From 629b0b31e2d2a85e89ec411ae015bcc262ccdcca Mon Sep 17 00:00:00 2001 From: Vadim Kurland Date: Wed, 27 Apr 2011 18:44:38 -0700 Subject: [PATCH] see #2367 removed actions Tag, Classify, Route and added options instead; added functions to class PolicyRule to check and set these options; replaced checks for those actions with calls to the functions everywhere. --- VERSION | 4 +- VERSION.h | 2 +- packaging/fwbuilder-static-qt.spec | 2 +- packaging/fwbuilder.control | 2 +- packaging/fwbuilder.spec | 2 +- src/import/IPTImporter.cpp | 14 +++- src/iptlib/MangleTableCompiler_ipt.cpp | 22 +---- src/iptlib/PolicyCompiler_PrintRule.cpp | 50 +++++++----- src/iptlib/PolicyCompiler_ipt.cpp | 50 ++++++------ src/libfwbuilder/etc/fwbuilder.dtd | 4 +- src/libfwbuilder/etc/fwbuilder.dtd.in | 2 +- .../src/fwbuilder/FWObjectDatabase_search.cpp | 25 +++--- src/libfwbuilder/src/fwbuilder/Rule.cpp | 80 +++++++++++-------- src/libfwbuilder/src/fwbuilder/Rule.h | 35 ++++---- .../src/fwcompiler/PolicyCompiler.cpp | 17 ++-- src/libgui/FWObjectPropertiesFactory.cpp | 18 ++++- src/libgui/RuleSetModel.cpp | 2 +- src/libgui/RuleSetView.cpp | 38 ++++----- src/libgui/RuleSetView.h | 3 - src/libgui/platforms.cpp | 10 +-- src/pflib/PolicyCompiler_ipfw_writers.cpp | 35 ++++---- src/pflib/PolicyCompiler_pf.cpp | 34 ++++---- src/pflib/PolicyCompiler_pf_writers.cpp | 36 +++++---- src/res/objects_init.xml | 2 +- src/res/platform/ipf.xml | 2 +- src/res/platform/ipfw.xml | 2 +- src/res/platform/iptables.xml | 6 +- src/res/platform/pf.xml | 11 ++- src/res/templates.xml | 2 +- 29 files changed, 269 insertions(+), 243 deletions(-) diff --git a/VERSION b/VERSION index 583844547..c4daec2db 100644 --- a/VERSION +++ b/VERSION 
@@ -7,13 +7,13 @@ FWB_MICRO_VERSION=1
 # build number is like "nano" version number. I am incrementing build
 # number during development cycle
 #
-BUILD_NUM="3532"
+BUILD_NUM="ma_1"
 VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"
 GENERATION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION"
 # Data format version
-FWBUILDER_XML_VERSION=18
+FWBUILDER_XML_VERSION=19
diff --git a/VERSION.h b/VERSION.h
index 8e245c358..2121c626e 100644
--- a/VERSION.h
+++ b/VERSION.h
@@ -1,2 +1,2 @@
-#define VERSION "4.2.1.3532"
+#define VERSION "4.2.1.ma_1"
 #define GENERATION "4.2"
diff --git a/packaging/fwbuilder-static-qt.spec b/packaging/fwbuilder-static-qt.spec
index 1f2ed0c7b..007d95f35 100644
--- a/packaging/fwbuilder-static-qt.spec
+++ b/packaging/fwbuilder-static-qt.spec
@@ -3,7 +3,7 @@
 %define name fwbuilder
-%define version 4.2.1.3532
+%define version 4.2.1.ma_1
 %define release 1
 %if "%_vendor" == "MandrakeSoft"
diff --git a/packaging/fwbuilder.control b/packaging/fwbuilder.control
index 84c4b72e6..b8afe1148 100644
--- a/packaging/fwbuilder.control
+++ b/packaging/fwbuilder.control
@@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
 Priority: extra
 Section: checkinstall
 Maintainer: vadim@fwbuilder.org
-Version: 4.2.1.3532-1
+Version: 4.2.1.ma_1-1
 Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
 Description: Firewall Builder GUI and policy compilers
diff --git a/packaging/fwbuilder.spec b/packaging/fwbuilder.spec
index 3f3a6cf88..b25bfa6aa 100644
--- a/packaging/fwbuilder.spec
+++ b/packaging/fwbuilder.spec
@@ -1,6 +1,6 @@
 %define name fwbuilder
-%define version 4.2.1.3532
+%define version 4.2.1.ma_1
 %define release 1
 %if "%_vendor" == "MandrakeSoft"
diff --git a/src/import/IPTImporter.cpp b/src/import/IPTImporter.cpp
index 0259066d4..2d0e93b09 100644
--- a/src/import/IPTImporter.cpp
+++ b/src/import/IPTImporter.cpp
@@ -726,7 +726,11 @@ void IPTImporter::pushPolicyRule() if (target=="QUEUE") action = PolicyRule::Pipe; - if (target=="CLASSIFY") action = PolicyRule::Classify; + if (target=="CLASSIFY") // #2367 + { + action = PolicyRule::Continue; + rule->setClassification(true); + } if (target=="LOG") { @@ -782,6 +786,7 @@ void IPTImporter::pushPolicyRule() { action = PolicyRule::Continue; rule->setLogging(true); + fwopt->setBool("use_ULOG", true); QString log_prefix = action_params["log_prefix"].c_str(); log_prefix.replace("\"", ""); @@ -790,7 +795,9 @@ void IPTImporter::pushPolicyRule() if (target=="MARK") { - action = PolicyRule::Tag; + action = PolicyRule::Continue; + rule->setTagging(true); + last_mark_rule = rule; ObjectSignature sig(error_tracker); @@ -803,7 +810,8 @@ void IPTImporter::pushPolicyRule() if (target=="ROUTE") { - action = PolicyRule::Route; + action = PolicyRule::Continue; + rule->setRouting(true); if (!action_params["route_iif"].empty()) newInterface(action_params["route_iif"]); diff --git a/src/iptlib/MangleTableCompiler_ipt.cpp b/src/iptlib/MangleTableCompiler_ipt.cpp index 3ff80ffd4..fc67f24d2 100644 --- a/src/iptlib/MangleTableCompiler_ipt.cpp +++ b/src/iptlib/MangleTableCompiler_ipt.cpp @@ -48,22 +48,6 @@ string MangleTableCompiler_ipt::myPlatformName() { return "iptables"; } int MangleTableCompiler_ipt::prolog() { return PolicyCompiler_ipt::prolog(); - - int n = 0; - - for(FWObject::iterator i=source_ruleset->begin(); - i!=source_ruleset->end(); i++) - { - PolicyRule *r = PolicyRule::cast( *i ); - if (r == NULL) continue; // skip RuleSetOptions object - FWOptions *ruleopt = r->getOptionsObject(); - if (r->isDisabled()) continue; - if (r->getAction() == PolicyRule::Tag || - r->getAction() == PolicyRule::Classify) n++; - if (r->getAction() == PolicyRule::Branch && - ruleopt->getBool("ipt_branch_in_mangle")) n++; - } - return n; } bool MangleTableCompiler_ipt::keepMangleTableRules::processNext() 
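Review bot: `fwopt->setBool("use_ULOG", true);` in the @@ -782 hunk flips a firewall-wide option from inside the import of one rule, and `_printTarget` in PolicyCompiler_PrintRule.cpp (later in this patch) rewrites every LOG target to ULOG whenever that option is set, so importing a single ULOG rule changes the logging target of every other rule in the generated script. The enclosing `if` is outside the hunk, so which target triggers this is not visible here. If that is the intended semantics, state it next to the line: `// note: use_ULOG is a firewall-level option; one ULOG rule switches all LOG rules to ULOG`. If it is not, the choice belongs with the per-rule options rather than `fwopt`.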
@@ -140,9 +124,9 @@ bool MangleTableCompiler_ipt::keepMangleTableRules::processNext() return true; } - if (rule->getAction() == PolicyRule::Tag || - rule->getAction() == PolicyRule::Route || - rule->getAction() == PolicyRule::Classify || + if (rule->getTagging() || + rule->getRouting() || + rule->getClassification() || ruleopt->getBool("put_in_mangle_table")) tmp_queue.push_back(rule); } diff --git a/src/iptlib/PolicyCompiler_PrintRule.cpp b/src/iptlib/PolicyCompiler_PrintRule.cpp index 7181a58e5..214aeb09b 100644 --- a/src/iptlib/PolicyCompiler_PrintRule.cpp +++ b/src/iptlib/PolicyCompiler_PrintRule.cpp @@ -384,39 +384,27 @@ string PolicyCompiler_ipt::PrintRule::_printTarget(PolicyRule *rule) return ostr.str(); } - // there is no ULOG for ip6tables yet - if (!ipt_comp->ipv6 && compiler->getCachedFwOpt()->getBool("use_ULOG") && - target=="LOG") target="ULOG"; - if (target==".CONTINUE") // not a real target ! return ostr.str(); - ostr << " -j " << target << " "; - - if (target=="REJECT") - ostr << _printActionOnReject(rule); - - if (target=="LOG" || target=="ULOG") - ostr << _printLogParameters(rule); - - if (target=="MARK") + if (rule->getTagging()) { -// ostr << " --set-mark " << ruleopt->getStr("tagvalue"); + ostr << " -j MARK"; ostr << " --set-mark " << rule->getTagValue(); + return ostr.str(); } - if (target=="CONNMARK") - { - ostr << ruleopt->getStr("CONNMARK_arg"); - } - - if (target=="CLASSIFY") + if (rule->getClassification()) { + ostr << " -j CLASSIFY"; ostr << " --set-class " << ruleopt->getStr("classify_str"); + return ostr.str(); } - if (target=="ROUTE") + if (rule->getRouting()) { + ostr << " -j ROUTE"; + string a; a = ruleopt->getStr("ipt_iif"); if (!a.empty()) ostr << " --iif " << a; 
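Review bot: In `_printTarget` the context check `if (target==".CONTINUE") return ostr.str();` is kept above the new `if (rule->getTagging())` / `getClassification()` / `getRouting()` blocks, so a rule whose `ipt_target` is `.CONTINUE` never reaches `-j MARK`, `-j CLASSIFY` or `-j ROUTE`; `decideOnTarget` assigns `.CONTINUE` to action Continue, which is exactly what IPTImporter now sets for MARK/CLASSIFY/ROUTE, unless some processor outside this diff overrides `ipt_target` for such rules. Moving the two `.CONTINUE` lines below the routing block (which ends in the next hunk, @@ -432) fixes the ordering. Separately, each new block ends with `return ostr.str();`, so a rule that both tags and has a printing action (e.g. Accept) silently emits only MARK; if such rules are guaranteed to be split upstream, a comment saying so at the first block would help, e.g. `// tagging/classification/routing rules carry no other target: they are split before printing`.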
@@ -432,6 +420,26 @@ string PolicyCompiler_ipt::PrintRule::_printTarget(PolicyRule *rule) c = ruleopt->getBool("ipt_tee"); if (c) ostr << " --tee"; + + return ostr.str(); + } + + + // there is no ULOG for ip6tables yet + if (!ipt_comp->ipv6 && compiler->getCachedFwOpt()->getBool("use_ULOG") && + target=="LOG") target="ULOG"; + + ostr << " -j " << target << " "; + + if (target=="REJECT") + ostr << _printActionOnReject(rule); + + if (target=="LOG" || target=="ULOG") + ostr << _printLogParameters(rule); + + if (target=="CONNMARK") + { + ostr << ruleopt->getStr("CONNMARK_arg"); } return ostr.str(); diff --git a/src/iptlib/PolicyCompiler_ipt.cpp b/src/iptlib/PolicyCompiler_ipt.cpp index 492fea66d..24cc3a919 100644 --- a/src/iptlib/PolicyCompiler_ipt.cpp +++ b/src/iptlib/PolicyCompiler_ipt.cpp @@ -628,7 +628,7 @@ bool PolicyCompiler_ipt::Route::processNext() PolicyRule *rule=getNext(); if (rule==NULL) return false; FWOptions *ruleopt =rule->getOptionsObject(); - if (rule->getAction() == PolicyRule::Route) + if (rule->getRouting()) { string iif,oif,gw; iif = ruleopt->getStr("ipt_iif"); @@ -689,9 +689,9 @@ bool PolicyCompiler_ipt::dropMangleTableRules::processNext() FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject(); if (rulesetopts->getBool("mangle_only_rule_set")) return true; - if (rule->getAction() == PolicyRule::Tag || - rule->getAction() == PolicyRule::Route || - rule->getAction() == PolicyRule::Classify) return true; + if (rule->getTagging() || + rule->getRouting() || + rule->getClassification()) return true; // Another special case (while working on #1415, although not // related directly): branching rule that has "branch in mangle table" 
@@ -1615,14 +1615,15 @@ bool PolicyCompiler_ipt::setChainPreroutingForTag::processNext() */ RuleElementItf *itf_re = rule->getItf(); assert(itf_re!=NULL); - if ( (rule->getAction() == PolicyRule::Tag || + if ( (rule->getTagging() || rule->getStr("stored_action")=="Tag") && rule->getStr("ipt_chain").empty() && (rule->getDirection()==PolicyRule::Both || rule->getDirection()==PolicyRule::Inbound) && itf_re->isAny()) -// rule->getInterfaceId()==-1 ) + { ipt_comp->setChain(rule, "PREROUTING"); + } tmp_queue.push_back(rule); @@ -1636,7 +1637,7 @@ bool PolicyCompiler_ipt::setChainPostroutingForTag::processNext() PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElementItf *itf_re = rule->getItf(); assert(itf_re!=NULL); - if ( (rule->getAction() == PolicyRule::Tag || + if ( (rule->getTagging() || rule->getStr("stored_action")=="Tag") && rule->getStr("ipt_chain").empty() && (rule->getDirection()==PolicyRule::Both || @@ -1656,7 +1657,7 @@ bool PolicyCompiler_ipt::checkForRestoreMarkInOutput::processNext() PolicyRule *rule = getNext(); if (rule==NULL) return false; FWOptions *ruleopt = rule->getOptionsObject(); - if ( (rule->getAction() == PolicyRule::Tag || + if ( (rule->getTagging() || rule->getStr("stored_action")=="Tag") && ruleopt->getBool("ipt_mark_connections") && rule->getStr("ipt_chain")=="OUTPUT") @@ -1725,7 +1726,7 @@ bool PolicyCompiler_ipt::splitIfTagAndConnmark::processNext() bool make_terminating = compiler->fw->getOptionsObject()->getBool("classify_mark_terminating"); - if (rule->getAction() == PolicyRule::Tag && + if (rule->getTagging() && ruleopt->getBool("ipt_mark_connections")) { PolicyRule *r, *r1; @@ -2182,7 +2183,7 @@ bool PolicyCompiler_ipt::splitIfSrcAny::processNext() // work with mangle table can only go into POSTROUTING chain // such as CLASSIFY if (ipt_comp->my_table=="mangle" && - rule->getAction()==PolicyRule::Classify) + rule->getClassification()) { r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); 
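Review bot: `setChainPreroutingForTag`, `setChainPostroutingForTag` and `checkForRestoreMarkInOutput` still OR in `rule->getStr("stored_action")=="Tag"`, but with `Tag` removed from `PolicyRule::Action` and from `getActionAsString`, that literal can only appear if code outside this diff still writes it into `stored_action`. Either the comparison is now dead, or it marks tagging rules that `getTagging()` would miss; which one is not visible here. A comment naming who sets `stored_action`, or dropping the comparison if nothing does, would keep the three conditions from drifting apart.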
@@ -2248,7 +2249,7 @@ bool PolicyCompiler_ipt::splitIfDstAny::processNext() // POSTROUTING chain as well because some targets that // work with mangle table can only go into POSTROUTING chain // such as CLASSIFY - if (ipt_comp->my_table=="mangle" && rule->getAction()==PolicyRule::Classify) + if (ipt_comp->my_table=="mangle" && rule->getClassification()) { r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); @@ -2269,7 +2270,7 @@ bool PolicyCompiler_ipt::splitIfSrcAnyForShadowing::processNext() PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; - if (rule->getAction() == PolicyRule::Classify) + if (rule->getClassification()) { tmp_queue.push_back(rule); return true; @@ -2302,7 +2303,7 @@ bool PolicyCompiler_ipt::splitIfDstAnyForShadowing::processNext() PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; - if (rule->getAction() == PolicyRule::Classify) + if (rule->getClassification()) { tmp_queue.push_back(rule); return true; @@ -2336,7 +2337,7 @@ bool PolicyCompiler_ipt::splitIfSrcFWNetwork::processNext() PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; - if (rule->getAction() == PolicyRule::Classify) + if (rule->getClassification()) { tmp_queue.push_back(rule); return true; @@ -2409,7 +2410,7 @@ bool PolicyCompiler_ipt::splitIfDstFWNetwork::processNext() PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; - if (rule->getAction() == PolicyRule::Classify) + if (rule->getClassification()) { tmp_queue.push_back(rule); return true; @@ -2527,7 +2528,7 @@ bool PolicyCompiler_ipt::specialCaseWithFW1::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; - if (rule->getAction() == PolicyRule::Classify) + if (rule->getClassification()) { tmp_queue.push_back(rule); return true; 
@@ -2889,8 +2890,7 @@ bool PolicyCompiler_ipt::decideOnChainIfSrcFW::processNext() PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; - if ( ! rule->getStr("ipt_chain").empty() || - rule->getAction() == PolicyRule::Classify) + if ( ! rule->getStr("ipt_chain").empty() || rule->getClassification()) { tmp_queue.push_back(rule); return true; @@ -2987,8 +2987,7 @@ bool PolicyCompiler_ipt::decideOnChainIfDstFW::processNext() PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; - if ( ! rule->getStr("ipt_chain").empty() || - rule->getAction() == PolicyRule::Classify) + if ( ! rule->getStr("ipt_chain").empty() || rule->getClassification()) { tmp_queue.push_back(rule); return true; @@ -3153,7 +3152,7 @@ bool PolicyCompiler_ipt::decideOnChainForClassify::processNext() PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; - if (rule->getAction() != PolicyRule::Classify) + if ( ! rule->getClassification()) { tmp_queue.push_back(rule); return true; 
@@ -3288,15 +3287,16 @@ bool PolicyCompiler_ipt::decideOnTarget::processNext() if ( ! rule->getStr("ipt_target").empty() ) return true; // already defined // note that we use pseudo-target for action Continue - switch (rule->getAction()) { + switch (rule->getAction()) + { case PolicyRule::Accept: rule->setStr("ipt_target", "ACCEPT"); break; case PolicyRule::Deny: rule->setStr("ipt_target", "DROP"); break; case PolicyRule::Reject: rule->setStr("ipt_target", "REJECT"); break; case PolicyRule::Return: rule->setStr("ipt_target", "RETURN"); break; - case PolicyRule::Tag: rule->setStr("ipt_target", "MARK"); break; +// case PolicyRule::Tag: rule->setStr("ipt_target", "MARK"); break; case PolicyRule::Pipe: rule->setStr("ipt_target", "QUEUE"); break; - case PolicyRule::Classify: rule->setStr("ipt_target", "CLASSIFY"); break; - case PolicyRule::Route: rule->setStr("ipt_target", "ROUTE"); break; +// case PolicyRule::Classify: rule->setStr("ipt_target", "CLASSIFY"); break; +// case PolicyRule::Route: rule->setStr("ipt_target", "ROUTE"); break; case PolicyRule::Continue: rule->setStr("ipt_target", ".CONTINUE"); break; case PolicyRule::Custom: rule->setStr("ipt_target", ".CUSTOM"); break; diff --git a/src/libfwbuilder/etc/fwbuilder.dtd b/src/libfwbuilder/etc/fwbuilder.dtd index 97bcff7b0..a7bd3e7e9 100644 --- a/src/libfwbuilder/etc/fwbuilder.dtd +++ b/src/libfwbuilder/etc/fwbuilder.dtd @@ -52,7 +52,7 @@ * --> - + @@ -79,7 +79,7 @@ diff --git a/src/libfwbuilder/etc/fwbuilder.dtd.in b/src/libfwbuilder/etc/fwbuilder.dtd.in index 4041567df..2700a85f1 100644 --- a/src/libfwbuilder/etc/fwbuilder.dtd.in +++ b/src/libfwbuilder/etc/fwbuilder.dtd.in @@ -52,7 +52,7 @@ * --> - + diff --git a/src/libfwbuilder/src/fwbuilder/FWObjectDatabase_search.cpp b/src/libfwbuilder/src/fwbuilder/FWObjectDatabase_search.cpp index 64b58ff33..0e18ed8f8 100644 --- a/src/libfwbuilder/src/fwbuilder/FWObjectDatabase_search.cpp +++ b/src/libfwbuilder/src/fwbuilder/FWObjectDatabase_search.cpp 
@@ -196,19 +196,7 @@ bool FWObjectDatabase::_findWhereObjectIsUsed(FWObject *o, PolicyRule *rule = PolicyRule::cast(p); if (rule) { - switch (rule->getAction()) - { - case PolicyRule::Tag: - { - FWObject *tagobj = rule->getTagObject(); - if (o==tagobj) - { - resset.insert(p); - res = true; - } - break; - } - case PolicyRule::Branch: + if (rule->getAction() == PolicyRule::Branch) { FWObject *ruleset = rule->getBranch(); if (o==ruleset) @@ -216,9 +204,16 @@ bool FWObjectDatabase::_findWhereObjectIsUsed(FWObject *o, resset.insert(p); res = true; } - break; } - default: ; + + if (rule->getTagging()) + { + FWObject *tagobj = rule->getTagObject(); + if (o==tagobj) + { + resset.insert(p); + res = true; + } } } diff --git a/src/libfwbuilder/src/fwbuilder/Rule.cpp b/src/libfwbuilder/src/fwbuilder/Rule.cpp index c9b0bf396..200f37129 100644 --- a/src/libfwbuilder/src/fwbuilder/Rule.cpp +++ b/src/libfwbuilder/src/fwbuilder/Rule.cpp @@ -6,9 +6,6 @@ Author: Vadim Kurland vadim@fwbuilder.org - $Id$ - - This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either 
@@ -60,14 +57,14 @@ void Rule::init(FWObjectDatabase*) { } -FWOptions* Rule::getOptionsObject() { return NULL; } -RuleSet* Rule::getBranch() { return NULL; } -void Rule::setPosition(int n) { setInt("position",n); } -int Rule::getPosition() const { return getInt("position");} -void Rule::disable() { setBool("disabled",true); } -void Rule::enable() { setBool("disabled",false);} -bool Rule::isDisabled() const { return( getBool("disabled") );} -bool Rule::isEmpty() { return false; } +FWOptions* Rule::getOptionsObject() const { return NULL; } +RuleSet* Rule::getBranch() { return NULL; } +void Rule::setPosition(int n) { setInt("position", n); } +int Rule::getPosition() const { return getInt("position"); } +void Rule::disable() { setBool("disabled",true); } +void Rule::enable() { setBool("disabled",false); } +bool Rule::isDisabled() const { return( getBool("disabled")); } +bool Rule::isEmpty() { return false; } void Rule::setBranch(RuleSet*) {}; @@ -250,12 +247,9 @@ string PolicyRule::getActionAsString(int act) case Continue: return "Continue"; case Accounting: return "Accounting"; case Modify: return "Modify"; - case Tag: return "Tag"; case Pipe: return "Pipe"; - case Classify: return "Classify"; case Custom: return "Custom"; case Branch: return "Branch"; - case Route: return "Route"; default: return "Unknown"; } return "Deny"; @@ -272,12 +266,9 @@ void PolicyRule::setAction(const string& act) if (act=="Continue") { setAction(Continue); return; } if (act=="Accounting") { setAction(Accounting); return; } if (act=="Modify") { setAction(Modify); return; } - if (act=="Tag") { setAction(Tag); return; } if (act=="Pipe") { setAction(Pipe); return; } - if (act=="Classify") { setAction(Classify); return; } if (act=="Custom") { setAction(Custom); return; } if (act=="Branch") { setAction(Branch); return; } - if (act=="Route") { setAction(Route); return; } setAction(Deny); } 
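Review bot: With the `Tag`, `Classify` and `Route` lines removed from `PolicyRule::setAction(const string&)`, those action strings now fall through to the trailing `setAction(Deny)`, so a data file written under the previous format (FWBUILDER_XML_VERSION only moves to 19 in this commit) loads a formerly non-terminating tag rule as a Deny — fail-closed, but silently, and the tag/class/route intent is lost. No migration stylesheet appears in the diffstat, so unless one exists elsewhere, map the legacy names explicitly: `if (act=="Tag") { setAction(Continue); setTagging(true); return; }` and likewise `Classify`→`setClassification(true)`, `Route`→`setRouting(true)`. If the options child may not exist yet at this point of parsing, record the flag after load instead of calling the setter here.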
@@ -402,7 +393,7 @@ xmlNodePtr PolicyRule::toXML(xmlNodePtr parent) throw(FWException)
 return me;
 }
-FWOptions* PolicyRule::getOptionsObject()
+FWOptions* PolicyRule::getOptionsObject() const
 {
 return FWOptions::cast( getFirstByType(PolicyRuleOptions::TYPENAME) );
 }
@@ -413,25 +404,17 @@ FWOptions* PolicyRule::getOptionsObject()
 */
 void PolicyRule::updateNonStandardObjectReferences()
 {
- switch (getAction())
- {
- case PolicyRule::Branch:
+ if (getAction() == PolicyRule::Branch)
 {
 RuleSet *branch_ruleset = getBranch();
 setBranch(branch_ruleset);
- setTagObject(NULL);
- break;
 }
- case PolicyRule::Tag:
+
+ if (getTagging())
 {
 FWObject *tag_object = getTagObject();
 setTagObject(tag_object);
- setBranch(NULL);
- break;
 }
- default:
- break;
- }
 }
 RuleSet* PolicyRule::getBranch()
@@ -464,6 +447,37 @@ void PolicyRule::setBranch(RuleSet* ruleset)
 getOptionsObject()->setStr("branch_id", branch_id);
 }
+bool PolicyRule::getRouting() const
+{
+ return getOptionsObject()->getBool("routing");
+}
+
+void PolicyRule::setRouting(bool f)
+{
+ getOptionsObject()->setBool("routing", f);
+}
+
+bool PolicyRule::getClassification() const
+{
+ return getOptionsObject()->getBool("classification");
+}
+
+void PolicyRule::setClassification(bool f)
+{
+ getOptionsObject()->setBool("classification", f);
+}
+
+
+bool PolicyRule::getTagging() const
+{
+ return getOptionsObject()->getBool("tagging");
+}
+
+void PolicyRule::setTagging(bool f)
+{
+ getOptionsObject()->setBool("tagging", f);
+}
+
 void PolicyRule::setTagObject(FWObject *tag_object)
 {
 string tag_id =
@@ -473,7 +487,7 @@ void PolicyRule::setTagObject(FWObject *tag_object)
 FWObject* PolicyRule::getTagObject()
 {
- if (getAction() == Tag)
+ if (getTagging())
 {
 string tagobj_id = getOptionsObject()->getStr("tagobj_id");
 if (!tagobj_id.empty())
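Review bot: `getRouting`, `getClassification` and `getTagging` (and their setters) dereference `getOptionsObject()` unconditionally, and the first hunk shows `PolicyRule::getOptionsObject()` returns whatever `FWOptions::cast(getFirstByType(...))` yields, so a PolicyRule with no options child — mid-construction, or from a malformed file — crashes on the first check instead of reading as "not set". The enum comparison these replace could not fail, and the new getters are called far more widely (shadowing check, GUI search, every compiler pass in this patch), so the exposure is new even though `setBranch` in the context line has the same pattern. Suggest `FWOptions *o = getOptionsObject(); return o != NULL && o->getBool("tagging");` in each getter, and an early return (or assertion) in the setters when `o` is NULL.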
@@ -487,7 +501,7 @@ FWObject* PolicyRule::getTagObject() string PolicyRule::getTagValue() { - if (getAction() == Tag) + if (getTagging()) { TagService *tagobj = TagService::cast(getTagObject()); if (tagobj) return tagobj->getCode(); @@ -829,7 +843,7 @@ xmlNodePtr NATRule::toXML(xmlNodePtr parent) throw(FWException) return me; } -FWOptions* NATRule::getOptionsObject() +FWOptions* NATRule::getOptionsObject() const { return FWOptions::cast( getFirstByType(NATRuleOptions::TYPENAME) ); } @@ -1052,7 +1066,7 @@ xmlNodePtr RoutingRule::toXML(xmlNodePtr parent) throw(FWException) return me; } -FWOptions* RoutingRule::getOptionsObject() +FWOptions* RoutingRule::getOptionsObject() const { return FWOptions::cast( getFirstByType(RoutingRuleOptions::TYPENAME) ); } diff --git a/src/libfwbuilder/src/fwbuilder/Rule.h b/src/libfwbuilder/src/fwbuilder/Rule.h index ab4ab5e6f..480ddf4fd 100644 --- a/src/libfwbuilder/src/fwbuilder/Rule.h +++ b/src/libfwbuilder/src/fwbuilder/Rule.h @@ -6,9 +6,6 @@ Author: Vadim Kurland vadim@fwbuilder.org - $Id$ - - This program is free software which we release under the GNU General Public License. You may redistribute and/or modify this program under the terms of that license as published by the Free Software Foundation; either @@ -116,7 +113,7 @@ class Rule : public Group virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException); - virtual FWOptions* getOptionsObject(); + virtual FWOptions* getOptionsObject() const; // find branch ruleset for policy rules with action Branch // We may support some kind of branching in NAT in the future, so @@ -176,11 +173,8 @@ class PolicyRule : public Rule Accounting, Modify, Pipe, - Tag, - Classify, Custom, - Branch, - Route} Action; + Branch} Action; typedef enum { Undefined, Inbound, 
@@ -221,7 +215,7 @@ public: DECLARE_DISPATCH_METHODS(PolicyRule); - virtual FWOptions* getOptionsObject(); + virtual FWOptions* getOptionsObject() const; virtual RuleSet* getBranch(); virtual void setBranch(RuleSet *ruleset); @@ -265,15 +259,28 @@ public: std::string getDirectionAsString() const; void setDirection(const std::string& dir); - bool getLogging() const; - void setLogging(bool flag); + bool getLogging() const; + void setLogging(bool flag); - // find TagService object for rules with action Tag + // return true if rule does tagging + bool getTagging() const; + void setTagging(bool f); + + // return true if rule does routing + bool getRouting() const; + void setRouting(bool f); + + // return true if rule does classification + bool getClassification() const; + void setClassification(bool f); + + // find TagService object for rules that do tagging FWObject* getTagObject(); std::string getTagValue(); void setTagObject(FWObject *tag_object); }; + class NATRule : public Rule { public: @@ -363,7 +370,7 @@ public: DECLARE_DISPATCH_METHODS(NATRule); - virtual FWOptions* getOptionsObject(); + virtual FWOptions* getOptionsObject() const; virtual RuleSet* getBranch(); virtual void setBranch(RuleSet *ruleset); @@ -439,7 +446,7 @@ class RoutingRule : public Rule DECLARE_DISPATCH_METHODS(RoutingRule); - virtual FWOptions* getOptionsObject(); + virtual FWOptions* getOptionsObject() const; virtual RuleSet* getBranch(); virtual bool isEmpty() const; diff --git a/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp b/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp index 6d2969d7f..3baec8459 100644 --- a/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp +++ b/src/libfwbuilder/src/fwcompiler/PolicyCompiler.cpp 
@@ -170,6 +170,14 @@ bool PolicyCompiler::checkForShadowing(PolicyRule &r1, PolicyRule &r2) if (dstrel2->getNeg()) return false; if (srvrel2->getNeg()) return false; + /* + * TODO: actually, route rule may shadow other rules if it + * translates into "final" target, that is stops processing. This + * may or may not be so, depending on the platform and combination + * of rule options. + */ + if (r1.getRouting() || r2.getRouting()) return false; + PolicyRule::Action r1_action = r1.getAction(); PolicyRule::Action r2_action = r2.getAction(); @@ -186,15 +194,6 @@ bool PolicyCompiler::checkForShadowing(PolicyRule &r1, PolicyRule &r2) if (r1_action==PolicyRule::Return || r2_action==PolicyRule::Return ) return false; - /* - * TODO: actually, route rule may shadow other rules if it - * translates into "final" target, that is stops processing. This - * may or may not be so, depending on the platform and combination - * of rule options. - */ - if (r1_action==PolicyRule::Route || - r2_action==PolicyRule::Route ) return false; - /* * the problem with branching rules is that it is combination of * the head rule and rules in the branch rather than a single rule diff --git a/src/libgui/FWObjectPropertiesFactory.cpp b/src/libgui/FWObjectPropertiesFactory.cpp index 0182fce25..ed7f426d5 100644 --- a/src/libgui/FWObjectPropertiesFactory.cpp +++ b/src/libgui/FWObjectPropertiesFactory.cpp @@ -945,6 +945,10 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule) case PolicyRule::Reject: par = ropt->getStr("action_on_reject").c_str(); break; + +/* + * TODO #2367 This should move to getPolicyRuleOptions() + * case PolicyRule::Tag: { FWObject *tag_object = PolicyRule::cast(rule)->getTagObject(); @@ -954,6 +958,8 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule) par = QString::fromUtf8(PolicyRule::cast(rule)->getTagValue().c_str()); break; } +*/ + case PolicyRule::Accounting : par = ropt->getStr("rule_name_accounting").c_str(); break; 
@@ -968,6 +974,10 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule) // ropt->getStr("branch_name").c_str(); break; } + +/* + * TODO #2367 This should move to getPolicyRuleOptions() + * case PolicyRule::Classify: if (platform=="ipfw") { @@ -986,6 +996,8 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule) par = ropt->getStr("classify_str").c_str(); } break; +*/ + case PolicyRule::Pipe : if (platform=="ipfw") { @@ -993,6 +1005,10 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule) ropt->getStr("ipfw_pipe_port_num").c_str(); } break; + +/* + * TODO #2367 This should move to getPolicyRuleOptions() + * case PolicyRule::Route : if (platform=="iptables") { @@ -1030,7 +1046,7 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(Rule *rule) if (!a.empty()) par = par + " "+ a.c_str(); } break; - +*/ default : {} } diff --git a/src/libgui/RuleSetModel.cpp b/src/libgui/RuleSetModel.cpp index d2c7ed6de..2936c6ec8 100644 --- a/src/libgui/RuleSetModel.cpp +++ b/src/libgui/RuleSetModel.cpp @@ -1315,7 +1315,7 @@ QModelIndexList RuleSetModel::findObject (FWObject* object) list.append(this->index(rule, column)); // qDebug() << "Branch column:" << column; } - } else if (pr->getAction() == PolicyRule::Tag) + } else if (pr->getTagging()) { if (pr->getTagObject() == object) { diff --git a/src/libgui/RuleSetView.cpp b/src/libgui/RuleSetView.cpp index d8c260ff8..37124b778 100644 --- a/src/libgui/RuleSetView.cpp +++ b/src/libgui/RuleSetView.cpp @@ -600,6 +600,10 @@ void RuleSetView::addColumnRelatedMenu(QMenu *menu, const QModelIndex &index, action_name, this, SLOT( changeActionToPipe() )); } + +/* + * #2367 + if (Resources::isTargetActionSupported(platform,"Tag")) { action_name = getActionNameForPlatform( 
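Review bot: Large blocks are commented out rather than deleted: the `/* TODO #2367 ... */` spans in `getRuleActionProperties` (this hunk, the @@ -945/-954 hunks before it and @@ -993/-1030 after it), the `/* #2367 ... */` block in `RuleSetView::addColumnRelatedMenu`, the `// case PolicyRule::Tag/Classify/Route` lines in `decideOnTarget`, and the `// #2367` block at the end of `PolicyCompiler_pf::PrintRule::_printAction`. In the properties factory each opening `/*` and its closing `*/` land in different hunks, so the `case` labels in between are silently swallowed by the comment, which is easy to misread; the removed text is recoverable from history anyway. Either delete them, or leave a single line in their place: `// tag/classify/route details: see getPolicyRuleOptions() (#2367)`.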
@@ -616,6 +620,17 @@ void RuleSetView::addColumnRelatedMenu(QMenu *menu, const QModelIndex &index, action_name, this, SLOT( changeActionToClassify() )); } + if (Resources::isTargetActionSupported(platform,"Route")) + { + action_name = getActionNameForPlatform( + f, PolicyRule::getActionAsString(PolicyRule::Route)); + menu->addAction( QIcon(LoadPixmap(":/Icons/Route/icon")), + action_name, + this, SLOT( changeActionToRoute() )); + } +*/ + + if (Resources::isTargetActionSupported(platform,"Custom")) { action_name = getActionNameForPlatform( @@ -632,14 +647,6 @@ void RuleSetView::addColumnRelatedMenu(QMenu *menu, const QModelIndex &index, action_name, this, SLOT( changeActionToBranch() )); } - if (Resources::isTargetActionSupported(platform,"Route")) - { - action_name = getActionNameForPlatform( - f, PolicyRule::getActionAsString(PolicyRule::Route)); - menu->addAction( QIcon(LoadPixmap(":/Icons/Route/icon")), - action_name, - this, SLOT( changeActionToRoute() )); - } if (Resources::isTargetActionSupported(platform,"Continue")) { action_name = getActionNameForPlatform( @@ -1911,26 +1918,11 @@ void RuleSetView::changeActionToPipe() changeAction( PolicyRule::Pipe ); } -void RuleSetView::changeActionToTag() -{ - changeAction( PolicyRule::Tag ); -} - -void RuleSetView::changeActionToClassify() -{ - changeAction( PolicyRule::Classify ); -} - void RuleSetView::changeActionToCustom() { changeAction( PolicyRule::Custom ); } -void RuleSetView::changeActionToRoute() -{ - changeAction( PolicyRule::Route ); -} - void RuleSetView::changeActionToContinue() { changeAction( PolicyRule::Continue ); diff --git a/src/libgui/RuleSetView.h b/src/libgui/RuleSetView.h index 00d870a15..c3093df27 100644 --- a/src/libgui/RuleSetView.h +++ b/src/libgui/RuleSetView.h 
@@ -176,11 +176,8 @@ public slots: void changeActionToReject(); void changeActionToAccounting(); void changeActionToPipe(); - void changeActionToTag(); - void changeActionToClassify(); void changeActionToCustom(); void changeActionToBranch(); - void changeActionToRoute(); void changeActionToContinue(); void changeActionToTranslate(); void changeActionToNATBranch(); diff --git a/src/libgui/platforms.cpp b/src/libgui/platforms.cpp index bfaf6f0ca..3a7579547 100644 --- a/src/libgui/platforms.cpp +++ b/src/libgui/platforms.cpp @@ -310,8 +310,9 @@ bool isDefaultPolicyRuleOptions(FWOptions *opt) if (rule!=NULL) { - PolicyRule::Action act=rule->getAction(); - if (act==PolicyRule::Accept || act==PolicyRule::Tag || act==PolicyRule::Route) + PolicyRule::Action act = rule->getAction(); + + if (act==PolicyRule::Accept) { // by default, these actions are not stateless res = res && (!opt->getBool("stateless")); @@ -320,6 +321,7 @@ bool isDefaultPolicyRuleOptions(FWOptions *opt) // other actions are stateless by default res = res && opt->getBool("stateless"); } + } // all rules are stateless for IOS ACL @@ -762,9 +764,7 @@ QString getActionNameForPlatform(Firewall *fw, const std::string &action) bool getStatelessFlagForAction(PolicyRule *rule) { PolicyRule::Action act = rule->getAction(); - if (act==PolicyRule::Accept || - act==PolicyRule::Tag || - act==PolicyRule::Route) return false; + if (act==PolicyRule::Accept) return false; else return true; } diff --git a/src/pflib/PolicyCompiler_ipfw_writers.cpp b/src/pflib/PolicyCompiler_ipfw_writers.cpp index c0bdcba86..73a1a20ba 100644 --- a/src/pflib/PolicyCompiler_ipfw_writers.cpp +++ b/src/pflib/PolicyCompiler_ipfw_writers.cpp 
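Review bot: `isDefaultPolicyRuleOptions` and `getStatelessFlagForAction` now decide the stateless default from the action alone, so rules that tag or route — which the removed code treated like Accept, i.e. stateful by default — become stateless by default once their action is Continue. The commit message does not say whether that flip is intended; if the old default should survive, `if (act==PolicyRule::Accept || rule->getTagging() || rule->getRouting())` restores it in both functions (`rule` is already dereferenced on the preceding lines of each). If the flip is intended, a one-line comment at the first site would stop the next reader from "fixing" it.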
@@ -224,24 +224,6 @@ void PolicyCompiler_ipfw::PrintRule::_printAction(PolicyRule *rule) } break; - case PolicyRule::Classify: - { - int portNum = ruleopt->getInt("ipfw_pipe_queue_num"); - switch (ruleopt->getInt("ipfw_classify_method")) - { - case DUMMYNETPIPE: - compiler->output << "pipe " << portNum << " "; - break; - case DUMMYNETQUEUE: - compiler->output << "queue " << portNum << " "; - break; - default: - compiler->output << "divert " << portNum << " "; - break; - } - } - break; - case PolicyRule::Pipe: compiler->output << "divert " << ruleopt->getInt("ipfw_pipe_port_num") << " "; break; @@ -258,6 +240,23 @@ void PolicyCompiler_ipfw::PrintRule::_printAction(PolicyRule *rule) // compiler->output << rule->getActionAsString() << " "; } + + if (rule->getClassification()) + { + int portNum = ruleopt->getInt("ipfw_pipe_queue_num"); + switch (ruleopt->getInt("ipfw_classify_method")) + { + case DUMMYNETPIPE: + compiler->output << "pipe " << portNum << " "; + break; + case DUMMYNETQUEUE: + compiler->output << "queue " << portNum << " "; + break; + default: + compiler->output << "divert " << portNum << " "; + break; + } + } } /* diff --git a/src/pflib/PolicyCompiler_pf.cpp b/src/pflib/PolicyCompiler_pf.cpp index 3c23119e9..c0a8a856b 100644 --- a/src/pflib/PolicyCompiler_pf.cpp +++ b/src/pflib/PolicyCompiler_pf.cpp @@ -426,8 +426,7 @@ bool PolicyCompiler_pf::SplitDirection::processNext() { PolicyRule *rule=getNext(); if (rule==NULL) return false; - if (rule->getDirection()==PolicyRule::Both && - rule->getAction()==PolicyRule::Route) + if (rule->getDirection()==PolicyRule::Both && rule->getRouting()) { PolicyRule *r= compiler->dbcopy->createPolicyRule(); compiler->temp_ruleset->add(r); 
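Review bot: In `PolicyCompiler_ipfw::PrintRule::_printAction` the classification text is now written after the action switch has already printed its verb, whereas the removed `case PolicyRule::Classify` printed only the `pipe`/`queue`/`divert` keyword; a classification rule whose action case prints something would now get two verbs on one line (constructed example: `allow pipe 3`), which ipfw would reject. This is only correct if classification is restricted to an action whose case prints nothing, and the cases above the hunk are not visible here. Either make the invariant explicit with a comment at the new block, `// classification rules must use an action that prints no verb (Continue); the keyword below is the verb`, or have the compiler reject classification combined with a printing action before reaching the writer.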
@@ -509,12 +508,6 @@ bool PolicyCompiler_pf::setQuickFlag::processNext()
 FWOptions *ropt = rule->getOptionsObject();
- // as of 4.2.0 build 3477 we provide checkboxes to make Tag and
- // Classify actions (PF) terminating or non-terminating on
- // per-rule basis. Old behavior: Tag was non-terminating and
- // Classify was terminating. Set options accordingly if they are
- // not set.
-
 switch (rule->getAction())
 {
 case PolicyRule::Scrub:
@@ -522,27 +515,34 @@ bool PolicyCompiler_pf::setQuickFlag::processNext()
 case PolicyRule::Branch:
 break;
- case PolicyRule::Tag:
+ default:
+ rule->setBool("quick", true);
+ break;
+ }
+
+ // as of 4.2.0 build 3477 we provide checkboxes to make Tag and
+ // Classify actions (PF) terminating or non-terminating on
+ // per-rule basis. Old behavior: Tag was non-terminating and
+ // Classify was terminating. Set options accordingly if they are
+ // not set.
+ //
+ // TODO #2367: now instead of checkboxes, user should use actions Accept
+ // or Continue
+
+ if (rule->getTagging())
 {
 string pf_tag_terminating = ropt->getStr("pf_tag_terminating");
 if (pf_tag_terminating.empty()) ropt->setBool("pf_tag_terminating", false);
 if (ropt->getBool("pf_tag_terminating")) rule->setBool("quick", true);
- break;
 }
- case PolicyRule::Classify:
+ if (rule->getClassification())
 {
 string pf_classify_terminating = ropt->getStr("pf_classify_terminating");
 if (pf_classify_terminating.empty()) ropt->setBool("pf_classify_terminating", true);
 if (ropt->getBool("pf_classify_terminating")) rule->setBool("quick", true);
- break;
- }
-
- default:
- rule->setBool("quick", true);
- break;
 }
 return true;
diff --git a/src/pflib/PolicyCompiler_pf_writers.cpp b/src/pflib/PolicyCompiler_pf_writers.cpp
index 8dab38435..40fe9e21b 100644
--- a/src/pflib/PolicyCompiler_pf_writers.cpp
+++ b/src/pflib/PolicyCompiler_pf_writers.cpp
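Review bot: After the restructuring in `setQuickFlag::processNext` the legacy option checks can only ever add `quick`, never withhold it: every action outside the `Scrub`…`Branch` list is already marked `quick` by the new `default:` branch, while a rule in that list (presumably a Continue rule, though the cases between the two hunks are not visible) that carries the classification option gets `pf_classify_terminating` defaulted to `true` and is then made terminating anyway, so a rule the user explicitly wrote as non-terminating becomes a terminating `pass ... quick`. That contradicts the `TODO #2367` comment added alongside, which says the action should now decide. If the action is meant to be authoritative, remove the two `rule->setBool("quick", true);` calls inside the option blocks (keeping the option initialisation only if other code still reads it); if the legacy checkboxes are meant to keep precedence for migrated rules, say so in the comment and clear `quick` symmetrically when `pf_tag_terminating` is false. The `switch` is cut across the `@@ -509` and `@@ -522` hunks, and `processNext` starts before the first of them.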
@@ -76,21 +76,10 @@ void PolicyCompiler_pf::PrintRule::_printAction(PolicyRule *rule)
 switch (rule->getAction())
 {
- case PolicyRule::Tag:
- {
- if (XMLTools::version_compare(version, "4.6")>=0)
- {
- compiler->output << "match ";
- }else
- {
- compiler->output << "pass ";
- }
- break;
- }
+ // case PolicyRule::Classify: #2367
+ // case PolicyRule::Route: #2367
 case PolicyRule::Accept:
- case PolicyRule::Classify:
 case PolicyRule::Accounting:
- case PolicyRule::Route:
 compiler->output << "pass ";
 break;
@@ -161,13 +150,27 @@ void PolicyCompiler_pf::PrintRule::_printAction(PolicyRule *rule)
 rule, string("Unknown action ") + rule->getActionAsString());
 }
+
+ // #2367
+ //
+ // if (rule->getTagging())
+ // {
+ // if (XMLTools::version_compare(version, "4.6")>=0)
+ // {
+ // compiler->output << "match ";
+ // }else
+ // {
+ // compiler->output << "pass ";
+ // }
+ // break;
+ // }
 }
 void PolicyCompiler_pf::PrintRule::_printRouteOptions(PolicyRule *rule)
 {
 FWOptions *ruleopt =rule->getOptionsObject();
- if (rule->getAction() == PolicyRule::Route)
+ if (rule->getRouting())
 {
 string prefix = "pf";
 if (compiler->myPlatformName()=="ipf") prefix="ipf";
@@ -336,7 +339,7 @@ void PolicyCompiler_pf::PrintRule::_printQueue(PolicyRule *rule)
 {
 FWOptions *ruleopt =rule->getOptionsObject();
- if (rule->getAction() == PolicyRule::Classify)
+ if (rule->getClassification())
 compiler->output << "queue " << ruleopt->getStr("classify_str") << " ";
 }
@@ -379,9 +382,8 @@ void PolicyCompiler_pf::PrintRule::_printUser(PolicyRule *rule)
 void PolicyCompiler_pf::PrintRule::_printTag(PolicyRule *rule)
 {
- if (rule->getAction() == PolicyRule::Tag)
+ if (rule->getTagging())
 compiler->output << "tag " << rule->getTagValue() << " ";
-// compiler->output << "tag " << ruleopt->getStr("tagvalue") << " ";
 }
 void PolicyCompiler_pf::PrintRule::_printDirection(PolicyRule *rule)
diff --git a/src/res/objects_init.xml b/src/res/objects_init.xml
index bb668299e..6e4f94df5 100644
--- a/src/res/objects_init.xml
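Review bot: The `match` keyword for tagging on PF 4.6 and later disappears from `PolicyCompiler_pf::PrintRule::_printAction` together with the `Tag` case and survives only as the commented-out block added in the `@@ -161` hunk, so a rule that now expresses tagging as an action plus the tagging option is printed with whatever that action's case emits (not visible in these hunks); if that is `pass`, PF 4.6+ configurations lose the non-terminating `match` rule the previous code generated, which is a behaviour change that deserves a line in the commit message or a regression test. Committed dead code is also the wrong place to park the decision: the block contains a bare `break;` inside an `if`, so it will not compile if someone uncomments it, and the `// case PolicyRule::Classify: #2367` placeholder lines inside the `switch` add nothing beyond the ticket reference. Prefer a single `// TODO #2367: emit "match" for rules with getTagging() on PF >= 4.6 (was the Tag action)` at the top of the switch and delete the rest. `_printAction` begins before the `@@ -76` hunk.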
+++ b/src/res/objects_init.xml @@ -1,6 +1,6 @@ - + diff --git a/src/res/platform/ipf.xml b/src/res/platform/ipf.xml index 50f4be2e3..fd2c9ab84 100644 --- a/src/res/platform/ipf.xml +++ b/src/res/platform/ipf.xml @@ -87,7 +87,7 @@ None - True + False Route RouteIPF diff --git a/src/res/platform/ipfw.xml b/src/res/platform/ipfw.xml index 0f40e1c14..d5654ef7e 100644 --- a/src/res/platform/ipfw.xml +++ b/src/res/platform/ipfw.xml @@ -70,7 +70,7 @@ PipeArgsIPFW - True + False Classify ClassifyArgsIPFW diff --git a/src/res/platform/iptables.xml b/src/res/platform/iptables.xml index 1b59a40a4..c5d2cda4e 100644 --- a/src/res/platform/iptables.xml +++ b/src/res/platform/iptables.xml @@ -71,7 +71,7 @@ AccountingStr - True + False Tag TagIptables @@ -81,7 +81,7 @@ None - True + False Classify ClassifyIptables @@ -96,7 +96,7 @@ BranchChain - True + False Routing RouteIPT diff --git a/src/res/platform/pf.xml b/src/res/platform/pf.xml index e753dedec..bebd0a1f6 100644 --- a/src/res/platform/pf.xml +++ b/src/res/platform/pf.xml @@ -65,7 +65,7 @@ None - True + False Tag TagPF @@ -75,7 +75,7 @@ None - True + False Classify ClassifyPF @@ -90,10 +90,15 @@ BranchAnchor - True + False Route RoutePF + + True + Continue + None + True Translate diff --git a/src/res/templates.xml b/src/res/templates.xml index 8899a690b..64c6af93c 100644 --- a/src/res/templates.xml +++ b/src/res/templates.xml @@ -1,6 +1,6 @@ - +