
fixes #353, #355, #356 Using configlets to generate .fw script for pf, ipfilter and ipfw

This commit is contained in:
Vadim Kurland 2009-10-09 18:23:54 +00:00
parent 4af6f83ef1
commit 4fc1735694
42 changed files with 1125 additions and 781 deletions


@ -1 +1 @@
#define BUILD_NUM 1566
#define BUILD_NUM 1567


@ -93,6 +93,8 @@ CompilerDriver::CompilerDriver(FWObjectDatabase *db) : BaseCompiler()
objdb = new FWObjectDatabase(*db);
prolog_done = false;
epilog_done = false;
have_filter = false;
have_nat = false;
}
CompilerDriver::~CompilerDriver()
@ -962,4 +964,3 @@ bool CompilerDriver::isReachable(const Address* const client,
return false;
}
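Review bot: `have_filter` and `have_nat` are set to false here in the CompilerDriver constructor (the two lines after `epilog_done = false;`), and the CompilerDriver_pf constructor in this same commit assigns the same two values again, so one of the two sites is redundant; keeping the base-class initialisation and dropping the derived copy is the simpler shape. These members are also only reset at construction, and `clone()` builds a fresh driver, so if one driver instance is ever run() twice the flags carry the previous run's result into the next manifest — presumably drivers are single-use, but a comment on the members saying so would make that explicit. The destructor that starts at `CompilerDriver::~CompilerDriver()` continues outside the section.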


@ -28,6 +28,8 @@
#include "fwcompiler/BaseCompiler.h"
#include "Configlet.h"
#include <string>
#include <sstream>
@ -52,7 +54,10 @@ namespace libfwbuilder {
namespace fwcompiler {
class CompilerDriver : public BaseCompiler {
class OSConfigurator;
class CompilerDriver : public BaseCompiler
{
protected:
@ -85,7 +90,9 @@ protected:
bool fw_by_id;
bool prolog_done;
bool epilog_done;
bool have_filter;
bool have_nat;
std::map<std::string,libfwbuilder::RuleSet*> branches;
libfwbuilder::FWObjectDatabase *objdb;
@ -105,6 +112,19 @@ protected:
static bool isReachable(const libfwbuilder::Address* const subnet,
const libfwbuilder::InetAddr* const addr);
/* Virtual methods used to compose generated script */
virtual QString printPathForAllTools(libfwbuilder::Firewall* fw,
const std::string &os);
virtual QString printActivationCommands(libfwbuilder::Firewall *fw);
virtual QString assembleManifest(libfwbuilder::Firewall* fw);
virtual void assembleFwScriptInternal(libfwbuilder::Firewall* fw,
OSConfigurator *ocsnf,
Configlet *script_skeleton,
Configlet *top_comment);
public:
CompilerDriver(libfwbuilder::FWObjectDatabase *db);
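Review bot: The parameter of assembleFwScriptInternal is declared as `OSConfigurator *ocsnf` while the definition in the new CompilerDriver.cpp names it `oscnf`; the same transposed spelling appears on the `assembleFwScript` declarations in CompilerDriver_ipf.h, CompilerDriver_ipfw.h and CompilerDriver_pf.h, and renaming the declarations to `oscnf` keeps headers and definitions in agreement. The four new virtual hooks carry no comment; a one-liner each, e.g. `/* Script fragment defining the paths of the external tools for OS family <os>; the base implementation returns an empty string */` on printPathForAllTools, tells a subclass author what the configlet expects of the override. Since Configlet is only used through a pointer in this header, a forward declaration next to `class OSConfigurator;` would do instead of the new `#include "Configlet.h"`.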


@ -0,0 +1,175 @@
/*
Firewall Builder
Copyright (C) 2009 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id: CompilerDriver.cpp 1533 2009-10-01 16:42:02Z vadim $
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include <fstream>
#include <iostream>
#include <iomanip>
#ifndef _WIN32
# include <unistd.h>
# include <pwd.h>
#else
# include <direct.h>
# include <stdlib.h>
# include <io.h>
#endif
#include "CompilerDriver.h"
#include "Configlet.h"
#include "fwbuilder/FWObject.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Resources.h"
#include "fwcompiler/OSConfigurator.h"
#include <QStringList>
#include <QFileInfo>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
QString CompilerDriver::printPathForAllTools(Firewall*, const std::string &)
{
return "";
}
QString CompilerDriver::printActivationCommands(Firewall*)
{
return "";
}
QString CompilerDriver::assembleManifest(Firewall*)
{
return "";
}
void CompilerDriver::assembleFwScriptInternal(Firewall* fw,
OSConfigurator *oscnf,
Configlet *script_skeleton,
Configlet *top_comment)
{
FWOptions* options = fw->getOptionsObject();
string platform = fw->getStr("platform");
string fw_version = fw->getStr("version");
string host_os = fw->getStr("host_OS");
string family = Resources::os_res[host_os]->Resources::getResourceStr(
"/FWBuilderResources/Target/family");
bool debug = options->getBool("debug");
string shell_dbg = (debug)?"set -x":"" ;
string cmd_dbg = (debug)?"-v ":"";
string prolog_place = options->getStr("prolog_place");
if (prolog_place.empty()) prolog_place = "fw_file"; // old default
string pre_hook = fw->getOptionsObject()->getStr("prolog_script");
string firewall_dir = options->getStr("firewall_dir");
if (firewall_dir=="") firewall_dir = "/etc/fw";
char *timestr;
time_t tm;
struct tm *stm;
tm = time(NULL);
stm = localtime(&tm);
timestr = strdup(ctime(&tm));
timestr[strlen(timestr)-1] = '\0';
#ifdef _WIN32
char* user_name=getenv("USERNAME");
#else
struct passwd *pwd=getpwuid(getuid());
assert(pwd);
char *user_name=pwd->pw_name;
#endif
if (user_name==NULL)
{
user_name=getenv("LOGNAME");
if (user_name==NULL)
abort("Can't figure out your user name");
}
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
script_skeleton->removeComments();
script_skeleton->setVariable("shell_debug", shell_dbg.c_str());
script_skeleton->setVariable("firewall_dir", firewall_dir.c_str());
top_comment->setVariable("version", VERSION);
QString build_num;
build_num.setNum(BUILD_NUM);
top_comment->setVariable("build", build_num);
top_comment->setVariable("timestamp", timestr);
top_comment->setVariable("tz", tzname[stm->tm_isdst]);
top_comment->setVariable("user", user_name);
QFileInfo fw_file_info(fw_file_name);
top_comment->setVariable("manifest", assembleManifest(fw));
top_comment->setVariable("platform", platform.c_str());
top_comment->setVariable("fw_version", fw_version.c_str());
top_comment->setVariable("comment", prepend("# ", fw->getComment().c_str()));
script_skeleton->setVariable("have_nat", have_nat);
script_skeleton->setVariable("have_filter", have_filter);
script_skeleton->setVariable("top_comment", top_comment->expand());
script_skeleton->setVariable("errors_and_warnings",
prepend("# ", all_errors.join("\n")));
script_skeleton->setVariable("tools", printPathForAllTools(fw, family));
script_skeleton->setVariable("timestamp", timestr);
script_skeleton->setVariable("user", user_name);
if (prolog_place == "fw_file")
script_skeleton->setVariable("prolog_script", pre_hook.c_str());
else
script_skeleton->setVariable("prolog_script", "");
script_buffer = "";
script_skeleton->setVariable("shell_functions", oscnf->printFunctions().c_str());
script_skeleton->setVariable("kernel_vars_commands",
prepend(" ", oscnf->printKernelVarsCommands().c_str()));
script_skeleton->setVariable("configure_interfaces",
prepend(" ", oscnf->configureInterfaces().c_str()));
// this really adds nothing for the most of the systems
script_skeleton->setVariable("other_os_configuration_commands", oscnf->getCompiledScript().c_str());
script_skeleton->setVariable("activation_commands", printActivationCommands(fw));
script_skeleton->setVariable("verify_interfaces", "");
script_skeleton->setVariable("epilog_script",
fw->getOptionsObject()->getStr("epilog_script").c_str());
}
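Review bot: `timestr = strdup(ctime(&tm));` is never freed, so every call of assembleFwScriptInternal leaks the copy; the same code was just removed from the three run() functions, so the leak is now in the one shared helper rather than fixed. A std::string holds the timestamp without manual ownership, and the two `setVariable(..., timestr)` calls then pass `timestr.c_str()`, as in the excerpt below. The locals `script_buffer`/`script` (declared at `QTextStream script(&script_buffer, QIODevice::WriteOnly);` and reset with `script_buffer = "";` later on) and `QFileInfo fw_file_info(fw_file_name);` are never read and look like leftovers from the per-driver code; they can be deleted. `Resources::os_res[host_os]` is dereferenced without a null check, which presumably relies on the callers' "Unrecognized host OS" test having run first — a comment stating that precondition would help.
```cpp
    time_t tm = time(NULL);
    struct tm *stm = localtime(&tm);
    // ctime() output ends in '\n'; drop it. std::string owns the copy, nothing to free.
    const char *ctime_str = ctime(&tm);
    string timestr = (ctime_str != NULL) ? ctime_str : "";
    if (!timestr.empty() && timestr[timestr.size() - 1] == '\n')
        timestr.erase(timestr.size() - 1);
    // … unchanged: user name lookup, configlet variables …
    top_comment->setVariable("timestamp", timestr.c_str());
    // … unchanged: remaining top_comment / script_skeleton variables …
    script_skeleton->setVariable("timestamp", timestr.c_str());
```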


@ -9,6 +9,7 @@ TEMPLATE = lib
SOURCES = CompilerDriver.cpp \
CompilerDriver_compile.cpp \
CompilerDriver_generators.cpp \
Configlet.cpp \
interfaceProperties.cpp \
linux24Interfaces.cpp \


@ -53,8 +53,10 @@ using namespace fwcompiler;
CompilerDriver_ipf::CompilerDriver_ipf(FWObjectDatabase *db) :
CompilerDriver(db)
CompilerDriver_pf(db)
{
have_nat = false;
have_filter = false;
}
// create a copy of itself, including objdb
@ -63,24 +65,21 @@ CompilerDriver* CompilerDriver_ipf::clone()
return new CompilerDriver_ipf(objdb);
}
QString CompilerDriver_ipf::printActivationCommandWithSubstitution(
Firewall *fw, const QString &filePath, const QString &cmd)
QString CompilerDriver_ipf::printActivationCommandWithSubstitution(Firewall *fw)
{
QString script_buffer;
QTextStream str(&script_buffer, QIODevice::WriteOnly);
str << "cat " << filePath << " | grep -v '#' ";
FWObjectTypedChildIterator j=fw->findByType(Interface::TYPENAME);
for ( ; j!=j.end(); ++j )
{
Interface *iface=Interface::cast(*j);
if ( iface->isDyn() )
{
str << "| sed \"s/ (" << iface->getName() << ") "
str << "sed \"s/ (" << iface->getName() << ") "
<< "/ $i_" << iface->getName() << " /\"";
}
}
str << " | " << cmd << endl;
return script_buffer;
}
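Review bot: The loop in printActivationCommandWithSubstitution now writes one `sed "s/ (<iface>) / $i_<iface> /"` per dynamic interface with nothing between them, because the leading `"| sed "` was dropped together with the trailing `" | " << cmd` pipe; with two or more dynamic interfaces the result is `sed "..."sed "..."`, which the configlet receiving `interface_name_substitution_commands` cannot repair since it sees the variable as a single string. A flag restores the separators: `bool first = true;` before the loop and, in the `isDyn()` branch, `if (!first) str << " | "; first = false;` ahead of the `str << "sed ..."` line. The interface name is also spliced into the sed expression unescaped, so a name containing `/` breaks the command; interface names come from the user's own firewall object, so this is a robustness rather than a trust issue, but worth a comment.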


@ -26,14 +26,14 @@
#ifndef __COMPILER_DRIVER_IPF_HH__
#define __COMPILER_DRIVER_IPF_HH__
#include "../compiler_lib/CompilerDriver.h"
#include "CompilerDriver_pf.h"
#include "TableFactory.h"
#include <string>
#include <QString>
#include <QTextStream>
#include <QStringList>
namespace libfwbuilder {
@ -48,13 +48,24 @@ namespace libfwbuilder {
namespace fwcompiler {
class CompilerDriver_ipf : public CompilerDriver {
class CompilerDriver_ipf : public CompilerDriver_pf
{
QStringList activation_commands;
QString composeActivationCommand(libfwbuilder::Firewall *fw,
bool filter,
const std::string &debug,
const std::string &version,
const std::string &remote_file_name);
protected:
QString printActivationCommandWithSubstitution(
libfwbuilder::Firewall *fw, const QString &filePath, const QString &cmd);
QString printActivationCommandWithSubstitution(libfwbuilder::Firewall *fw);
virtual QString assembleManifest(libfwbuilder::Firewall* fw);
virtual QString printActivationCommands(libfwbuilder::Firewall *fw);
virtual QString assembleFwScript(libfwbuilder::Firewall* fw,
OSConfigurator *ocsnf);
public:
CompilerDriver_ipf(libfwbuilder::FWObjectDatabase *db);
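Review bot: The `bool filter` parameter of composeActivationCommand is undocumented and its meaning is only recoverable from the definition (`act.setVariable("filter", filter); act.setVariable("nat", !filter);`), where false means the ipnat rules file. A comment on the declaration such as `// filter: true = activation command for the ipf rules file, false = for the ipnat rules file` would spare readers the trip. The `version` parameter of the same function is not read by the definition in this commit; either drop it or note what the ipf_activation configlet is expected to need it for.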


@ -88,6 +88,83 @@ using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
QString CompilerDriver_ipf::composeActivationCommand(libfwbuilder::Firewall *fw,
bool filter,
const std::string &debug,
const std::string &version,
const std::string &remote_file)
{
Configlet act(fw, "bsd", "ipf_activation");
act.removeComments();
act.collapseEmptyStrings(true);
act.setVariable("dyn_addr", fw->getOptionsObject()->getBool("dynAddr"));
act.setVariable("not_dyn_addr", !fw->getOptionsObject()->getBool("dynAddr"));
act.setVariable("filter", filter);
act.setVariable("nat", !filter);
act.setVariable("ipf_debug", debug.c_str());
act.setVariable("remote_file", remote_file.c_str());
act.setVariable("interface_name_substitution_commands",
printActivationCommandWithSubstitution(fw));
return act.expand();
}
QString CompilerDriver_ipf::assembleManifest(Firewall* fw)
{
FWOptions* options = fw->getOptionsObject();
QFileInfo fw_file_info(fw_file_name);
QString ipf_file_name = fw_file_info.completeBaseName() + "-ipf.conf";
QString nat_file_name = fw_file_info.completeBaseName() + "-nat.conf";
if (fw_file_info.path() != ".")
{
ipf_file_name = fw_file_info.path() + "/" + ipf_file_name;
nat_file_name = fw_file_info.path() + "/" + nat_file_name;
}
QString remote_ipf_name = options->getStr("ipf_conf_file_name_on_firewall").c_str();
if (remote_ipf_name.isEmpty()) remote_ipf_name = ipf_file_name;
QString remote_nat_name = options->getStr("nat_conf_file_name_on_firewall").c_str();
if (remote_nat_name.isEmpty()) remote_nat_name = nat_file_name;
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
script << MANIFEST_MARKER << "* " << fw_file_info.fileName();
string remote_name = fw->getOptionsObject()->getStr("script_name_on_firewall");
if (!remote_name.empty()) script << " " << remote_name;
script << endl;
if (have_filter)
{
script << MANIFEST_MARKER << " " << QFileInfo(ipf_file_name).fileName();
if (remote_ipf_name != ipf_file_name) script << " " << remote_ipf_name;
script << endl;
}
if (have_nat)
{
script << MANIFEST_MARKER << " " << QFileInfo(nat_file_name).fileName();
if (remote_nat_name != nat_file_name) script << " " << remote_nat_name;
script << endl;
}
return script_buffer;
}
QString CompilerDriver_ipf::assembleFwScript(Firewall* fw, OSConfigurator *oscnf)
{
Configlet script_skeleton(fw, "bsd", "ipf_script_skeleton");
Configlet top_comment(fw, "bsd", "top_comment");
assembleFwScriptInternal(fw, oscnf, &script_skeleton, &top_comment);
return script_skeleton.expand();
}
QString CompilerDriver_ipf::printActivationCommands(libfwbuilder::Firewall*)
{
return activation_commands.join("\n");
}
string CompilerDriver_ipf::run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id)
@ -107,6 +184,7 @@ string CompilerDriver_ipf::run(const std::string &cluster_id,
commonChecks2(cluster, fw);
FWOptions* options = fw->getOptionsObject();
string fw_version = fw->getStr("version");
// Note that fwobjectname may be different from the name of the
// firewall fw This happens when we compile a member of a cluster
@ -135,8 +213,7 @@ string CompilerDriver_ipf::run(const std::string &cluster_id,
if (firewall_dir=="") firewall_dir = "/etc/fw";
bool debug = options->getBool("debug");
QString shell_dbg = (debug)?"-x":"" ;
QString ipf_dbg = (debug)?"-v":"";
string ipf_dbg = (debug)?"-v":"";
std::auto_ptr<Preprocessor> prep(new Preprocessor(objdb , fw, false));
prep->compile();
@ -144,20 +221,21 @@ string CompilerDriver_ipf::run(const std::string &cluster_id,
/*
* Process firewall options, build OS network configuration script
*/
std::auto_ptr<OSConfigurator> oscnf;
string family=Resources::os_res[fw->getStr("host_OS")]->Resources::getResourceStr("/FWBuilderResources/Target/family");
if ( family=="solaris" )
oscnf = std::auto_ptr<OSConfigurator>(new OSConfigurator_solaris(objdb , fw, false));
std::auto_ptr<OSConfigurator_bsd> oscnf;
string host_os = fw->getStr("host_OS");
string family=Resources::os_res[host_os]->Resources::getResourceStr("/FWBuilderResources/Target/family");
if ( host_os == "solaris" )
oscnf = std::auto_ptr<OSConfigurator_bsd>(new OSConfigurator_solaris(objdb , fw, false));
if ( family=="openbsd")
oscnf = std::auto_ptr<OSConfigurator>(new OSConfigurator_openbsd(objdb , fw, false));
if ( host_os == "openbsd")
oscnf = std::auto_ptr<OSConfigurator_bsd>(new OSConfigurator_openbsd(objdb , fw, false));
if ( family=="freebsd")
oscnf = std::auto_ptr<OSConfigurator>(new OSConfigurator_freebsd(objdb , fw, false));
if ( host_os == "freebsd")
oscnf = std::auto_ptr<OSConfigurator_bsd>(new OSConfigurator_freebsd(objdb , fw, false));
if (oscnf.get()==NULL)
throw FWException("Unrecognized host OS " +
fw->getStr("host_OS")+" (family "+family+")");
host_os + " (family " + family + ")");
oscnf->prolog();
@ -178,10 +256,9 @@ string CompilerDriver_ipf::run(const std::string &cluster_id,
if (inTestMode()) c.setTestMode();
if (inEmbeddedMode()) c.setEmbeddedMode();
bool have_ipf=false;
if ( c.prolog() > 0 )
{
have_ipf = true;
have_filter = true;
c.compile();
c.epilog();
}
@ -200,7 +277,6 @@ string CompilerDriver_ipf::run(const std::string &cluster_id,
if (inTestMode()) n.setTestMode();
if (inEmbeddedMode()) n.setEmbeddedMode();
bool have_nat=false;
if ( n.prolog() > 0 )
{
have_nat = true;
@ -218,7 +294,7 @@ string CompilerDriver_ipf::run(const std::string &cluster_id,
// in single rule compile mode just return the result
ostringstream ostr;
if (have_ipf)
if (have_filter)
{
if (c.haveErrorsAndWarnings())
{
@ -248,38 +324,7 @@ string CompilerDriver_ipf::run(const std::string &cluster_id,
}
/*
* now write generated scripts to files
*/
char *timestr;
time_t tm;
struct tm *stm;
tm=time(NULL);
stm=localtime(&tm);
timestr=strdup(ctime(&tm));
timestr[ strlen(timestr)-1 ]='\0';
#ifdef _WIN32
char* user_name=getenv("USERNAME");
#else
struct passwd *pwd=getpwuid(getuid());
assert(pwd);
char *user_name=pwd->pw_name;
#endif
if (user_name==NULL)
{
user_name=getenv("LOGNAME");
if (user_name==NULL)
abort("Can't figure out your user name");
}
QString activation_commands_buffer;
QTextStream activation_commands(&activation_commands_buffer, QIODevice::WriteOnly);
if (have_ipf)
if (have_filter)
{
QFile ipf_file(ipf_file_name);
if (ipf_file.open(QIODevice::WriteOnly))
@ -306,19 +351,13 @@ string CompilerDriver_ipf::run(const std::string &cluster_id,
" for writing");
}
QString cmd = QString("$IPF ") + ipf_dbg + " -I -f ";
QString filePath;
if (remote_ipf_name[0] == '/') filePath = remote_ipf_name;
else filePath = QString("${FWDIR}/") + remote_ipf_name;
if (fw->getOptionsObject()->getBool("dynAddr"))
{
cmd += "-";
activation_commands << printActivationCommandWithSubstitution(fw, filePath, cmd);
} else
{
activation_commands << cmd << filePath << endl;
}
activation_commands.push_back(
composeActivationCommand(
fw, true, ipf_dbg, fw_version, filePath.toStdString()));
}
if (have_nat)
@ -348,132 +387,21 @@ string CompilerDriver_ipf::run(const std::string &cluster_id,
" for writing");
}
QString cmd = QString("$IPNAT ") + ipf_dbg + " -f ";
QString filePath;
if (remote_nat_name[0] == '/') filePath = remote_nat_name;
else filePath = QString("${FWDIR}/") + remote_nat_name;
if (fw->getOptionsObject()->getBool("dynAddr"))
{
cmd += "-";
activation_commands << printActivationCommandWithSubstitution(fw, filePath, cmd);
} else
{
activation_commands << cmd << filePath << endl;
}
activation_commands.push_back(
composeActivationCommand(
fw, false, ipf_dbg, fw_version, filePath.toStdString()));
}
/*
* assemble the script and then perhaps post-process it if needed
*/
QString script_buffer = assembleFwScript(fw, oscnf.get());
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
script << "#!/bin/sh " << shell_dbg << endl << endl;
script << "#\n\
# This is automatically generated file. DO NOT MODIFY !\n\
#\n\
# Firewall Builder fwb_ipf v" << VERSION << "-" << BUILD_NUM << " \n\
#\n\
# Generated " << timestr << " " << tzname[stm->tm_isdst] << " by "
<< user_name << "\n#\n#\n";
info("Output file name: " + fw_file_name.toStdString());
QFileInfo fw_file_info(fw_file_name);
script << MANIFEST_MARKER << "* " << fw_file_info.fileName();
string remote_name = fw->getOptionsObject()->getStr("script_name_on_firewall");
if (!remote_name.empty()) script << " " << remote_name;
script << endl;
if (have_ipf)
{
script << MANIFEST_MARKER << " " << QFileInfo(ipf_file_name).fileName();
if (remote_ipf_name != ipf_file_name) script << " " << remote_ipf_name;
script << endl;
}
if (have_nat)
{
script << MANIFEST_MARKER << " " << QFileInfo(nat_file_name).fileName();
if (remote_nat_name != nat_file_name) script << " " << remote_nat_name;
script << endl;
}
script << "#" << endl;
script << "#" << endl;
string fwcomment=fw->getComment();
string::size_type n1,n2;
n1=n2=0;
while ( (n2=fwcomment.find("\n",n1))!=string::npos )
{
script << "# " << fwcomment.substr(n1,n2-n1) << endl;
n1=n2+1;
}
script << "# " << fwcomment.substr(n1) << endl;
script << "#\n#\n#\n";
script << prepend("# ", all_errors.join("\n")).toStdString() << endl;
script << "FWDIR=`dirname $0`" << endl << endl;
script << oscnf->getCompiledScript();
script << endl;
script << "log '";
script << "Activating firewall script generated "
<< timestr << " " << " by "
<< user_name;
script << "'" << endl;
script << endl;
script << endl
<< "$IPF -Fa" << endl
<< "$IPNAT -C" << endl;
/*
* we add prolog and epilog to the activation shell script rather
* than to ipf and nat .conf files. This is more flexible since user
* can execute some shell commands, as well as add any policy and/or
* nat rules by putting them into their .conf file and loading them
* from prolog or epilog script. Because of this, prolog is added
* after all policy and nat rules are flushed.
*/
script << endl;
script << "#" << endl;
script << "# Prolog script" << endl;
script << "#" << endl;
string pre_hook= fw->getOptionsObject()->getStr("prolog_script");
script << pre_hook << endl;
script << "#" << endl;
script << "# End of prolog script" << endl;
script << "#" << endl;
script << activation_commands_buffer.toStdString();
if (have_ipf)
script << "$IPF " << ipf_dbg << " -s " << endl;
script << endl;
script << "#" << endl;
script << "# Epilog script" << endl;
script << "#" << endl;
string post_hook= fw->getOptionsObject()->getStr("epilog_script");
script << post_hook << endl;
script << endl;
script << "# End of epilog script" << endl;
script << "#" << endl;
script << endl;
script << "/sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -E" << endl;
script << endl;
QFile fw_file(fw_file_name);
if (fw_file.open(QIODevice::WriteOnly))
{


@ -37,7 +37,7 @@ using namespace fwcompiler;
CompilerDriver_ipfw::CompilerDriver_ipfw(FWObjectDatabase *db) :
CompilerDriver(db)
CompilerDriver_pf(db)
{
}


@ -26,7 +26,7 @@
#ifndef __COMPILER_DRIVER_IPFW_HH__
#define __COMPILER_DRIVER_IPFW_HH__
#include "../compiler_lib/CompilerDriver.h"
#include "CompilerDriver_pf.h"
#include "TableFactory.h"
@ -48,7 +48,15 @@ namespace libfwbuilder {
namespace fwcompiler {
class CompilerDriver_ipfw : public CompilerDriver {
class CompilerDriver_ipfw : public CompilerDriver_pf
{
QStringList activation_commands;
protected:
virtual QString assembleManifest(libfwbuilder::Firewall* fw);
virtual QString printActivationCommands(libfwbuilder::Firewall *fw);
virtual QString assembleFwScript(libfwbuilder::Firewall* fw,
OSConfigurator *ocsnf);
public:


@ -84,6 +84,34 @@ using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
QString CompilerDriver_ipfw::assembleManifest(Firewall* fw)
{
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
script << MANIFEST_MARKER << "* " << QFileInfo(fw_file_name).fileName();
string remote_name = fw->getOptionsObject()->getStr("script_name_on_firewall");
if (!remote_name.empty()) script << " " << remote_name;
script << "\n";
script << "#" << endl;
script << "#" << endl;
return script_buffer;
}
QString CompilerDriver_ipfw::printActivationCommands(Firewall *fw)
{
return activation_commands.join("\n");
}
QString CompilerDriver_ipfw::assembleFwScript(Firewall* fw, OSConfigurator *oscnf)
{
Configlet script_skeleton(fw, "bsd", "ipfw_script_skeleton");
Configlet top_comment(fw, "bsd", "top_comment");
assembleFwScriptInternal(fw, oscnf, &script_skeleton, &top_comment);
return script_skeleton.expand();
}
string CompilerDriver_ipfw::run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id)
@ -121,16 +149,17 @@ string CompilerDriver_ipfw::run(const std::string &cluster_id,
/*
* Process firewall options, build OS network configuration script
*/
std::auto_ptr<OSConfigurator> oscnf;
string family=Resources::os_res[fw->getStr("host_OS")]->Resources::getResourceStr("/FWBuilderResources/Target/family");
if ( family=="macosx")
oscnf = std::auto_ptr<OSConfigurator>(new OSConfigurator_macosx(objdb , fw, false));
std::auto_ptr<OSConfigurator_bsd> oscnf;
string host_os = fw->getStr("host_OS");
string family = Resources::os_res[host_os]->Resources::getResourceStr("/FWBuilderResources/Target/family");
if ( host_os == "macosx")
oscnf = std::auto_ptr<OSConfigurator_bsd>(new OSConfigurator_macosx(objdb , fw, false));
if ( family=="freebsd")
oscnf = std::auto_ptr<OSConfigurator>(new OSConfigurator_freebsd(objdb , fw, false));
if ( host_os == "freebsd")
oscnf = std::auto_ptr<OSConfigurator_bsd>(new OSConfigurator_freebsd(objdb , fw, false));
if (oscnf.get()==NULL)
throw FWException("Unrecognized host OS "+fw->getStr("host_OS")+" (family "+family+")");
throw FWException("Unrecognized host OS " + host_os + " (family " + family + ")");
oscnf->prolog();
@ -258,29 +287,6 @@ string CompilerDriver_ipfw::run(const std::string &cluster_id,
generated_script += c_str.str();
}
#if NO_IPV6
/*
* create compilers and run the whole thing
*/
PolicyCompiler_ipfw c( objdb , fw, false , oscnf.get() );
c.setDebugLevel( dl );
if (rule_debug_on) c.setDebugRule( drp );
c.setVerbose( verbose );
if (inTestMode()) c.setTestMode();
if (inEmbeddedMode()) c.setEmbeddedMode();
bool have_ipfw=false;
if ( c.prolog() > 0 )
{
have_ipfw=true;
c.compile();
c.epilog();
}
#endif
if (haveErrorsAndWarnings())
{
all_errors.push_front(getErrors("").c_str());
@ -293,6 +299,18 @@ string CompilerDriver_ipfw::run(const std::string &cluster_id,
generated_script;
}
PolicyCompiler_ipfw c(objdb, fw, false, oscnf.get());
activation_commands.push_back(c.defaultRules().c_str());
activation_commands.push_back(generated_script.c_str());
/*
* assemble the script and then perhaps post-process it if needed
*/
QString script_buffer = assembleFwScript(fw, oscnf.get());
/*********************************************************************/
#if OLD_SCHOOL
/*
* now write generated scripts to files
*/
@ -423,6 +441,11 @@ string CompilerDriver_ipfw::run(const std::string &cluster_id,
script << endl;
#endif
info("Output file name: " + fw_file_name.toStdString());
QFile fw_file(fw_file_name);
if (fw_file.open(QIODevice::WriteOnly))
{
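Review bot: CompilerDriver_ipfw::assembleManifest appends two `#` lines after the manifest entry (`script << "#" << endl;` twice), while the ipf and pf versions of assembleManifest stop at the newline; all three feed the same `manifest` variable of the shared top_comment configlet, so the ipfw header gets two extra comment lines unless the configlet differs per platform — worth checking against the configlet and dropping the two lines if it does not. The `PolicyCompiler_ipfw c(objdb, fw, false, oscnf.get());` added before `activation_commands.push_back(c.defaultRules().c_str());` is built only to call defaultRules(), without the prolog()/compile() sequence the removed `#if NO_IPV6` block ran; if defaultRules() depends on prolog() having run, the activation commands are incomplete — presumably it does not, and a comment saying so would settle it. The old script assembly now sits under `#if OLD_SCHOOL`; dead code behind a macro nobody defines should be deleted rather than kept now that `assembleFwScript` replaces it. run() continues past the end of the section.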


@ -55,6 +55,8 @@ using namespace fwcompiler;
CompilerDriver_pf::CompilerDriver_pf(FWObjectDatabase *db) :
CompilerDriver(db)
{
have_nat = false;
have_filter = false;
}
// create a copy of itself, including objdb
@ -314,3 +316,33 @@ void CompilerDriver_pf::printStaticOptions(QTextStream &file, Firewall* fw)
}
void CompilerDriver_pf::setToolPathVar(Firewall* fw,
const string &os,
const string &var_path_suffix,
OSData::tools osdata_tool_type,
Configlet *configlet)
{
OSData os_data;
FWOptions* options = fw->getOptionsObject();
string s;
string path;
s = options->getStr(os + "_" + var_path_suffix);
if (!s.empty()) path = s;
else path = os_data.getPathForTool(os, osdata_tool_type);
configlet->setVariable(var_path_suffix.c_str(), path.c_str());
}
QString CompilerDriver_pf::printPathForAllTools(Firewall* fw, const string &os)
{
Configlet tools = Configlet(fw, "bsd", "tools");
tools.removeComments();
setToolPathVar(fw, os, "path_ipf", OSData::IPF, &tools);
setToolPathVar(fw, os, "path_ipnat", OSData::IPNAT, &tools);
setToolPathVar(fw, os, "path_ipfw", OSData::IPFW, &tools);
setToolPathVar(fw, os, "path_pfctl", OSData::PFCTL, &tools);
setToolPathVar(fw, os, "path_sysctl", OSData::SYSCTL, &tools);
setToolPathVar(fw, os, "path_logger", OSData::LOGGER, &tools);
return tools.expand();
}
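Review bot: setToolPathVar has no comment and its contract is only visible from the body; `// Resolve the path of one external tool: the firewall option "<os>_<var_path_suffix>" wins, otherwise OSData's default for the tool; the result is stored in the configlet variable named var_path_suffix.` on the definition captures it. In printPathForAllTools, `Configlet tools = Configlet(fw, "bsd", "tools");` is copy-initialisation where every other site in this commit uses direct initialisation (`Configlet act(fw, "bsd", "ipf_activation");`); `Configlet tools(fw, "bsd", "tools");` reads the same and does not rely on Configlet being copyable. The `os` argument is the OS family string passed from assembleFwScriptInternal (`printPathForAllTools(fw, family)`), not host_os, so the option keys looked up are `<family>_path_ipf` and so on — worth stating in the comment, since run() in this same commit switches its own OS checks from family to host_os.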


@ -27,8 +27,10 @@
#define __COMPILER_DRIVER_PF_HH__
#include "CompilerDriver.h"
#include "OSConfigurator_bsd.h"
#include "TableFactory.h"
#include "OSData.h"
#include "Configlet.h"
#include <string>
#include <sstream>
@ -85,9 +87,20 @@ namespace fwcompiler {
// std::map<std::string, fwcompiler::TableFactory*> table_factories;
MapTableFactory table_factories;
protected:
void setToolPathVar(libfwbuilder::Firewall* fw,
const std::string &os,
const std::string &var_path_suffix,
OSData::tools osdata_tool_type,
Configlet *configlet);
QString composeActivationCommand(libfwbuilder::Firewall *fw,
const std::string &pfctl_debug,
const std::string &anchor_name,
const std::string &pf_version,
const std::string &remote_file_name);
protected:
std::string getConfFileName(const std::string &ruleset_name,
const std::string &fwobjectname,
const std::string &fw_file_name);
@ -102,8 +115,15 @@ protected:
void printProlog(QTextStream &file, const std::string &prolog_code);
void printStaticOptions(QTextStream &file, libfwbuilder::Firewall* fw);
virtual QString printPathForAllTools(libfwbuilder::Firewall* fw,
const std::string &os);
virtual QString printActivationCommands(libfwbuilder::Firewall *fw);
virtual QString assembleFwScript(libfwbuilder::Firewall* fw,
OSConfigurator *ocsnf);
virtual QString assembleManifest(libfwbuilder::Firewall* fw);
public:
CompilerDriver_pf(libfwbuilder::FWObjectDatabase *db);
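Review bot: The hunk introduces a `protected:` label directly ahead of the pre-existing one, so `Configlet *configlet);` is followed by `protected:` twice in a row; the new declarations can simply go under the existing specifier. composeActivationCommand's `anchor_name` and `pf_version` are undocumented; `// anchor_name empty => command for the main ruleset, otherwise for the named anchor; pf_version "obsd_lt_3.2" drives the pf_version_lt_3_2/ge_3_2 configlet switches` matches what the definition does with them.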


@ -46,6 +46,7 @@
#include <cstring>
#include <iomanip>
#include "Configlet.h"
#include "CompilerDriver_pf.h"
#include "PolicyCompiler_pf.h"
@ -84,12 +85,111 @@
#include <QFile>
#include <QTextStream>
using namespace std;
using namespace libfwbuilder;
using namespace fwcompiler;
QString CompilerDriver_pf::composeActivationCommand(Firewall *fw,
const string &pfctl_debug,
const string &anchor_name,
const string &pf_version,
const string &remote_file_name)
{
Configlet act(fw, "bsd", "pf_activation");
act.removeComments();
act.setVariable("pfctl_debug", pfctl_debug.c_str());
act.setVariable("anchor", !anchor_name.empty());
act.setVariable("anchor_name", anchor_name.c_str());
if (pf_version == "obsd_lt_3.2")
{
act.setVariable("pf_version_lt_3_2", 1);
act.setVariable("pf_version_ge_3_2", 0);
} else
{
act.setVariable("pf_version_lt_3_2", 0);
act.setVariable("pf_version_ge_3_2", 1);
}
act.setVariable("remote_file", remote_file_name.c_str());
return act.expand();
}
QString CompilerDriver_pf::printActivationCommands(Firewall *fw)
{
FWOptions* options = fw->getOptionsObject();
bool debug = options->getBool("debug");
string pfctl_dbg = (debug)?"-v ":"";
QStringList activation_commands;
string remote_file = remote_conf_files["__main__"];
if (remote_file.empty()) remote_file = conf_files["__main__"];
if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file;
activation_commands.push_back(
composeActivationCommand(
fw, pfctl_dbg, "", fw->getStr("version"), remote_file));
for (map<string,string>::iterator i=conf_files.begin();
i!=conf_files.end(); ++i)
{
string remote_file = remote_conf_files[i->first];
if (remote_file.empty()) remote_file = i->second;
if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file;
if (i->first != "__main__")
activation_commands.push_back(
composeActivationCommand(
fw, pfctl_dbg, i->first, fw->getStr("version"), remote_file));
}
return activation_commands.join("\n");
}
QString CompilerDriver_pf::assembleManifest(Firewall* fw)
{
QFileInfo fw_file_info(fw_file_name);
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
script << MANIFEST_MARKER << "* " << fw_file_info.fileName();
string remote_name = fw->getOptionsObject()->getStr("script_name_on_firewall");
if (!remote_name.empty()) script << " " << remote_name;
script << "\n";
for (map<string,string>::iterator i=conf_files.begin();
i!=conf_files.end(); ++i)
{
string ruleset_name = i->first;
QString file_name = QFileInfo(i->second.c_str()).fileName();
QString remote_file_name = remote_conf_files[ruleset_name].c_str();
script << MANIFEST_MARKER << " " << file_name;
if (!remote_file_name.isEmpty() && remote_file_name != file_name)
script << " " << remote_file_name;
script << "\n";
}
return script_buffer;
}
QString CompilerDriver_pf::assembleFwScript(Firewall* fw, OSConfigurator *oscnf)
{
FWOptions* options = fw->getOptionsObject();
Configlet script_skeleton(fw, "bsd", "pf_script_skeleton");
Configlet top_comment(fw, "bsd", "top_comment");
assembleFwScriptInternal(fw, oscnf, &script_skeleton, &top_comment);
if (fw->getStr("platform") == "pf")
{
script_skeleton.setVariable("pf_flush_states", options->getBool("pf_flush_states"));
script_skeleton.setVariable("pf_version_ge_4_x", fw->getStr("version")=="4.x");
} else
{
script_skeleton.setVariable("pf_flush_states", 0);
script_skeleton.setVariable("pf_version_ge_4_x", 0);
}
return script_skeleton.expand();
}
string CompilerDriver_pf::run(const std::string &cluster_id,
const std::string &firewall_id,
const std::string &single_rule_id)
@ -124,35 +224,35 @@ string CompilerDriver_pf::run(const std::string &cluster_id,
string pre_hook = fw->getOptionsObject()->getStr("prolog_script");
bool debug = options->getBool("debug");
string shell_dbg = (debug)?"-x":"" ;
string shell_dbg = (debug)?"set -x":"" ;
string pfctl_dbg = (debug)?"-v ":"";
string pfctl_f_option = "-f ";
// if (fw->getStr("version")=="obsd_3.2") pfctl_f_option="-f ";
if (fw->getStr("version")=="obsd_lt_3.2") pfctl_f_option="-R ";
/*
* Process firewall options, build OS network configuration script
*/
std::auto_ptr<OSConfigurator> oscnf;
string family = Resources::os_res[fw->getStr("host_OS")
std::auto_ptr<OSConfigurator_bsd> oscnf;
string platform = fw->getStr("platform");
string fw_version = fw->getStr("version");
string host_os = fw->getStr("host_OS");
string family = Resources::os_res[host_os
]->Resources::getResourceStr("/FWBuilderResources/Target/family");
if (family=="solaris")
oscnf = std::auto_ptr<OSConfigurator>(new OSConfigurator_solaris(
objdb , fw, false));
if (host_os == "solaris")
oscnf = std::auto_ptr<OSConfigurator_bsd>(new OSConfigurator_solaris(
objdb , fw, false));
if (family=="openbsd")
oscnf = std::auto_ptr<OSConfigurator>(new OSConfigurator_openbsd(
objdb , fw, false));
if (family=="freebsd")
oscnf = std::auto_ptr<OSConfigurator>(new OSConfigurator_freebsd(
objdb , fw, false));
if (host_os == "openbsd")
oscnf = std::auto_ptr<OSConfigurator_bsd>(new OSConfigurator_openbsd(
objdb , fw, false));
if (host_os == "freebsd")
oscnf = std::auto_ptr<OSConfigurator_bsd>(new OSConfigurator_freebsd(
objdb , fw, false));
if (oscnf.get()==NULL)
throw FWException("Unrecognized host OS " +
fw->getStr("host_OS")+" (family "+family+")");
host_os + " (family " + family + ")");
oscnf->prolog();
@ -165,8 +265,6 @@ string CompilerDriver_pf::run(const std::string &cluster_id,
findImportedRuleSets(fw, all_policies);
vector<int> ipv4_6_runs;
bool have_nat = false;
bool have_pf = false;
// command line options -4 and -6 control address family for which
// script will be generated. If "-4" is used, only ipv4 part will
@ -348,7 +446,7 @@ string CompilerDriver_pf::run(const std::string &cluster_id,
c.compile();
c.epilog();
}
have_pf = (have_pf || (pf_rules_count > 0));
have_filter = (have_filter || (pf_rules_count > 0));
if (policy->isTop())
{
@ -456,152 +554,16 @@ string CompilerDriver_pf::run(const std::string &cluster_id,
}
}
char *timestr;
time_t tm;
struct tm *stm;
tm=time(NULL);
stm=localtime(&tm);
timestr=strdup(ctime(&tm));
timestr[ strlen(timestr)-1 ]='\0';
#ifdef _WIN32
char* user_name=getenv("USERNAME");
#else
struct passwd *pwd=getpwuid(getuid());
assert(pwd);
char *user_name=pwd->pw_name;
#endif
if (user_name==NULL)
{
user_name=getenv("LOGNAME");
if (user_name==NULL)
abort("Can't figure out your user name");
}
/*
* assemble the script and then perhaps post-process it if needed
*/
QString script_buffer;
QTextStream script(&script_buffer, QIODevice::WriteOnly);
script << "#!/bin/sh ";
script << shell_dbg << "\n";
script << "#\n\
# This is automatically generated file. DO NOT MODIFY !\n\
#\n\
# Firewall Builder fwb_pf v" << VERSION << "-" << BUILD_NUM << " \n\
#\n\
# Generated " << timestr << " " << tzname[stm->tm_isdst] << " by "
<< user_name << "\n#\n";
info("Output file name: " + fw_file_name.toStdString());
QFileInfo fw_file_info(fw_file_name);
script << MANIFEST_MARKER << "* " << fw_file_info.fileName();
string remote_name = fw->getOptionsObject()->getStr("script_name_on_firewall");
if (!remote_name.empty()) script << " " << remote_name;
script << "\n";
for (map<string,string>::iterator i=conf_files.begin();
i!=conf_files.end(); ++i)
{
string ruleset_name = i->first;
QString file_name = QFileInfo(i->second.c_str()).fileName();
QString remote_file_name = remote_conf_files[ruleset_name].c_str();
script << MANIFEST_MARKER << " " << file_name;
if (!remote_file_name.isEmpty() && remote_file_name != file_name)
script << " " << remote_file_name;
script << "\n";
}
script << "#" << "\n";
script << "#" << "\n";
string fwcomment=fw->getComment();
string::size_type n1,n2;
n1=n2=0;
while ( (n2=fwcomment.find("\n",n1))!=string::npos )
{
script << "# " << fwcomment.substr(n1,n2-n1) << "\n";
n1=n2+1;
}
script << "# " << fwcomment.substr(n1) << "\n";
script << "#\n#\n#\n";
script << prepend("# ", all_errors.join("\n")).toStdString() << endl;
script << "FWDIR=`dirname $0`" << "\n" << "\n";
script << oscnf->getCompiledScript();
script << "\n";
script << "log '";
script << "Activating firewall script generated "
<< timestr << " " << " by "
<< user_name;
script << "'" << "\n";
script << "\n";
if (prolog_place == "fw_file")
printProlog(script, pre_hook);
script << "\n";
string remote_file = remote_conf_files["__main__"];
if (remote_file.empty()) remote_file = conf_files["__main__"];
if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file;
script << "$PFCTL " << pfctl_dbg << pfctl_f_option
<< remote_file
<< " || exit 1"
<< "\n";
for (map<string,string>::iterator i=conf_files.begin();
i!=conf_files.end(); ++i)
{
string remote_file = remote_conf_files[i->first];
if (remote_file.empty()) remote_file = i->second;
if (remote_file[0] != '/') remote_file = "${FWDIR}/" + remote_file;
if (i->first != "__main__")
script << "$PFCTL " << pfctl_dbg
<< "-a " << i->first << " "
<< pfctl_f_option
<< remote_file
<< " || exit 1"
<< "\n";
}
if (options->getBool("pf_flush_states") && fw->getStr("version")=="4.x")
script << "$PFCTL -F states" << "\n";
script << "\n";
script << "#" << "\n";
script << "# Epilog script" << "\n";
script << "#" << "\n";
string post_hook= fw->getOptionsObject()->getStr("epilog_script");
script << post_hook << "\n";
script << "\n";
script << "# End of epilog script" << "\n";
script << "#" << "\n";
script << "\n";
QString script_buffer = assembleFwScript(fw, oscnf.get());
// clear() calls destructors of all elements in the container
table_factories.clear();
generated_scripts.clear();
info("Output file name: " + fw_file_name.toStdString());
QFile fw_file(fw_file_name);
if (fw_file.open(QIODevice::WriteOnly))
@ -651,3 +613,4 @@ void MapTableFactory::clear()
delete it->second;
std::map<std::string, fwcompiler::TableFactory*>::clear();
}


@ -25,6 +25,7 @@
#include <assert.h>
#include "Configlet.h"
#include "OSConfigurator_bsd.h"
#include "fwbuilder/Firewall.h"
@ -34,6 +35,9 @@
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include <QTextStream>
#include <QString>
#include <algorithm>
#include <functional>
#include <iostream>
@ -49,8 +53,9 @@ string OSConfigurator_bsd::getInterfaceVarName(FWObject *iface)
return string("i_") + iface->getName();
}
void OSConfigurator_bsd::processFirewallOptions()
string OSConfigurator_bsd::printKernelVarsCommands()
{
return "";
}
void OSConfigurator_bsd::addVirtualAddressForNAT(const Network*)
@ -88,52 +93,21 @@ int OSConfigurator_bsd::prolog()
return 0;
}
void OSConfigurator_bsd::printPathForAllTools(const string &)
{
}
void OSConfigurator_bsd::printFunctions()
string OSConfigurator_bsd::printFunctions()
{
FWOptions* options=fw->getOptionsObject();
output << endl;
output << "log() {" << endl;
output << " test -x \"$LOGGER\" && $LOGGER -p info \"$1\"" << endl;
output << "}" << endl;
output << endl;
output << "add_addr() {" << endl;
output << " addr=$1" << endl;
output << " nm=$2" << endl;
output << " dev=$3" << endl;
output << " ( ifconfig $dev | egrep -q \"inet +${addr} \" ) || " << endl;
output << " { " << endl;
output << " echo \"$dev: $addr/$nm\"" << endl;
output << " ifconfig $dev inet $addr netmask $nm alias" << endl;
output << " } " << endl;
output << "}" << endl;
output << endl;
output << endl;
Configlet functions(fw, "bsd", "shell_functions");
functions.removeComments();
functions.setVariable("dyn_addr", options->getBool("dynAddr"));
if (options->getBool("dynAddr"))
{
output << "getaddr() {" << endl;
output << " intf=$1" << endl;
output << " varname=$2" << endl;
output << " L=`ifconfig $1 | grep 'inet '`" << endl;
output << " if [ -z \"$L\" ]; then" << endl;
output << " L=\"inet 0.0.0.0/32\"" << endl;
output << " fi" << endl;
output << " set $L" << endl;
output << " a=$2" << endl;
output << " eval \"$varname=$a\"" << endl;
output << "}" << endl;
output << endl;
output << endl;
/*
* get addresses of dynamic interfaces
*/
QString script_buffer;
QTextStream ostr(&script_buffer, QIODevice::WriteOnly);
FWObjectTypedChildIterator j=fw->findByType(Interface::TYPENAME);
for ( ; j!=j.end(); ++j )
{
@ -147,25 +121,28 @@ void OSConfigurator_bsd::printFunctions()
* Do we support wildcard interfaces on *BSD at all ?
*/
if (iface->getName().find("*")==string::npos)
output << "getaddr "
<< iface->getName()
<< " "
<< getInterfaceVarName(iface)
<< endl;
ostr << "getaddr "
<< iface->getName().c_str()
<< " "
<< getInterfaceVarName(iface).c_str()
<< "\n";
}
}
}
functions.setVariable("get_dyn_addr_commands", script_buffer);
} else
functions.setVariable("get_dyn_addr_commands", "");
output << endl;
return functions.expand().toStdString();
}
void OSConfigurator_bsd::configureInterfaces()
string OSConfigurator_bsd::configureInterfaces()
{
FWOptions* options=fw->getOptionsObject();
ostringstream ostr;
FWOptions* options = fw->getOptionsObject();
if ( options->getBool("configure_interfaces") )
{
output << endl;
ostr << endl;
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
for ( ; i!=i.end(); ++i )
@ -180,14 +157,14 @@ void OSConfigurator_bsd::configureInterfaces()
for ( ; j!=j.end(); ++j )
{
Address *iaddr = Address::cast(*j);
output << "add_addr "
ostr << "add_addr "
<< iaddr->getAddressPtr()->toString() << " "
<< iaddr->getNetmaskPtr()->toString() << " "
<< iface->getName() << endl;
virtual_addresses.push_back(*(iaddr->getAddressPtr()));
}
}
output << endl;
ostr << endl;
}
if ( options->getBool("configure_carp_interfaces") )
@ -284,8 +261,8 @@ void OSConfigurator_bsd::configureInterfaces()
}
if (have_carp_interfaces)
{
output << "$SYSCTL -w net.inet.carp.allow=1" << endl;
output << carp_output.str() << endl;
ostr << "$SYSCTL -w net.inet.carp.allow=1" << endl;
ostr << carp_output.str() << endl;
}
}
@ -347,7 +324,7 @@ void OSConfigurator_bsd::configureInterfaces()
}
if (have_pfsync_interfaces)
{
output << pfsync_output.str() << endl;
ostr << pfsync_output.str() << endl;
}
}
@ -388,9 +365,25 @@ void OSConfigurator_bsd::configureInterfaces()
}
if (have_vlan_interfaces)
{
output << vlan_output.str() << endl;
ostr << vlan_output.str() << endl;
}
}
return ostr.str();
}
void OSConfigurator_bsd::setKernelVariable(Firewall *fw,
const string &var_name,
Configlet *configlet)
{
FWOptions* options = fw->getOptionsObject();
string s;
s = options->getStr(var_name);
if (!s.empty())
{
configlet->setVariable(QString("have_") + var_name.c_str(), 1);
configlet->setVariable(var_name.c_str(), s=="1" || s=="on" || s=="On");
}
}
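Review bot: setKernelVariable silently coerces every option value: anything other than "1", "on" or "On" becomes false, including the values the replaced per-OS code rejected with `FWException("Illegal value for OS parameter ...")` (the sourceroute, redirect, directed-broadcast and Solaris ndd options were restricted to "0"/"1"). Because these variables drive `$SYSCTL -w net.inet.ip.forwarding=` / `sourceroute=` / `redirect=` and the Solaris `ndd -set` lines, a mistyped option now turns into a quietly applied 0 on the target host instead of a compile-time error. Suggest restoring the check before the two setVariable calls: `if (s != "0" && s != "1" && s != "on" && s != "On") throw FWException("Illegal value for OS parameter " + var_name + ": '" + s + "'");` (FWException is what the removed code threw, so it should be in scope). The same loss applies to the printKernelVarsCommands rewrites in OSConfigurator_freebsd.cpp, OSConfigurator_macosx.cpp, OSConfigurator_openbsd.cpp and OSConfigurator_solaris.cpp, which all route through this helper.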


@ -30,36 +30,43 @@
#include "fwcompiler/OSConfigurator.h"
#include "OSData.h"
#include <QString>
class Configlet;
namespace fwcompiler {
class OSConfigurator_bsd : public OSConfigurator {
protected:
OSData os_data;
std::vector<libfwbuilder::InetAddr> virtual_addresses;
void setKernelVariable(libfwbuilder::Firewall *fw,
const std::string &var_name,
Configlet *configlet);
public:
virtual ~OSConfigurator_bsd() {};
OSConfigurator_bsd(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
bool ipv6_policy) :
OSConfigurator(_db, fw, ipv6_policy) , os_data() {}
OSConfigurator(_db, fw, ipv6_policy) {}
virtual int prolog();
virtual std::string myPlatformName();
virtual void processFirewallOptions();
virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr);
virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw);
virtual void printPathForAllTools(const std::string &os);
virtual void printFunctions();
virtual void configureInterfaces();
virtual std::string printFunctions();
virtual std::string printKernelVarsCommands();
virtual std::string configureInterfaces();
std::string getInterfaceVarName(libfwbuilder::FWObject *iface);
virtual void processFirewallOptions() {}
};
};
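Review bot: The new `setKernelVariable` takes a `libfwbuilder::Firewall *fw` parameter that shadows the `fw` member this class already uses (printFunctions reads `fw->getOptionsObject()` with no parameter), and every visible caller passes that same member, `setKernelVariable(fw, "...", &kernel_vars)`; dropping the parameter removes the shadowing and the chance of a caller passing a different firewall than the one the configlet is built for. The inline `virtual void processFirewallOptions() {}` also deserves a comment saying why it is now a no-op, e.g. `// Kernel settings are emitted by printKernelVarsCommands() and assembled by the driver; nothing to do here.`, since the derived prolog() bodies still reference it in commented-out calls.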


@ -26,6 +26,7 @@
#include <assert.h>
#include "OSConfigurator_freebsd.h"
#include "Configlet.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
@ -42,92 +43,27 @@ using namespace std;
string OSConfigurator_freebsd::myPlatformName() { return "FreeBSD"; }
void OSConfigurator_freebsd::processFirewallOptions()
string OSConfigurator_freebsd::printKernelVarsCommands()
{
FWOptions* options=fw->getOptionsObject();
string s;
s=options->getStr("freebsd_ip_forward");
if (!s.empty()) {
if (s=="1" || s=="On" || s=="on") s="1";
else s="0";
output << "$SYSCTL -w net.inet.ip.forwarding=" << s << endl;
}
s=options->getStr("freebsd_ipv6_forward");
if (!s.empty()) {
if (s=="1" || s=="On" || s=="on") s="1";
else s="0";
// by the way, this is different from OpenBSD
output << "$SYSCTL -w net.inet6.ip6.forwarding=" << s << endl;
}
s=options->getStr("freebsd_ip_sourceroute");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter freebsd_ip_sourceroute: '"+s+"'");
output << "$SYSCTL -w net.inet.ip.sourceroute=" << s << endl;
}
s=options->getStr("freebsd_ip_redirect");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter freebsd_ip_redirect: '"+s+"'");
output << "$SYSCTL -w net.inet.ip.redirect=" << s << endl;
}
Configlet kernel_vars(fw, "bsd", "kernel_vars");
kernel_vars.removeComments();
setKernelVariable(fw, "freebsd_ip_forward", &kernel_vars);
setKernelVariable(fw, "freebsd_ipv6_forward", &kernel_vars);
setKernelVariable(fw, "freebsd_ip_sourceroute", &kernel_vars);
setKernelVariable(fw, "freebsd_ip_redirect", &kernel_vars);
return kernel_vars.expand().toStdString();
}
int OSConfigurator_freebsd::prolog()
{
printPathForAllTools("freebsd");
printFunctions();
//printPathForAllTools("freebsd");
//printFunctions();
processFirewallOptions();
//processFirewallOptions();
configureInterfaces();
//configureInterfaces();
return 0;
}
void OSConfigurator_freebsd::printPathForAllTools(const string &os)
{
FWOptions* options=fw->getOptionsObject();
string s, path_ipf, path_ipnat, path_ipfw, path_pfctl, path_sysctl, path_logger;
s=options->getStr("freebsd_path_ipf");
if (!s.empty()) path_ipf=s;
else path_ipf=os_data.getPathForTool(os,OSData::IPF);
s=options->getStr("freebsd_path_ipnat");
if (!s.empty()) path_ipnat=s;
else path_ipnat=os_data.getPathForTool(os,OSData::IPNAT);
s=options->getStr("freebsd_path_ipfw");
if (!s.empty()) path_ipfw=s;
else path_ipfw=os_data.getPathForTool(os,OSData::IPFW);
s=options->getStr("openbsd_path_pfctl");
if (!s.empty()) path_pfctl=s;
else path_pfctl=os_data.getPathForTool(os,OSData::PFCTL);
s=options->getStr("freebsd_path_sysctl");
if (!s.empty()) path_sysctl=s;
else path_sysctl=os_data.getPathForTool(os,OSData::SYSCTL);
s=options->getStr("freebsd_path_logger");
if (!s.empty()) path_logger=s;
else path_logger=os_data.getPathForTool(os,OSData::LOGGER);
output << "IPF=\"" + path_ipf + "\"\n";
output << "IPNAT=\"" + path_ipnat + "\"\n";
output << "IPFW=\"" + path_ipfw + "\"\n";
output << "PFCTL=\"" + path_pfctl + "\"\n";
output << "SYSCTL=\"" + path_sysctl + "\"\n";
output << "LOGGER=\"" + path_logger + "\"\n";
output << endl;
}
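Review bot: prolog() now consists of four commented-out calls followed by `return 0;`, and the same pattern is left in OSConfigurator_macosx.cpp, OSConfigurator_openbsd.cpp and OSConfigurator_solaris.cpp. Commented-out code reads as a pending decision rather than documentation; delete the four lines and state where the work went, e.g. `// Tool paths, shell functions, kernel variables and interface configuration are now returned by the print*/configureInterfaces methods and assembled by CompilerDriver (assembleFwScript); prolog() has nothing to emit.` — the assembly location is inferred from the `assembleFwScript(fw, oscnf.get())` call in CompilerDriver_pf::run and should be confirmed.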


@ -46,8 +46,7 @@ namespace fwcompiler {
virtual int prolog();
virtual std::string myPlatformName();
virtual void processFirewallOptions();
virtual void printPathForAllTools(const std::string &os);
virtual std::string printKernelVarsCommands();
};
};


@ -26,6 +26,7 @@
#include <assert.h>
#include "OSConfigurator_macosx.h"
#include "Configlet.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
@ -42,69 +43,25 @@ using namespace std;
string OSConfigurator_macosx::myPlatformName() { return "Macosx"; }
void OSConfigurator_macosx::processFirewallOptions()
string OSConfigurator_macosx::printKernelVarsCommands()
{
FWOptions* options=fw->getOptionsObject();
string s;
s=options->getStr("macosx_ip_forward");
if (!s.empty()) {
if (s=="1" || s=="On" || s=="on") s="1";
else s="0";
output << "$SYSCTL -w net.inet.ip.forwarding=" << s << endl;
}
s=options->getStr("macosx_ip_sourceroute");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter macosx_ip_sourceroute: '"+s+"'");
output << "$SYSCTL -w net.inet.ip.sourceroute=" << s << endl;
}
s=options->getStr("macosx_ip_redirect");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter macosx_ip_redirect: '"+s+"'");
output << "$SYSCTL -w net.inet.ip.redirect=" << s << endl;
}
Configlet kernel_vars(fw, "bsd", "kernel_vars");
kernel_vars.removeComments();
setKernelVariable(fw, "macosx_ip_forward", &kernel_vars);
setKernelVariable(fw, "macosx_ip_sourceroute", &kernel_vars);
setKernelVariable(fw, "macosx_ip_redirect", &kernel_vars);
return kernel_vars.expand().toStdString();
}
int OSConfigurator_macosx::prolog()
{
printPathForAllTools("macosx");
printFunctions();
//printPathForAllTools("macosx");
//printFunctions();
processFirewallOptions();
//processFirewallOptions();
configureInterfaces();
//configureInterfaces();
return 0;
}
void OSConfigurator_macosx::printPathForAllTools(const string &os)
{
FWOptions* options=fw->getOptionsObject();
string s, path_ipfw, path_sysctl, path_logger;
s=options->getStr("macosx_path_ipfw");
if (!s.empty()) path_ipfw=s;
else path_ipfw=os_data.getPathForTool(os,OSData::IPFW);
s=options->getStr("macosx_path_sysctl");
if (!s.empty()) path_sysctl=s;
else path_sysctl=os_data.getPathForTool(os,OSData::SYSCTL);
s=options->getStr("macosx_path_logger");
if (!s.empty()) path_logger=s;
else path_logger=os_data.getPathForTool(os,OSData::LOGGER);
output << "IPFW=\"" + path_ipfw + "\"\n";
output << "SYSCTL=\"" + path_sysctl + "\"\n";
output << "LOGGER=\"" + path_logger + "\"\n";
output << endl;
}


@ -46,8 +46,7 @@ namespace fwcompiler {
virtual int prolog();
virtual std::string myPlatformName();
virtual void processFirewallOptions();
virtual void printPathForAllTools(const std::string &os);
virtual std::string printKernelVarsCommands();
};
};


@ -26,6 +26,7 @@
#include <assert.h>
#include "OSConfigurator_openbsd.h"
#include "Configlet.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
@ -34,6 +35,8 @@
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/StateSyncClusterGroup.h"
#include "Configlet.h"
#include <algorithm>
#include <functional>
#include <iostream>
@ -44,85 +47,28 @@ using namespace std;
string OSConfigurator_openbsd::myPlatformName() { return "OpenBSD"; }
void OSConfigurator_openbsd::processFirewallOptions()
string OSConfigurator_openbsd::printKernelVarsCommands()
{
FWOptions* options=fw->getOptionsObject();
string s;
Configlet kernel_vars(fw, "bsd", "kernel_vars");
kernel_vars.removeComments();
s=options->getStr("openbsd_ip_directed_broadcast");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter openbsd_ip_directed_broadcast: '"+s+"'");
output << "$SYSCTL -w net.inet.ip.directed-broadcast=" << s << endl;
}
s=options->getStr("openbsd_ip_forward");
if (!s.empty()) {
if (s=="1" || s=="On" || s=="on") s="1";
else s="0";
output << "$SYSCTL -w net.inet.ip.forwarding=" << s << endl;
}
s=options->getStr("openbsd_ipv6_forward");
if (!s.empty()) {
if (s=="1" || s=="On" || s=="on") s="1";
else s="0";
output << "$SYSCTL -w net.inet6.ip6.forwarding=" << s << endl;
}
s=options->getStr("openbsd_ip_sourceroute");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter openbsd_ip_sourceroute: '"+s+"'");
output << "$SYSCTL -w net.inet.ip.sourceroute=" << s << endl;
}
s=options->getStr("openbsd_ip_redirect");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter openbsd_ip_redirect: '"+s+"'");
output << "$SYSCTL -w net.inet.ip.redirect=" << s << endl;
}
setKernelVariable(fw, "openbsd_ip_directed_broadcast", &kernel_vars);
setKernelVariable(fw, "openbsd_ip_forward", &kernel_vars);
setKernelVariable(fw, "openbsd_ipv6_forward", &kernel_vars);
setKernelVariable(fw, "openbsd_ip_sourceroute", &kernel_vars);
setKernelVariable(fw, "openbsd_ip_redirect", &kernel_vars);
return kernel_vars.expand().toStdString();
}
int OSConfigurator_openbsd::prolog()
{
printPathForAllTools("openbsd");
printFunctions();
//printPathForAllTools("openbsd");
//printFunctions();
processFirewallOptions();
//processFirewallOptions();
configureInterfaces();
//configureInterfaces();
return 0;
}
void OSConfigurator_openbsd::printPathForAllTools(const string &os)
{
FWOptions* options=fw->getOptionsObject();
string s, path_pfctl, path_sysctl, path_logger;
s=options->getStr("openbsd_path_pfctl");
if (!s.empty()) path_pfctl=s;
else path_pfctl=os_data.getPathForTool(os,OSData::PFCTL);
s=options->getStr("openbsd_path_sysctl");
if (!s.empty()) path_sysctl=s;
else path_sysctl=os_data.getPathForTool(os,OSData::SYSCTL);
s=options->getStr("openbsd_path_logger");
if (!s.empty()) path_logger=s;
else path_logger=os_data.getPathForTool(os,OSData::LOGGER);
output << "PFCTL=\"" + path_pfctl + "\"\n";
output << "SYSCTL=\"" + path_sysctl + "\"\n";
output << "LOGGER=\"" + path_logger + "\"\n";
output << endl;
}
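Review bot: `#include "Configlet.h"` is added twice in this file, once after `OSConfigurator_openbsd.h` in the first hunk and again after `StateSyncClusterGroup.h` in the second. The include guard makes it harmless, but the second copy should be dropped; the freebsd, macosx and solaris counterparts add it once.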


@ -46,8 +46,7 @@ namespace fwcompiler {
virtual int prolog();
virtual std::string myPlatformName();
virtual void processFirewallOptions();
virtual void printPathForAllTools(const std::string &os);
virtual std::string printKernelVarsCommands();
};
};


@ -26,6 +26,7 @@
#include <assert.h>
#include "OSConfigurator_solaris.h"
#include "Configlet.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/FWOptions.h"
@ -42,51 +43,16 @@ using namespace std;
string OSConfigurator_solaris::myPlatformName() { return "Solaris"; }
void OSConfigurator_solaris::processFirewallOptions()
string OSConfigurator_solaris::printKernelVarsCommands()
{
FWOptions* options=fw->getOptionsObject();
string s;
s=options->getStr("solaris_ip_forward");
if (!s.empty()) {
if (s=="1" || s=="On" || s=="on") s="1";
else s="0";
output << "ndd -set /dev/ip ip_forwarding " << s << endl;
}
s=options->getStr("solaris_ip_ignore_redirect");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter solaris_ip_ignore_redirect: '"+s+"'");
output << "ndd -set /dev/ip ip_ignore_redirect " << s << endl;
}
s=options->getStr("solaris_ip_respond_to_echo_broadcast");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter solaris_ip_respond_to_echo_broadcast: '"+s+"'");
output << "ndd -set /dev/ip ip_respond_to_echo_broadcast " << s << endl;
}
s=options->getStr("solaris_ip_forward_directed_broadcasts");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter solaris_ip_forward_directed_broadcasts: '"+s+"'");
output << "ndd -set /dev/ip ip_forward_directed_broadcasts " << s << endl;
}
s=options->getStr("solaris_ip_forward_src_routed");
if (!s.empty()) {
if (s!="0" && s!="1")
throw FWException("Illegal value for OS parameter solaris_ip_forward_src_routed: '"+s+"'");
output << "ndd -set /dev/ip ip_forward_src_routed " << s << endl;
}
Configlet kernel_vars(fw, "bsd", "kernel_vars");
kernel_vars.removeComments();
setKernelVariable(fw, "solaris_ip_forward", &kernel_vars);
setKernelVariable(fw, "solaris_ip_ignore_redirect", &kernel_vars);
setKernelVariable(fw, "solaris_ip_respond_to_echo_broadcast", &kernel_vars);
setKernelVariable(fw, "solaris_ip_forward_directed_broadcasts", &kernel_vars);
setKernelVariable(fw, "solaris_ip_forward_src_routed", &kernel_vars);
return kernel_vars.expand().toStdString();
}
void OSConfigurator_solaris::addVirtualAddressForNAT(const Network*)
@ -120,68 +86,23 @@ void OSConfigurator_solaris::addVirtualAddressForNAT(const Address *addr)
int OSConfigurator_solaris::prolog()
{
printPathForAllTools("solaris");
//printPathForAllTools("solaris");
processFirewallOptions();
//processFirewallOptions();
configureInterfaces();
//configureInterfaces();
return 0;
}
void OSConfigurator_solaris::printPathForAllTools(const string &os)
{
FWOptions* options=fw->getOptionsObject();
string s, path_ipf, path_ipnat, path_logger;
s=options->getStr("solaris_path_ipf");
if (!s.empty()) path_ipf=s;
else path_ipf=os_data.getPathForTool(os,OSData::IPF);
s=options->getStr("solaris_path_ipnat");
if (!s.empty()) path_ipnat=s;
else path_ipnat=os_data.getPathForTool(os,OSData::IPNAT);
s=options->getStr("solaris_path_logger");
if (!s.empty()) path_logger=s;
else path_logger=os_data.getPathForTool(os,OSData::LOGGER);
output << endl;
output << "log() {" << endl;
output << " test -x \"$LOGGER\" && $LOGGER -p info \"$1\"" << endl;
output << "}" << endl;
output << endl;
output << "add_addr() {" << endl;
output << " addr=$1" << endl;
output << " nm=$2" << endl;
output << " dev=$3" << endl;
output << " ( ifconfig $dev | egrep -s \"inet +${addr} \" ) || " << endl;
output << " { " << endl;
output << " echo \"$dev: $addr\"" << endl;
output << " ifconfig $dev $addr alias" << endl;
output << " } " << endl;
output << "}" << endl;
output << endl;
output << endl;
output << "IPF=\"" + path_ipf + "\"\n";
output << "IPNAT=\"" + path_ipnat + "\"\n";
output << "LOGGER=\"" + path_logger + "\"\n";
output << endl;
output << endl;
}
void OSConfigurator_solaris::configureInterfaces()
string OSConfigurator_solaris::configureInterfaces()
{
ostringstream ostr;
FWOptions* options=fw->getOptionsObject();
if ( options->getBool("configure_interfaces") )
{
output << endl;
ostr << endl;
FWObjectTypedChildIterator i=fw->findByType(Interface::TYPENAME);
for ( ; i!=i.end(); ++i )
@ -195,7 +116,7 @@ void OSConfigurator_solaris::configureInterfaces()
for ( ; j!=j.end(); ++j )
{
Address *iaddr = Address::cast(*j);
output << "add_addr "
ostr << "add_addr "
<< iaddr->getAddressPtr()->toString() << " "
<< iaddr->getNetmaskPtr()->toString() << " "
<< iface->getName() << endl;
@ -203,8 +124,9 @@ void OSConfigurator_solaris::configureInterfaces()
virtual_addresses.push_back(*(iaddr->getAddressPtr()));
}
}
output << endl;
ostr << endl;
}
return ostr.str();
}
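Review bot: With the Solaris printPathForAllTools removed, the Solaris script now gets add_addr from the shared bsd shell_functions configlet, which runs `ifconfig $dev inet $addr netmask $nm alias` and `egrep -q`; the deleted Solaris version deliberately used `ifconfig $dev $addr alias` and `egrep -s`, and the new header comment itself notes that Solaris is not BSD. If Solaris ifconfig does not accept the BSD form (not verifiable from this diff), configure_interfaces output will fail on Solaris hosts, so either a Solaris-specific shell_functions configlet or a note recording that the BSD form was verified on Solaris is needed.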


@ -28,16 +28,24 @@
#include "config.h"
#include "fwcompiler/OSConfigurator.h"
#include "fwbuilder/InetAddr.h"
#include <vector>
#include "OSConfigurator_bsd.h"
#include "OSData.h"
/*
* Of course Solaris has nothing to do with BSD. Class
* OSConfigurator_solaris inherits OSConfigurator_bsd only because the
* latter is the base class for all OSConfigurator classes for the
* pf-ipf-ipfw family. TODO: rename OSConfigurator_bsd to use more
* generic name, something like OSConfigurator_generic_pf_ipf_family
*/
namespace fwcompiler {
class OSConfigurator_solaris : public OSConfigurator {
class OSConfigurator_solaris : public OSConfigurator_bsd {
OSData os_data;
@ -49,16 +57,17 @@ namespace fwcompiler {
OSConfigurator_solaris(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
bool ipv6_policy) :
OSConfigurator(_db, fw, ipv6_policy) , os_data() {}
OSConfigurator_bsd(_db, fw, ipv6_policy) , os_data() {}
virtual int prolog();
virtual std::string myPlatformName();
virtual void processFirewallOptions();
virtual std::string printKernelVarsCommands();
virtual void addVirtualAddressForNAT(const libfwbuilder::Address *addr);
virtual void addVirtualAddressForNAT(const libfwbuilder::Network *nw);
void printPathForAllTools(const std::string &os);
void configureInterfaces();
virtual std::string configureInterfaces();
};
};
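Review bot: The kept `OSData os_data;` member now shadows the `os_data` member inherited from OSConfigurator_bsd, so each OSConfigurator_solaris object carries two OSData instances and `os_data` resolves to the derived one in Solaris code but to the base one inside inherited methods such as configureInterfaces. Drop the derived declaration and the `os_data()` mem-initializer, leaving `OSConfigurator_bsd(_db, fw, ipv6_policy) {}` as OSConfigurator_bsd.h already does in this commit.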


@ -0,0 +1,21 @@
## -*- mode: shell-script; -*-
##
{{if dyn_addr}}
{{if filter}}
cat {{$remote_file}} | grep -v '#' | {{$interface_name_substitution_commands}} | $IPF {{$ipf_debug}} -I -f -
{{endif}}
{{if nat}}
cat {{$remote_file}} | grep -v '#' | {{$interface_name_substitution_commands}} | $IPNAT {{$ipf_debug}} -f -
{{endif}}
{{endif}}
{{if not_dyn_addr}}
{{if filter}}
$IPF {{$ipf_debug}} -I -f {{$remote_file}}
{{endif}}
{{if nat}}
$IPNAT {{$ipf_debug}} -f {{$remote_file}}
{{endif}}
{{endif}}
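Review bot: None of the four loader lines checks the exit status of `$IPF ... -I -f` or `$IPNAT ... -f`, unlike the pf activation configlet which appends `|| exit 1`. Since the ipf script skeleton runs `$IPF -Fa` and `$IPNAT -C` immediately before these commands and `$IPF -s` after them, a rule file that fails to parse leaves the host with the previous rules flushed while the script carries on as if activation succeeded. Append ` || run_epilog_and_exit 1` (the helper the skeleton defines) to each loader line; in sh the pipeline's status is that of the last command, so this works for the piped form too. Separately, `grep -v '#'` removes every line containing a '#', not only comment lines, so `grep -v '^#'` or `sed 's/#.*//'` is safer if the generated file can carry trailing comments.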


@ -0,0 +1,59 @@
## -*- mode: shell-script; -*-
##
## Double '##' comments are removed when configlet is processed.
## Single '#' comments stay.
{{$top_comment}}
{{$errors_and_warnings}}
FWDIR=`dirname $0`
{{$shell_debug}}
{{$tools}}
{{$shell_functions}}
verify_interfaces() {
{{$verify_interfaces}}
}
set_kernel_vars() {
{{$kernel_vars_commands}}
}
prolog_commands() {
{{$prolog_script}}
}
epilog_commands() {
{{$epilog_script}}
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
configure_interfaces() {
{{$configure_interfaces}}
}
log "Activating firewall script generated {{$timestamp}} by {{$user}}"
set_kernel_vars
configure_interfaces
prolog_commands
$IPF -Fa
$IPNAT -C
{{$activation_commands}}
{{if have_filter}}
$IPF -s
{{endif}}
epilog_commands
/sbin/kldstat -n ipl.ko > /dev/null 2>&1 || $IPF -E
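Review bot: `verify_interfaces()` is defined but never called anywhere in this skeleton, so `{{$verify_interfaces}}` becomes dead text; the ipfw and pf skeletons carry the same unused definition, and `run_epilog_and_exit` is defined in all three without any visible configlet invoking it. Either call `verify_interfaces` before `set_kernel_vars` or remove the function until it is wired in. The final `/sbin/kldstat -n ipl.ko` line also hard-codes a tool path in a script that otherwise parameterizes every tool through `{{$tools}}`; a `KLDSTAT` variable would keep that consistent.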


@ -0,0 +1,53 @@
## -*- mode: shell-script; -*-
##
## Double '##' comments are removed when configlet is processed.
## Single '#' comments stay.
{{$top_comment}}
{{$errors_and_warnings}}
{{$shell_debug}}
cd {{$firewall_dir}} || exit 1
{{$tools}}
{{$shell_functions}}
verify_interfaces() {
{{$verify_interfaces}}
}
set_kernel_vars() {
{{$kernel_vars_commands}}
}
prolog_commands() {
{{$prolog_script}}
}
epilog_commands() {
{{$epilog_script}}
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
configure_interfaces() {
{{$configure_interfaces}}
}
log "Activating firewall script generated {{$timestamp}} by {{$user}}"
set_kernel_vars
configure_interfaces
prolog_commands
{{$activation_commands}}
epilog_commands
"$IPFW" set swap 0 1 || exit 1
"$IPFW" delete set 1
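Review bot: `epilog_commands` runs before `"$IPFW" set swap 0 1`, so the user's epilog executes while the new rules still sit in set 1 and the old set 0 is active, whereas the ipf and pf skeletons run the epilog after activation. If the epilog is meant to observe the activated ruleset, move the swap and `"$IPFW" delete set 1` above `epilog_commands`; if this ordering is deliberate, a `##` comment should say so. Both `cd {{$firewall_dir}} || exit 1` and `set swap ... || exit 1` also bypass the `run_epilog_and_exit` helper this skeleton defines.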


@ -0,0 +1,2 @@
## -*- mode: shell-script; -*-


@ -0,0 +1,5 @@
## -*- mode: shell-script; -*-
##
$PFCTL {{$pfctl_debug}} {{if anchor}}-a {{$anchor_name}}{{endif}} \
{{if pf_version_lt_3_2}}-R{{endif}} {{if pf_version_ge_3_2}}-f{{endif}} \
{{$remote_file}} || exit 1
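Review bot: `-R` and `-f` are emitted under two independent conditions, pf_version_lt_3_2 and pf_version_ge_3_2; if the driver sets neither, pfctl is invoked with the rules file as a bare argument and no load flag. The replaced code in CompilerDriver_pf::run defaulted to `-f` and used `-R` only for version obsd_lt_3.2, so the caller must always set exactly one of the two variables, and the configlet should state that contract in a `##` comment since the template cannot express a default. `|| exit 1` here also skips the epilog; `run_epilog_and_exit 1` from the skeleton would run it.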


@ -0,0 +1,56 @@
## -*- mode: shell-script; -*-
##
## Double '##' comments are removed when configlet is processed.
## Single '#' comments stay.
{{$top_comment}}
{{$errors_and_warnings}}
{{$shell_debug}}
FWDIR=`dirname $0`
{{$tools}}
{{$shell_functions}}
verify_interfaces() {
{{$verify_interfaces}}
}
set_kernel_vars() {
{{$kernel_vars_commands}}
}
prolog_commands() {
{{$prolog_script}}
}
epilog_commands() {
{{$epilog_script}}
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
configure_interfaces() {
{{$configure_interfaces}}
}
log "Activating firewall script generated {{$timestamp}} by {{$user}}"
set_kernel_vars
configure_interfaces
prolog_commands
{{$activation_commands}}
{{if pf_version_ge_4_x}}
{{if pf_flush_states}}
$PFCTL -F states
{{endif}}
{{endif}}
epilog_commands


@ -0,0 +1,34 @@
## -*- mode: shell-script; -*-
log() {
echo "$1"
test -x "$LOGGER" && $LOGGER -p info "$1"
}
add_addr() {
addr=$1
nm=$2
dev=$3
( ifconfig $dev | egrep -q "inet +${addr} " ) ||
{
echo "$dev: $addr/$nm"
ifconfig $dev inet $addr netmask $nm alias
}
}
{{if dyn_addr}}
getaddr() {
intf=$1
varname=$2
L=`ifconfig $1 | grep 'inet '`
if [ -z "$L" ]; then
L="inet 0.0.0.0/32"
fi
set $L
a=$2
eval "$varname=$a"
}
{{$get_dyn_addr_commands}}
{{endif}}


@ -0,0 +1,3 @@
## -*- mode: shell-script; -*-
##
## Set path to all utilities that we need


@ -0,0 +1,13 @@
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_pf v{{$version}}-{{$build}}
#
# Generated {{$timestamp}} {{$tz}} by {{$user}}
#
{{$manifest}}
#
# Compiled for {{$platform}} {{$fw_version}}
#
{{$comment}}
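Review bot: The header hard-codes `# Firewall Builder fwb_pf v{{$version}}-{{$build}}`, while the skeletons in this commit cover ipf and ipfw as well. If this top_comment configlet is the one CompilerDriver feeds to all three drivers (its path is not visible here), scripts generated for ipf and ipfw will claim to come from fwb_pf; making the tool name a variable, `# Firewall Builder {{$tool}} v{{$version}}-{{$build}}`, keeps the header accurate.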


@ -0,0 +1,7 @@
## -*- mode: shell-script; -*-
{{if have_freebsd_ip_forward}}$SYSCTL -w net.inet.ip.forwarding={{$freebsd_ip_forward}}{{endif}}
{{if have_freebsd_ipv6_forward}}$SYSCTL -w net.inet6.ip6.forwarding={{$freebsd_ipv6_forward}}{{endif}}
{{if have_freebsd_ip_sourceroute}}$SYSCTL -w net.inet.ip.sourceroute={{$freebsd_ip_sourceroute}}{{endif}}
{{if have_freebsd_ip_redirect}}$SYSCTL -w net.inet.ip.redirect={{$freebsd_ip_redirect}}{{endif}}


@ -0,0 +1,10 @@
## -*- mode: shell-script; -*-
##
## Set path to all utilities that we need
PFCTL="{{$path_pfctl}}"
IPFW="{{$path_ipfw}}"
IPF="{{$path_ipf}}"
IPNAT="{{$path_ipnat}}"
SYSCTL="{{$path_sysctl}}"
LOGGER="{{$path_logger}}"


@ -0,0 +1,6 @@
## -*- mode: shell-script; -*-
{{if have_macosx_ip_forward}}$SYSCTL -w net.inet.ip.forwarding={{$macosx_ip_forward}}{{endif}}
{{if have_macosx_ip_sourceroute}}$SYSCTL -w net.inet.ip.sourceroute={{$macosx_ip_sourceroute}}{{endif}}
{{if have_macosx_ip_redirect}}$SYSCTL -w net.inet.ip.redirect={{$macosx_ip_redirect}}{{endif}}


@ -0,0 +1,7 @@
## -*- mode: shell-script; -*-
##
## Set path to all utilities that we need
IPFW="{{$path_ipfw}}"
SYSCTL="{{$path_sysctl}}"
LOGGER="{{$path_logger}}"


@ -0,0 +1,8 @@
## -*- mode: shell-script; -*-
{{if have_openbsd_ip_directed_broadcast}}$SYSCTL -w net.inet.ip.directed-broadcast={{$openbsd_ip_directed_broadcast}}{{endif}}
{{if have_openbsd_ip_forward}}$SYSCTL -w net.inet.ip.forwarding={{$openbsd_ip_forward}}{{endif}}
{{if have_openbsd_ipv6_forward}}$SYSCTL -w net.inet6.ip6.forwarding={{$openbsd_ipv6_forward}}{{endif}}
{{if have_openbsd_ip_sourceroute}}$SYSCTL -w net.inet.ip.sourceroute={{$openbsd_ip_sourceroute}}{{endif}}
{{if have_openbsd_ip_redirect}}$SYSCTL -w net.inet.ip.redirect={{$openbsd_ip_redirect}}{{endif}}


@ -0,0 +1,7 @@
## -*- mode: shell-script; -*-
##
## Set path to all utilities that we need
PFCTL="{{$path_pfctl}}"
SYSCTL="{{$path_sysctl}}"
LOGGER="{{$path_logger}}"


@ -0,0 +1,8 @@
## -*- mode: shell-script; -*-
{{if have_solaris_ip_forward}}ndd -set /dev/ip ip_forwarding {{$solaris_ip_forward}}{{endif}}
{{if have_solaris_ip_ignore_redirect}}ndd -set /dev/ip ip_ignore_redirect {{$solaris_ip_ignore_redirect}}{{endif}}
{{if have_solaris_ip_respond_to_echo_broadcast}}ndd -set /dev/ip ip_respond_to_echo_broadcast {{$solaris_ip_respond_to_echo_broadcast}}{{endif}}
{{if have_solaris_ip_forward_directed_broadcasts}}ndd -set /dev/ip ip_forward_directed_broadcasts {{$solaris_ip_forward_directed_broadcasts}}{{endif}}
{{if have_solaris_ip_forward_src_routed}}ndd -set /dev/ip ip_forward_src_routed {{$solaris_ip_forward_src_routed}}{{endif}}
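Review bot: `ndd` is invoked by bare name on every line, unlike the other OS configlets, which call `$SYSCTL` set from a configured absolute path; a root-run script that resolves a tool through `PATH` uses whatever `PATH` the invoking environment happens to have. Define the tool once with its full path (on Solaris `/usr/sbin/ndd`), either in the matching path configlet the way `SYSCTL="{{$path_sysctl}}"` is done or at the top of this file as `NDD="/usr/sbin/ndd"`, and call `$NDD -set /dev/ip ...` instead. No template variable for this path appears on the page, so if the configlet route is taken the option would need to be added to the compiler alongside the existing `path_*` ones.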


@ -0,0 +1,9 @@
## -*- mode: shell-script; -*-
##
## Set path to all utilities that we need
IPFW="{{$path_ipfw}}"
IPF="{{$path_ipf}}"
IPNAT="{{$path_ipnat}}"
SYSCTL="{{$path_sysctl}}"
LOGGER="{{$path_logger}}"


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1253295600" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="12" lastModified="1255054018" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
<Library id="id40E233F3" color="#FFFFFF" name="West Coast" comment="" ro="False">
@ -956,14 +956,17 @@
</PolicyRule>
</Policy>
<Routing id="id18593X75509" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id18594X75509" bridgeport="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id18594X75509" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id18596X75509" name="firewall63:eth1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id18597X75509" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<Interface id="id18597X75509" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id18599X75509" name="firewall63:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id18600X75509" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<Interface id="id18600X75509" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
<IPv4 id="id18602X75509" name="firewall63:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@ -1092,16 +1095,7 @@
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<ServiceRef ref="id3C6820443"/>
<ObjectRef ref="sysid0"/>
<ServiceRef ref="sysid1"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="id34697X75509"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@ -13389,7 +13383,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4848F19020246" host_OS="openbsd" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1212808094" platform="pf" version="4.x" name="firewall62" comment="testing rules using UserService object&#10;Note that iptables does not allow entering&#10;iptables command that tries to match using module 'owner' in any chain&#10;other than OUTPUT. This includes user defined chains too (it checks&#10;how control passes to user defined chain and blocks command if&#10;it appears that user defined chain gets control not from OUTPUT)&#10;&#10;" ro="False">
<Firewall id="id4848F19020246" host_OS="openbsd" inactive="False" lastCompiled="1255054109" lastInstalled="0" lastModified="1255054100" platform="pf" version="4.x" name="firewall62" comment="testing rules using UserService object&#10;Note that iptables does not allow entering&#10;iptables command that tries to match using module 'owner' in any chain&#10;other than OUTPUT. This includes user defined chains too (it checks&#10;how control passes to user defined chain and blocks command if&#10;it appears that user defined chain gets control not from OUTPUT)&#10;&#10;" ro="False">
<NAT id="id4848F1D320246" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id4848F19620246" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id484A6C465896" disabled="False" group="" log="False" position="0" action="Accept" direction="Inbound" comment="rule from FR 1948872&#10;should generate&#10;pass in quick on en0 user proxy&#10;">
@ -13704,14 +13698,19 @@
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"></Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"></Option>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="configure_carp_interfaces">False</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
@ -13742,11 +13741,64 @@
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
<Option name="pf_do_limit_frags">False</Option>
<Option name="pf_do_limit_src_nodes">False</Option>
<Option name="pf_do_limit_states">False</Option>
<Option name="pf_do_limit_table_entries">False</Option>
<Option name="pf_do_limit_tables">False</Option>
<Option name="pf_do_scrub">False</Option>
<Option name="pf_do_timeout_frag">False</Option>
<Option name="pf_do_timeout_interval">False</Option>
<Option name="pf_flush_states">True</Option>
<Option name="pf_icmp_error">0</Option>
<Option name="pf_icmp_first">0</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_src_nodes">0</Option>
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
<Option name="pf_scrub_fragm_crop">False</Option>
<Option name="pf_scrub_fragm_drop_ovl">False</Option>
<Option name="pf_scrub_maxmss">1460</Option>
<Option name="pf_scrub_minttl">0</Option>
<Option name="pf_scrub_no_df">False</Option>
<Option name="pf_scrub_random_id">False</Option>
<Option name="pf_scrub_reassemble">True</Option>
<Option name="pf_scrub_use_maxmss">False</Option>
<Option name="pf_scrub_use_minttl">False</Option>
<Option name="pf_set_adaptive">False</Option>
<Option name="pf_set_icmp_error">False</Option>
<Option name="pf_set_icmp_first">False</Option>
<Option name="pf_set_other_first">False</Option>
<Option name="pf_set_other_multiple">False</Option>
<Option name="pf_set_other_single">False</Option>
<Option name="pf_set_tcp_closed">False</Option>
<Option name="pf_set_tcp_closing">False</Option>
<Option name="pf_set_tcp_established">False</Option>
<Option name="pf_set_tcp_finwait">False</Option>
<Option name="pf_set_tcp_first">False</Option>
<Option name="pf_set_tcp_opening">False</Option>
<Option name="pf_set_udp_first">False</Option>
<Option name="pf_set_udp_multiple">False</Option>
<Option name="pf_set_udp_single">False</Option>
<Option name="pf_tcp_closed">0</Option>
<Option name="pf_tcp_closing">0</Option>
<Option name="pf_tcp_established">0</Option>
<Option name="pf_tcp_finwait">0</Option>
<Option name="pf_tcp_first">0</Option>
<Option name="pf_tcp_opening">0</Option>
<Option name="pf_timeout_frag">30</Option>
<Option name="pf_timeout_interval">10</Option>
<Option name="pf_udp_first">0</Option>
<Option name="pf_udp_multiple">0</Option>
<Option name="pf_udp_single">0</Option>
<Option name="pix_add_clear_statements">true</Option>
<Option name="pix_assume_fw_part_of_any">true</Option>
<Option name="pix_default_logint">300</Option>
@ -13759,10 +13811,12 @@
<Option name="pix_security_fragguard_supported">true</Option>
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
@ -15918,19 +15972,25 @@
</PolicyRule>
</Policy>
<Routing id="id18692X75509" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id18693X75509" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
<Interface id="id18693X75509" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en1" comment="" ro="False">
<IPv4 id="id18695X75509" name="firewall70:en1:ip" comment="" ro="False" address="22.22.22.22" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id18696X75509" bridgeport="False" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<Interface id="id18696X75509" dyn="False" label="" mgmt="False" security_level="100" unnum="False" unprotected="False" name="en0" comment="" ro="False">
<IPv4 id="id18698X75509" name="firewall70:en0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id18699X75509" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
<Interface id="id18699X75509" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo0" comment="" ro="False">
<IPv4 id="id18701X75509" name="firewall70:lo0:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id34697X75509" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en2" comment="" ro="False">
<Interface id="id34697X75509" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="en2" comment="" ro="False">
<IPv4 id="id90782X75509" name="firewall70:en2:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id82758X75509" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="True" name="en3" comment="" ro="False">
<InterfaceOptions/>
</Interface>
<Interface id="id82758X75509" bridgeport="False" dyn="False" label="" mgmt="False" security_level="0" unnum="True" unprotected="True" name="en3" comment="" ro="False"/>
<Management address="127.0.0.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
<FWBDManagement enabled="True" identity="" port="9999"/>
@ -17123,7 +17183,7 @@
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id47B07CD419082" host_OS="openbsd" inactive="False" lastCompiled="1229922308" lastInstalled="1229922366" lastModified="1229921217" platform="pf" version="4.x" name="openbsd-4.2" comment="firewall protects host it is running on&#10;&#10;Note that we set output file name to /tmp/labfw.fw to test what compiler is going to do (since it generates three files rather than one), as well as to test installer in this case&#10;" ro="False">
<Firewall id="id47B07CD419082" host_OS="openbsd" inactive="False" lastCompiled="1255112555" lastInstalled="1255112564" lastModified="1255112550" platform="pf" version="4.x" name="openbsd-4.2" comment="firewall protects host it is running on&#10;&#10;Note that we set output file name to /tmp/labfw.fw to test what compiler is going to do (since it generates three files rather than one), as well as to test installer in this case&#10;" ro="False">
<NAT id="id47B07D4319082" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id47B07CDA19082" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id47B07CDB19082" disabled="True" log="False" position="0" action="Accept" direction="Both" comment="">
@ -17201,8 +17261,30 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id47B07D0B19082</Option>
<Option name="branch_name">rule3_branch</Option>
<Option name="classify_str"></Option>
<Option name="color">#C0BA44</Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
@ -17317,8 +17399,12 @@
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="conf_file_name_on_firewall"></Option>
<Option name="configure_carp_interfaces">False</Option>
<Option name="configure_interfaces">False</Option>
<Option name="debug">True</Option>
<Option name="configure_pfsync_interfaces">False</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="dyn_addr">False</Option>
<Option name="epilog_script"></Option>
<Option name="fallback_log">False</Option>
@ -17377,6 +17463,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
@ -17421,6 +17508,7 @@
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_env_path"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>