onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-20 10:17:16 +01:00
Code Issues Releases Wiki Activity

fixed #1360 "negation of cluster interfaces is broken"

Browse Source
This commit is contained in:
Vadim Kurland 2010-03-27 21:41:04 +00:00
parent a6c0b0f1ee
commit 3aec315ac0
5 changed files with 1015 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_num
View File

@ -1 +1 @@
#define BUILD_NUM 2768
#define BUILD_NUM 2769

10
doc/ChangeLog
View File

@ -1,5 +1,15 @@
2010-03-27 vadim <vadim@vk.crocodile.org>
* fixed #1360 "negation of cluster interfaces is broken". Rule
with one or several cluster interfaces in the "Interface" rule
element with negation should compile into a rule using all other
interfaces of the member firewall, or using single object negation
"!" if appropriate. This is also fixed in compiler for PF.
Files:
src/iptlib/PolicyCompiler_ipt.cpp
src/pflib/PolicyCompiler_pf.cpp
See also changes r591 , r592 in libfwbuilder
* platforms.cpp (isDefaultPolicyRuleOptions): fixed #1365 "missing
some flags for the "non-default" rule options for PF"

3
src/pflib/PolicyCompiler_pf.cpp
View File

@ -1090,6 +1090,9 @@ void PolicyCompiler_pf::compile()
add(new replaceFailoverInterfaceInItf("replace carp interfaces"));
add(new replaceClusterInterfaceInItf(
"replace cluster interfaces with member interfaces in the Interface rule element"));
add(new ItfNegation("process negation in Itf"));
//add(new InterfacePolicyRules(

