
The user-specified parameter for action Reject takes precedence over the automatically determined action based on the protocol. If the user chooses one of the ICMP responses, it should be used even with TCP (we used to force return-rst in that case)

This commit is contained in:
Vadim Kurland 2011-05-29 13:36:55 -07:00
parent aac598f1cc
commit 3a88a0cbc5
2 changed files with 70 additions and 22 deletions


@ -97,31 +97,36 @@ void PolicyCompiler_pf::PrintRule::_printAction(PolicyRule *rule)
break;
case PolicyRule::Reject:
if (TCPService::isA(srv)) compiler->output << "block return-rst ";
else
{
string aor = ruleopt->getStr("action_on_reject");
string code;
if ( aor.find("ICMP")!=string::npos )
{
string aor=ruleopt->getStr("action_on_reject");
string code;
if ( aor.find("ICMP")!=string::npos )
code = "return-icmp ";
if (aor.find("unreachable")!=string::npos )
{
code="return-icmp ";
if (aor.find("unreachable")!=string::npos )
{
if (aor.find("net")!=string::npos) code=code+"( 0 ) ";
if (aor.find("host")!=string::npos) code=code+"( 1 ) ";
if (aor.find("protocol")!=string::npos) code=code+"( 2 ) ";
if (aor.find("port")!=string::npos) code=code+"( 3 ) ";
}
if (aor.find("prohibited")!=string::npos )
{
if (aor.find("net")!=string::npos) code=code+"( 9 ) ";
if (aor.find("host")!=string::npos) code=code+"( 10 ) ";
}
} else
code="return-icmp ";
compiler->output << "block " << code;
}
if (aor.find("net")!=string::npos) code = code + "( 0 ) ";
if (aor.find("host")!=string::npos) code = code + "( 1 ) ";
if (aor.find("protocol")!=string::npos) code = code + "( 2 ) ";
if (aor.find("port")!=string::npos) code = code + "( 3 ) ";
}
if (aor.find("prohibited")!=string::npos )
{
if (aor.find("net")!=string::npos) code = code + "( 9 ) ";
if (aor.find("host")!=string::npos) code = code + "( 10 ) ";
if (aor.find("filter")!=string::npos) code = code + "( 13 ) ";
if (aor.find("admin")!=string::npos) code = code + "( 13 ) ";
}
} else
{
if ( aor.find("TCP")!=string::npos ) code = "return-rst ";
else
code = "return-icmp ";
}
compiler->output << "block " << code;
break;
}
case PolicyRule::Scrub:
{
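Review bot: With the `TCPService::isA(srv)` guard removed, a rule whose service is not TCP but whose `action_on_reject` string contains "TCP" now emits `block return-rst`, which pf's parser rejects on non-TCP rules, so the generated policy fails to load instead of degrading to an ICMP reply; the new test data in the second file even labels `return-rst` with udp as an incorrect rule. Unless the option is validated before it reaches this point, keep the protocol check on that branch, `if ( aor.find("TCP")!=string::npos && TCPService::isA(srv) ) code = "return-rst ";`, and report the mismatch through whatever warning channel the compiler has so the user learns why the choice was overridden. A related behavior change: when `action_on_reject` is empty (which looks like the unset default, though that cannot be confirmed from this hunk) a TCP service now gets `return-icmp` where the old code always produced `return-rst`; if that is unintended, the else-branch needs a `TCPService::isA(srv)` fallback as well. `_printAction` starts before and continues after this hunk.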


@ -0,0 +1,43 @@
# state matches
block in quick inet proto tcp from any to self port = 80
# the same as the one above
block drop in quick inet proto tcp from any to self port = 80
block return in quick inet proto tcp from any to self port = 80
block return in quick inet from any to self
block return in quick inet proto udp from any to self port = 123
block return in quick inet proto icmp from any to self
block return in quick inet proto { tcp, udp, icmp } from any to self
block return-rst in quick inet proto tcp from any to self port = 80
# incorrect rule (cant ue return-rst with udp). But we import it anyway
block return-rst in quick inet proto udp from any to self port = 123
block return-icmp in quick inet proto tcp from any to self port = 1080
block return-icmp (net-unr) in quick inet proto tcp from any to self port = 1081
block return-icmp (0) in quick inet proto tcp from any to self port = 1082
block return-icmp ( net-unr ) in quick inet proto tcp from any to self port = 1083
block return-icmp ( 0 ) in quick inet proto tcp from any to self port = 1084
block return-icmp (host-unr) in quick inet proto tcp from any to self port = 1085
block return-icmp (1) in quick inet proto tcp from any to self port = 1086
block return-icmp (proto-unr) in quick inet proto tcp from any to self port = 1087
block return-icmp (2) in quick inet proto tcp from any to self port = 1088
block return-icmp (port-unr) in quick inet proto tcp from any to self port = 1089
block return-icmp (3) in quick inet proto tcp from any to self port = 1090
block return-icmp (net-prohib) in quick inet proto tcp from any to self port = 1091
block return-icmp (9) in quick inet proto tcp from any to self port = 1092
block return-icmp (host-prohib) in quick inet proto tcp from any to self port = 1093
block return-icmp (10) in quick inet proto tcp from any to self port = 1094
block return-icmp (filter-prohib) in quick inet proto tcp from any to self port = 1095
block return-icmp (13) in quick inet proto tcp from any to self port = 1096