* IPTImporter.cpp (IPTImporter::finalize): see #1513 iptables

importer should check default policy in standard chains.
2026-03-18 17:27:20 +01:00 · 2010-06-11 20:27:35 +00:00 · 2010-06-11 20:27:35 +00:00 · 4ecb807f23
commit 4ecb807f23
parent 9cfe3b9866
7 changed files with 177 additions and 22 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-#define BUILD_NUM 2970
+#define BUILD_NUM 2971
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,9 +1,14 @@
+2010-06-11  vadim  <vadim@vk.crocodile.org>
+
+	* IPTImporter.cpp (IPTImporter::finalize): see #1513 iptables
+	importer should check default policy in standard chains.
+
 2010-06-08  Vadim Kurland  <vadim@vk.crocodile.org>

 	* applied patch from slif@bellsouth.net to fix compiler
 	warnings. Patch applied partially since not all fixes were
 	appropriate. fixes #1510
-	
+
 	* IPTImporter.cpp (IPTImporter::pushPolicyRule): fixed #1512 SF
 	bug 3012953: iptables importer sometimes does not recognize rule
 	with " ESTABLISHED,RELATED ". Parser properly processed iptables
--- a/src/gui/IPTImporter.cpp
+++ b/src/gui/IPTImporter.cpp
@ -1166,6 +1166,46 @@ Firewall* IPTImporter::finalize()

        fwopt->setBool("firewall_is_part_of_any_and_networks", false);

+        // scan all UnidirectionalRuleSet objects and take care of
+        // their default action
+        std::map<const string, UnidirectionalRuleSet*>::iterator it;
+        for (it=all_rulesets.begin(); it!=all_rulesets.end(); ++it)
+        {
+            UnidirectionalRuleSet* rs = it->second;
+            if (Policy::isA(rs->ruleset) && rs->default_action == PolicyRule::Accept)
+            {
+
+                FWObjectDatabase *dbroot = getFirewallObject()->getRoot();
+                PolicyRule *rule = PolicyRule::cast(
+                    dbroot->create(PolicyRule::TYPENAME));
+
+                // check if all child objects were populated properly
+                FWOptions  *ropt = current_rule->getOptionsObject();
+                assert(ropt!=NULL);
+                ropt->setBool("stateless",true);
+
+                rule->setAction(PolicyRule::Accept);
+
+                if (rs->name == "INPUT")
+                {
+                    RuleElementSrc* src = rule->getSrc();
+                    assert(src!=NULL);
+                    src->addRef(fw);
+                    rule->setDirection(PolicyRule::Inbound);
+                }
+                if (rs->name == "OUTPUT")
+                {
+                    RuleElementDst* dst = rule->getDst();
+                    assert(dst!=NULL);
+                    dst->addRef(fw);
+                    rule->setDirection(PolicyRule::Outbound);
+                }
+
+                rs->ruleset->add(rule);
+
+            }
+        }
+
        list<FWObject*> l2 = fw->getByType(Policy::TYPENAME);
        for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
        {
--- a/src/gui/Importer.cpp
+++ b/src/gui/Importer.cpp
@ -372,6 +372,23 @@ void Importer::newUnidirRuleSet(const std::string &ruleset_name)
    *logger << "Ruleset: " << ruleset_name << "\n";
 }

+/*
+ * Grammar must ensure the call to setDefaultAction() happens
+ * after the call to newUnidirRuleSet()
+ * 
+ */
+void Importer::setDefaultAction(const std::string &iptables_action_name)
+{
+    string default_action_str = "Deny";
+    if (iptables_action_name == "ACCEPT")
+    {
+        current_ruleset->default_action = PolicyRule::Accept;
+        default_action_str = "Accept";
+    } else current_ruleset->default_action = PolicyRule::Deny;
+
+    *logger << "Default action: " << default_action_str << "\n";
+}
+

 void Importer::newPolicyRule()
 {
--- a/src/gui/Importer.h
+++ b/src/gui/Importer.h
@ -57,6 +57,7 @@ public:
    std::string name;
    // interface names and directions
    std::map<std::string,std::string> intf_dir;
+    libfwbuilder::PolicyRule::Action default_action;
 };

 class ImporterException : public std::exception
@ -109,7 +110,7 @@ protected:
    std::map<const std::string, int> custom_service_codes;

    UnidirectionalRuleSet* current_ruleset;
-
+    
    libfwbuilder::Rule* current_rule;

    libfwbuilder::FWObject* createObject(const std::string &objType,
@ -271,6 +272,11 @@ public:
     */
    virtual void newUnidirRuleSet(const std::string &name);