515
test/ipt/cluster-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1269721443" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1269723394" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -1592,7 +1592,7 @@
<ObjectRef ref="id4055X2906"/>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id2772X94039" host_OS="linux24" inactive="False" lastCompiled="1248541095" lastInstalled="0" lastModified="1253911174" platform="iptables" name="vrrp_cluster_1" comment="" ro="False">
<Cluster id="id2772X94039" host_OS="linux24" inactive="False" lastCompiled="1248541095" lastInstalled="0" lastModified="1269723257" platform="iptables" name="vrrp_cluster_1" comment="" ro="False">
<NAT id="id2866X94039" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id2867X94039" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -1856,13 +1856,13 @@
</RoutingRule>
<RuleSetOptions/>
</Routing>
<Interface id="id2882X94039" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id2889X94039" name="cluster1-1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<Interface id="id2882X94039" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id2889X94039" name="vrrp_cluster_1:eth0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">vrrp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id2891X94039" master_iface="id2843X69605" type="vrrp" name="cluster1:vrrp0:members" comment=" ">
<FailoverClusterGroup id="id2891X94039" master_iface="id2843X69605" type="vrrp" name="vrrp_cluster_1:eth0:members" comment=" ">
<ObjectRef ref="id2843X69605"/>
<ObjectRef ref="id3117X69605"/>
<ClusterGroupOptions>
@ -1871,15 +1871,16 @@
</ClusterGroupOptions>
</FailoverClusterGroup>
</Interface>
<Interface id="id2895X94039" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp1" comment="" ro="False">
<IPv4 id="id2901X94039" name="cluster1-1:vrrp1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<Interface id="id2895X94039" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id2901X94039" name="vrrp_cluster_1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
<Option name="type">vrrp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id2903X94039" master_iface="id2844X69605" type="vrrp" name="cluster1:vrrp1:members" comment=" ">
<FailoverClusterGroup id="id2903X94039" master_iface="id2844X69605" type="vrrp" name="vrrp_cluster_1:eth1:members" comment=" ">
<ObjectRef ref="id2844X69605"/>
<ObjectRef ref="id3118X69605"/>
<ClusterGroupOptions/>
</FailoverClusterGroup>
</Interface>
<FirewallOptions/>
@ -2763,7 +2764,7 @@
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id3937X13563" host_OS="linux24" lastCompiled="1264020603" lastInstalled="0" lastModified="1251419063" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
<Cluster id="id3937X13563" host_OS="linux24" lastCompiled="1264020603" lastInstalled="0" lastModified="1269723274" platform="iptables" name="vrrp_cluster_2" comment="" ro="False">
<NAT id="id3941X13563" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id5083X25627" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -3003,12 +3004,12 @@
<Routing id="id3942X13563" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id3945X13563" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
<IPv4 id="id3946X13563" name="vrrp_cluster_2:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<Interface id="id3945X13563" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3946X13563" name="vrrp_cluster_2:eth0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">vrrp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id3948X13563" type="vrrp" name="vrrp_cluster_2:vrrp0:members" comment="">
<FailoverClusterGroup id="id3948X13563" type="vrrp" name="vrrp_cluster_2:eth0:members" comment="">
<ObjectRef ref="id2843X69605"/>
<ObjectRef ref="id3117X69605"/>
<ClusterGroupOptions>
@ -3017,12 +3018,12 @@
</ClusterGroupOptions>
</FailoverClusterGroup>
</Interface>
<Interface id="id3950X13563" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp1" comment="" ro="False">
<IPv4 id="id3951X13563" name="vrrp_cluster_2:vrrp1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<Interface id="id3950X13563" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id3951X13563" name="vrrp_cluster_2:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">vrrp</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id3953X13563" type="vrrp" name="vrrp_cluster_2:vrrp1:members" comment="">
<FailoverClusterGroup id="id3953X13563" type="vrrp" name="vrrp_cluster_2:eth1:members" comment="">
<ObjectRef ref="id2844X69605"/>
<ObjectRef ref="id3118X69605"/>
<ClusterGroupOptions>
@ -3044,7 +3045,7 @@
<ClusterGroupOptions/>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id4400X28690" host_OS="linux24" inactive="False" lastCompiled="1248555910" lastInstalled="0" lastModified="1253911350" platform="iptables" name="openais_cluster_1" comment="" ro="False">
<Cluster id="id4400X28690" host_OS="linux24" inactive="False" lastCompiled="1248555910" lastInstalled="0" lastModified="1269723257" platform="iptables" name="openais_cluster_1" comment="" ro="False">
<NAT id="id4568X28690" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4569X28690" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -3847,7 +3848,7 @@
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id58476X27834" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1266606636" platform="iptables" name="heartbeat_cluster_1_d" comment="" ro="False">
<Cluster id="id58476X27834" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1269724200" platform="iptables" name="heartbeat_cluster_1_d" comment="" ro="False">
<NAT id="id58844X27834" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id288869X75145" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -4356,9 +4357,9 @@
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58819X27834" disabled="False" log="False" position="13" action="Accept" direction="Both" comment="">
<PolicyRule id="id148160X50472" disabled="False" group="Negation in interface RE" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
@ -4366,15 +4367,17 @@
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions/>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id58831X27834" disabled="False" log="True" position="14" action="Deny" direction="Both" comment="">
<PolicyRule id="id200555X50472" disabled="False" group="Negation in interface RE" log="False" position="14" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4384,8 +4387,296 @@
