
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::checkForShadowingPlatformSpecific):

see #1417 (SF bug 2992177): a rule with a greater limit module rate value shadows a rule with a lower rate value. Comments in the code explain why.
This commit is contained in:
Vadim Kurland 2010-04-27 16:58:05 +00:00
parent ef2d783888
commit 3cfd19c79b
4 changed files with 127 additions and 113 deletions


@ -1 +1 @@
#define BUILD_NUM 2847
#define BUILD_NUM 2848


@ -1,3 +1,10 @@
2010-04-27 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::checkForShadowingPlatformSpecific):
see #1417 (SF bug 2992177) rule with greater limit module rate
value shadows rule with lower rate value. Comments in the code explain
why.
2010-04-26 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (PolicyCompiler_ipt::checkForShadowingPlatformSpecific):


@ -5151,16 +5151,17 @@ list<string> PolicyCompiler_ipt::getUsedChains()
* rule with rate "-1" (i.e. no rate limiting at all) shadows rule with
* rate > 0
* OR
* rule with lower rate shadows rule with greater rate
* rule with greater rate shadows rule with lower rate
*
* consider for example two rules: rule 1 that matches 30 pkts/sec and
* rule 2 that matches 50 pkts/sec
* From man iptables: "A rule using this extension will match until
* this limit is reached "
*
* In this case neither rule matches when packet flow is at <30
* pkts/sec and rule 1 matches if packet flow is greater than 30
* pkts/sec . Even when packet flow is greater than 50 pkts/sec, it is
* still rule 1 that matches it. So rule 2 will never match at all,
* and rule with lower rate shadows rule with greater rate.
* consider for example two rules: rule 1 that matches 50 pkts/sec and
* rule 2 that matches 30 pkts/sec
*
* rule 1 matches rates between 0 and 49 and rule 2 rates between 0
* and 29. This means rule 2 will never match any rate and rule with
* greater limit value shadows the one with lower limit value
*
* we should return true if candidate_rule_2 shadows candidate_rule_1
*/
@ -5172,8 +5173,10 @@ bool PolicyCompiler_ipt::checkForShadowingPlatformSpecific(PolicyRule *candidate
if (opt_1->getInt("limit_value")>0 || opt_2->getInt("limit_value")>0)
{
if (opt_1->getInt("limit_value") < opt_2->getInt("limit_value"))
return false;
int rate_1 = opt_1->getInt("limit_value"); if (rate_1 == -1) rate_1 = INT_MAX;
int rate_2 = opt_2->getInt("limit_value"); if (rate_2 == -1) rate_2 = INT_MAX;
if (rate_1 > rate_2) return false;
if (opt_1->getStr("limit_value_not") != opt_2->getStr("limit_value_not"))
return false;
if (opt_1->getStr("limit_suffix") != opt_2->getStr("limit_suffix"))
@ -5182,8 +5185,10 @@ bool PolicyCompiler_ipt::checkForShadowingPlatformSpecific(PolicyRule *candidate
if (opt_1->getInt("connlimit_value")>0 || opt_2->getInt("connlimit_value")>0)
{
if (opt_1->getInt("connlimit_value") < opt_2->getInt("connlimit_value"))
return false;
int rate_1 = opt_1->getInt("connlimit_value"); if (rate_1 == -1) rate_1 = INT_MAX;
int rate_2 = opt_2->getInt("connlimit_value"); if (rate_2 == -1) rate_2 = INT_MAX;
if (rate_1 > rate_2) return false;
if (opt_1->getStr("connlimit_value_not") != opt_2->getStr("connlimit_value_not"))
return false;
if (opt_1->getStr("connlimit_suffix") != opt_2->getStr("connlimit_suffix"))
@ -5192,8 +5197,10 @@ bool PolicyCompiler_ipt::checkForShadowingPlatformSpecific(PolicyRule *candidate
if (opt_1->getInt("hashlimit_value")>0 || opt_2->getInt("hashlimit_value")>0)
{
if (opt_1->getInt("hashlimit_value") < opt_2->getInt("hashlimit_value"))
return false;
int rate_1 = opt_1->getInt("hashlimit_value"); if (rate_1 == -1) rate_1 = INT_MAX;
int rate_2 = opt_2->getInt("hashlimit_value"); if (rate_2 == -1) rate_2 = INT_MAX;
if (rate_1 > rate_2) return false;
if (opt_1->getStr("hashlimit_suffix") != opt_2->getStr("hashlimit_suffix"))
return false;
if (opt_1->getStr("hashlimit_mode") != opt_2->getStr("hashlimit_mode"))
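Review bot: The new `rate_1`/`rate_2` lines in the `limit_value` hunk map only `-1` to `INT_MAX`, while the enclosing guard (`getInt("limit_value")>0 || ...`) and the fixture in this commit treat `0` as "no limit set"; a rule whose value is 0 therefore compares as the lowest possible rate instead of as unlimited, so the `-1` case described in the header comment may never be reached and the outcome for an unlimited rule depends on the later `limit_suffix` comparison rather than on the rate logic. Since a wrong answer here either hides a shadowed rule (a restriction the administrator believes is active never fires) or rejects a valid policy, either normalise both sentinels, `if (rate_1 <= 0) rate_1 = INT_MAX;` and likewise for `rate_2`, or add a comment stating which value means "no limit" and why 0 is compared literally. The same three lines are repeated verbatim for `connlimit_value` and `hashlimit_value` in the next two hunks, keeping the `rate_` names even for connlimit, which is a connection count rather than a rate; a small file-static helper taking the option name would keep the three in step. `INT_MAX` needs `<climits>`, which cannot be confirmed from these hunks, and `checkForShadowingPlatformSpecific` begins and ends outside them.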


@ -49959,12 +49959,12 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id54445X20318" host_OS="linux24" inactive="False" lastCompiled="1272384879" lastInstalled="0" lastModified="1272384869" platform="iptables" version="" name="test-shadowing-3" comment="testing shadowing detection&#10;compiler runs with -xt flag&#10;testing shadowing when rules have non-default options" ro="False">
<Firewall id="id54445X20318" host_OS="linux24" inactive="False" lastCompiled="1272387175" lastInstalled="0" lastModified="1272387229" platform="iptables" version="" name="test-shadowing-3" comment="testing shadowing detection&#10;compiler runs with -xt flag&#10;testing shadowing when rules have non-default options" ro="False">
<NAT id="id54554X20318" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id54468X20318" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id54469X20318" disabled="False" log="False" position="0" action="Accept" direction="Outbound" comment="">
<PolicyRule id="id54469X20318" disabled="False" log="False" position="0" action="Accept" direction="Outbound" comment="limit ">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -50031,7 +50031,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<RuleSetOptions/>
</Policy>
<Policy id="id55734X20318" name="Policy_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id55855X20318" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
<PolicyRule id="id55855X20318" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="connlimit">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -50098,7 +50098,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<RuleSetOptions/>
</Policy>
<Policy id="id55760X20318" name="Policy_2" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id55947X20318" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="">
<PolicyRule id="id55947X20318" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="hashlimit">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -50182,7 +50182,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0C0C0</Option>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
@ -50227,7 +50227,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0C0C0</Option>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
@ -50258,52 +50258,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<RuleSetOptions/>
</Policy>
<Policy id="id54971X87331" name="Policy_4" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id55158X87331" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="50/sec">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id54453X20318"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">True</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name">test</Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix">/second</Option>
<Option name="hashlimit_value">50</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55112X87331" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="30/sec">
<PolicyRule id="id55112X87331" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="30/sec">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -50348,6 +50303,51 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55158X87331" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="50/sec">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id54453X20318"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">True</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name">test</Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix">/second</Option>
<Option name="hashlimit_value">50</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55066X87331" disabled="False" group="" log="False" position="2" action="Accept" direction="Outbound" comment="htable_rule_4&#10;">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
@ -50441,52 +50441,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<RuleSetOptions/>
</Policy>
<Policy id="id54773X87346" name="Policy_5" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id54868X87346" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="30/sec">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id54453X20318"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">True</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name">test</Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix">/second</Option>
<Option name="hashlimit_value">30</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id54822X87346" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="50/sec">
<PolicyRule id="id54822X87346" disabled="False" group="" log="False" position="0" action="Accept" direction="Outbound" comment="50/sec">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -50531,6 +50486,51 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id54868X87346" disabled="False" group="" log="False" position="1" action="Accept" direction="Outbound" comment="30/sec">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id54453X20318"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">True</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name">test</Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix">/second</Option>
<Option name="hashlimit_value">30</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id54556X20318" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">