+    /**
+     * Sets default action for the current rule set.
+     */
+    virtual void setDefaultAction(const std::string &iptables_action_name);
+
    /**
     * add interface and direction setting to a ruleset. Note that the
     * same ruleset may be associated with multiple interfaces and 
--- a/src/parsers/iptables.g
+++ b/src/parsers/iptables.g
@ -162,6 +162,10 @@ create_chain : COLON chain_def
            *dbg << "NEW CHAIN " << LT(0)->getText() << std::endl;
        }
        (WORD | MINUS)
+        {
+            importer->setDefaultAction(LT(0)->getText());
+            *dbg << "DEFAULT ACTION " << LT(0)->getText() << std::endl;
+        }
        (OPENING_SQUARE INT_CONST COLON INT_CONST CLOSING_SQUARE)?
    ;

--- a/test/ipt/objects-for-regression-tests.fwb
+++ b/test/ipt/objects-for-regression-tests.fwb
@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1272737130" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1276020555" id="root">
  <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
    <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
    <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -101,29 +101,19 @@
    <ServiceGroup id="stdid05" name="Services" comment="" ro="False">
      <CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
-        <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="ipf"></CustomServiceCommand>
        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
-        <CustomServiceCommand platform="pf"></CustomServiceCommand>
-        <CustomServiceCommand platform="pix"></CustomServiceCommand>
        <CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="unknown"></CustomServiceCommand>
      </CustomService>
      <CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
        <CustomServiceCommand platform="Undefined"></CustomServiceCommand>
-        <CustomServiceCommand platform="fwsm"></CustomServiceCommand>
        <CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="ipf"></CustomServiceCommand>
        <CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
        <CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
        <CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
-        <CustomServiceCommand platform="pf"></CustomServiceCommand>
-        <CustomServiceCommand platform="pix"></CustomServiceCommand>
        <CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
-        <CustomServiceCommand platform="unknown"></CustomServiceCommand>
      </CustomService>
      <ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
        <ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
@ -3574,6 +3564,7 @@
        <IPv4 id="id55255X40565" name="gw_011" comment="" ro="False" address="192.168.11.200" netmask="0.0.0.0"/>
        <IPv4 id="id55275X40565" name="gw_201" comment="" ro="False" address="192.168.201.200" netmask="0.0.0.0"/>
        <IPv4 id="id55295X40565" name="gw_202" comment="" ro="False" address="192.168.202.200" netmask="0.0.0.0"/>
+        <IPv4 id="id55476X84465" name="fw35_dyn_intf_broadcast" comment="this address represents broadcast on the subnet where dynamic interface eth0.100 of fw35 is located" ro="False" address="192.168.222.255" netmask="0.0.0.0"/>
      </ObjectGroup>
      <ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
        <ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
@ -23549,7 +23540,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
          <Option name="verify_interfaces">False</Option>
        </FirewallOptions>
      </Firewall>
-      <Firewall id="id439254F225682" host_OS="linux24" inactive="False" lastCompiled="1272404440" lastInstalled="1142003872" lastModified="1270847973" platform="iptables" version="" name="firewall35" comment="testing AddressTable object&#10;&#10;like firewall34, but uses different script format" ro="False">
+      <Firewall id="id439254F225682" host_OS="linux24" inactive="False" lastCompiled="1272404440" lastInstalled="1142003872" lastModified="1276021114" platform="iptables" version="" name="firewall35" comment="testing AddressTable object&#10;&#10;like firewall34, but uses different script format" ro="False">
        <NAT id="id4392558E25682" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <NATRule id="id4392558F25682" disabled="False" position="0" action="Translate" comment="">
            <OSrc neg="True">
@ -23696,7 +23687,74 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
              <Option name="stateless">True</Option>
            </PolicyRuleOptions>
          </PolicyRule>
-          <PolicyRule id="id4392553725682" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
+          <PolicyRule id="id55557X84465" disabled="False" group="" log="False" position="5" action="Branch" direction="Inbound" comment="test rule for the discussion&#10;https://sourceforge.net/projects/fwbuilder/forums/forum/16372/topic/3733964/index/page/1">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id439254F225682"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="action_on_reject"></Option>
+              <Option name="branch_id">id55450X84465</Option>
+              <Option name="classify_str"></Option>
+              <Option name="connlimit_above_not">False</Option>
+              <Option name="connlimit_masklen">0</Option>
+              <Option name="connlimit_value">0</Option>
+              <Option name="custom_str"></Option>
+              <Option name="firewall_is_part_of_any_and_networks"></Option>
+              <Option name="hashlimit_burst">0</Option>
+              <Option name="hashlimit_dstlimit">False</Option>
+              <Option name="hashlimit_expire">0</Option>
+              <Option name="hashlimit_gcinterval">0</Option>
+              <Option name="hashlimit_max">0</Option>
+              <Option name="hashlimit_mode_dstip">False</Option>
+              <Option name="hashlimit_mode_dstport">False</Option>