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
<ObjectRef ref="id58492X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id729613X50472" disabled="False" group="Negation in interface RE" log="False" position="15" action="Accept" direction="Both" comment="fw is part of any is OFF">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id729566X50472" disabled="False" group="Negation in interface RE" log="False" position="16" action="Accept" direction="Both" comment="fw is part of any is OFF">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
<ObjectRef ref="id58492X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id944761X50472" disabled="False" group="Negation in interface RE" log="False" position="17" action="Accept" direction="Inbound" comment="fw is part of any is OFF">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id944714X50472" disabled="False" group="Negation in interface RE" log="False" position="18" action="Accept" direction="Inbound" comment="fw is part of any is OFF">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
<ObjectRef ref="id58492X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id944903X50472" disabled="False" group="Negation in interface RE" log="False" position="19" action="Accept" direction="Outbound" comment="fw is part of any is OFF">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id944856X50472" disabled="False" group="Negation in interface RE" log="False" position="20" action="Accept" direction="Outbound" comment="fw is part of any is OFF">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
<ObjectRef ref="id58492X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1440989X50472" disabled="False" group="Negation in interface RE" log="False" position="21" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id58476X27834"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
@ -4414,7 +4705,141 @@
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1441036X50472" disabled="False" group="Negation in interface RE" log="False" position="22" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id58476X27834"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
<ObjectRef ref="id58492X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1275381X50472" disabled="False" group="Negation in interface RE" log="False" position="23" action="Accept" direction="Both" comment="fw is part of any is OFF">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id58476X27834"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1275334X50472" disabled="False" group="Negation in interface RE" log="False" position="24" action="Accept" direction="Both" comment="fw is part of any is OFF">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id58476X27834"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id58486X27834"/>
<ObjectRef ref="id58492X27834"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
@ -4433,7 +4858,7 @@
<ClusterGroupOptions/>
</FailoverClusterGroup>
</Interface>
<Interface id="id58492X27834" dedicated_failover="False" dyn="False" label="inside" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id58492X27834" dedicated_failover="False" dyn="False" label="hb_cluster_1_d eth1" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id58493X27834" name="heartbeat_cluster_1_d:eth1:ip" comment="" ro="False" address="192.168.1.254" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">cluster_interface</Option>
@ -4454,6 +4879,16 @@
<ClusterGroupOptions/>
</FailoverClusterGroup>
</Interface>
<Interface id="id95167X50472" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2.100" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id95197X50472" type="heartbeat" name="Failover group" comment="">
<ObjectRef ref="id95101X50472"/>
<ObjectRef ref="id95134X50472"/>
<ClusterGroupOptions/>
</FailoverClusterGroup>
</Interface>
<FirewallOptions/>
<StateSyncClusterGroup id="id58484X27834" type="conntrack" name="State Sync Group" comment="">
<ObjectRef ref="id57982X27834"/>
@ -5500,7 +5935,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id57974X27834" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="1266606630" platform="iptables" version="" name="linux-1-d" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<Firewall id="id57974X27834" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="1269723357" platform="iptables" version="" name="linux-1-d" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id58864X27834" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<RuleSetOptions/>
</NAT>
@ -5521,6 +5956,18 @@
<IPv4 id="id57988X27834" name="linux-1-d:lo:ipv4" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id95075X50472" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
<Interface id="id95101X50472" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2.100" comment="" ro="False">
<IPv4 id="id95123X50472" name="linux-1-d:eth2:eth2.100:ip" comment="" ro="False" address="172.20.0.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">100</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
@ -5607,7 +6054,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id58236X27834" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1266606636" platform="iptables" version="" name="linux-2-d" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<Firewall id="id58236X27834" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1269723372" platform="iptables" version="" name="linux-2-d" comment="This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall uses one of the machines on internal network for DNS. Internal network is configured with address 192.168.1.0/255.255.255.0" ro="False">
<NAT id="id58870X27834" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<RuleSetOptions/>
</NAT>
@ -5628,6 +6075,18 @@
<IPv4 id="id58255X27834" name="linux-2-d:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id95132X50472" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="eth2" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
<Interface id="id95134X50472" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2.100" comment="" ro="False">
<IPv4 id="id95136X50472" name="linux-1-d:eth2:eth2.100:ip" comment="" ro="False" address="172.20.0.2" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">100</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Management address="192.168.1.2">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>

