
compiler for ipfilter works with getAddressPtr()

Vadim Kurland 2008-05-19 18:15:11 +00:00
parent 5ef33f87e4
commit 678bd9fe17
4 changed files with 95 additions and 100 deletions


@ -90,9 +90,6 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address *o, bool print_netmask)
assert(atrt==NULL);
}
const InetAddr *addr = o->getAddressPtr();
InetAddr mask = *(o->getNetmaskPtr());
if (Interface::cast(o)!=NULL && Interface::cast(o)->isDyn())
{
if (options->getBool("dynAddr"))
@ -103,50 +100,67 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address *o, bool print_netmask)
return;
}
if (Interface::cast(o)!=NULL && ! Interface::cast(o)->isDyn())
mask = InetAddr(InetAddr::getAllOnes());
if (o->dimension()==1)
mask = InetAddr(InetAddr::getAllOnes());
if (addr->isAny() && mask.isAny())
{
compiler->output << "any ";
} else
const InetAddr *addr = o->getAddressPtr();
if (addr)
{
InetAddr mask = *(o->getNetmaskPtr());
compiler->output << addr->toString();
if (Interface::cast(o)!=NULL && ! Interface::cast(o)->isDyn())
mask = InetAddr(InetAddr::getAllOnes());
if (print_netmask)
compiler->output << "/" << mask.getLength();
compiler->output << " ";
}
if (o->dimension()==1)
mask = InetAddr(InetAddr::getAllOnes());
if (addr->isAny() && mask.isAny())
{
compiler->output << "any ";
} else
{
compiler->output << addr->toString();
if (print_netmask)
compiler->output << "/" << mask.getLength();
compiler->output << " ";
}
}
}
void NATCompiler_ipf::PrintRule::_printAddr_R(Address *o, bool print_netmask)
{
const InetAddr *addr = o->getAddressPtr();
InetAddr mask = *(o->getNetmaskPtr)();
if (Interface::cast(o) != NULL)
mask = InetAddr(InetAddr::getAllOnes());
if (o->dimension()==1)
mask = InetAddr(InetAddr::getAllOnes());
if (addr->isAny() && print_netmask && mask.isHostMask())
// check for the case when dynamic interface is used in TSrc (or when
// interface in TSrc just has no IP address )
if (Interface::cast(o) != NULL && (addr==NULL || addr->isAny()))
{
compiler->output << "0/32 ";
} else
return;
}
if (addr)
{
compiler->output << addr->toString();
if (print_netmask)
compiler->output << "/" << mask.getLength();
compiler->output << " ";
InetAddr mask = *(o->getNetmaskPtr)();
if (Interface::cast(o) != NULL)
mask = InetAddr(InetAddr::getAllOnes());
if (o->dimension()==1)
mask = InetAddr(InetAddr::getAllOnes());
if (addr->isAny() && print_netmask && mask.isHostMask())
{
compiler->output << "0/32 ";
} else
{
compiler->output << addr->toString();
if (print_netmask)
compiler->output << "/" << mask.getLength();
compiler->output << " ";
}
}
}
void NATCompiler_ipf::PrintRule::_printAddr_R_LB(RuleElementTDst *tdst)
{
bool first=true;
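Review bot: When `getAddressPtr()` returns NULL, the nested `if (addr)` block in `_printAddr_L` (read here as the new side) is skipped with no `else`, so the NAT rule is written with its address token missing instead of the compile stopping; `_printAddr_R` has the same gap for any object that is not an Interface. A silently malformed ipf rule is harder to notice than a compiler error, so each `if (addr)` should get an `else` that fails the compile through the compiler's error-reporting call, which is not visible in this section. Inside the block `*(o->getNetmaskPtr())` is still dereferenced unchecked; if that pointer can be NULL for the same objects (an inference), read it into a local first, `const InetAddr *nm = o->getNetmaskPtr();`, and test it before use. `_printAddr_L` starts above the first hunk, so any earlier guard is not visible here.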


@ -267,9 +267,6 @@ void PolicyCompiler_ipf::PrintRule::_printAddr(Address *o,bool neg)
assert(atrt==NULL);
}
const InetAddr *addr = o->getAddressPtr();
InetAddr mask = *(o->getNetmaskPtr());
if (options->getBool("dynAddr") &&
Interface::cast(o)!=NULL && Interface::cast(o)->isDyn())
{
@ -278,26 +275,36 @@ void PolicyCompiler_ipf::PrintRule::_printAddr(Address *o,bool neg)
return;
}
if (Interface::cast(o)!=NULL) {
mask = InetAddr(InetAddr::getAllOnes());
}
if (o->dimension()==1)
const InetAddr *addr = o->getAddressPtr();
if (Interface::cast(o)!=NULL && addr==NULL)
{
mask = InetAddr(InetAddr::getAllOnes());
compiler->output << "<thishost> ";
}
if (addr->isAny() && mask.isAny())
if (addr)
{
compiler->output << "any ";
} else {
if (neg) compiler->output << "! ";
compiler->output << addr->toString();
if (!mask.isHostMask())
InetAddr mask = *(o->getNetmaskPtr());
if (Interface::cast(o)!=NULL) {
mask = InetAddr(InetAddr::getAllOnes());
}
if (o->dimension()==1)
{
compiler->output << "/" << mask.getLength();
}
compiler->output << " ";
mask = InetAddr(InetAddr::getAllOnes());
}
if (addr->isAny() && mask.isAny())
{
compiler->output << "any ";
} else {
if (neg) compiler->output << "! ";
compiler->output << addr->toString();
if (!mask.isHostMask())
{
compiler->output << "/" << mask.getLength();
}
compiler->output << " ";
}
}
}
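Review bot: The `<thishost>` branch for an Interface with no address writes its token without consulting `neg`, while the `if (addr)` branch below it emits `! ` first; a negated rule element that lands here would be compiled in its positive form, which flips what the generated filter rule matches. Suggest `if (neg) compiler->output << "! ";` ahead of `compiler->output << "<thishost> ";`, or failing the compile there if ipf does not accept negation of `<thishost>`. A non-Interface object whose address pointer is NULL still prints nothing at all and deserves an explicit error too. The function begins above the first hunk, so whether a negated element can actually reach this path is not visible here.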


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="5" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="6" id="root">
<Library color="#FFFFFF" comment="" id="id40D07E7A" name="LAX" ro="True">
<ObjectGroup id="id40D07E7B" name="Objects">
<ObjectGroup id="id40D07E7B_og_ats_1" name="Address Tables"/>
@ -20,13 +20,8 @@
<ObjectGroup id="id4386560318752" name="DNS Names"/>
</ObjectGroup>
<ServiceGroup id="id40D07E81" name="Services">
<ServiceGroup id="id40D07E81_og_tag_1" name="TagServices"/>
<ServiceGroup id="id40D07E82" name="Groups"/>
<ServiceGroup id="id40D07E83" name="ICMP"/>
<ServiceGroup id="id40D07E84" name="IP"/>
<ServiceGroup id="id40D07E85" name="TCP"/>
<ServiceGroup id="id40D07E86" name="UDP"/>
<ServiceGroup id="id40D07E87" name="Custom"/>
<ServiceGroup id="id40D07E81_og_tag_1" name="TagServices"/><ServiceGroup id="id40D07E82" name="Groups"/><ServiceGroup id="id40D07E83" name="ICMP"/><ServiceGroup id="id40D07E84" name="IP"/><ServiceGroup id="id40D07E85" name="TCP"/><ServiceGroup id="id40D07E86" name="UDP"/><ServiceGroup id="id40D07E87" name="Custom"/>
<ServiceGroup id="id40D07E81_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="id40D07E88" name="Firewalls"/>
<IntervalGroup id="id40D07E89" name="Time"/>
@ -47,13 +42,8 @@
<ObjectGroup id="id4386560418752" name="DNS Names"/>
</ObjectGroup>
<ServiceGroup id="id40E233FA" name="Services">
<ServiceGroup id="id40E233FA_og_tag_1" name="TagServices"/>
<ServiceGroup id="id40E233FB" name="Groups"/>
<ServiceGroup id="id40E233FC" name="ICMP"/>
<ServiceGroup id="id40E233FD" name="IP"/>
<ServiceGroup id="id40E233FE" name="TCP"/>
<ServiceGroup id="id40E233FF" name="UDP"/>
<ServiceGroup id="id40E23400" name="Custom"/>
<ServiceGroup id="id40E233FA_og_tag_1" name="TagServices"/><ServiceGroup id="id40E233FB" name="Groups"/><ServiceGroup id="id40E233FC" name="ICMP"/><ServiceGroup id="id40E233FD" name="IP"/><ServiceGroup id="id40E233FE" name="TCP"/><ServiceGroup id="id40E233FF" name="UDP"/><ServiceGroup id="id40E23400" name="Custom"/>
<ServiceGroup id="id40E233FA_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="id40E23401" name="Firewalls"/>
<IntervalGroup id="id40E23402" name="Time"/>
@ -587,8 +577,7 @@
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05_1" name="Services">
<ServiceGroup id="stdid05_1_og_tag_1" name="TagServices"/>
<ServiceGroup id="stdid10_1" name="Groups">
<ServiceGroup id="stdid05_1_og_tag_1" name="TagServices"/><ServiceGroup id="stdid10_1" name="Groups">
<ServiceGroup id="id3B457567" name="svcgroup1">
<ServiceRef ref="id3B457561"/>
<ServiceRef ref="ip-IPSEC"/>
@ -641,31 +630,27 @@
<ServiceRef ref="id3B4FED69"/>
<ServiceRef ref="id3AECF776"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07_1" name="ICMP">
</ServiceGroup><ServiceGroup id="stdid07_1" name="ICMP">
<ICMPService code="-1" comment="" id="id3C1A5D46" name="any ICMP" type="-1"/>
</ServiceGroup>
<ServiceGroup id="stdid06_1" name="IP">
</ServiceGroup><ServiceGroup id="stdid06_1" name="IP">
<IPService comment="" fragm="False" id="id3B457561" lsrr="False" name="ICMP" protocol_num="1" rr="False" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="" fragm="False" id="id3B6659A5" lsrr="False" name="TS" protocol_num="0" rr="False" short_fragm="False" ssrr="False" ts="True"/>
</ServiceGroup>
<ServiceGroup id="stdid09_1" name="TCP">
</ServiceGroup><ServiceGroup id="stdid09_1" name="TCP">
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="70" dst_range_start="70" fin_flag="False" fin_flag_mask="False" id="id3C1A66EF" name="gopher" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="6667" dst_range_start="6667" fin_flag="False" fin_flag_mask="False" id="tcp-IRC" name="irc" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B5009F7" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="port range" dst_range_end="11000" dst_range_start="10000" fin_flag="False" fin_flag_mask="False" id="id3B20468D" name="test-TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="True" ack_flag_mask="True" comment="" dst_range_end="0" dst_range_start="0" fin_flag="True" fin_flag_mask="True" id="id3B58E3F1" name="xmas-tree" psh_flag="False" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" src_range_end="0" src_range_start="0" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True"/>
</ServiceGroup>
<ServiceGroup id="stdid08_1" name="UDP">
</ServiceGroup><ServiceGroup id="stdid08_1" name="UDP">
<UDPService comment="" dst_range_end="500" dst_range_start="500" id="id3DEA6281" name="ISAKMP" src_range_end="0" src_range_start="0"/>
</ServiceGroup>
<ServiceGroup id="stdid13_1" name="Custom">
</ServiceGroup><ServiceGroup id="stdid13_1" name="Custom">
<CustomService comment="Talk support" id="id3B64FE22" name="talk">
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="iptables">-m ip_conntrack_talk -m ip_nat_talk</CustomServiceCommand>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid05_1_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls">
<Firewall comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" host_OS="freebsd" id="fw-firewall2" inactive="False" lastCompiled="1172982686" lastInstalled="0" lastModified="1156049375" name="firewall" platform="ipf" ro="False" version="">
@ -5842,13 +5827,8 @@
<ObjectGroup id="id4386560918752" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id4386560A18752" name="Services">
<ServiceGroup id="id4386560A18752_og_tag_1" name="TagServices"/>
<ServiceGroup id="id4386560B18752" name="Groups"/>
<ServiceGroup id="id4386560C18752" name="ICMP"/>
<ServiceGroup id="id4386560D18752" name="IP"/>
<ServiceGroup id="id4386560E18752" name="TCP"/>
<ServiceGroup id="id4386560F18752" name="UDP"/>
<ServiceGroup id="id4386561018752" name="Custom"/>
<ServiceGroup id="id4386560A18752_og_tag_1" name="TagServices"/><ServiceGroup id="id4386560B18752" name="Groups"/><ServiceGroup id="id4386560C18752" name="ICMP"/><ServiceGroup id="id4386560D18752" name="IP"/><ServiceGroup id="id4386560E18752" name="TCP"/><ServiceGroup id="id4386560F18752" name="UDP"/><ServiceGroup id="id4386561018752" name="Custom"/>
<ServiceGroup id="id4386560A18752_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="id4386561118752" name="Firewalls"/>
<IntervalGroup id="id4386561218752" name="Time"/>
@ -5867,13 +5847,8 @@
<ObjectGroup id="id4387B43F18346" name="Address Ranges"/>
</ObjectGroup>
<ServiceGroup id="id4387B44018346" name="Services">
<ServiceGroup id="id4387B44018346_og_tag_1" name="TagServices"/>
<ServiceGroup id="id4387B44118346" name="Groups"/>
<ServiceGroup id="id4387B44218346" name="ICMP"/>
<ServiceGroup id="id4387B44318346" name="IP"/>
<ServiceGroup id="id4387B44418346" name="TCP"/>
<ServiceGroup id="id4387B44518346" name="UDP"/>
<ServiceGroup id="id4387B44618346" name="Custom"/>
<ServiceGroup id="id4387B44018346_og_tag_1" name="TagServices"/><ServiceGroup id="id4387B44118346" name="Groups"/><ServiceGroup id="id4387B44218346" name="ICMP"/><ServiceGroup id="id4387B44318346" name="IP"/><ServiceGroup id="id4387B44418346" name="TCP"/><ServiceGroup id="id4387B44518346" name="UDP"/><ServiceGroup id="id4387B44618346" name="Custom"/>
<ServiceGroup id="id4387B44018346_userservices" name="User"/>
</ServiceGroup>
<ObjectGroup id="id4387B44718346" name="Firewalls"/>
<IntervalGroup id="id4387B44818346" name="Time"/>
@ -5885,8 +5860,7 @@
<IPService comment="'Short' fragments" fragm="False" id="ip-IP_Fragments" lsrr="False" name="ip_fragments" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False"/>
<IPService comment="Route recording packets" fragm="False" id="ip-RR" lsrr="False" name="RR" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False"/>
<IPService comment="All sorts of Source Routing Packets" fragm="False" id="ip-SRR" lsrr="True" name="SRR" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09" name="TCP">
</ServiceGroup><ServiceGroup id="stdid09" name="TCP">
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="113" dst_range_start="113" fin_flag="False" fin_flag_mask="False" id="tcp-Auth" name="auth" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="53" dst_range_start="53" fin_flag="False" fin_flag_mask="False" id="tcp-DNS_zone_transf" name="dns-tcp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="21" dst_range_start="21" fin_flag="False" fin_flag_mask="False" id="tcp-FTP" name="ftp" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
@ -5924,27 +5898,25 @@
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="3128" dst_range_start="3128" fin_flag="False" fin_flag_mask="False" id="id3B4FF09A" name="squid" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="1720" dst_range_start="1720" fin_flag="False" fin_flag_mask="False" id="id3AEDBEAC" name="H323" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
<TCPService ack_flag="False" ack_flag_mask="False" comment="" dst_range_end="0" dst_range_start="0" fin_flag="False" fin_flag_mask="False" id="tcp-All_TCP" name="All TCP" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" src_range_end="0" src_range_start="0" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP">
</ServiceGroup><ServiceGroup id="stdid08" name="UDP">
<UDPService comment="" dst_range_end="53" dst_range_start="53" id="udp-DNS" name="domain" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="161" dst_range_start="161" id="udp-SNMP" name="snmp" src_range_end="0" src_range_start="0"/>
<UDPService comment="" dst_range_end="68" dst_range_start="68" id="udp-bootpc" name="bootpc" src_range_end="0" src_range_start="0"/>
</ServiceGroup>
<ServiceGroup id="stdid10" name="Groups">
</ServiceGroup><ServiceGroup id="stdid10" name="Groups">
<ServiceGroup comment="" id="sg-Useful_ICMP" name="Useful_ICMP">
<ServiceRef ref="icmp-Time_exceeded"/>
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP">
</ServiceGroup><ServiceGroup id="stdid07" name="ICMP">
<ICMPService code="0" comment="" id="icmp-ping_request" name="ping request" type="8"/>
<ICMPService code="-1" comment="" id="icmp-Unreachables" name="all ICMP unreachables" type="3"/>
<ICMPService code="0" comment="ICMP messages of this type are needed for traceroute" id="icmp-Time_exceeded" name="time exceeded" type="11"/>
<ICMPService code="1" comment="" id="icmp-Time_exceeded_in_transit" name="time exceeded in transit" type="11"/>
<ICMPService code="0" comment="" id="icmp-ping_reply" name="ping reply" type="0"/>
</ServiceGroup>
<ServiceGroup id="stdid05_userservices" name="User"/>
</ServiceGroup>
<AnyNetwork comment="Any Network" id="sysid0" name="Any" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyInterval comment="Any Interval" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" id="sysid2" name="Any" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1"/>


@ -8,6 +8,8 @@ while (<>) {
while ( $str=~ /<Firewall / ) {
$str=~ /<Firewall [^>]+name="([^"]*).*$"/;
$fw=$1;
printf "\n";
printf "echo '******* $fw'\n";
printf "fwb_ipf -v -f $XMLFILE $fw\n";
$str=~ s/^.*<Firewall [^>]+name="$fw"[^>]+>//;
}