+              <Option name="hashlimit_mode_srcip">False</Option>
+              <Option name="hashlimit_mode_srcport">False</Option>
+              <Option name="hashlimit_name"></Option>
+              <Option name="hashlimit_size">0</Option>
+              <Option name="hashlimit_suffix"></Option>
+              <Option name="hashlimit_value">0</Option>
+              <Option name="ipf_route_opt_addr"></Option>
+              <Option name="ipf_route_opt_if"></Option>
+              <Option name="ipf_route_option">route_through</Option>
+              <Option name="ipfw_classify_method">2</Option>
+              <Option name="ipfw_pipe_port_num">0</Option>
+              <Option name="ipfw_pipe_queue_num">0</Option>
+              <Option name="ipt_branch_in_mangle">False</Option>
+              <Option name="ipt_continue">False</Option>
+              <Option name="ipt_gw"></Option>
+              <Option name="ipt_iif"></Option>
+              <Option name="ipt_mark_connections">False</Option>
+              <Option name="ipt_oif"></Option>
+              <Option name="ipt_tee">False</Option>
+              <Option name="limit_burst">0</Option>
+              <Option name="limit_suffix"></Option>
+              <Option name="limit_value">0</Option>
+              <Option name="limit_value_not">False</Option>
+              <Option name="log_level"></Option>
+              <Option name="log_prefix"></Option>
+              <Option name="pf_fastroute">False</Option>
+              <Option name="pf_route_load_option">none</Option>
+              <Option name="pf_route_opt_addr"></Option>
+              <Option name="pf_route_opt_if"></Option>
+              <Option name="pf_route_option">none</Option>
+              <Option name="rule_name_accounting"></Option>
+              <Option name="stateless">True</Option>
+              <Option name="ulog_nlgroup">1</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <PolicyRule id="id4392553725682" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
            <Src neg="False">
              <ObjectRef ref="id4389EE9118346"/>
            </Src>
@ -23716,7 +23774,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
              <Option name="stateless">True</Option>
            </PolicyRuleOptions>
          </PolicyRule>
-          <PolicyRule id="id4392554325682" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
+          <PolicyRule id="id4392554325682" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
            <Src neg="False">
              <ObjectRef ref="id4389EE9118346"/>
              <ObjectRef ref="id4388C37D674"/>
@ -23737,7 +23795,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
              <Option name="stateless">True</Option>
            </PolicyRuleOptions>
          </PolicyRule>
-          <PolicyRule id="id4392555025682" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id4392555025682" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
            <Src neg="True">
              <ObjectRef ref="id4389EE9118346"/>
              <ObjectRef ref="id4388C37D674"/>
@ -23756,7 +23814,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
            </When>
            <PolicyRuleOptions/>
          </PolicyRule>
-          <PolicyRule id="id4392555D25682" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id4392555D25682" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
            <Src neg="False">
              <ObjectRef ref="id439255AC25682"/>
            </Src>
@ -23775,7 +23833,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
            </When>
            <PolicyRuleOptions/>
          </PolicyRule>
-          <PolicyRule id="id4392556A25682" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id4392556A25682" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
            <Src neg="False">
              <ObjectRef ref="sysid0"/>
            </Src>
@ -23793,7 +23851,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
            </When>
            <PolicyRuleOptions/>
          </PolicyRule>
-          <PolicyRule id="id4392557625682" disabled="False" log="False" position="10" action="Accept" direction="Both" comment="">
+          <PolicyRule id="id4392557625682" disabled="False" log="False" position="11" action="Accept" direction="Both" comment="">
            <Src neg="False">
              <ObjectRef ref="id43913DEA25682"/>
            </Src>
@ -23811,7 +23869,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
            </When>
            <PolicyRuleOptions/>
          </PolicyRule>
-          <PolicyRule id="id4392558225682" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="">
+          <PolicyRule id="id4392558225682" disabled="False" log="True" position="12" action="Deny" direction="Both" comment="">
            <Src neg="False">
              <ObjectRef ref="sysid0"/>
            </Src>
@ -23833,6 +23891,31 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
          </PolicyRule>
          <RuleSetOptions/>
        </Policy>
+        <Policy id="id55450X84465" name="block_local_bcast" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
+          <PolicyRule id="id55485X84465" disabled="False" log="False" position="0" action="Deny" direction="Both" comment="an attempt to build rule blocking local broadcast packets on the subnet where firewall has dynamic interface">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="id55476X84465"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <RuleSetOptions>
+            <Option name="mangle_only_rule_set">False</Option>
+          </RuleSetOptions>
+        </Policy>
        <Routing id="id439255AB25682" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
          <RoutingRule id="id53770X97650" disabled="True" metric="0" position="0" comment="for bug 1404 - routing_functions configlet should be expanded">
            <RDst neg="False">