518
test/pf/cluster-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1247165520" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1269724623" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -1613,6 +1613,9 @@
</InterfaceOptions>
</Interface>
<IPv4 id="id16633X39764" name="pf_cluster_1:carp0:ip-1" comment="" ro="False" address="172.24.0.1" netmask="255.255.255.0"/>
<Interface id="id39617X50958" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="Interface" comment="" ro="False">
<InterfaceOptions/>
</Interface>
</Library>
<Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
@ -2080,11 +2083,237 @@
</ClusterGroupOptions>
</StateSyncClusterGroup>
</Cluster>
<Cluster id="id3642X20162" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="0" platform="pf" name="pf_cluster_3" comment="" ro="False">
<Cluster id="id3642X20162" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1269724803" platform="pf" name="pf_cluster_3" comment="" ro="False">
<NAT id="id3646X20162" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id3645X20162" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id39732X50958" disabled="False" log="True" position="0" action="Deny" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id3642X20162"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3650X20162"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id56069X50958" disabled="False" group="" log="False" position="1" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id3650X20162"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id72694X50958" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id3650X20162"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id89654X50958" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id3650X20162"/>
<ObjectRef ref="id3655X20162"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id106892X50958" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id3650X20162"/>
<ObjectRef ref="id3655X20162"/>
<ObjectRef ref="id39675X50958"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124525X50958" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id3650X20162"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124478X50958" disabled="False" group="" log="False" position="6" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id3650X20162"/>
<ObjectRef ref="id3655X20162"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124667X50958" disabled="False" group="" log="False" position="7" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id3650X20162"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id124620X50958" disabled="False" group="" log="False" position="8" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id3650X20162"/>
<ObjectRef ref="id3655X20162"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id181105X50958" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3642X20162"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id3650X20162"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id181058X50958" disabled="False" group="" log="False" position="10" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id3642X20162"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="True">
<ObjectRef ref="id3650X20162"/>
<ObjectRef ref="id3655X20162"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id3647X20162" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -2095,7 +2324,9 @@
<InterfaceOptions>
<Option name="type">cluster_interface</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id3653X20162" type="carp" name="pf_cluster_3:carp0:members" comment="">
<FailoverClusterGroup id="id3653X20162" master_iface="id39241X50958" type="carp" name="pf_cluster_3:carp0:members" comment="">
<ObjectRef ref="id39241X50958"/>
<ObjectRef ref="id39413X50958"/>
<ClusterGroupOptions>
<Option name="vrrp_secret">vrrp_secret</Option>
<Option name="vrrp_vrid">1</Option>
@ -2107,7 +2338,9 @@
<InterfaceOptions>
<Option name="type">cluster_interface</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id3658X20162" type="carp" name="pf_cluster_3:carp1:members" comment="">
<FailoverClusterGroup id="id3658X20162" master_iface="id39246X50958" type="carp" name="pf_cluster_3:carp1:members" comment="">
<ObjectRef ref="id39246X50958"/>
<ObjectRef ref="id39418X50958"/>
<ClusterGroupOptions>
<Option name="vrrp_secret">vrrp_secret</Option>
<Option name="vrrp_vrid">1</Option>
@ -2120,12 +2353,25 @@
<Option name="type">cluster_interface</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id3663X20162" type="carp" name="pf_cluster_3:lo0:members" comment="">
<ObjectRef ref="id39583X50958"/>
<ObjectRef ref="id39632X50958"/>
<ClusterGroupOptions>
<Option name="vrrp_secret">vrrp_secret</Option>
<Option name="vrrp_vrid">1</Option>
</ClusterGroupOptions>
</FailoverClusterGroup>
</Interface>
<Interface id="id39675X50958" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="carp2" comment="" ro="False">
<IPv4 id="id39723X50958" name="pf_cluster_3:carp2:ip" comment="" ro="False" address="172.20.0.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
<FailoverClusterGroup id="id39701X50958" master_iface="id39372X50958" type="carp" name="Failover group" comment="">
<ObjectRef ref="id39372X50958"/>
<ObjectRef ref="id39520X50958"/>
<ClusterGroupOptions/>
</FailoverClusterGroup>
</Interface>
<FirewallOptions/>
<StateSyncClusterGroup id="id3648X20162" type="pfsync" name="State Sync Group" comment="">
<ClusterGroupOptions/>
@ -2622,6 +2868,270 @@
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id39233X50958" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1269724579" platform="pf" version="4.6" name="openbsd-3" comment="" ro="False">
<NAT id="id39253X50958" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id39251X50958" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Policy>
<Routing id="id39255X50958" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id39241X50958" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id39244X50958" name="openbsd-3:en0:ip" comment="" ro="False" address="172.24.0.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id39246X50958" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
<IPv4 id="id39249X50958" name="openbsd-3:en1:ip" comment="" ro="False" address="192.168.1.2" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id39346X50958" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="en2" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
<Interface id="id39372X50958" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan100" comment="" ro="False">
<IPv4 id="id39394X50958" name="openbsd-3:en2:vlan100:ip" comment="" ro="False" address="172.20.0.2" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">100</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Interface id="id39583X50958" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id39623X50958" name="openbsd-3:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">True</Option>
<Option name="configure_vlan_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
<Firewall id="id39405X50958" host_OS="openbsd" inactive="False" lastCompiled="1264267285" lastInstalled="0" lastModified="1269724587" platform="pf" version="4.6" name="openbsd-4" comment="" ro="False">
<NAT id="id39425X50958" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id39423X50958" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Policy>
<Routing id="id39427X50958" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id39413X50958" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id39416X50958" name="openbsd-4:en0:ip" comment="" ro="False" address="172.24.0.3" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id39418X50958" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="en1" comment="" ro="False">
<IPv4 id="id39421X50958" name="openbsd-4:en1:ip" comment="" ro="False" address="192.168.1.3" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id39518X50958" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="False" name="en2" comment="" ro="False">
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
<Interface id="id39520X50958" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="vlan100" comment="" ro="False">
<IPv4 id="id39522X50958" name="openbsd-3:en2:vlan100:ip" comment="" ro="False" address="172.20.0.3" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="type">8021q</Option>
<Option name="vlan_id">100</Option>
</InterfaceOptions>
</Interface>
</Interface>
<Interface id="id39632X50958" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id39634X50958" name="openbsd-3:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_new_tcp_with_no_syn">False</Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_carp_interfaces">True</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="loopback_interface">lo0</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">False</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="sshArgs"></Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="id1515X69605" name="Time" comment="" ro="False"/>
</Library>