeLog index 684eb6897..d45a4ec93 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,13 @@ +2011-02-02 vadim + + * OSConfigurator_freebsd.cpp: see #1888 "Add option to generate + rc.conf.local file for BSD systems". Added ability to generate + initialization script in rc.conf fromat for FreeBSD. Only FreeBSD + is currently supported (not OpenBSD). Generated script includes + variables to configure interfaces and their ipv4 and ipv6 + addresses, vlans, CARP and pfsync interfaces, as well as variables + that initialize PF. + 2011-02-01 vadim * CompilerDriver_files.cpp (determineOutputFileNames): See #2015 diff --git a/packaging/fwbuilder-static-qt.spec b/packaging/fwbuilder-static-qt.spec index cbca4476f..ec99b0ab1 100644 --- a/packaging/fwbuilder-static-qt.spec +++ b/packaging/fwbuilder-static-qt.spec @@ -3,7 +3,7 @@ %define name fwbuilder -%define version 4.2.0.3456 +%define version 4.2.0.3457 %define release 1 %if "%_vendor" == "MandrakeSoft" diff --git a/packaging/fwbuilder.control b/packaging/fwbuilder.control index 82f5b1f49..1b134ed9e 100644 --- a/packaging/fwbuilder.control +++ b/packaging/fwbuilder.control 
@@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu Priority: extra Section: checkinstall Maintainer: vadim@fwbuilder.org -Version: 4.2.0.3456-1 +Version: 4.2.0.3457-1 Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15 Description: Firewall Builder GUI and policy compilers diff --git a/packaging/fwbuilder.spec b/packaging/fwbuilder.spec index e5c6f3ff3..72c9135b4 100644 --- a/packaging/fwbuilder.spec +++ b/packaging/fwbuilder.spec @@ -1,6 +1,6 @@ %define name fwbuilder -%define version 4.2.0.3456 +%define version 4.2.0.3457 %define release 1 %if "%_vendor" == "MandrakeSoft" diff --git a/src/cisco_lib/CompilerDriver_iosacl_run.cpp b/src/cisco_lib/CompilerDriver_iosacl_run.cpp index 1f5baf30d..2ce764bfe 100644 --- a/src/cisco_lib/CompilerDriver_iosacl_run.cpp +++ b/src/cisco_lib/CompilerDriver_iosacl_run.cpp @@ -117,7 +117,8 @@ QString CompilerDriver_iosacl::assembleFwScript(Cluster *cluster, options->setStr("prolog_script", options->getStr("iosacl_prolog_script")); options->setStr("epilog_script", options->getStr("iosacl_epilog_script")); - assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "!"); + assembleFwScriptInternal(cluster, fw, cluster_member, + oscnf, &script_skeleton, &top_comment, "!", true); return script_skeleton.expand(); } diff --git a/src/cisco_lib/CompilerDriver_pix_run.cpp b/src/cisco_lib/CompilerDriver_pix_run.cpp index b5e766a8a..f3c255e0e 100644 --- a/src/cisco_lib/CompilerDriver_pix_run.cpp +++ b/src/cisco_lib/CompilerDriver_pix_run.cpp 
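Review bot: The new trailing argument is a bare `true` at this call site, and likewise in the pix, procurve, ipf and ipfw assembleFwScript hunks, while the pf hunk passes `!options->getBool("generate_rc_conf_file")`; nothing at the call tells the reader what the boolean selects. A named local such as `const bool indent_script = true;` passed in place of the literal, or at least `/* indent */ true`, would make the five call sites self-explaining. assembleFwScript's body begins outside the hunk.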
@@ -160,7 +160,8 @@ QString CompilerDriver_pix::assembleFwScript(Cluster *cluster, script_skeleton.setVariable("routing_script", QString::fromUtf8(routing_script.c_str())); - assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "!"); + assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, + &script_skeleton, &top_comment, "!", true); return script_skeleton.expand(); } diff --git a/src/cisco_lib/CompilerDriver_procurve_acl_run.cpp b/src/cisco_lib/CompilerDriver_procurve_acl_run.cpp index af3521fd7..030c0cd2d 100644 --- a/src/cisco_lib/CompilerDriver_procurve_acl_run.cpp +++ b/src/cisco_lib/CompilerDriver_procurve_acl_run.cpp @@ -113,7 +113,8 @@ QString CompilerDriver_procurve_acl::assembleFwScript(Cluster *cluster, options->setStr("prolog_script", options->getStr("procurve_acl_prolog_script")); options->setStr("epilog_script", options->getStr("procurve_acl_epilog_script")); - assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, ";"); + assembleFwScriptInternal(cluster, fw, cluster_member, oscnf, + &script_skeleton, &top_comment, ";", true); return script_skeleton.expand(); } diff --git a/src/compiler_lib/CompilerDriver.h b/src/compiler_lib/CompilerDriver.h index ef24adbcf..ec3ea6c57 100644 --- a/src/compiler_lib/CompilerDriver.h +++ b/src/compiler_lib/CompilerDriver.h @@ -156,7 +156,8 @@ protected: OSConfigurator *ocsnf, Configlet *script_skeleton, Configlet *top_comment, - const QString &comment_char); + const QString &comment_char, + bool indent); void _findImportedRuleSetsRecursively(libfwbuilder::Firewall *fw, libfwbuilder::RuleSet *ruleset, diff --git a/src/compiler_lib/CompilerDriver_generators.cpp b/src/compiler_lib/CompilerDriver_generators.cpp index 72303f72d..00f52e084 100644 --- a/src/compiler_lib/CompilerDriver_generators.cpp +++ b/src/compiler_lib/CompilerDriver_generators.cpp 
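Review bot: The new `bool indent` parameter of assembleFwScriptInternal is declared without any comment, and the CompilerDriver_generators.cpp hunks show it doing two distinct things: choosing whether `comment_char + " "` is prefixed to the firewall comment and the errors/warnings list, and whether the kernel-vars and interface command blocks get a four-space indent. A comment above the declaration would spare the next caller reading the implementation, e.g. `// indent: true for shell-script output (comment lines prefixed with comment_char, command blocks indented); false for the flat rc.conf format`. The class body this declaration belongs to continues outside the hunk.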
@@ -71,7 +71,8 @@ void CompilerDriver::assembleFwScriptInternal(Cluster *cluster, OSConfigurator *oscnf, Configlet *script_skeleton, Configlet *top_comment, - const QString &comment_char) + const QString &comment_char, + bool indent) { FWOptions* options = fw->getOptionsObject(); string platform = fw->getStr("platform"); @@ -112,17 +113,21 @@ void CompilerDriver::assembleFwScriptInternal(Cluster *cluster, QFileInfo fw_file_info(fw_file_name); - top_comment->setVariable("manifest", assembleManifest(cluster, fw, cluster_member)); + top_comment->setVariable("manifest", assembleManifest(cluster, fw, + cluster_member)); top_comment->setVariable("platform", platform.c_str()); top_comment->setVariable("fw_version", fw_version.c_str()); - top_comment->setVariable("comment", prepend(comment_char + " ", fw->getComment().c_str())); + top_comment->setVariable("comment", + prepend((indent) ? comment_char + " " : "", + fw->getComment().c_str())); script_skeleton->setVariable("have_nat", have_nat); script_skeleton->setVariable("have_filter", have_filter); script_skeleton->setVariable("top_comment", top_comment->expand()); script_skeleton->setVariable("errors_and_warnings", - prepend(comment_char + " ", all_errors.join("\n"))); + prepend((indent) ? comment_char + " " : "", + all_errors.join("\n"))); script_skeleton->setVariable("tools", printPathForAllTools(fw, family)); script_skeleton->setVariable("timestamp", timestr); 
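Review bot: With `indent` false the firewall comment and `all_errors.join("\n")` are inserted with an empty prefix, so in rc.conf mode (the pf driver passes `!options->getBool("generate_rc_conf_file")`) a multi-line comment or a list of warnings lands in the generated file without a `#` on each line. Unless the new rc_conf_top_comment configlet prefixes every line itself (a literal `# ` before the variable covers only the first line), those lines become statements in a file that FreeBSD's rc framework sources with /bin/sh, and `fw->getComment()` is free text from the object editor. The comment prefix does not depend on the output format, so keeping `prepend(comment_char + " ", fw->getComment().c_str())` and `prepend(comment_char + " ", all_errors.join("\n"))` unconditionally, and letting `indent` govern only the four-space indentation in the next hunk, would close this. assembleFwScriptInternal continues beyond this hunk.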
@@ -134,16 +139,21 @@ void CompilerDriver::assembleFwScriptInternal(Cluster *cluster, script_buffer = ""; - script_skeleton->setVariable("shell_functions", oscnf->printFunctions().c_str()); + script_skeleton->setVariable("shell_functions", + oscnf->printFunctions().c_str()); script_skeleton->setVariable("kernel_vars_commands", - prepend(" ", oscnf->printKernelVarsCommands().c_str())); + prepend((indent) ? " " : "", + oscnf->printKernelVarsCommands().c_str())); script_skeleton->setVariable("configure_interfaces", - prepend(" ", oscnf->configureInterfaces().c_str())); + prepend((indent) ? " " : "", + oscnf->configureInterfaces().c_str())); // this really adds nothing for the most of the systems - script_skeleton->setVariable("other_os_configuration_commands", oscnf->getCompiledScript().c_str()); + script_skeleton->setVariable("other_os_configuration_commands", + oscnf->getCompiledScript().c_str()); - script_skeleton->setVariable("activation_commands", printActivationCommands(fw)); + script_skeleton->setVariable("activation_commands", + printActivationCommands(fw)); script_skeleton->setVariable("verify_interfaces", ""); diff --git a/src/pflib/CompilerDriver_ipf_run.cpp b/src/pflib/CompilerDriver_ipf_run.cpp index 2e6fd92bd..2487b0d09 100644 --- a/src/pflib/CompilerDriver_ipf_run.cpp +++ b/src/pflib/CompilerDriver_ipf_run.cpp @@ -160,7 +160,8 @@ QString CompilerDriver_ipf::assembleFwScript(Cluster *cluster, Configlet top_comment(fw, "ipf", "top_comment"); assembleFwScriptInternal( - cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#"); + cluster, fw, cluster_member, oscnf, + &script_skeleton, &top_comment, "#", true); return script_skeleton.expand(); } 
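Review bot: The conditional `(indent) ? "    " : ""` is spelled out twice, once for kernel_vars_commands and once for configure_interfaces, which invites the two copies to drift. Hoisting it once, `const QString cmd_indent = indent ? "    " : "";`, and passing `cmd_indent` to both `prepend()` calls keeps the indent width in one place; if `prepend()` with an empty prefix is a no-op (not visible here), the two calls could also skip it entirely when `indent` is false. assembleFwScriptInternal continues outside the hunk.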
@@ -200,6 +201,17 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id, determineOutputFileNames(cluster, fw, !cluster_id.empty()); + // if remote file spec does not include path, the file is + // assumed to be in directory set in the "Installer" tab + // of the firewall settings dialog + // + // fw_dir is used below to generate activation commands + + QString fw_dir = options->getStr("firewall_dir").c_str(); + + if (fw_dir.isEmpty()) fw_dir = Resources::getTargetOptionStr( + fw->getStr("host_OS"), "activation/fwdir").c_str(); + QFileInfo finfo(fw_file_name); QString ipf_file_name = finfo.completeBaseName() + "-ipf.conf"; QString nat_file_name = finfo.completeBaseName() + "-nat.conf"; @@ -362,7 +374,16 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id, QString filePath; if (remote_ipf_name[0] == '/') filePath = remote_ipf_name; - else filePath = QString("${FWDIR}/") + remote_ipf_name; + else + { + QFileInfo remote_file_info(remote_ipf_name); + if (remote_file_info.path() != ".") + filePath = remote_ipf_name; + else + filePath = fw_dir + "/" + remote_ipf_name; + + //filePath = QString("${FWDIR}/") + remote_ipf_name; + } activation_commands.push_back( composeActivationCommand( @@ -400,7 +421,17 @@ QString CompilerDriver_ipf::run(const std::string &cluster_id, QString filePath; if (remote_nat_name[0] == '/') filePath = remote_nat_name; - else filePath = QString("${FWDIR}/") + remote_nat_name; + else + { + QFileInfo remote_file_info(remote_nat_name); + if (remote_file_info.path() != ".") + filePath = remote_nat_name; + else + filePath = fw_dir + "/" + remote_nat_name; + + //filePath = QString("${FWDIR}/") + remote_nat_name; + } + activation_commands.push_back( composeActivationCommand( fw, false, ipf_dbg, fw_version, filePath.toStdString())); diff --git a/src/pflib/CompilerDriver_ipfw_run.cpp b/src/pflib/CompilerDriver_ipfw_run.cpp index 9fb043211..7294e5e4e 100644 --- a/src/pflib/CompilerDriver_ipfw_run.cpp 
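Review bot: The path-resolution block in the ipf branch is repeated verbatim in the nat branch further down, each keeping a commented-out `//filePath = QString("${FWDIR}/") + ...` line, and the same logic is added twice more in CompilerDriver_pf_run.cpp's printActivationCommands. Note also that `fw_dir` is the user-entered "firewall_dir" option spliced into the activation command: the pf variant passes the result through `escapeFileName()`, whereas here `filePath.toStdString()` goes to composeActivationCommand as-is, so a directory containing a space or a quote would break the generated command unless composeActivationCommand quotes it (not visible here). A small file-local helper removes the duplication and the dead lines, and `startsWith('/')` avoids indexing `[0]` on an empty name. CompilerDriver_ipf::run continues outside the hunk.
```cpp
// Where the firewall expects a conf file at activation time: absolute
// paths and names that already carry a directory are used as given, a
// bare file name is placed under fw_dir (the "Installer" tab directory).
static QString remoteConfPath(const QString &remote_name, const QString &fw_dir)
{
    if (remote_name.startsWith('/')) return remote_name;
    if (QFileInfo(remote_name).path() != ".") return remote_name;
    return fw_dir + "/" + remote_name;
}

// … unchanged: ipf branch up to the activation command …
            QString filePath = remoteConfPath(remote_ipf_name, fw_dir);
// … unchanged: nat branch up to the activation command …
            QString filePath = remoteConfPath(remote_nat_name, fw_dir);
```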
+++ b/src/pflib/CompilerDriver_ipfw_run.cpp @@ -107,7 +107,8 @@ QString CompilerDriver_ipfw::assembleFwScript(Cluster *cluster, Configlet top_comment(fw, "ipfw", "top_comment"); assembleFwScriptInternal( - cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#"); + cluster, fw, cluster_member, oscnf, + &script_skeleton, &top_comment, "#", true); return script_skeleton.expand(); } diff --git a/src/pflib/CompilerDriver_pf_run.cpp b/src/pflib/CompilerDriver_pf_run.cpp index 80dfdf6b7..6723d3505 100644 --- a/src/pflib/CompilerDriver_pf_run.cpp +++ b/src/pflib/CompilerDriver_pf_run.cpp @@ -89,7 +89,11 @@ QString CompilerDriver_pf::composeActivationCommand(Firewall *fw, const string &pf_version, const string &remote_file_name) { - Configlet act(fw, "pf", "activation"); + FWOptions* options = fw->getOptionsObject(); + Configlet act(fw, "pf", + options->getBool("generate_rc_conf_file") ? + "rc_conf_activation" : "activation"); + act.removeComments(); act.setVariable("pfctl_debug", pfctl_debug.c_str()); act.setVariable("anchor", !anchor_name.empty()); 
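Review bot: `options->getBool("generate_rc_conf_file")` is read here and three more times in the assembleFwScript hunk of this file, each time selecting a configlet name or a flag by the same string literal. Reading it once per function into `const bool rc_conf = options->getBool("generate_rc_conf_file");` (or a small accessor on CompilerDriver_pf) keeps the option name in one place and makes the ternaries short enough to fit on one line. composeActivationCommand continues past the hunk.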
@@ -113,10 +117,25 @@ QString CompilerDriver_pf::printActivationCommands(Firewall *fw) bool debug = options->getBool("debug"); string pfctl_dbg = (debug)?"-v ":""; + // if remote file spec does not include path, the file is + // assumed to be in directory set in the "Installer" tab + // of the firewall settings dialog + QString fw_dir = options->getStr("firewall_dir").c_str(); + + if (fw_dir.isEmpty()) fw_dir = Resources::getTargetOptionStr( + fw->getStr("host_OS"), "activation/fwdir").c_str(); + QStringList activation_commands; QString remote_file = remote_conf_files["__main__"]; if (remote_file.isEmpty()) remote_file = conf_files["__main__"]; - if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file; + if (remote_file[0] != '/') + { + QFileInfo remote_file_info(remote_file); + if (remote_file_info.path() != ".") + remote_file = remote_file; + else + remote_file = fw_dir + "/" + remote_file; + } remote_file = this->escapeFileName(remote_file); activation_commands.push_back( @@ -128,7 +147,14 @@ QString CompilerDriver_pf::printActivationCommands(Firewall *fw) { QString remote_file = remote_conf_files[i->first]; if (remote_file.isEmpty()) remote_file = i->second; - if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file; + if (remote_file[0] != '/') + { + QFileInfo remote_file_info(remote_file); + if (remote_file_info.path() != ".") + remote_file = remote_file; + else + remote_file = fw_dir + "/" + remote_file; + } remote_file = this->escapeFileName(remote_file); if (i->first != "__main__") 
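Review bot: `remote_file = remote_file;` in both new blocks is a self-assignment that does nothing, which makes the branch structure harder to read than it needs to be; each block reduces to `if (!remote_file.startsWith('/') && QFileInfo(remote_file).path() == ".") remote_file = fw_dir + "/" + remote_file;`, once for the `__main__` file and once inside the loop. This is the same resolution logic the CompilerDriver_ipf_run.cpp hunk adds, so one shared helper on CompilerDriver would serve all four places. printActivationCommands continues outside the hunk.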
@@ -179,14 +205,23 @@ QString CompilerDriver_pf::assembleFwScript(Cluster *cluster, OSConfigurator *oscnf) { FWOptions* options = fw->getOptionsObject(); - Configlet script_skeleton(fw, "pf", "script_skeleton"); - Configlet top_comment(fw, "pf", "top_comment"); + + Configlet script_skeleton( + fw, "pf", + options->getBool("generate_rc_conf_file") ? + "rc_conf_skeleton" : "script_skeleton"); + + Configlet top_comment(fw, "pf", + options->getBool("generate_rc_conf_file") ? + "rc_conf_top_comment" : "top_comment"); script_skeleton.setVariable("routing_script", QString::fromUtf8(routing_script.c_str())); assembleFwScriptInternal( - cluster, fw, cluster_member, oscnf, &script_skeleton, &top_comment, "#"); + cluster, fw, cluster_member, oscnf, + &script_skeleton, &top_comment, "#", + !options->getBool("generate_rc_conf_file")); if (fw->getStr("platform") == "pf") { diff --git a/src/pflib/OSConfigurator_bsd.cpp b/src/pflib/OSConfigurator_bsd.cpp index 014100797..627cdd2d1 100644 --- a/src/pflib/OSConfigurator_bsd.cpp +++ b/src/pflib/OSConfigurator_bsd.cpp @@ -2,11 +2,9 @@ Firewall Builder - Copyright (C) 2002,2009 NetCitadel, LLC + Copyright (C) 2002-2011 NetCitadel, LLC - Author: Vadim Kurland vadim@vk.crocodile.org - - $Id$ + Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms 
@@ -64,57 +62,6 @@ string OSConfigurator_bsd::printKernelVarsCommands() return ""; } -string OSConfigurator_bsd::updateAddressesOfInterfaceCall( - Interface *iface, list > all_addresses) -{ - QStringList arg1; - arg1.push_back(iface->getName().c_str()); - - for (list >::iterator j = all_addresses.begin(); - j != all_addresses.end(); ++j) - { - InetAddr ipaddr = j->first; - InetAddr ipnetm = j->second; - - if (ipaddr.isV6()) - arg1.push_back(QString("%1/%2").arg(ipaddr.toString().c_str()) - .arg(ipnetm.getLength())); - else - { -/* - on OpenBSD ifconfig prints netmask of ipv4 addresses in hex - - # ifconfig em0 - em0: flags=8843 mtu 1500 - lladdr 00:0c:29:83:4d:2f - media: Ethernet autoselect (1000baseT full-duplex,master) - status: active - inet 10.1.1.50 netmask 0xffffff00 broadcast 10.1.1.255 - inet6 fe80::20c:29ff:fe83:4d2f%em0 prefixlen 64 scopeid 0x2 -*/ - int nbits = ipnetm.getLength(); - uint32_t netm = 0; - while (nbits) - { - netm = netm >> 1; - netm |= 1<<31; - nbits--; - } - - arg1.push_back(QString("%1/0x%2") - .arg(ipaddr.toString().c_str()) - .arg(netm, -8, 16)); - } - } - - return string("update_addresses_of_interface ") + - "\"" + - arg1.join(" ").toStdString() + - "\"" + - " \"\""; -} - - void OSConfigurator_bsd::addVirtualAddressForNAT(const Network*) { } 
@@ -212,291 +159,6 @@ string OSConfigurator_bsd::printFunctions() return ostr.str(); } -/* - * We need to sort interfaces by name but make sure carp interfaces - * are always last. See #1807 - */ -bool compare_names(FWObject *a, FWObject *b) -{ - QString a_name = QString(a->getName().c_str()); - QString b_name = QString(b->getName().c_str()); - if (a_name.startsWith("carp") && b_name.startsWith("carp")) return a_name < b_name; - if (a_name.startsWith("carp")) return false; - if (b_name.startsWith("carp")) return true; - return a_name < b_name; -} - -string OSConfigurator_bsd::configureInterfaces() -{ - ostringstream ostr; - FWOptions* options = fw->getOptionsObject(); - - // Update vlans first because we may need to update ip addresses - // on vlan interfaces later - if ( options->getBool("configure_vlan_interfaces") ) - { - QStringList vlan_interfaces; - ostringstream vlan_output; - // http://blog.scottlowe.org/2007/08/31/vlan-interfaces-with-openbsd-41/ - // ifconfig vlan vlandev - FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); - for ( ; i!=i.end(); ++i ) - { - Interface *iface = Interface::cast(*i); - assert(iface); - - vlan_output << "update_vlans_of_interface " - << "\"" << iface->getName() << " "; - - FWObjectTypedChildIterator si=iface->findByType(Interface::TYPENAME); - for ( ; si!=si.end(); ++si ) - { - Interface *subinterface = Interface::cast(*si); - assert(subinterface); - - if (subinterface->getOptionsObject()->getStr("type") == "8021q") - { - vlan_interfaces.push_back(subinterface->getName().c_str()); - vlan_output << subinterface->getName() << " "; - } - } - vlan_output << "\"" << endl; - } - - ostr << "sync_vlan_interfaces " - << vlan_interfaces.join(" ").toStdString() - << endl; - - if (vlan_interfaces.size() > 0) - { - ostr << vlan_output.str() << endl; - } - } - - if ( options->getBool("configure_carp_interfaces") ) - { -/* - * Compiler::processFailoverGroup copies interfaces of the cluster to - * the member firewall objects. 
This means when we scan interfaces of - * the firewall here, we get both its normal interfaces and a copy of - * cluster interfaces. - * - */ - ostringstream carp_output; - QStringList carp_interfaces; - - FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); - for ( ; i!=i.end(); ++i ) - { - Interface *iface = Interface::cast(*i); - assert(iface); - - if ( ! iface->isFailoverInterface()) continue; - - // failover_master and base_device are set in Compiler::processFailoverGroup - FWOptions *ifopt = (Interface::cast(iface))->getOptionsObject(); - assert(ifopt != NULL); - - bool master = ifopt->getBool("failover_master"); - string base_interface = ifopt->getStr("base_device"); - - FWObject *failover_group = - iface->getFirstByType(FailoverClusterGroup::TYPENAME); - if (failover_group && failover_group->getStr("type") == "carp") - { - carp_interfaces.push_back(iface->getName().c_str()); - - FWOptions *failover_opts = - FailoverClusterGroup::cast(failover_group)->getOptionsObject(); - string carp_password = failover_opts->getStr("carp_password"); - if (carp_password.empty()) carp_password = "\"\""; - string vhid = failover_opts->getStr("carp_vhid"); - int advbase = failover_opts->getInt("carp_advbase"); - int master_advskew = failover_opts->getInt("carp_master_advskew"); - int default_advskew = failover_opts->getInt("carp_default_advskew"); - - if (master_advskew < 0) master_advskew = 0; - if (default_advskew < 0) default_advskew = 0; - if (master_advskew == default_advskew) default_advskew++; - - int use_advskew; - if (master) - use_advskew = master_advskew; - else - use_advskew = default_advskew; - - Configlet configlet(fw, "bsd", "carp_interface"); - configlet.removeComments(); - configlet.collapseEmptyStrings(true); - configlet.setVariable("carp_interface", iface->getName().c_str()); - configlet.setVariable("have_advbase", advbase > 1); - configlet.setVariable("advbase", advbase); - configlet.setVariable("have_advskew", use_advskew > 0); - 
configlet.setVariable("advskew", use_advskew); - configlet.setVariable("have_base_inetrface", !base_interface.empty()); - configlet.setVariable("base_inetrface", base_interface.c_str()); - configlet.setVariable("carp_password", carp_password.c_str()); - configlet.setVariable("vhid", vhid.c_str()); - - carp_output << configlet.expand().toStdString() << endl; - } - } - - ostr << "sync_carp_interfaces " - << carp_interfaces.join(" ").toStdString() - << endl; - - if (carp_interfaces.size() > 0) - { - ostr << carp_output.str() << endl; - } - } - - - if ( options->getBool("configure_interfaces") ) - { - ostr << endl; - - std::auto_ptr int_prop( - interfacePropertiesObjectFactory::getInterfacePropertiesObject( - fw->getStr("host_OS"))); - - list all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); - all_interfaces.sort(compare_names); - for (list::iterator i=all_interfaces.begin(); - i != all_interfaces.end(); ++i ) - { - Interface *iface = Interface::cast(*i); - assert(iface); - - if (!iface->isRegular()) continue; - //if (iface->isFailoverInterface()) continue; - - QStringList update_addresses; - QStringList ignore_addresses; - if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses)) - { - // unfortunately addresses in update_addresses are in - // the form of address/masklen but OpenBSD ifconfig - // uses hex netmask representation and so should we. - // Will ignore update_addresses and ignore_addresses and - // build our own list here. Returned value of manageIpAddresses() - // is useful though. 
- list all_addr = iface->getByType(IPv4::TYPENAME); - list all_ipv6 = iface->getByType(IPv6::TYPENAME); - all_addr.insert(all_addr.begin(), all_ipv6.begin(), all_ipv6.end()); - - const InetAddr *netmask = iface->getNetmaskPtr(); - - list > all_addresses; - - for (list::iterator j = all_addr.begin(); - j != all_addr.end(); ++j) - { - Address *iaddr = Address::cast(*j); - const InetAddr *ipaddr = iaddr->getAddressPtr(); - const InetAddr *ipnetm = iaddr->getNetmaskPtr(); - all_addresses.push_back( - pair(*ipaddr, *ipnetm)); - } - - set::iterator it; - for (it=virtual_addresses.begin(); it!=virtual_addresses.end(); ++it) - { - const Address *addr = *it; - FWObject *iaddr = findAddressFor(addr, fw ); - if (iaddr!=NULL) - { - Interface *iface_2 = Interface::cast(iaddr->getParent()); - if (iface_2 == iface) - { - all_addresses.push_back( - pair( - *(addr->getAddressPtr()), *netmask)); - } - } - } - - ostr << updateAddressesOfInterfaceCall(iface, all_addresses) << endl; - } - } - ostr << endl; - } - - - if ( options->getBool("configure_pfsync_interfaces") ) - { - bool have_pfsync_interfaces = false; - ostringstream pfsync_output; - /* - * http://www.kernel-panic.it/openbsd/carp/index.html - * http://www.openbsd.org/faq/pf/carp.html - * pfsync configuration: - * - * ifconfig pfsyncN syncdev syncdev [syncpeer syncpeer] - */ - FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); - for ( ; i!=i.end(); ++i) - { - Interface *iface = Interface::cast(*i); - assert(iface); - - if ( ! 
iface->getOptionsObject()->getBool("state_sync_group_member")) - continue; - - int state_sync_group_id = FWObjectDatabase::getIntId( - iface->getOptionsObject()->getStr("state_sync_group_id")); - StateSyncClusterGroup *state_sync_group = - StateSyncClusterGroup::cast(dbcopy->findInIndex(state_sync_group_id)); - assert(state_sync_group!=NULL); - - // Interface can be state sync group member, but of a different type - if (state_sync_group->getStr("type") != "pfsync") continue; - - have_pfsync_interfaces = true; - - Configlet configlet(fw, "bsd", "pfsync_interface"); - configlet.removeComments(); - configlet.collapseEmptyStrings(true); - configlet.setVariable("syncdev", iface->getName().c_str()); - - if (state_sync_group->getOptionsObject()->getBool("syncpeer")) - { - for (FWObjectTypedChildIterator it = - state_sync_group->findByType(FWObjectReference::TYPENAME); - it != it.end(); ++it) - { - Interface *cluster_iface = Interface::cast( - FWObjectReference::getObject(*it)); - assert(cluster_iface); - - if (cluster_iface->getId() == iface->getId()) continue; - - IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME)); - const InetAddr *addr = ipv4->getAddressPtr(); - - configlet.setVariable("have_syncpeer", 1); - configlet.setVariable("syncpeer", addr->toString().c_str()); - } - } - pfsync_output << configlet.expand().toStdString() << endl; - - break; - } - - ostr << "sync_pfsync_interfaces "; - if (have_pfsync_interfaces) ostr << "pfsync0" << endl; - else ostr << endl; - - if (have_pfsync_interfaces) - { - ostr << pfsync_output.str() << endl; - } - } - - return ostr.str(); -} - void OSConfigurator_bsd::setKernelVariable(Firewall *fw, const string &var_name, Configlet *configlet) @@ -512,4 +174,3 @@ void OSConfigurator_bsd::setKernelVariable(Firewall *fw, } } - diff --git a/src/pflib/OSConfigurator_bsd.h b/src/pflib/OSConfigurator_bsd.h index 139ad0084..60ef79ad7 100644 --- a/src/pflib/OSConfigurator_bsd.h +++ b/src/pflib/OSConfigurator_bsd.h 
@@ -32,25 +32,61 @@ #include -#include +#include class Configlet; +namespace libfwbuilder +{ + class Firewall; + class Interface; + class StateSyncClusterGroup; +} -namespace fwcompiler { +namespace fwcompiler +{ - class OSConfigurator_bsd : public OSConfigurator { + class OSConfigurator_bsd : public OSConfigurator + { protected: std::set virtual_addresses; - void setKernelVariable(libfwbuilder::Firewall *fw, - const std::string &var_name, - Configlet *configlet); - std::string updateAddressesOfInterfaceCall( + virtual void setKernelVariable(libfwbuilder::Firewall *fw, + const std::string &var_name, + Configlet *configlet); + + // functions that generate interface address configuration + virtual QString listAllInterfacesConfigLine(QStringList intf_names, + bool ipv6); + + virtual QString updateAddressesOfInterface( libfwbuilder::Interface *iface, - std::list > all_addresses); + std::list > + all_addresses); + + // functions that generate VLAN configuration + virtual QString listAllVlansConfgLine(QStringList vlan_names); + + virtual QString updateVlansOfInterface( + libfwbuilder::Interface *iface, QStringList vlan_names); + + // functions that generate CARP interface configuration + virtual QString listAllCARPConfgLine(QStringList carp_names); + virtual QString updateCARPInterface(libfwbuilder::Interface *iface, + libfwbuilder::FWObject *failover_group); + virtual QString updateCARPInterfaceInternal( + libfwbuilder::Interface *iface, + libfwbuilder::FWObject *failover_group, + Configlet *configlet); + + // functions that generate pfsync interface configuration + virtual QString listAllPfsyncConfgLine(bool have_pfsync); + virtual QString updatePfsyncInterface( + libfwbuilder::Interface *iface, + libfwbuilder::StateSyncClusterGroup *sync_group); + public: diff --git a/src/pflib/OSConfigurator_bsd_interfaces.cpp b/src/pflib/OSConfigurator_bsd_interfaces.cpp new file mode 100644 index 000000000..9f9dadfd6 --- /dev/null +++ b/src/pflib/OSConfigurator_bsd_interfaces.cpp 
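Review bot: The three new names `listAllVlansConfgLine`, `listAllCARPConfgLine` and `listAllPfsyncConfgLine` misspell "Config" (`listAllVlansConfigLine`, etc.); since they are introduced in this commit as virtual hooks that the FreeBSD subclass presumably overrides, renaming now is cheap and renaming later is not. The new virtuals also carry only a one-line group comment each, so an implementer cannot tell what the returned QString is expected to hold; a sentence such as `// Each returns the line(s) of the generated interface-configuration script for the given object; subclasses override to emit their platform's syntax` above the group would state the contract. The class definition continues outside the hunk.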
@@ -0,0 +1,470 @@ +/* + + Firewall Builder + + Copyright (C) 2011 NetCitadel, LLC + + Author: Vadim Kurland vadim@fwbuilder.org + + This program is free software which we release under the GNU General Public + License. You may redistribute and/or modify this program under the terms + of that license as published by the Free Software Foundation; either + version 2 of the License, or (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + To get a copy of the GNU General Public License, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + +#include + +#include "Configlet.h" +#include "OSConfigurator_bsd.h" + +#include "fwbuilder/Firewall.h" +#include "fwbuilder/FWOptions.h" +#include "fwbuilder/Interface.h" +#include "fwbuilder/IPv4.h" +#include "fwbuilder/IPv6.h" +#include "fwbuilder/FailoverClusterGroup.h" +#include "fwbuilder/StateSyncClusterGroup.h" + +#include "interfaceProperties.h" +#include "interfacePropertiesObjectFactory.h" + +#include +#include + +#include +#include + + +using namespace libfwbuilder; +using namespace fwcompiler; +using namespace std; + + +/* + * I need to sort interfaces by name but make sure carp interfaces are + * always last. 
See #1807 + */ +bool compare_names(FWObject *a, FWObject *b) +{ + QString a_name = QString(a->getName().c_str()); + QString b_name = QString(b->getName().c_str()); + if (a_name.startsWith("carp") && b_name.startsWith("carp")) + return a_name < b_name; + if (a_name.startsWith("carp")) return false; + if (b_name.startsWith("carp")) return true; + return a_name < b_name; +} + + +string OSConfigurator_bsd::configureInterfaces() +{ + ostringstream ostr; + FWOptions* options = fw->getOptionsObject(); + + // Update vlans first because we may need to update ip addresses + // on vlan interfaces later + if ( options->getBool("configure_vlan_interfaces") ) + { + QStringList vlan_interfaces; // all vlan interfaces + QStringList vlan_output; + + // http://blog.scottlowe.org/2007/08/31/vlan-interfaces-with-openbsd-41/ + // ifconfig vlan vlandev + FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); + for ( ; i!=i.end(); ++i ) + { + Interface *iface = Interface::cast(*i); + assert(iface); + + QStringList vlan_subinterfaces; + + FWObjectTypedChildIterator si=iface->findByType(Interface::TYPENAME); + for ( ; si!=si.end(); ++si ) + { + Interface *subinterface = Interface::cast(*si); + assert(subinterface); + + if (subinterface->getOptionsObject()->getStr("type") == "8021q") + { + vlan_subinterfaces << subinterface->getName().c_str(); + vlan_interfaces << subinterface->getName().c_str(); + } + } + + if (vlan_subinterfaces.size() > 0) + vlan_output << updateVlansOfInterface(iface, vlan_subinterfaces); + } + + // issue sync_vlan_interfaces command even if there are no vlans + // since it deletes them on the firewall if they exist + ostr << listAllVlansConfgLine(vlan_interfaces).toStdString() + << endl; + + if (vlan_output.size() > 0) + { + ostr << vlan_output.join("\n").toStdString() + << endl; + } + } + + + if ( options->getBool("configure_carp_interfaces") ) + { +/* + * Compiler::processFailoverGroup copies interfaces of the cluster to + * the member firewall objects. 
This means when we scan interfaces of + * the firewall here, we get both its normal interfaces and a copy of + * cluster interfaces. + * + */ + QStringList carp_output; + QStringList carp_interfaces; + + FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); + for ( ; i!=i.end(); ++i ) + { + Interface *iface = Interface::cast(*i); + assert(iface); + + if ( ! iface->isFailoverInterface()) continue; + + FWObject *failover_group = + iface->getFirstByType(FailoverClusterGroup::TYPENAME); + if (failover_group && failover_group->getStr("type") == "carp") + { + carp_interfaces << iface->getName().c_str(); + carp_output << updateCARPInterface(iface, failover_group); + } + } + + // issue "sync_carp_interfaces" call even when we have none, it will + // delete those that might exist on the firewall + ostr << listAllCARPConfgLine(carp_interfaces).toStdString() + << endl; + + if (carp_interfaces.size() > 0) + { + ostr << carp_output.join("\n").toStdString() << endl; + } + } + + + if ( options->getBool("configure_interfaces") ) + { + ostr << endl; + + std::auto_ptr int_prop( + interfacePropertiesObjectFactory::getInterfacePropertiesObject( + fw->getStr("host_OS"))); + + list all_interfaces = fw->getByTypeDeep(Interface::TYPENAME); + all_interfaces.sort(compare_names); + + QStringList configure_intf_commands; + QStringList intf_names; + QStringList ipv6_names; + + for (list::iterator i=all_interfaces.begin(); + i != all_interfaces.end(); ++i ) + { + Interface *iface = Interface::cast(*i); + assert(iface); + + if (!iface->isRegular()) continue; + //if (iface->isFailoverInterface()) continue; + + QStringList update_addresses; + QStringList ignore_addresses; + if (int_prop->manageIpAddresses(iface, update_addresses, ignore_addresses)) + { + // unfortunately addresses in update_addresses are in + // the form of address/masklen but OpenBSD ifconfig + // uses hex netmask representation and so should we. 
+ // Will ignore update_addresses and ignore_addresses and + // build our own list here. Returned value of manageIpAddresses() + // is useful though. + list all_addr = iface->getByType(IPv4::TYPENAME); + list all_ipv6 = iface->getByType(IPv6::TYPENAME); + all_addr.insert(all_addr.begin(), all_ipv6.begin(), all_ipv6.end()); + + if (all_addr.size() > 0) + intf_names << iface->getName().c_str(); + + if (all_ipv6.size() > 0) + ipv6_names << iface->getName().c_str(); + + const InetAddr *netmask = iface->getNetmaskPtr(); + + list > all_addresses; + + for (list::iterator j = all_addr.begin(); + j != all_addr.end(); ++j) + { + Address *iaddr = Address::cast(*j); + const InetAddr *ipaddr = iaddr->getAddressPtr(); + const InetAddr *ipnetm = iaddr->getNetmaskPtr(); + all_addresses.push_back( + pair(*ipaddr, *ipnetm)); + } + + set::iterator it; + for (it=virtual_addresses.begin(); it!=virtual_addresses.end(); ++it) + { + const Address *addr = *it; + FWObject *iaddr = findAddressFor(addr, fw ); + if (iaddr!=NULL) + { + Interface *iface_2 = Interface::cast(iaddr->getParent()); + if (iface_2 == iface) + { + all_addresses.push_back( + pair( + *(addr->getAddressPtr()), *netmask)); + } + } + } + + configure_intf_commands << updateAddressesOfInterface( + iface, all_addresses); + + } + } + + QString list_command; + list_command = listAllInterfacesConfigLine(ipv6_names, true); + if (!list_command.isEmpty()) + configure_intf_commands.push_front(list_command); + + list_command = listAllInterfacesConfigLine(intf_names, false); + if (!list_command.isEmpty()) + configure_intf_commands.push_front(list_command); + + ostr << configure_intf_commands.join("\n").toStdString(); + ostr << endl; + } + + + if ( options->getBool("configure_pfsync_interfaces") ) + { + bool have_pfsync_interfaces = false; + QStringList pfsync_output; + + FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME); + for ( ; i!=i.end(); ++i) + { + Interface *iface = Interface::cast(*i); + assert(iface); + + if ( ! 
iface->getOptionsObject()->getBool("state_sync_group_member")) + continue; + + int state_sync_group_id = FWObjectDatabase::getIntId( + iface->getOptionsObject()->getStr("state_sync_group_id")); + StateSyncClusterGroup *state_sync_group = + StateSyncClusterGroup::cast(dbcopy->findInIndex(state_sync_group_id)); + assert(state_sync_group!=NULL); + + // Interface can be state sync group member, but of a different type + if (state_sync_group->getStr("type") != "pfsync") continue; + + have_pfsync_interfaces = true; + + pfsync_output << updatePfsyncInterface(iface, state_sync_group); + + break; + } + + ostr << listAllPfsyncConfgLine(have_pfsync_interfaces).toStdString() + << endl; + + if (have_pfsync_interfaces) + { + ostr << pfsync_output.join("\n").toStdString() + << endl; + } + } + + return ostr.str(); +} + +QString OSConfigurator_bsd::listAllInterfacesConfigLine(QStringList , bool ) +{ + return ""; +} + +QString OSConfigurator_bsd::updateAddressesOfInterface( + Interface *iface, list > all_addresses) +{ + QStringList arg1; + arg1.push_back(iface->getName().c_str()); + + for (list >::iterator j = all_addresses.begin(); + j != all_addresses.end(); ++j) + { + InetAddr ipaddr = j->first; + InetAddr ipnetm = j->second; + + if (ipaddr.isV6()) + arg1.push_back(QString("%1/%2").arg(ipaddr.toString().c_str()) + .arg(ipnetm.getLength())); + else + { +/* + on OpenBSD ifconfig prints netmask of ipv4 addresses in hex + + # ifconfig em0 + em0: flags=8843 mtu 1500 + lladdr 00:0c:29:83:4d:2f + media: Ethernet autoselect (1000baseT full-duplex,master) + status: active + inet 10.1.1.50 netmask 0xffffff00 broadcast 10.1.1.255 + inet6 fe80::20c:29ff:fe83:4d2f%em0 prefixlen 64 scopeid 0x2 +*/ + int nbits = ipnetm.getLength(); + uint32_t netm = 0; + while (nbits) + { + netm = netm >> 1; + netm |= 1<<31; + nbits--; + } + + arg1.push_back(QString("%1/0x%2") + .arg(ipaddr.toString().c_str()) + .arg(netm, -8, 16)); + } + } + + return QString("update_addresses_of_interface ") + + "\"" + 
arg1.join(" ") + "\"" + " \"\""; +} + + + +QString OSConfigurator_bsd::listAllVlansConfgLine(QStringList vlan_names) +{ + return QString("sync_vlan_interfaces %1").arg(vlan_names.join(" ")); +} + + +QString OSConfigurator_bsd::updateVlansOfInterface(Interface *iface, + QStringList vlan_names) +{ + return QString("update_vlans_of_interface \"%1 %2\"") + .arg(iface->getName().c_str()) + .arg(vlan_names.join(" ")); +} + +QString OSConfigurator_bsd::listAllCARPConfgLine(QStringList carp_names) +{ + return QString("sync_carp_interfaces %1").arg(carp_names.join(" ")); +} + +QString OSConfigurator_bsd::updateCARPInterface(Interface *iface, + FWObject *failover_group) +{ + Configlet configlet(fw, "bsd", "carp_interface"); + return updateCARPInterfaceInternal(iface, failover_group, &configlet); +} + +QString OSConfigurator_bsd::updateCARPInterfaceInternal( + Interface *iface, FWObject *failover_group, Configlet *configlet) +{ + // failover_master and base_device are set in Compiler::processFailoverGroup + FWOptions *ifopt = (Interface::cast(iface))->getOptionsObject(); + assert(ifopt != NULL); + + bool master = ifopt->getBool("failover_master"); + string base_interface = ifopt->getStr("base_device"); + QStringList carp_interfaces; + + carp_interfaces.push_back(iface->getName().c_str()); + + FWOptions *failover_opts = + FailoverClusterGroup::cast(failover_group)->getOptionsObject(); + string carp_password = failover_opts->getStr("carp_password"); + if (carp_password.empty()) carp_password = "\"\""; + string vhid = failover_opts->getStr("carp_vhid"); + int advbase = failover_opts->getInt("carp_advbase"); + int master_advskew = failover_opts->getInt("carp_master_advskew"); + int default_advskew = failover_opts->getInt("carp_default_advskew"); + + if (master_advskew < 0) master_advskew = 0; + if (default_advskew < 0) default_advskew = 0; + if (master_advskew == default_advskew) default_advskew++; + + int use_advskew; + if (master) + use_advskew = master_advskew; + else + 
use_advskew = default_advskew; + + configlet->removeComments(); + configlet->collapseEmptyStrings(true); + configlet->setVariable("carp_interface", iface->getName().c_str()); + configlet->setVariable("have_advbase", advbase > 1); + configlet->setVariable("advbase", advbase); + configlet->setVariable("have_advskew", use_advskew > 0); + configlet->setVariable("advskew", use_advskew); + configlet->setVariable("have_base_inetrface", !base_interface.empty()); + configlet->setVariable("base_inetrface", base_interface.c_str()); + configlet->setVariable("carp_password", carp_password.c_str()); + configlet->setVariable("vhid", vhid.c_str()); + + return configlet->expand(); +} + +QString OSConfigurator_bsd::listAllPfsyncConfgLine(bool have_pfsync) +{ + return QString("sync_pfsync_interfaces %1").arg(have_pfsync?"pfsync0":""); +} + +/* + * http://www.kernel-panic.it/openbsd/carp/index.html + * http://www.openbsd.org/faq/pf/carp.html + * pfsync configuration: + * + * ifconfig pfsyncN syncdev syncdev [syncpeer syncpeer] + */ + +QString OSConfigurator_bsd::updatePfsyncInterface( + Interface *iface, StateSyncClusterGroup *state_sync_group) +{ + Configlet configlet(fw, "bsd", "pfsync_interface"); + configlet.removeComments(); + configlet.collapseEmptyStrings(true); + configlet.setVariable("syncdev", iface->getName().c_str()); + + if (state_sync_group->getOptionsObject()->getBool("syncpeer")) + { + for (FWObjectTypedChildIterator it = + state_sync_group->findByType(FWObjectReference::TYPENAME); + it != it.end(); ++it) + { + Interface *cluster_iface = Interface::cast( + FWObjectReference::getObject(*it)); + assert(cluster_iface); + + if (cluster_iface->getId() == iface->getId()) continue; + + IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME)); + const InetAddr *addr = ipv4->getAddressPtr(); + + configlet.setVariable("have_syncpeer", 1); + configlet.setVariable("syncpeer", addr->toString().c_str()); + } + } + return configlet.expand(); +} + + + 
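Review bot: In `updatePfsyncInterface`, `IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME))` yields NULL when the other cluster interface carries no IPv4 address, and the next line dereferences it; add `if (ipv4 == NULL) continue;` (or report the misconfiguration) before `ipv4->getAddressPtr()`, and note that the loop lets the last member win as syncpeer when a group has more than two interfaces. In `updateAddressesOfInterface`, `netm |= 1<<31` shifts a signed 1 into the sign bit, which is undefined behaviour in C++; `netm |= 1u<<31` is what the uint32_t target wants. `compare_names` is a non-static free function, so any other translation unit defining the same name becomes an ODR violation — make it `static` or put it in an anonymous namespace. The same pfsync and netmask code is duplicated in OSConfigurator_freebsd.cpp in this commit, where the fixes apply too.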
diff --git a/src/pflib/OSConfigurator_freebsd.cpp b/src/pflib/OSConfigurator_freebsd.cpp index 237d80bc2..97f426a6c 100644 --- a/src/pflib/OSConfigurator_freebsd.cpp +++ b/src/pflib/OSConfigurator_freebsd.cpp @@ -2,11 +2,9 @@ Firewall Builder - Copyright (C) 2002 NetCitadel, LLC + Copyright (C) 2002-2011 NetCitadel, LLC - Author: Vadim Kurland vadim@vk.crocodile.org - - $Id$ + Author: Vadim Kurland vadim@fwbuilder.org This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms @@ -27,15 +25,19 @@ #include "OSConfigurator_freebsd.h" #include "Configlet.h" +#include "interfaceProperties.h" +#include "interfacePropertiesObjectFactory.h" #include "fwbuilder/Firewall.h" #include "fwbuilder/FWOptions.h" #include "fwbuilder/Interface.h" #include "fwbuilder/IPv4.h" +#include "fwbuilder/FailoverClusterGroup.h" +#include "fwbuilder/StateSyncClusterGroup.h" #include -#include -#include +#include + using namespace libfwbuilder; using namespace fwcompiler; 
@@ -45,13 +47,45 @@ string OSConfigurator_freebsd::myPlatformName() { return "FreeBSD"; } string OSConfigurator_freebsd::printKernelVarsCommands() { - Configlet kernel_vars(fw, "bsd", "kernel_vars"); - kernel_vars.removeComments(); - setKernelVariable(fw, "freebsd_ip_forward", &kernel_vars); - setKernelVariable(fw, "freebsd_ipv6_forward", &kernel_vars); - setKernelVariable(fw, "freebsd_ip_sourceroute", &kernel_vars); - setKernelVariable(fw, "freebsd_ip_redirect", &kernel_vars); - return kernel_vars.expand().toStdString(); + FWOptions* options = fw->getOptionsObject(); + std::auto_ptr kernel_vars; + if (options->getBool("generate_rc_conf_file")) + { + kernel_vars = std::auto_ptr( + new Configlet(fw, "freebsd", "rc_conf_kernel_vars")); + } else + { + kernel_vars = std::auto_ptr( + new Configlet(fw, "bsd", "kernel_vars")); + } + + kernel_vars->removeComments(); + setKernelVariable(fw, "freebsd_ip_forward", kernel_vars.get()); + setKernelVariable(fw, "freebsd_ipv6_forward", kernel_vars.get()); + setKernelVariable(fw, "freebsd_ip_sourceroute", kernel_vars.get()); + //setKernelVariable(fw, "freebsd_ip_redirect", kernel_vars.get()); + return kernel_vars->expand().toStdString(); +} + +void OSConfigurator_freebsd::setKernelVariable(Firewall *fw, + const string &var_name, + Configlet *configlet) +{ + FWOptions* options = fw->getOptionsObject(); + + if (options->getBool("generate_rc_conf_file")) + { + string s; + s = options->getStr(var_name); + if (!s.empty()) + { + configlet->setVariable(QString("have_") + var_name.c_str(), 1); + string yesno = (s=="1" || s=="on" || s=="On") ? "YES" : "NO"; + configlet->setVariable(QString(var_name.c_str()), + QString(yesno.c_str())); + } + } else + OSConfigurator_bsd::setKernelVariable(fw, var_name, configlet); } int OSConfigurator_freebsd::prolog() 
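Review bot: The `freebsd_ip_redirect` call in printKernelVarsCommands is commented out unconditionally, so the non-rc.conf branch (bsd/kernel_vars configlet) also stops emitting that sysctl although it did before this change, and users who rely on the option for hardening get nothing at all; if the reason is that rc.conf has no knob for it, keep the call in the `else` branch and have the rc.conf branch warn that the option is ignored — the new freebsd/rc_conf_kernel_vars configlet has no line for it either. In the new setKernelVariable the mapping `(s=="1" || s=="on" || s=="On") ? "YES" : "NO"` turns any other spelling into NO; if the stored values can also be "yes" or "true" (the base implementation is outside this hunk, so I cannot tell), the comparison should accept them or be case-insensitive. A comment above the branch, `// rc.conf mode: option value becomes YES/NO for gateway_enable & co; script mode delegates to the sysctl configlet`, would document the split.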
@@ -66,4 +100,272 @@ int OSConfigurator_freebsd::prolog() return 0; } +QString OSConfigurator_freebsd::listAllInterfacesConfigLine(QStringList names, + bool ipv6) +{ + FWOptions* options = fw->getOptionsObject(); + if (options->getBool("generate_rc_conf_file")) + { + if (ipv6) + { + return "ipv6_network_interfaces=\"" + names.join(" ") + "\""; + } else + { + return "network_interfaces=\"" + names.join(" ") + "\""; + } + } else + return ""; +} + +QString OSConfigurator_freebsd::updateAddressesOfInterface( + Interface *iface, list > all_addresses) +{ + FWOptions* options = fw->getOptionsObject(); + if (options->getBool("generate_rc_conf_file")) + { + /* + * lines in rc.conf have the following format: + * + * network_interfaces="ed0 ed1 lo0" + * ifconfig_ed0="inet 192.0.2.1 netmask 0xffffff00" + * ipv4_addrs_ed0="192.0.2.129/27 192.0.2.1-5/28" + * + */ + + QString interface_name = iface->getName().c_str(); + QStringList addr_conf; + + int ipv4_alias_counter = -2; + int ipv6_alias_counter = -2; + + for (list >::iterator j = all_addresses.begin(); + j != all_addresses.end(); ++j) + { + QString ipv4_conf_line; + QString ipv6_conf_line; + + InetAddr ipaddr = j->first; + InetAddr ipnetm = j->second; + + if (ipaddr.isV6()) + { + ipv6_conf_line += + QString("%1/%2") + .arg(ipaddr.toString().c_str()) + .arg(ipnetm.getLength()); + ipv6_alias_counter++; + } else + { + int nbits = ipnetm.getLength(); + uint32_t netm = 0; + while (nbits) + { + netm = netm >> 1; + netm |= 1<<31; + nbits--; + } + + ipv4_conf_line += + QString("inet %1 netmask 0x%2") + .arg(ipaddr.toString().c_str()) + .arg(netm, -8, 16); + + ipv4_alias_counter++; + } + + if (!ipv4_conf_line.isEmpty()) + { + QString suffix; + if (ipv4_alias_counter>=0) + suffix = QString("_alias%1").arg(ipv4_alias_counter); + addr_conf << QString("ifconfig_%1%2=\"%3\"") + .arg(interface_name) + .arg(suffix) + .arg(ipv4_conf_line); + } + + if (!ipv6_conf_line.isEmpty()) + { + QString suffix; + if (ipv6_alias_counter>=0) + suffix = 
QString("_alias%1").arg(ipv6_alias_counter); + addr_conf << QString("ipv6_ifconfig_%1%2=\"%3\"") + .arg(interface_name) + .arg(suffix) + .arg(ipv6_conf_line); + } + } + + return addr_conf.join("\n"); + + } else + return OSConfigurator_bsd::updateAddressesOfInterface(iface, all_addresses); +} + +QString OSConfigurator_freebsd::listAllVlansConfgLine(QStringList vlan_names) +{ + FWOptions* options = fw->getOptionsObject(); + if (options->getBool("generate_rc_conf_file")) + { + return ""; + } else + return QString("sync_vlan_interfaces %1").arg(vlan_names.join(" ")); +} + +/* + + For rc.conf format: + + If a vlans_ variable is set, a vlan(4) interface + will be created for each item in the list with the vlandev + argument set to interface. If a vlan interface's name is a + number, then that number is used as the vlan tag and the new + vlan interface is named interface.tag. Otherwise, the vlan + tag must be specified via a vlan parameter in the + create_args_ variable. + + To create a vlan device named em0.101 on em0 with the vlan + tag 101: + + vlans_em0="101" + + To create a vlan device named myvlan on em0 with the vlan tag + 102: + + vlans_em0="myvlan" + create_args_myvlan="vlan 102" + + */ +QString OSConfigurator_freebsd::updateVlansOfInterface(Interface *iface, + QStringList vlan_names) +{ + FWOptions* options = fw->getOptionsObject(); + if (options->getBool("generate_rc_conf_file")) + { + QStringList outp; + outp << QString("vlans_%1=\"%2\"").arg(iface->getName().c_str()) + .arg(vlan_names.join(" ")); + foreach(QString vlan_intf_name, vlan_names) + { + std::auto_ptr int_prop( + interfacePropertiesObjectFactory::getInterfacePropertiesObject( + fw->getStr("host_OS"))); + QString parent_name_from_regex; + int vlan_id; + if (int_prop->parseVlan(vlan_intf_name, + &parent_name_from_regex, &vlan_id)) + { + outp << QString("create_args_%1=\"vlan %2\"") + .arg(vlan_intf_name).arg(vlan_id); + } + } + return outp.join("\n"); + } else + return 
QString("update_vlans_of_interface \"%1 %2\"") + .arg(iface->getName().c_str()) + .arg(vlan_names.join(" ")); +} + + +QString OSConfigurator_freebsd::listAllCARPConfgLine(QStringList carp_names) +{ + FWOptions* options = fw->getOptionsObject(); + if (options->getBool("generate_rc_conf_file")) + { + return QString("cloned_interfaces=\"%1\"").arg(carp_names.join(" "));; + } else + return OSConfigurator_bsd::listAllCARPConfgLine(carp_names); +} + +QString OSConfigurator_freebsd::updateCARPInterface(Interface *iface, + FWObject *failover_group) +{ + FWOptions* options = fw->getOptionsObject(); + if (options->getBool("generate_rc_conf_file")) + { + Configlet configlet(fw, "freebsd", "rc_conf_carp_interface"); + return updateCARPInterfaceInternal(iface, failover_group, &configlet); + } else + return OSConfigurator_bsd::updateCARPInterface(iface, failover_group); +} + +QString OSConfigurator_freebsd::listAllPfsyncConfgLine(bool have_pfsync) +{ + FWOptions* options = fw->getOptionsObject(); + if (options->getBool("generate_rc_conf_file")) + { + return "pfsync_enable=\"YES\""; + } else + return OSConfigurator_bsd::listAllPfsyncConfgLine(have_pfsync); +} + +/* + in rc.conf format: + + pfsync_enable + (bool) Set to ``NO'' by default. Setting this to ``YES'' + enables exposing pf(4) state changes to other hosts over the + network by means of pfsync(4). The pfsync_syncdev variable + must also be set then. + + pfsync_syncdev + (str) Empty by default. This variable specifies the name of + the network interface pfsync(4) should operate through. It + must be set accordingly if pfsync_enable is set to ``YES''. + + pfsync_syncpeer + (str) Empty by default. This variable is optional. By + default, state change messages are sent out on the synchroni- + sation interface using IP multicast packets. The protocol is + IP protocol 240, PFSYNC, and the multicast group used is + 224.0.0.240. 
When a peer address is specified using the + pfsync_syncpeer option, the peer address is used as a desti- + nation for the pfsync traffic, and the traffic can then be + protected using ipsec(4). See the pfsync(4) manpage for more + details about using ipsec(4) with pfsync(4) interfaces. + + pfsync_ifconfig + (str) Empty by default. This variable can contain additional + options to be passed to the ifconfig(8) command used to set + up pfsync(4). + */ + +QString OSConfigurator_freebsd::updatePfsyncInterface( + Interface *iface, StateSyncClusterGroup *state_sync_group) +{ + FWOptions* options = fw->getOptionsObject(); + if (options->getBool("generate_rc_conf_file")) + { + Configlet configlet(fw, "freebsd", "rc_conf_pfsync_interface"); + configlet.removeComments(); + configlet.collapseEmptyStrings(true); + configlet.setVariable("syncdev", iface->getName().c_str()); + + if (state_sync_group->getOptionsObject()->getBool("syncpeer")) + { + for (FWObjectTypedChildIterator it = + state_sync_group->findByType(FWObjectReference::TYPENAME); + it != it.end(); ++it) + { + Interface *cluster_iface = Interface::cast( + FWObjectReference::getObject(*it)); + assert(cluster_iface); + + if (cluster_iface->getId() == iface->getId()) continue; + + IPv4 *ipv4 = IPv4::cast(cluster_iface->getFirstByType(IPv4::TYPENAME)); + const InetAddr *addr = ipv4->getAddressPtr(); + + configlet.setVariable("have_syncpeer", 1); + configlet.setVariable("syncpeer", addr->toString().c_str()); + } + } + return configlet.expand(); + + } else + return OSConfigurator_bsd::updatePfsyncInterface(iface, state_sync_group); + +} + + diff --git a/src/pflib/OSConfigurator_freebsd.h b/src/pflib/OSConfigurator_freebsd.h index 5f3c73001..747eaf3f4 100644 --- a/src/pflib/OSConfigurator_freebsd.h +++ b/src/pflib/OSConfigurator_freebsd.h 
@@ -31,10 +31,41 @@ #include "OSConfigurator_bsd.h" #include "OSData.h" -namespace fwcompiler { +namespace fwcompiler +{ - class OSConfigurator_freebsd : public OSConfigurator_bsd { + class OSConfigurator_freebsd : public OSConfigurator_bsd + { + virtual void setKernelVariable(libfwbuilder::Firewall *fw, + const std::string &var_name, + Configlet *configlet); + + virtual QString listAllInterfacesConfigLine(QStringList intf_names, + bool ipv6); + virtual QString updateAddressesOfInterface( + libfwbuilder::Interface *iface, + std::list > + all_addresses); + + + virtual QString listAllVlansConfgLine(QStringList vlan_names); + + virtual QString updateVlansOfInterface( + libfwbuilder::Interface *iface, QStringList vlan_names); + + // functions that generate CARP interface configuration + virtual QString listAllCARPConfgLine(QStringList carp_names); + virtual QString updateCARPInterface(libfwbuilder::Interface *iface, + libfwbuilder::FWObject *failover_group); + + // functions that generate pfsync interface configuration + virtual QString listAllPfsyncConfgLine(bool have_pfsync); + virtual QString updatePfsyncInterface( + libfwbuilder::Interface *iface, + libfwbuilder::StateSyncClusterGroup *sync_group); + + public: virtual ~OSConfigurator_freebsd() {}; diff --git a/src/pflib/OSConfigurator_macosx.h b/src/pflib/OSConfigurator_macosx.h index d33ad2ca4..59bc73d3d 100644 --- a/src/pflib/OSConfigurator_macosx.h +++ b/src/pflib/OSConfigurator_macosx.h @@ -31,9 +31,11 @@ #include "OSConfigurator_bsd.h" #include "OSData.h" -namespace fwcompiler { +namespace fwcompiler +{ - class OSConfigurator_macosx : public OSConfigurator_bsd { + class OSConfigurator_macosx : public OSConfigurator_bsd + { public: diff --git a/src/pflib/OSConfigurator_openbsd.h b/src/pflib/OSConfigurator_openbsd.h index 94bee3588..bab7bc7cd 100644 --- a/src/pflib/OSConfigurator_openbsd.h +++ b/src/pflib/OSConfigurator_openbsd.h 
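Review bot: The new override declarations sit in the class's default private section (the class opens with `{` and goes straight to `virtual void setKernelVariable`), while OSConfigurator_bsd.h declares the same methods under `protected:`; a `protected:` label before them keeps the access level consistent for any further subclass. A short comment on `listAllInterfacesConfigLine` saying what it emits in rc.conf mode would also help, e.g. `// rc.conf mode: emits the network_interfaces= / ipv6_network_interfaces= list; otherwise empty`.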
@@ -31,9 +31,11 @@ #include "OSConfigurator_bsd.h" #include "OSData.h" -namespace fwcompiler { +namespace fwcompiler +{ - class OSConfigurator_openbsd : public OSConfigurator_bsd { + class OSConfigurator_openbsd : public OSConfigurator_bsd + { public: diff --git a/src/pflib/OSConfigurator_solaris.cpp b/src/pflib/OSConfigurator_solaris.cpp index 70eeb62ef..f723f88cc 100644 --- a/src/pflib/OSConfigurator_solaris.cpp +++ b/src/pflib/OSConfigurator_solaris.cpp @@ -129,7 +129,3 @@ string OSConfigurator_solaris::configureInterfaces() return ostr.str(); } - - - - diff --git a/src/pflib/OSConfigurator_solaris.h b/src/pflib/OSConfigurator_solaris.h index 2af4b0598..9ed7f8fbf 100644 --- a/src/pflib/OSConfigurator_solaris.h +++ b/src/pflib/OSConfigurator_solaris.h @@ -43,11 +43,13 @@ * generic name, something like OSConfigurator_generic_pf_ipf_family */ -namespace fwcompiler { +namespace fwcompiler +{ - class OSConfigurator_solaris : public OSConfigurator_bsd { + class OSConfigurator_solaris : public OSConfigurator_bsd + { - OSData os_data; + OSData os_data; std::vector virtual_addresses; diff --git a/src/pflib/pflib.pro b/src/pflib/pflib.pro index 22438423e..cffd4ed09 100644 --- a/src/pflib/pflib.pro +++ b/src/pflib/pflib.pro @@ -14,6 +14,7 @@ SOURCES = TableFactory.cpp \ NATCompiler_pf_negation.cpp \ NATCompiler_pf_writers.cpp \ OSConfigurator_bsd.cpp \ + OSConfigurator_bsd_interfaces.cpp \ OSConfigurator_freebsd.cpp \ OSConfigurator_macosx.cpp \ OSConfigurator_openbsd.cpp \ diff --git a/src/res/configlets/freebsd/rc_conf_carp_interface b/src/res/configlets/freebsd/rc_conf_carp_interface new file mode 100644 index 000000000..13f9f0f13 --- /dev/null +++ b/src/res/configlets/freebsd/rc_conf_carp_interface 
@@ -0,0 +1,22 @@ +## -*- mode: shell-script; -*- +## +## Lines that start with "##" will be removed before this code is +## added to the generated script. Regular shell comments can be added +## using single "#", these will appear in the script. +## +## +## CARP +## ifconfig carp-interface [advbase n] [advskew n] [carpdev iface] +## [pass passphrase] [state state] [vhid host-id] +## +## for pfsync and CARP see http://www.kernel-panic.it/openbsd/carp/ +## "Redundant firewalls with OpenBSD, CARP and pfsync" +## +## here is how to configure CARP interfaces in rc.conf +## +## http://blas.phemo.us/articles/2007/04/04/setting-up-and-configuring-carp-interfaces-on-freebsd + +ifconfig_{{$carp_interface}}="vhid {{$vhid}} pass {{$carp_password}} {{if have_advbase}} advbase {{$advbase}}{{endif}} {{if have_advskew}} advskew {{$advskew}}{{endif}} {{if have_base_inetrface}} carpdev {{$base_inetrface}}{{endif}}" + + + diff --git a/src/res/configlets/freebsd/rc_conf_kernel_vars b/src/res/configlets/freebsd/rc_conf_kernel_vars new file mode 100644 index 000000000..56e3b1090 --- /dev/null +++ b/src/res/configlets/freebsd/rc_conf_kernel_vars 
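Review bot: `pass {{$carp_password}}` is interpolated inside the double-quoted rc.conf value, and updateCARPInterfaceInternal substitutes the literal `""` when the password option is empty, which in `ifconfig_carp0="vhid 1 pass "" advbase 2"` vanishes at shell parse time and leaves `pass advbase 2` — ifconfig then takes `advbase` as the passphrase. A CARP group without a password also accepts advertisements from any host on the segment, so an empty option is better surfaced as a compile warning than quietly emitted; in this configlet that means guarding the keyword, e.g. `{{if have_carp_password}} pass {{$carp_password}}{{endif}}` with the flag set from the C++ side. The same problem applies to `vhid {{$vhid}}`, which is emitted unconditionally even though `carp_vhid` is read with no empty check.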
@@ -0,0 +1,19 @@ +## -*- mode: shell-script; -*- +## +## To be able to make changes to the part of configuration created +## from this configlet you need to copy this file to the directory +## fwbuilder/configlets/freebsd/ in your home directory and modify it. +## Double "##" comments are removed during processing but single "#" +## comments are be retained and appear in the generated script. Empty +## lines are removed as well. +## +## Configlets support simple macro language with these constructs: +## {{$var}} is variable expansion +## {{if var}} is conditional operator. + +{{if have_freebsd_ip_forward}}gateway_enable="{{$freebsd_ip_forward}}"{{endif}} +{{if have_freebsd_ipv6_forward}}ipv6_gateway_enable="{{$freebsd_ipv6_forward}}"{{endif}} + +{{if have_freebsd_ip_sourceroute}}forward_sourceroute="{{$freebsd_ip_sourceroute}}"{{endif}} +{{if have_freebsd_ip_sourceroute}}accept_sourceroute="{{$freebsd_ip_sourceroute}}"{{endif}} + diff --git a/src/res/configlets/freebsd/rc_conf_pfsync_interface b/src/res/configlets/freebsd/rc_conf_pfsync_interface new file mode 100644 index 000000000..14c047e6c --- /dev/null +++ b/src/res/configlets/freebsd/rc_conf_pfsync_interface @@ -0,0 +1,10 @@ +## -*- mode: shell-script; -*- +## +## Lines that start with "##" will be removed before this code is +## added to the generated script. Regular shell comments can be added +## using single "#", these will appear in the script. +## +## + +pfsync_syncdev="{{$syncdev}}" +{{if have_syncpeer}}pfsync_syncpeer="{{$syncpeer}}"{{endif}} diff --git a/src/res/configlets/pf/rc_conf_activation b/src/res/configlets/pf/rc_conf_activation new file mode 100644 index 000000000..5f712a919 --- /dev/null +++ b/src/res/configlets/pf/rc_conf_activation 
@@ -0,0 +1,14 @@ +## -*- mode: shell-script; -*- +## +## To be able to make changes to the part of configuration created +## from this configlet you need to copy this file to the directory +## fwbuilder/configlets/pf/ in your home directory and modify it. +## Double "##" comments are removed during processing but single "#" +## comments are be retained and appear in the generated script. Empty +## lines are removed as well. +## +## Configlets support simple macro language with these constructs: +## {{$var}} is variable expansion +## {{if var}} is conditional operator. +## +pf_rules="{{$remote_file}}" diff --git a/src/res/configlets/pf/rc_conf_skeleton b/src/res/configlets/pf/rc_conf_skeleton new file mode 100644 index 000000000..4c487374b --- /dev/null +++ b/src/res/configlets/pf/rc_conf_skeleton @@ -0,0 +1,32 @@ +## -*- mode: shell-script; -*- +## +## To be able to make changes to the part of configuration created +## from this configlet you need to copy this file to the directory +## fwbuilder/configlets/pf/ in your home directory and modify it. +## Double "##" comments are removed during processing but single "#" +## comments are be retained and appear in the generated script. Empty +## lines are removed as well. +## +## Configlets support simple macro language with these constructs: +## {{$var}} is variable expansion +## {{if var}} is conditional operator. +## +## Parts of this configlets will be translated to variable=value syntax +## used by rc.conf files +## +{{$top_comment}} + +{{$errors_and_warnings}} + +{{$kernel_vars_commands}} + +{{$prolog_script}} + +{{$configure_interfaces}} + +pf_enable="YES" +{{$activation_commands}} + +{{$routing_script}} + +{{$epilog_script}} diff --git a/src/res/configlets/pf/rc_conf_top_comment b/src/res/configlets/pf/rc_conf_top_comment new file mode 100644 index 000000000..588197360 --- /dev/null +++ b/src/res/configlets/pf/rc_conf_top_comment 
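Review bot: rc_conf_skeleton splices `{{$prolog_script}}`, `{{$routing_script}}` and `{{$epilog_script}}` verbatim between variable assignments although its own header promises variable=value syntax; unless the rc.conf generator (in CompilerDriver_generators.cpp, outside this chunk) empties or rewrites those slots in rc.conf mode, free-form shell from the firewall object's prolog/epilog lands in a file that /etc/rc sources early at boot, where a command that fails or blocks can stop the boot. Worth stating which slots are assignment-only, e.g. `## prolog/epilog/routing must be plain variable assignments in rc.conf mode; shell commands belong in the script format`, or dropping the slots if the generator leaves them empty.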
@@ -0,0 +1,12 @@
+#
+# This is automatically generated file. DO NOT MODIFY !
+#
+# Firewall Builder fwb_pf v{{$version}}
+#
+# Generated {{$timestamp}} {{$tz}} by {{$user}}
+#
+{{$manifest}}
+#
+# Compiled for {{$platform}} {{$fw_version}}
+#
+{{$comment}}
diff --git a/src/unit_tests/generatedScriptTestsIpfilter/generatedScriptTestsIpfilter.cpp b/src/unit_tests/generatedScriptTestsIpfilter/generatedScriptTestsIpfilter.cpp
index 0c21cbeb4..6dca548dc 100644
--- a/src/unit_tests/generatedScriptTestsIpfilter/generatedScriptTestsIpfilter.cpp
+++ b/src/unit_tests/generatedScriptTestsIpfilter/generatedScriptTestsIpfilter.cpp
@@ -238,7 +238,7 @@ void GeneratedScriptTest::ActivationCommandsTest_1()
 {
     objdb = new FWObjectDatabase();
     QString res = Configlet::findConfigletInFile("activation", "ipf1.fw");
-    CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf1-ipf.conf") != -1);
+    CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf1-ipf.conf") != -1);
     delete objdb;
 }
 
@@ -246,7 +246,7 @@ void GeneratedScriptTest::ActivationCommandsTest_2()
 {
     objdb = new FWObjectDatabase();
     QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw");
-    CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf2-1-ipf.conf") != -1);
+    CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1);
     delete objdb;
 }
 
@@ -254,7 +254,7 @@ void GeneratedScriptTest::ActivationCommandsTest_3()
 {
     objdb = new FWObjectDatabase();
     QString res = Configlet::findConfigletInFile("activation", "ipf2-1");
-    CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf2-1-ipf.conf") != -1);
+    CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1);
     delete objdb;
 }
 
@@ -262,7 +262,7 @@ void GeneratedScriptTest::ActivationCommandsTest_4()
 {
     objdb = new FWObjectDatabase();
     QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw");
-    CPPUNIT_ASSERT(res.indexOf("$IPF -I -f ${FWDIR}/ipf2-1-ipf.conf") != -1);
+    CPPUNIT_ASSERT(res.indexOf("$IPF -I -f /etc/ipf2-1-ipf.conf") != -1);
     delete objdb;
 }
 
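Review bot: In all four ActivationCommandsTest hunks the expected string is now pinned to `/etc/`, which is presumably the install directory configured in the test firewall object rather than a property of the generator, so a change to that fixture setting would fail these tests without any bug in the code; a comment at the first assertion, `// the /etc prefix is the install directory set in the test .fwb`, would make that dependency explicit. Each test also wraps a throwing `CPPUNIT_ASSERT` between `objdb = new FWObjectDatabase();` and `delete objdb;`, so a failing assertion leaks the database; moving the allocation into setUp/tearDown or a scoped owner would fix it, though that pattern predates this commit. The same two points apply to the hunks in generatedScriptTestsPF.cpp.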
diff --git a/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.cpp b/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.cpp
index 587b2f708..859493f38 100644
--- a/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.cpp
+++ b/src/unit_tests/generatedScriptTestsPF/generatedScriptTestsPF.cpp
@@ -278,7 +278,7 @@ void GeneratedScriptTest::ActivationCommandsTest_1()
     objdb = new FWObjectDatabase();
     QString res = Configlet::findConfigletInFile("activation", "pf1.fw")
         .split(QRegExp("\\s+")).join(" ");
-    CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/pf1.conf") != -1);
+    CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/pf1.conf") != -1);
     delete objdb;
 }
 
@@ -287,7 +287,7 @@ void GeneratedScriptTest::ActivationCommandsTest_2()
     objdb = new FWObjectDatabase();
     QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw")
         .split(QRegExp("\\s+")).join(" ");
-    CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/ipf2-1.conf") != -1);
+    CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/ipf2-1.conf") != -1);
     delete objdb;
 }
 
@@ -296,7 +296,7 @@ void GeneratedScriptTest::ActivationCommandsTest_3()
     objdb = new FWObjectDatabase();
     QString res = Configlet::findConfigletInFile("activation", "ipf2-1.fw")
         .split(QRegExp("\\s+")).join(" ");
-    CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/ipf2-1.conf") != -1);
+    CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/ipf2-1.conf") != -1);
     delete objdb;
 }
 
@@ -305,7 +305,7 @@ void GeneratedScriptTest::ActivationCommandsTest_4()
     objdb = new FWObjectDatabase();
     QString res = Configlet::findConfigletInFile("activation", "pf2-1.fw")
         .split(QRegExp("\\s+")).join(" ");
-    CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/ipf2-1.conf") != -1);
+    CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/ipf2-1.conf") != -1);
     delete objdb;
 }
 
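Review bot: ActivationCommandsTest_4 loads `pf2-1.fw` yet asserts on `/etc/ipf2-1.conf`, while tests 2 and 3 load `ipf2-1.fw` with the same expectation, so test 4 is either a duplicate of them under a misleading file name or carries the wrong expected path; the new `+` line keeps that mismatch, so it is worth checking against the fixture which firewall `pf2-1.fw` actually contains. If `pf2-1` is the intended firewall the line should read `CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/pf2-1.conf") != -1);`.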
@@ -333,7 +333,7 @@ void GeneratedScriptTest::ActivationCommandsTest_8() objdb = new FWObjectDatabase(); QString res = Configlet::findConfigletInFile("activation", "pf5.fw") .split(QRegExp("\\s+")).join(" "); - CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ ${FWDIR}/pf5.conf") != -1); + CPPUNIT_ASSERT(res.indexOf("$PFCTL \\ -f \\ /etc/pf5.conf") != -1); delete objdb; } diff --git a/test/pf/cluster-tests.fwb b/test/pf/cluster-tests.fwb index 8409cb0f0..ab1264b10 100644 --- a/test/pf/cluster-tests.fwb +++ b/test/pf/cluster-tests.fwb @@ -1,6 +1,6 @@ - + @@ -105,6 +105,7 @@ established -m state --state ESTABLISHED,RELATED + established @@ -112,6 +113,7 @@ established -m state --state ESTABLISHED,RELATED + established @@ -141,6 +143,12 @@ + + + + + + @@ -203,6 +211,7 @@ + @@ -504,7 +513,7 @@ - + @@ -528,7 +537,7 @@ - + @@ -546,7 +555,7 @@ - + @@ -564,7 +573,7 @@ - + @@ -582,7 +591,7 @@ - + @@ -600,7 +609,7 @@ - + @@ -618,7 +627,7 @@ - + @@ -636,7 +645,7 @@ - + @@ -694,7 +703,7 @@ - + @@ -738,7 +747,7 @@ - + @@ -756,7 +765,7 @@ - + @@ -774,7 +783,7 @@ - + @@ -810,7 +819,7 @@ - + @@ -828,7 +837,7 @@ - + @@ -870,7 +879,7 @@ - + @@ -888,7 +897,7 @@ - + @@ -1616,12 +1625,19 @@ + + + + + + + - + @@ -1933,7 +1949,7 @@ - + @@ -2012,7 +2028,7 @@ - + @@ -2088,7 +2104,7 @@ - + @@ -2420,6 +2436,81 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3180,6 +3271,252 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
diff --git a/test/pf/objects-for-regression-tests.fwb b/test/pf/objects-for-regression-tests.fwb index 2dce890a8..e5fc706f1 100644 --- a/test/pf/objects-for-regression-tests.fwb +++ b/test/pf/objects-for-regression-tests.fwb @@ -1,6 +1,6 @@ - + @@ -19939,6 +19939,258 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +