
see #2367 removed actions Tag, Classify, Route and added options instead; added functions to class PolicyRule to check and set these options; replaced checks for those actions with calls to the functions everywhere.

Vadim Kurland 2011-04-27 18:44:38 -07:00
parent 57a195538b
commit 629b0b31e2
29 changed files with 269 additions and 243 deletions


@ -7,13 +7,13 @@ FWB_MICRO_VERSION=1
# build number is like "nano" version number. I am incrementing build
# number during development cycle
#
BUILD_NUM="3532"
BUILD_NUM="ma_1"
VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"
GENERATION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION"
# Data format version
FWBUILDER_XML_VERSION=18
FWBUILDER_XML_VERSION=19


@ -1,2 +1,2 @@
#define VERSION "4.2.1.3532"
#define VERSION "4.2.1.ma_1"
#define GENERATION "4.2"


@ -3,7 +3,7 @@
%define name fwbuilder
%define version 4.2.1.3532
%define version 4.2.1.ma_1
%define release 1
%if "%_vendor" == "MandrakeSoft"


@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
Priority: extra
Section: checkinstall
Maintainer: vadim@fwbuilder.org
Version: 4.2.1.3532-1
Version: 4.2.1.ma_1-1
Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
Description: Firewall Builder GUI and policy compilers


@ -1,6 +1,6 @@
%define name fwbuilder
%define version 4.2.1.3532
%define version 4.2.1.ma_1
%define release 1
%if "%_vendor" == "MandrakeSoft"


@ -726,7 +726,11 @@ void IPTImporter::pushPolicyRule()
if (target=="QUEUE") action = PolicyRule::Pipe;
if (target=="CLASSIFY") action = PolicyRule::Classify;
if (target=="CLASSIFY") // #2367
{
action = PolicyRule::Continue;
rule->setClassification(true);
}
if (target=="LOG")
{
@ -782,6 +786,7 @@ void IPTImporter::pushPolicyRule()
{
action = PolicyRule::Continue;
rule->setLogging(true);
fwopt->setBool("use_ULOG", true);
QString log_prefix = action_params["log_prefix"].c_str();
log_prefix.replace("\"", "");
@ -790,7 +795,9 @@ void IPTImporter::pushPolicyRule()
if (target=="MARK")
{
action = PolicyRule::Tag;
action = PolicyRule::Continue;
rule->setTagging(true);
last_mark_rule = rule;
ObjectSignature sig(error_tracker);
@ -803,7 +810,8 @@ void IPTImporter::pushPolicyRule()
if (target=="ROUTE")
{
action = PolicyRule::Route;
action = PolicyRule::Continue;
rule->setRouting(true);
if (!action_params["route_iif"].empty())
newInterface(action_params["route_iif"]);


@ -48,22 +48,6 @@ string MangleTableCompiler_ipt::myPlatformName() { return "iptables"; }
int MangleTableCompiler_ipt::prolog()
{
return PolicyCompiler_ipt::prolog();
int n = 0;
for(FWObject::iterator i=source_ruleset->begin();
i!=source_ruleset->end(); i++)
{
PolicyRule *r = PolicyRule::cast( *i );
if (r == NULL) continue; // skip RuleSetOptions object
FWOptions *ruleopt = r->getOptionsObject();
if (r->isDisabled()) continue;
if (r->getAction() == PolicyRule::Tag ||
r->getAction() == PolicyRule::Classify) n++;
if (r->getAction() == PolicyRule::Branch &&
ruleopt->getBool("ipt_branch_in_mangle")) n++;
}
return n;
}
bool MangleTableCompiler_ipt::keepMangleTableRules::processNext()
@ -140,9 +124,9 @@ bool MangleTableCompiler_ipt::keepMangleTableRules::processNext()
return true;
}
if (rule->getAction() == PolicyRule::Tag ||
rule->getAction() == PolicyRule::Route ||
rule->getAction() == PolicyRule::Classify ||
if (rule->getTagging() ||
rule->getRouting() ||
rule->getClassification() ||
ruleopt->getBool("put_in_mangle_table")) tmp_queue.push_back(rule);
}


@ -384,39 +384,27 @@ string PolicyCompiler_ipt::PrintRule::_printTarget(PolicyRule *rule)
return ostr.str();
}
// there is no ULOG for ip6tables yet
if (!ipt_comp->ipv6 && compiler->getCachedFwOpt()->getBool("use_ULOG") &&
target=="LOG") target="ULOG";
if (target==".CONTINUE") // not a real target !
return ostr.str();
ostr << " -j " << target << " ";
if (target=="REJECT")
ostr << _printActionOnReject(rule);
if (target=="LOG" || target=="ULOG")
ostr << _printLogParameters(rule);
if (target=="MARK")
if (rule->getTagging())
{
// ostr << " --set-mark " << ruleopt->getStr("tagvalue");
ostr << " -j MARK";
ostr << " --set-mark " << rule->getTagValue();
return ostr.str();
}
if (target=="CONNMARK")
{
ostr << ruleopt->getStr("CONNMARK_arg");
}
if (target=="CLASSIFY")
if (rule->getClassification())
{
ostr << " -j CLASSIFY";
ostr << " --set-class " << ruleopt->getStr("classify_str");
return ostr.str();
}
if (target=="ROUTE")
if (rule->getRouting())
{
ostr << " -j ROUTE";
string a;
a = ruleopt->getStr("ipt_iif");
if (!a.empty()) ostr << " --iif " << a;
@ -432,6 +420,26 @@ string PolicyCompiler_ipt::PrintRule::_printTarget(PolicyRule *rule)
c = ruleopt->getBool("ipt_tee");
if (c) ostr << " --tee";
return ostr.str();
}
// there is no ULOG for ip6tables yet
if (!ipt_comp->ipv6 && compiler->getCachedFwOpt()->getBool("use_ULOG") &&
target=="LOG") target="ULOG";
ostr << " -j " << target << " ";
if (target=="REJECT")
ostr << _printActionOnReject(rule);
if (target=="LOG" || target=="ULOG")
ostr << _printLogParameters(rule);
if (target=="CONNMARK")
{
ostr << ruleopt->getStr("CONNMARK_arg");
}
return ostr.str();
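Review bot: The three new option branches at the top of _printTarget each `return ostr.str();` before the `ostr << " -j " << target` line is reached, so the rule's own action is never emitted once tagging, classification or routing is set. Now that these are options rather than actions, a rule with action Accept plus the tagging flag compiles to `-j MARK --set-mark …` alone, and because MARK and CLASSIFY are non-terminating targets the accept (or a Deny/Reject) silently disappears from the generated policy. Unless a processor earlier in the chain, outside this hunk, splits such rules into a mangle-table rule and a filter-table rule, the printer should report the combination as an error rather than drop the action. I also cannot tell from the rendered view whether the old `if (target==".CONTINUE") return ostr.str();` guard survives; if it was removed, a plain Continue rule with none of the three flags now reaches the `-j` line and emits the pseudo-target.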


@ -628,7 +628,7 @@ bool PolicyCompiler_ipt::Route::processNext()
PolicyRule *rule=getNext(); if (rule==NULL) return false;
FWOptions *ruleopt =rule->getOptionsObject();
if (rule->getAction() == PolicyRule::Route)
if (rule->getRouting())
{
string iif,oif,gw;
iif = ruleopt->getStr("ipt_iif");
@ -689,9 +689,9 @@ bool PolicyCompiler_ipt::dropMangleTableRules::processNext()
FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject();
if (rulesetopts->getBool("mangle_only_rule_set")) return true;
if (rule->getAction() == PolicyRule::Tag ||
rule->getAction() == PolicyRule::Route ||
rule->getAction() == PolicyRule::Classify) return true;
if (rule->getTagging() ||
rule->getRouting() ||
rule->getClassification()) return true;
// Another special case (while working on #1415, although not
// related directly): branching rule that has "branch in mangle table"
@ -1615,14 +1615,15 @@ bool PolicyCompiler_ipt::setChainPreroutingForTag::processNext()
*/
RuleElementItf *itf_re = rule->getItf(); assert(itf_re!=NULL);
if ( (rule->getAction() == PolicyRule::Tag ||
if ( (rule->getTagging() ||
rule->getStr("stored_action")=="Tag") &&
rule->getStr("ipt_chain").empty() &&
(rule->getDirection()==PolicyRule::Both ||
rule->getDirection()==PolicyRule::Inbound) &&
itf_re->isAny())
// rule->getInterfaceId()==-1 )
{
ipt_comp->setChain(rule, "PREROUTING");
}
tmp_queue.push_back(rule);
@ -1636,7 +1637,7 @@ bool PolicyCompiler_ipt::setChainPostroutingForTag::processNext()
PolicyRule *rule = getNext(); if (rule==NULL) return false;
RuleElementItf *itf_re = rule->getItf(); assert(itf_re!=NULL);
if ( (rule->getAction() == PolicyRule::Tag ||
if ( (rule->getTagging() ||
rule->getStr("stored_action")=="Tag") &&
rule->getStr("ipt_chain").empty() &&
(rule->getDirection()==PolicyRule::Both ||
@ -1656,7 +1657,7 @@ bool PolicyCompiler_ipt::checkForRestoreMarkInOutput::processNext()
PolicyRule *rule = getNext(); if (rule==NULL) return false;
FWOptions *ruleopt = rule->getOptionsObject();
if ( (rule->getAction() == PolicyRule::Tag ||
if ( (rule->getTagging() ||
rule->getStr("stored_action")=="Tag") &&
ruleopt->getBool("ipt_mark_connections") &&
rule->getStr("ipt_chain")=="OUTPUT")
@ -1725,7 +1726,7 @@ bool PolicyCompiler_ipt::splitIfTagAndConnmark::processNext()
bool make_terminating =
compiler->fw->getOptionsObject()->getBool("classify_mark_terminating");
if (rule->getAction() == PolicyRule::Tag &&
if (rule->getTagging() &&
ruleopt->getBool("ipt_mark_connections"))
{
PolicyRule *r, *r1;
@ -2182,7 +2183,7 @@ bool PolicyCompiler_ipt::splitIfSrcAny::processNext()
// work with mangle table can only go into POSTROUTING chain
// such as CLASSIFY
if (ipt_comp->my_table=="mangle" &&
rule->getAction()==PolicyRule::Classify)
rule->getClassification())
{
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
@ -2248,7 +2249,7 @@ bool PolicyCompiler_ipt::splitIfDstAny::processNext()
// POSTROUTING chain as well because some targets that
// work with mangle table can only go into POSTROUTING chain
// such as CLASSIFY
if (ipt_comp->my_table=="mangle" && rule->getAction()==PolicyRule::Classify)
if (ipt_comp->my_table=="mangle" && rule->getClassification())
{
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
@ -2269,7 +2270,7 @@ bool PolicyCompiler_ipt::splitIfSrcAnyForShadowing::processNext()
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
if (rule->getAction() == PolicyRule::Classify)
if (rule->getClassification())
{
tmp_queue.push_back(rule);
return true;
@ -2302,7 +2303,7 @@ bool PolicyCompiler_ipt::splitIfDstAnyForShadowing::processNext()
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
if (rule->getAction() == PolicyRule::Classify)
if (rule->getClassification())
{
tmp_queue.push_back(rule);
return true;
@ -2336,7 +2337,7 @@ bool PolicyCompiler_ipt::splitIfSrcFWNetwork::processNext()
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
if (rule->getAction() == PolicyRule::Classify)
if (rule->getClassification())
{
tmp_queue.push_back(rule);
return true;
@ -2409,7 +2410,7 @@ bool PolicyCompiler_ipt::splitIfDstFWNetwork::processNext()
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
if (rule->getAction() == PolicyRule::Classify)
if (rule->getClassification())
{
tmp_queue.push_back(rule);
return true;
@ -2527,7 +2528,7 @@ bool PolicyCompiler_ipt::specialCaseWithFW1::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
if (rule->getAction() == PolicyRule::Classify)
if (rule->getClassification())
{
tmp_queue.push_back(rule);
return true;
@ -2889,8 +2890,7 @@ bool PolicyCompiler_ipt::decideOnChainIfSrcFW::processNext()
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
if ( ! rule->getStr("ipt_chain").empty() ||
rule->getAction() == PolicyRule::Classify)
if ( ! rule->getStr("ipt_chain").empty() || rule->getClassification())
{
tmp_queue.push_back(rule);
return true;
@ -2987,8 +2987,7 @@ bool PolicyCompiler_ipt::decideOnChainIfDstFW::processNext()
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
if ( ! rule->getStr("ipt_chain").empty() ||
rule->getAction() == PolicyRule::Classify)
if ( ! rule->getStr("ipt_chain").empty() || rule->getClassification())
{
tmp_queue.push_back(rule);
return true;
@ -3153,7 +3152,7 @@ bool PolicyCompiler_ipt::decideOnChainForClassify::processNext()
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
if (rule->getAction() != PolicyRule::Classify)
if ( ! rule->getClassification())
{
tmp_queue.push_back(rule);
return true;
@ -3288,15 +3287,16 @@ bool PolicyCompiler_ipt::decideOnTarget::processNext()
if ( ! rule->getStr("ipt_target").empty() ) return true; // already defined
// note that we use pseudo-target for action Continue
switch (rule->getAction()) {
switch (rule->getAction())
{
case PolicyRule::Accept: rule->setStr("ipt_target", "ACCEPT"); break;
case PolicyRule::Deny: rule->setStr("ipt_target", "DROP"); break;
case PolicyRule::Reject: rule->setStr("ipt_target", "REJECT"); break;
case PolicyRule::Return: rule->setStr("ipt_target", "RETURN"); break;
case PolicyRule::Tag: rule->setStr("ipt_target", "MARK"); break;
// case PolicyRule::Tag: rule->setStr("ipt_target", "MARK"); break;
case PolicyRule::Pipe: rule->setStr("ipt_target", "QUEUE"); break;
case PolicyRule::Classify: rule->setStr("ipt_target", "CLASSIFY"); break;
case PolicyRule::Route: rule->setStr("ipt_target", "ROUTE"); break;
// case PolicyRule::Classify: rule->setStr("ipt_target", "CLASSIFY"); break;
// case PolicyRule::Route: rule->setStr("ipt_target", "ROUTE"); break;
case PolicyRule::Continue: rule->setStr("ipt_target", ".CONTINUE"); break;
case PolicyRule::Custom: rule->setStr("ipt_target", ".CUSTOM"); break;
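Review bot: The conditions in setChainPreroutingForTag, setChainPostroutingForTag and checkForRestoreMarkInOutput still OR in `rule->getStr("stored_action")=="Tag"`, but PolicyRule::getActionAsString can no longer produce "Tag" now that the enum member is gone. If stored_action is populated from the action's string form (where it is set is not visible in these hunks), that half of each condition is now dead and should be dropped, or replaced by a stored copy of the tagging option if the flag must survive whatever copy step stored_action was introduced for. The bodies of all three processNext methods continue outside their hunks.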


@ -52,7 +52,7 @@
*
-->
<!ENTITY % ACTION "(Accept|Reject|Deny|Scrub|Return|Skip|Continue|Accounting|Modify|Tag|Pipe|Classify|Custom|Branch|Route)">
<!ENTITY % ACTION "(Accept|Reject|Deny|Scrub|Return|Skip|Continue|Accounting|Modify|Pipe|Custom|Branch)">
<!ENTITY % NAT_ACTION "(Translate|NATBranch)">
<!ENTITY % DIRECTION "(Inbound|Outbound|Both)">
<!ENTITY % IPADDRESS "CDATA">
@ -79,7 +79,7 @@
<!ELEMENT FWObjectDatabase (Library*)>
<!ATTLIST FWObjectDatabase
xmlns CDATA #FIXED "http://www.fwbuilder.org/1.0/"
version %STRING; #FIXED "18"
version %STRING; #FIXED "19"
lastModified %NUMBER; #IMPLIED
id ID #REQUIRED
>
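Review bot: Dropping Tag, Classify and Route from the ACTION entity while bumping the format to "19" leaves no converter in this commit for existing files that still carry action="Tag", "Classify" or "Route" (the same entity change is repeated in the second DTD section below), and PolicyRule::setAction(const string&) in Rule.cpp now falls through to `setAction(Deny);` for exactly those strings. Unless an 18→19 migration stylesheet is added elsewhere, an old tagging or classification rule would either fail DTD validation or be loaded as a Deny rule, which changes what the generated firewall policy does without any warning to the user. A converter that rewrites the old action to Continue plus the matching `tagging`/`classification`/`routing` option should land together with this version bump, or setAction should reject the unknown string instead of defaulting to Deny.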


@ -52,7 +52,7 @@
*
-->
<!ENTITY % ACTION "(Accept|Reject|Deny|Scrub|Return|Skip|Continue|Accounting|Modify|Tag|Pipe|Classify|Custom|Branch|Route)">
<!ENTITY % ACTION "(Accept|Reject|Deny|Scrub|Return|Skip|Continue|Accounting|Modify|Pipe|Custom|Branch)">
<!ENTITY % NAT_ACTION "(Translate|NATBranch)">
<!ENTITY % DIRECTION "(Inbound|Outbound|Both)">
<!ENTITY % IPADDRESS "CDATA">


@ -196,19 +196,7 @@ bool FWObjectDatabase::_findWhereObjectIsUsed(FWObject *o,
PolicyRule *rule = PolicyRule::cast(p);
if (rule)
{
switch (rule->getAction())
{
case PolicyRule::Tag:
{
FWObject *tagobj = rule->getTagObject();
if (o==tagobj)
{
resset.insert(p);
res = true;
}
break;
}
case PolicyRule::Branch:
if (rule->getAction() == PolicyRule::Branch)
{
FWObject *ruleset = rule->getBranch();
if (o==ruleset)
@ -216,9 +204,16 @@ bool FWObjectDatabase::_findWhereObjectIsUsed(FWObject *o,
resset.insert(p);
res = true;
}
break;
}
default: ;
if (rule->getTagging())
{
FWObject *tagobj = rule->getTagObject();
if (o==tagobj)
{
resset.insert(p);
res = true;
}
}
}


@ -6,9 +6,6 @@
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
@ -60,14 +57,14 @@ void Rule::init(FWObjectDatabase*)
{
}
FWOptions* Rule::getOptionsObject() { return NULL; }
RuleSet* Rule::getBranch() { return NULL; }
void Rule::setPosition(int n) { setInt("position",n); }
int Rule::getPosition() const { return getInt("position");}
void Rule::disable() { setBool("disabled",true); }
void Rule::enable() { setBool("disabled",false);}
bool Rule::isDisabled() const { return( getBool("disabled") );}
bool Rule::isEmpty() { return false; }
FWOptions* Rule::getOptionsObject() const { return NULL; }
RuleSet* Rule::getBranch() { return NULL; }
void Rule::setPosition(int n) { setInt("position", n); }
int Rule::getPosition() const { return getInt("position"); }
void Rule::disable() { setBool("disabled",true); }
void Rule::enable() { setBool("disabled",false); }
bool Rule::isDisabled() const { return( getBool("disabled")); }
bool Rule::isEmpty() { return false; }
void Rule::setBranch(RuleSet*) {};
@ -250,12 +247,9 @@ string PolicyRule::getActionAsString(int act)
case Continue: return "Continue";
case Accounting: return "Accounting";
case Modify: return "Modify";
case Tag: return "Tag";
case Pipe: return "Pipe";
case Classify: return "Classify";
case Custom: return "Custom";
case Branch: return "Branch";
case Route: return "Route";
default: return "Unknown";
}
return "Deny";
@ -272,12 +266,9 @@ void PolicyRule::setAction(const string& act)
if (act=="Continue") { setAction(Continue); return; }
if (act=="Accounting") { setAction(Accounting); return; }
if (act=="Modify") { setAction(Modify); return; }
if (act=="Tag") { setAction(Tag); return; }
if (act=="Pipe") { setAction(Pipe); return; }
if (act=="Classify") { setAction(Classify); return; }
if (act=="Custom") { setAction(Custom); return; }
if (act=="Branch") { setAction(Branch); return; }
if (act=="Route") { setAction(Route); return; }
setAction(Deny);
}
@ -402,7 +393,7 @@ xmlNodePtr PolicyRule::toXML(xmlNodePtr parent) throw(FWException)
return me;
}
FWOptions* PolicyRule::getOptionsObject()
FWOptions* PolicyRule::getOptionsObject() const
{
return FWOptions::cast( getFirstByType(PolicyRuleOptions::TYPENAME) );
}
@ -413,25 +404,17 @@ FWOptions* PolicyRule::getOptionsObject()
*/
void PolicyRule::updateNonStandardObjectReferences()
{
switch (getAction())
{
case PolicyRule::Branch:
if (getAction() == PolicyRule::Branch)
{
RuleSet *branch_ruleset = getBranch();
setBranch(branch_ruleset);
setTagObject(NULL);
break;
}
case PolicyRule::Tag:
if (getTagging())
{
FWObject *tag_object = getTagObject();
setTagObject(tag_object);
setBranch(NULL);
break;
}
default:
break;
}
}
RuleSet* PolicyRule::getBranch()
@ -464,6 +447,37 @@ void PolicyRule::setBranch(RuleSet* ruleset)
getOptionsObject()->setStr("branch_id", branch_id);
}
bool PolicyRule::getRouting() const
{
return getOptionsObject()->getBool("routing");
}
void PolicyRule::setRouting(bool f)
{
getOptionsObject()->setBool("routing", f);
}
bool PolicyRule::getClassification() const
{
return getOptionsObject()->getBool("classification");
}
void PolicyRule::setClassification(bool f)
{
getOptionsObject()->setBool("classification", f);
}
bool PolicyRule::getTagging() const
{
return getOptionsObject()->getBool("tagging");
}
void PolicyRule::setTagging(bool f)
{
getOptionsObject()->setBool("tagging", f);
}
void PolicyRule::setTagObject(FWObject *tag_object)
{
string tag_id =
@ -473,7 +487,7 @@ void PolicyRule::setTagObject(FWObject *tag_object)
FWObject* PolicyRule::getTagObject()
{
if (getAction() == Tag)
if (getTagging())
{
string tagobj_id = getOptionsObject()->getStr("tagobject_id");
if (!tagobj_id.empty())
@ -487,7 +501,7 @@ FWObject* PolicyRule::getTagObject()
string PolicyRule::getTagValue()
{
if (getAction() == Tag)
if (getTagging())
{
TagService *tagobj = TagService::cast(getTagObject());
if (tagobj) return tagobj->getCode();
@ -829,7 +843,7 @@ xmlNodePtr NATRule::toXML(xmlNodePtr parent) throw(FWException)
return me;
}
FWOptions* NATRule::getOptionsObject()
FWOptions* NATRule::getOptionsObject() const
{
return FWOptions::cast( getFirstByType(NATRuleOptions::TYPENAME) );
}
@ -1052,7 +1066,7 @@ xmlNodePtr RoutingRule::toXML(xmlNodePtr parent) throw(FWException)
return me;
}
FWOptions* RoutingRule::getOptionsObject()
FWOptions* RoutingRule::getOptionsObject() const
{
return FWOptions::cast( getFirstByType(RoutingRuleOptions::TYPENAME) );
}
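Review bot: The new getRouting/getClassification/getTagging accessors and their setters dereference `getOptionsObject()` unconditionally, and PolicyRule::getOptionsObject() returns whatever `FWOptions::cast(getFirstByType(PolicyRuleOptions::TYPENAME))` yields, which is NULL when the rule has no PolicyRuleOptions child. The checks they replace compared getAction(), which did not need the options object, and the getters are now called from FWObjectDatabase::_findWhereObjectIsUsed, the compilers and the GUI model, so a rule without an options child (whether that can occur is not visible here) would crash instead of being treated as not tagging. A guard costs one line per accessor: `FWOptions *opt = getOptionsObject(); return opt != NULL && opt->getBool("tagging");` for the getter and `if (opt != NULL) opt->setBool("tagging", f);` for the setter, and likewise for the routing and classification pair.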


@ -6,9 +6,6 @@
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
@ -116,7 +113,7 @@ class Rule : public Group
virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException);
virtual FWOptions* getOptionsObject();
virtual FWOptions* getOptionsObject() const;
// find branch ruleset for policy rules with action Branch
// We may support some kind of branching in NAT in the future, so
@ -176,11 +173,8 @@ class PolicyRule : public Rule
Accounting,
Modify,
Pipe,
Tag,
Classify,
Custom,
Branch,
Route} Action;
Branch} Action;
typedef enum { Undefined,
Inbound,
@ -221,7 +215,7 @@ public:
DECLARE_DISPATCH_METHODS(PolicyRule);
virtual FWOptions* getOptionsObject();
virtual FWOptions* getOptionsObject() const;
virtual RuleSet* getBranch();
virtual void setBranch(RuleSet *ruleset);
@ -265,15 +259,28 @@ public:
std::string getDirectionAsString() const;
void setDirection(const std::string& dir);
bool getLogging() const;
void setLogging(bool flag);
bool getLogging() const;
void setLogging(bool flag);
// find TagService object for rules with action Tag
// return true if rule does tagging
bool getTagging() const;
void setTagging(bool f);
// return true if rule does routing
bool getRouting() const;
void setRouting(bool f);
// return true if rule does classification
bool getClassification() const;
void setClassification(bool f);
// find TagService object for rules that do tagging
FWObject* getTagObject();
std::string getTagValue();
void setTagObject(FWObject *tag_object);
};
class NATRule : public Rule
{
public:
@ -363,7 +370,7 @@ public:
DECLARE_DISPATCH_METHODS(NATRule);
virtual FWOptions* getOptionsObject();
virtual FWOptions* getOptionsObject() const;
virtual RuleSet* getBranch();
virtual void setBranch(RuleSet *ruleset);
@ -439,7 +446,7 @@ class RoutingRule : public Rule
DECLARE_DISPATCH_METHODS(RoutingRule);
virtual FWOptions* getOptionsObject();
virtual FWOptions* getOptionsObject() const;
virtual RuleSet* getBranch();
virtual bool isEmpty() const;
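Review bot: Removing Tag, Classify and Route from the middle of the Action enum renumbers Custom and Branch, which is only safe if the action is never persisted or compared as an integer; the XML path goes through setAction(const std::string&), but any `setInt`/`getInt` on the action or a switch over literal values would silently change meaning, so this is worth confirming. The comments on the new accessors could also say that they read the rule's options object, e.g. `// reads the "tagging" option; requires the PolicyRuleOptions child`, since callers that previously only needed getAction() now depend on that child being present.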


@ -170,6 +170,14 @@ bool PolicyCompiler::checkForShadowing(PolicyRule &r1, PolicyRule &r2)
if (dstrel2->getNeg()) return false;
if (srvrel2->getNeg()) return false;
/*
* TODO: actually, route rule may shadow other rules if it
* translates into "final" target, that is stops processing. This
* may or may not be so, depending on the platform and combination
* of rule options.
*/
if (r1.getRouting() || r2.getRouting()) return false;
PolicyRule::Action r1_action = r1.getAction();
PolicyRule::Action r2_action = r2.getAction();
@ -186,15 +194,6 @@ bool PolicyCompiler::checkForShadowing(PolicyRule &r1, PolicyRule &r2)
if (r1_action==PolicyRule::Return ||
r2_action==PolicyRule::Return ) return false;
/*
* TODO: actually, route rule may shadow other rules if it
* translates into "final" target, that is stops processing. This
* may or may not be so, depending on the platform and combination
* of rule options.
*/
if (r1_action==PolicyRule::Route ||
r2_action==PolicyRule::Route ) return false;
/*
* the problem with branching rules is that it is combination of
* the head rule and rules in the branch rather than a single rule
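Review bot: checkForShadowing now excludes only routing rules, yet with tagging and classification turned into options a rule can tag or classify while carrying action Accept and still be non-terminating on pf (setQuickFlag in PolicyCompiler_pf.cpp consults pf_tag_terminating and pf_classify_terminating), so the action-based comparison that follows, outside this hunk, may report such a rule as shadowing the rules after it. Consider the same early exit for `if (r1.getTagging() || r2.getTagging() || r1.getClassification() || r2.getClassification()) return false;`, or better, derive it from the per-platform terminating flag, with a TODO like the one kept above. The old Route check further down is removed, so the routing half of the move is complete.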


@ -945,6 +945,10 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule)
case PolicyRule::Reject:
par = ropt->getStr("action_on_reject").c_str();
break;
/*
* TODO #2367 This should move to getPolicyRuleOptions()
*
case PolicyRule::Tag:
{
FWObject *tag_object = PolicyRule::cast(rule)->getTagObject();
@ -954,6 +958,8 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule)
par = QString::fromUtf8(PolicyRule::cast(rule)->getTagValue().c_str());
break;
}
*/
case PolicyRule::Accounting :
par = ropt->getStr("rule_name_accounting").c_str();
break;
@ -968,6 +974,10 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule)
// ropt->getStr("branch_name").c_str();
break;
}
/*
* TODO #2367 This should move to getPolicyRuleOptions()
*
case PolicyRule::Classify:
if (platform=="ipfw")
{
@ -986,6 +996,8 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule)
par = ropt->getStr("classify_str").c_str();
}
break;
*/
case PolicyRule::Pipe :
if (platform=="ipfw")
{
@ -993,6 +1005,10 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule)
ropt->getStr("ipfw_pipe_port_num").c_str();
}
break;
/*
* TODO #2367 This should move to getPolicyRuleOptions()
*
case PolicyRule::Route :
if (platform=="iptables")
{
@ -1030,7 +1046,7 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule)
if (!a.empty()) par = par + " "+ a.c_str();
}
break;
*/
default : {}
}


@ -1315,7 +1315,7 @@ QModelIndexList RuleSetModel::findObject (FWObject* object)
list.append(this->index(rule, column));
// qDebug() << "Branch column:" << column;
}
} else if (pr->getAction() == PolicyRule::Tag)
} else if (pr->getTagging())
{
if (pr->getTagObject() == object)
{


@ -600,6 +600,10 @@ void RuleSetView::addColumnRelatedMenu(QMenu *menu, const QModelIndex &index,
action_name,
this, SLOT( changeActionToPipe() ));
}
/*
* #2367
if (Resources::isTargetActionSupported(platform,"Tag"))
{
action_name = getActionNameForPlatform(
@ -616,6 +620,17 @@ void RuleSetView::addColumnRelatedMenu(QMenu *menu, const QModelIndex &index,
action_name,
this, SLOT( changeActionToClassify() ));
}
if (Resources::isTargetActionSupported(platform,"Route"))
{
action_name = getActionNameForPlatform(
f, PolicyRule::getActionAsString(PolicyRule::Route));
menu->addAction( QIcon(LoadPixmap(":/Icons/Route/icon")),
action_name,
this, SLOT( changeActionToRoute() ));
}
*/
if (Resources::isTargetActionSupported(platform,"Custom"))
{
action_name = getActionNameForPlatform(
@ -632,14 +647,6 @@ void RuleSetView::addColumnRelatedMenu(QMenu *menu, const QModelIndex &index,
action_name,
this, SLOT( changeActionToBranch() ));
}
if (Resources::isTargetActionSupported(platform,"Route"))
{
action_name = getActionNameForPlatform(
f, PolicyRule::getActionAsString(PolicyRule::Route));
menu->addAction( QIcon(LoadPixmap(":/Icons/Route/icon")),
action_name,
this, SLOT( changeActionToRoute() ));
}
if (Resources::isTargetActionSupported(platform,"Continue"))
{
action_name = getActionNameForPlatform(
@ -1911,26 +1918,11 @@ void RuleSetView::changeActionToPipe()
changeAction( PolicyRule::Pipe );
}
void RuleSetView::changeActionToTag()
{
changeAction( PolicyRule::Tag );
}
void RuleSetView::changeActionToClassify()
{
changeAction( PolicyRule::Classify );
}
void RuleSetView::changeActionToCustom()
{
changeAction( PolicyRule::Custom );
}
void RuleSetView::changeActionToRoute()
{
changeAction( PolicyRule::Route );
}
void RuleSetView::changeActionToContinue()
{
changeAction( PolicyRule::Continue );


@ -176,11 +176,8 @@ public slots:
void changeActionToReject();
void changeActionToAccounting();
void changeActionToPipe();
void changeActionToTag();
void changeActionToClassify();
void changeActionToCustom();
void changeActionToBranch();
void changeActionToRoute();
void changeActionToContinue();
void changeActionToTranslate();
void changeActionToNATBranch();


@ -310,8 +310,9 @@ bool isDefaultPolicyRuleOptions(FWOptions *opt)
if (rule!=NULL)
{
PolicyRule::Action act=rule->getAction();
if (act==PolicyRule::Accept || act==PolicyRule::Tag || act==PolicyRule::Route)
PolicyRule::Action act = rule->getAction();
if (act==PolicyRule::Accept)
{
// by default, these actions are not stateless
res = res && (!opt->getBool("stateless"));
@ -320,6 +321,7 @@ bool isDefaultPolicyRuleOptions(FWOptions *opt)
// other actions are stateless by default
res = res && opt->getBool("stateless");
}
}
// all rules are stateless for IOS ACL
@ -762,9 +764,7 @@ QString getActionNameForPlatform(Firewall *fw, const std::string &action)
bool getStatelessFlagForAction(PolicyRule *rule)
{
PolicyRule::Action act = rule->getAction();
if (act==PolicyRule::Accept ||
act==PolicyRule::Tag ||
act==PolicyRule::Route) return false;
if (act==PolicyRule::Accept) return false;
else
return true;
}
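Review bot: getStatelessFlagForAction and isDefaultPolicyRuleOptions previously treated Tag and Route rules as stateful by default (`return false` here, `!opt->getBool("stateless")` above), and the replacement keeps only Accept, so a rule that now expresses the same thing as Continue plus the tagging or routing option defaults to stateless. Both functions already have the PolicyRule at hand, so the old default can be preserved with `if (act==PolicyRule::Accept || rule->getTagging() || rule->getRouting()) return false;` here and the matching condition at the `if (act==PolicyRule::Accept)` line in isDefaultPolicyRuleOptions. If the new default is intended, the commit message should say so, because it changes connection tracking for rules carried over from the old actions.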


@ -224,24 +224,6 @@ void PolicyCompiler_ipfw::PrintRule::_printAction(PolicyRule *rule)
}
break;
case PolicyRule::Classify:
{
int portNum = ruleopt->getInt("ipfw_pipe_queue_num");
switch (ruleopt->getInt("ipfw_classify_method"))
{
case DUMMYNETPIPE:
compiler->output << "pipe " << portNum << " ";
break;
case DUMMYNETQUEUE:
compiler->output << "queue " << portNum << " ";
break;
default:
compiler->output << "divert " << portNum << " ";
break;
}
}
break;
case PolicyRule::Pipe:
compiler->output << "divert " << ruleopt->getInt("ipfw_pipe_port_num") << " ";
break;
@ -258,6 +240,23 @@ void PolicyCompiler_ipfw::PrintRule::_printAction(PolicyRule *rule)
// compiler->output << rule->getActionAsString() << " ";
}
if (rule->getClassification())
{
int portNum = ruleopt->getInt("ipfw_pipe_queue_num");
switch (ruleopt->getInt("ipfw_classify_method"))
{
case DUMMYNETPIPE:
compiler->output << "pipe " << portNum << " ";
break;
case DUMMYNETQUEUE:
compiler->output << "queue " << portNum << " ";
break;
default:
compiler->output << "divert " << portNum << " ";
break;
}
}
}
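Review bot: The classification block now runs after the action switch instead of being one of its cases, so for a rule whose action already printed a keyword the output carries two actions on one line, e.g. the accept keyword followed by `pipe 3 `, which ipfw will not parse. If classification is only meaningful together with action Continue, the block should be restricted to that case or the switch should skip its own output when `rule->getClassification()` is set; what the switch prints for Continue is outside the hunk, so I cannot tell whether that case already prints nothing. Note also that the ipfw resource file in this commit marks Classify as unsupported, so if the GUI no longer offers the option the block may be unreachable until #2367 moves it to the rule options.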
/*


@ -426,8 +426,7 @@ bool PolicyCompiler_pf::SplitDirection::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
if (rule->getDirection()==PolicyRule::Both &&
rule->getAction()==PolicyRule::Route)
if (rule->getDirection()==PolicyRule::Both && rule->getRouting())
{
PolicyRule *r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
@ -509,12 +508,6 @@ bool PolicyCompiler_pf::setQuickFlag::processNext()
FWOptions *ropt = rule->getOptionsObject();
// as of 4.2.0 build 3477 we provide checkboxes to make Tag and
// Classify actions (PF) terminating or non-terminating on
// per-rule basis. Old behavior: Tag was non-terminating and
// Classify was terminating. Set options accordingly if they are
// not set.
switch (rule->getAction())
{
case PolicyRule::Scrub:
@ -522,27 +515,34 @@ bool PolicyCompiler_pf::setQuickFlag::processNext()
case PolicyRule::Branch:
break;
case PolicyRule::Tag:
default:
rule->setBool("quick", true);
break;
}
// as of 4.2.0 build 3477 we provide checkboxes to make Tag and
// Classify actions (PF) terminating or non-terminating on
// per-rule basis. Old behavior: Tag was non-terminating and
// Classify was terminating. Set options accordingly if they are
// not set.
//
// TODO #2367: now instead of checkboxes, user should use actions Accept
// or Continue
if (rule->getTagging())
{
string pf_tag_terminating = ropt->getStr("pf_tag_terminating");
if (pf_tag_terminating.empty())
ropt->setBool("pf_tag_terminating", false);
if (ropt->getBool("pf_tag_terminating")) rule->setBool("quick", true);
break;
}
case PolicyRule::Classify:
if (rule->getClassification())
{
string pf_classify_terminating = ropt->getStr("pf_classify_terminating");
if (pf_classify_terminating.empty())
ropt->setBool("pf_classify_terminating", true);
if (ropt->getBool("pf_classify_terminating")) rule->setBool("quick", true);
break;
}
default:
rule->setBool("quick", true);
break;
}
return true;
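Review bot: The tagging and classification branches after the switch can only set `quick` to true, never clear it, while the switch's `default:` has already set quick for every action not listed among its non-quick cases. For a Continue-action rule with tagging and pf_tag_terminating false, the old `case PolicyRule::Tag:` left quick unset, but the new code leaves it at whatever the switch chose; the case list between Scrub and Branch is cut by the hunk, so this holds unless Continue is one of the non-quick cases. Writing the computed value instead of only the true case, `rule->setBool("quick", ropt->getBool("pf_tag_terminating"));` and likewise `rule->setBool("quick", ropt->getBool("pf_classify_terminating"));`, restores the per-rule behaviour the comment above describes, until the TODO replaces the checkboxes with the action.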


@ -76,21 +76,10 @@ void PolicyCompiler_pf::PrintRule::_printAction(PolicyRule *rule)
switch (rule->getAction())
{
case PolicyRule::Tag:
{
if (XMLTools::version_compare(version, "4.6")>=0)
{
compiler->output << "match ";
}else
{
compiler->output << "pass ";
}
break;
}
// case PolicyRule::Classify: #2367
// case PolicyRule::Route: #2367
case PolicyRule::Accept:
case PolicyRule::Classify:
case PolicyRule::Accounting:
case PolicyRule::Route:
compiler->output << "pass ";
break;
@ -161,13 +150,27 @@ void PolicyCompiler_pf::PrintRule::_printAction(PolicyRule *rule)
rule,
string("Unknown action ") + rule->getActionAsString());
}
// #2367
//
// if (rule->getTagging())
// {
// if (XMLTools::version_compare(version, "4.6")>=0)
// {
// compiler->output << "match ";
// }else
// {
// compiler->output << "pass ";
// }
// break;
// }
}
void PolicyCompiler_pf::PrintRule::_printRouteOptions(PolicyRule *rule)
{
FWOptions *ruleopt =rule->getOptionsObject();
if (rule->getAction() == PolicyRule::Route)
if (rule->getRouting())
{
string prefix = "pf";
if (compiler->myPlatformName()=="ipf") prefix="ipf";
@ -336,7 +339,7 @@ void PolicyCompiler_pf::PrintRule::_printQueue(PolicyRule *rule)
{
FWOptions *ruleopt =rule->getOptionsObject();
if (rule->getAction() == PolicyRule::Classify)
if (rule->getClassification())
compiler->output << "queue " << ruleopt->getStr("classify_str") << " ";
}
@ -379,9 +382,8 @@ void PolicyCompiler_pf::PrintRule::_printUser(PolicyRule *rule)
void PolicyCompiler_pf::PrintRule::_printTag(PolicyRule *rule)
{
if (rule->getAction() == PolicyRule::Tag)
if (rule->getTagging())
compiler->output << "tag " << rule->getTagValue() << " ";
// compiler->output << "tag " << ruleopt->getStr("tagvalue") << " ";
}
void PolicyCompiler_pf::PrintRule::_printDirection(PolicyRule *rule)
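Review bot: With `case PolicyRule::Tag:` removed, the version-dependent `match` keyword for PF 4.6 and later is no longer emitted for tagging rules, and the replacement is left as a commented-out `if (rule->getTagging())` block that still contains a `break;` and sits after the switch, so it cannot simply be uncommented. Whether a tagging rule with action Continue now gets `match` or `pass` depends on the Continue case of the switch, which is outside the hunk; if it prints `pass`, the generated rule is evaluated differently from what the old code emitted on 4.6+. Either finish the `match` handling for the Continue case or drop the dead block and track it under #2367 instead of leaving it in the printer.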


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1265059184" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="19" lastModified="1265059184" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>


@ -87,7 +87,7 @@
<dialog_page>None</dialog_page>
</Branch>
<Route>
<supported>True</supported>
<supported>False</supported>
<description>Route</description>
<dialog_page>RouteIPF</dialog_page>
</Route>


@ -70,7 +70,7 @@
<dialog_page>PipeArgsIPFW</dialog_page>
</Pipe>
<Classify>
<supported>True</supported>
<supported>False</supported>
<description>Classify</description>
<dialog_page>ClassifyArgsIPFW</dialog_page>
</Classify>


@ -71,7 +71,7 @@
<dialog_page>AccountingStr</dialog_page>
</Accounting>
<Tag>
<supported>True</supported>
<supported>False</supported>
<description>Tag</description>
<dialog_page>TagIptables</dialog_page>
</Tag>
@ -81,7 +81,7 @@
<dialog_page>None</dialog_page>
</Pipe>
<Classify>
<supported>True</supported>
<supported>False</supported>
<description>Classify</description>
<dialog_page>ClassifyIptables</dialog_page>
</Classify>
@ -96,7 +96,7 @@
<dialog_page>BranchChain</dialog_page>
</Branch>
<Route>
<supported>True</supported>
<supported>False</supported>
<description>Routing</description>
<dialog_page>RouteIPT</dialog_page>
</Route>


@ -65,7 +65,7 @@
<dialog_page>None</dialog_page>
</Accounting>
<Tag>
<supported>True</supported>
<supported>False</supported>
<description>Tag</description>
<dialog_page>TagPF</dialog_page>
</Tag>
@ -75,7 +75,7 @@
<dialog_page>None</dialog_page>
</Pipe>
<Classify>
<supported>True</supported>
<supported>False</supported>
<description>Classify</description>
<dialog_page>ClassifyPF</dialog_page>
</Classify>
@ -90,10 +90,15 @@
<dialog_page>BranchAnchor</dialog_page>
</Branch>
<Route>
<supported>True</supported>
<supported>False</supported>
<description>Route</description>
<dialog_page>RoutePF</dialog_page>
</Route>
<Continue>
<supported>True</supported>
<description>Continue</description>
<dialog_page>None</dialog_page>
</Continue>
<Translate>
<supported>True</supported>
<description>Translate</description>


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1270752748" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="19" lastModified="1270752748" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>