fixed bug (no number) introduced when I was working on #2667.
Setting the broadcast address of a network object with netmask /31
to 255.255.255.255 broke the rule shadowing algorithm.
This commit is contained in:
Vadim Kurland 2011-11-16 10:47:21 -08:00
parent edb126f3e3
commit 734069f16f
10 changed files with 537 additions and 11 deletions


@ -1,3 +1,10 @@
2011-11-16 Vadim Kurland <vadim@netcitadel.com>
* InetAddrMask.cpp (InetAddrMask::setNetworkAndBroadcastAddress):
fixed bug (no number) introduced when I was working on #2670.
Setting broadcast address in the network object with netmask /31
to 255.255.255.255 broke rule shadowing algorithm.
2011-11-10 Vadim Kurland <vadim@netcitadel.com>
* configlets/linux24/check_utilities: fixes #2664 Update error


@ -53,10 +53,13 @@ void InetAddrMask::setNetworkAndBroadcastAddress()
{
*network_address = *address;
*broadcast_address = InetAddr(32);
*last_host = *address;
if (netmask->getLength() == 31) *last_host = *last_host + 1;
} else
{
*network_address = *address & *netmask;
*broadcast_address = *address | (~(*netmask));
*last_host = *broadcast_address;
}
}
@ -70,6 +73,7 @@ InetAddrMask::InetAddrMask(bool)
netmask = NULL;
broadcast_address = NULL;
network_address = NULL;
last_host = NULL;
}
InetAddrMask::InetAddrMask()
@ -78,6 +82,7 @@ InetAddrMask::InetAddrMask()
netmask = new InetAddr();
broadcast_address = new InetAddr();
network_address = new InetAddr();
last_host = new InetAddr();
}
InetAddrMask::InetAddrMask(const InetAddr &a, const InetAddr &n)
@ -86,6 +91,7 @@ InetAddrMask::InetAddrMask(const InetAddr &a, const InetAddr &n)
netmask = new InetAddr(n);
broadcast_address = new InetAddr();
network_address = new InetAddr();
last_host = new InetAddr();
setNetworkAndBroadcastAddress();
}
@ -95,6 +101,7 @@ InetAddrMask::InetAddrMask(const InetAddrMask& other)
netmask = new InetAddr(*(other.netmask));
broadcast_address = new InetAddr();
network_address = new InetAddr();
last_host = new InetAddr();
setNetworkAndBroadcastAddress();
}
@ -104,6 +111,7 @@ InetAddrMask::InetAddrMask(const string &s) throw(FWException)
netmask = new InetAddr();
broadcast_address = new InetAddr();
network_address = new InetAddr();
last_host = new InetAddr();
if(s.find_first_not_of(".1234567890/")!=string::npos)
{
@ -142,6 +150,7 @@ InetAddrMask::~InetAddrMask()
if (netmask!=NULL) delete netmask;
if (network_address!=NULL) delete network_address;
if (broadcast_address!=NULL) delete broadcast_address;
if (last_host!=NULL) delete last_host;
}
bool InetAddrMask::isAny()
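Review bot: The /31 range computed in the first branch of setNetworkAndBroadcastAddress is derived from the unmasked address (`*network_address = *address;` then `*last_host = *last_host + 1;`), so a Network object stored as 192.168.11.11/31 yields the pair .11–.12 rather than .10–.11, and because getFirstHostPtr returns network_address the shadowing comparison would use that wrong pair. The enclosing `if` condition is above the hunk, so this assumes the branch is the one taken for /31 (the `getLength() == 31` test inside it suggests it is). Suggest masking before stepping: `*network_address = *address & *netmask;` and `*last_host = *network_address; if (netmask->getLength() == 31) *last_host = *last_host + 1;` — for /32 the mask is all ones so that case is unchanged, provided nothing relies on network_address equalling the raw address for host objects. A one-line comment on `*broadcast_address = InetAddr(32);` saying that this is presumably 255.255.255.255 on purpose (a /31 has no broadcast, so shadowing must use last_host) would spare the next reader the archaeology this commit message describes.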


@ -74,6 +74,7 @@ protected:
InetAddr* netmask;
InetAddr* broadcast_address;
InetAddr* network_address;
InetAddr* last_host;
explicit InetAddrMask(bool no_address);
@ -94,6 +95,11 @@ public:
virtual const InetAddr* getBroadcastAddressPtr() const {
return broadcast_address; }
const InetAddr* getFirstHostPtr() const {
return network_address;}
const InetAddr* getLastHostPtr() const{
return last_host;}
virtual void setAddress(const InetAddr &a);
virtual void setNetmask(const InetAddr &nm);
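Review bot: The new accessors getFirstHostPtr and getLastHostPtr carry no documentation, and their semantics are not obvious: getFirstHostPtr returns network_address (for an ordinary network that is the .0 address, not the first usable host), and last_host is the value that differs from broadcast_address only for the /31 case handled in InetAddrMask.cpp. Suggest `// First/last address of the range this object covers; unlike getBroadcastAddressPtr(), last_host is meaningful for /31 networks, where no broadcast exists.` above the pair. They are also the only non-virtual accessors among virtual neighbours; if that is deliberate (they are not meant to be overridden by subclasses), a note saying so would stop someone "fixing" it later.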


@ -116,3 +116,16 @@ void Network::setAddressNetmask(const std::string& s)
inet_addr_mask = new InetAddrMask(s);
}
const InetAddr* Network::getFirstHostPtr() const
{
const InetAddrMask *inet_addr_mask = getInetAddrMaskObjectPtr();
if (inet_addr_mask) return inet_addr_mask->getFirstHostPtr();
return NULL;
}
const InetAddr* Network::getLastHostPtr() const
{
const InetAddrMask *inet_addr_mask = getInetAddrMaskObjectPtr();
if (inet_addr_mask) return inet_addr_mask->getLastHostPtr();
return NULL;
}
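Review bot: Both new Network accessors return NULL when getInetAddrMaskObjectPtr() is NULL, which is a contract callers must know about before dereferencing, yet neither function documents it. Suggest a shared comment above getFirstHostPtr: `// Return the first/last address covered by this network, or NULL if the object has no address/netmask set yet.` The callers added in Compiler::checkForShadowing in this same commit store the result without a check, so whether a NULL can actually reach them is worth confirming.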


@ -63,6 +63,9 @@ public:
virtual const Address* getAddressObject() const { return this; }
const InetAddr* getFirstHostPtr() const;
const InetAddr* getLastHostPtr() const;
virtual void setAddress(const InetAddr &a);
virtual void setNetmask(const InetAddr &nm);
virtual void setAddressNetmask(const std::string& s);


@ -504,7 +504,7 @@ bool Compiler::checkForShadowing(const Address &o1,const Address &o2)
bool res = (o1_pa->getPhysAddress()==o2_pa->getPhysAddress());
RETURN(res);
}
const InetAddr *o1b;
const InetAddr *o1e;
const InetAddr *o2b;
@ -518,8 +518,8 @@ bool Compiler::checkForShadowing(const Address &o1,const Address &o2)
{
if (Network::isA(&o1))
{
o1b = o1.getAddressPtr();
o1e = o1.getBroadcastAddressPtr();
o1b = static_cast<const Network*>(&o1)->getFirstHostPtr();
o1e = static_cast<const Network*>(&o1)->getLastHostPtr();
} else
{
o1b = o1.getAddressPtr();
@ -535,8 +535,8 @@ bool Compiler::checkForShadowing(const Address &o1,const Address &o2)
{
if (Network::isA(&o2))
{
o2b = o2.getAddressPtr();
o2e = o2.getBroadcastAddressPtr();
o2b = static_cast<const Network*>(&o2)->getFirstHostPtr();
o2e = static_cast<const Network*>(&o2)->getLastHostPtr();
} else
{
o2b = o2.getAddressPtr();
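Review bot: The pointers taken from Network::getFirstHostPtr()/getLastHostPtr() can be NULL (Network.cpp returns NULL when the object has no InetAddrMask), and the new assignments store them without a check; how o1b/o1e/o2b/o2e are consumed lies outside the hunk, so whether the previous getAddressPtr()/getBroadcastAddressPtr() path had the same exposure is not visible here, but a shadowing check that silently compares through a bad pointer is worth a guard or at least an assert. The o1 and o2 branches are now identical apart from the object, so a small helper such as `static void addressRange(const Address &a, const InetAddr *&b, const InetAddr *&e)` would keep the two in step the next time the range logic changes (this commit already had to edit both). checkForShadowing starts before and continues after the hunk.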


@ -4,13 +4,13 @@
#
# Firewall Builder fwb_ipt v5.0.1.3585
#
# Generated Thu Nov 10 11:58:48 2011 PST by vadim
# Generated Wed Nov 16 10:13:00 2011 PST by vadim
#
# files: * firewall95.fw /etc/fw/firewall95.fw
#
# Compiled for iptables 1.3.0
#
# testing rules that use address ranges that include or not include fw
# firewall has intrface with netmask /31
@ -393,7 +393,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu Nov 10 11:58:48 2011 by vadim"
log "Activating firewall script generated Wed Nov 16 10:13:00 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="22" lastModified="1320805960" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="22" lastModified="1321469139" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -4756,6 +4756,118 @@
<InterfaceOptions/>
</Interface>
<IPv6 id="id101907X15152" name="firewall95:eth0:ip6" comment="" ro="False" address="fe80::20c:29ff:fe28:c078" netmask="64"/>
<Firewall id="id211140X25212" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1321462676" platform="iptables" version="1.3.0" name="firewall96" comment="firewall has interface with netmask /31" ro="False">
<NAT id="id211187X25212" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
<Policy id="id211153X25212" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id211155X25212" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="address 192.168.1.11 should not be considered a broadcast on the subnet attached to eth0">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id102617X15152"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C86E6E</Option>
<Option name="pf_classify_str"></Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id211184X25212" name="Policy_v6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="False">
<RuleSetOptions>
<Option name="mangle_only_rule_set">False</Option>
</RuleSetOptions>
</Policy>
<Routing id="id211190X25212" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id211148X25212" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id211151X25212" name="firewall96:eth0:ip" comment="/31 netmask" ro="False" address="192.168.1.10" netmask="255.255.255.254"/>
<InterfaceOptions/>
</Interface>
<Interface id="id211280X25212" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="ppp0" comment="" ro="False">
<IPv4 id="id211314X25212" name="firewall96:ppp0:ip" comment="" ro="False" address="10.1.1.10" netmask="255.255.255.254"/>
<InterfaceOptions>
<Option name="type">ethernet</Option>
</InterfaceOptions>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="clear_unknown_interfaces">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_bonding_interfaces">False</Option>
<Option name="configure_bridge_interfaces">False</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir"></Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">False</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A</Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="output_file"></Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_m_set">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1_clusters" name="Clusters" comment="" ro="False"/>
@ -4811,6 +4923,8 @@
<IPv4 id="id58601X22302" name="Address" comment="comment&#10;foo&#10;bar&#10;" ro="False" address="192.0.2.100" netmask="0.0.0.0"/>
<IPv4 id="id1880621X8221" name="addr-222.222.222.40" comment="" ro="False" address="222.222.222.40" netmask="0.0.0.0"/>
<IPv4 id="id102617X15152" name="a-192.168.1.11" comment="" ro="False" address="192.168.1.11" netmask="0.0.0.0"/>
<IPv4 id="id103971X10701" name="addr-24.56.78.90" comment="" ro="False" address="24.56.78.90" netmask="0.0.0.0"/>
<IPv4 id="id103974X10701" name="addr-192.168.11.11" comment="" ro="False" address="192.168.11.11" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="stdid04_1" name="Groups" comment="" ro="False">
<ObjectGroup id="id3B4572AF" name="group1" comment="" ro="False">
@ -5739,6 +5853,8 @@
<Network id="id55251X40565" name="lan_192.168.111" comment="" ro="False" address="192.168.111.0" netmask="255.255.255.0"/>
<Network id="id55271X40565" name="lan_192.168.211" comment="" ro="False" address="192.168.211.0" netmask="255.255.255.0"/>
<Network id="id55291X40565" name="lan_192.168.212" comment="" ro="False" address="192.168.212.0" netmask="255.255.255.0"/>
<Network id="id103983X10701" name="net-192.168.11.10/31" comment="" ro="False" address="192.168.11.10" netmask="255.255.255.254"/>
<Network id="id104090X10701" name="net-192.168.11.0" comment="" ro="False" address="192.168.11.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="stdid15_1" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3CD8769F" name="test_range_1" comment="" ro="False" start_address="192.168.1.11" end_address="192.168.1.15"/>
@ -56086,7 +56202,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id54445X20318" host_OS="linux24" inactive="False" lastCompiled="1272404602" lastInstalled="0" lastModified="1272387229" platform="iptables" version="" name="test-shadowing-3" comment="testing shadowing detection&#10;compiler runs with -xt flag&#10;testing shadowing when rules have non-default options" ro="False">
<Firewall id="id54445X20318" host_OS="linux24" inactive="False" lastCompiled="1272404602" lastInstalled="0" lastModified="1321469200" platform="iptables" version="" name="test-shadowing-3" comment="testing shadowing detection&#10;compiler runs with -xt flag&#10;testing shadowing when rules have non-default options" ro="False">
<NAT id="id54554X20318" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -56674,6 +56790,137 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id103984X10701" name="Policy_6" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id104030X10701" disabled="False" group="" log="False" position="0" action="Deny" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id104090X10701"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id104050X10701" disabled="False" group="" log="False" position="1" action="Deny" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id103983X10701"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id104117X10701" name="Policy_7" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id104175X10701" disabled="False" group="" log="False" position="0" action="Deny" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id103983X10701"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id104203X10701" disabled="False" group="" log="False" position="1" action="Deny" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id103974X10701"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions>
<Option name="mangle_only_rule_set">False</Option>
</RuleSetOptions>
</Policy>
<Policy id="id104272X10701" name="Policy_8" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id104310X10701" disabled="False" group="" log="False" position="0" action="Deny" direction="Inbound" comment="even though this is a trivial case,&#10;I had a bug with handling networks with netmask /31 that broke it">
<Src neg="False">
<ObjectRef ref="id103971X10701"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id104298X10701" disabled="False" group="" log="False" position="1" action="Deny" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="id3CEBFCAE"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id54556X20318" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
@ -65204,7 +65451,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id101894X15152" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1320806245" platform="iptables" version="1.3.0" name="firewall95" comment="testing rules that use address ranges that include or not include fw" ro="False">
<Firewall id="id101894X15152" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1321462732" platform="iptables" version="1.3.0" name="firewall95" comment="firewall has intrface with netmask /31&#10;" ro="False">
<NAT id="id102533X15152" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
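Review bot: The new /31 regression fixture net-192.168.11.10/31 uses the even, boundary-aligned address, so Policy_6 and Policy_7 only exercise the half of the /31 handling that works regardless of masking; a sibling object such as `<Network name="net-192.168.11.11/31" address="192.168.11.11" netmask="255.255.255.254"/>` placed second to net-192.168.11.0 in the same rule sets would also cover the odd address. The firewall96 fixture has `check_shading` set to False, so it does not contribute to the shadowing test at all; if that is intended (it tests the broadcast question in the rule comment instead), the firewall comment could say so. The firewall95 comment also carries the typo `intrface`.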

234
test/ipt/rc.firewall.local Executable file

@ -0,0 +1,234 @@
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v5.0.1.3585
#
# Generated Wed Nov 16 10:13:40 2011 PST by vadim
#
# files: * rc.firewall.local /etc/rc.d//rc.firewall.local
#
# Compiled for iptables (any version)
#
# Endian firewall appliance, 2 interfaces:
# br0 is GREEN
# eth1 is RED
# Do not forget to change IP addresses to
# match your firewall.
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"
log() {
echo "$1"
which "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}
check_file() {
test -r "$2" || {
echo "Can not find file $2 referenced by AddressTable object $1"
exit 1
}
}
getInterfaceVarName() {
echo $1 | sed 's/\./_/'
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
$IP link show | grep ": $NAME" | while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
find_program() {
PGM=$1
which $PGM >/dev/null 2>&1 || {
echo "\"$PGM\" not found"
exit 1
}
}
check_tools() {
find_program which
find_program $IPTABLES
find_program $MODPROBE
find_program $IP
}
reset_iptables_v4() {
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done
}
reset_iptables_v6() {
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
cat /proc/net/ip6_tables_names | while read table; do
$IP6TABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IP6TABLES -t $table -F $chain
fi
done
$IP6TABLES -t $table -X
done
}
check_file() {
test -r "$2" || {
echo "Can not find file $2 referenced by address table object $1"
exit 1
}
}
check_run_time_address_table_files() {
:
check_file "atbl.1" "addr-table-1.tbl"
}
verify_interfaces() {
:
echo "Verifying interfaces: et0 eth1"
for i in et0 eth1 ; do
$IP link show "$i" > /dev/null 2>&1 || {
log "Interface $i does not exist"
exit 1
}
done
}
prolog_commands() {
echo "Running prolog script"
}
epilog_commands() {
echo "Running epilog script"
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
script_body() {
# ================ IPv4
# ================ Table 'filter', rule set Policy
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
$IPTABLES -A OUTPUT -p tcp -m tcp -d 10.3.14.40 --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -m tcp -d 10.3.14.40 --dport 80 -m state --state NEW -j ACCEPT
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
$IPTABLES -N RULE_1
$IPTABLES -A INPUT -s 192.168.1.1 -j RULE_1
$IPTABLES -A INPUT -s 192.168.1.2 -j RULE_1
$IPTABLES -A INPUT -s 192.168.1.3/30 -j RULE_1
$IPTABLES -A INPUT -s 192.168.1.200 -j RULE_1
$IPTABLES -A INPUT -s 192.168.1.201 -j RULE_1
$IPTABLES -A INPUT -s 192.168.2.128/25 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.1.1 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.1.2 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.1.3/30 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.1.200 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.1.201 -j RULE_1
$IPTABLES -A FORWARD -s 192.168.2.128/25 -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DENY "
$IPTABLES -A RULE_1 -j DROP
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
$IPTABLES -N RULE_2
grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do
set $L; at_atbl_1=$1; $IPTABLES -A INPUT -s $at_atbl_1 -j RULE_2
done
grep -Ev '^#|^;|^\s*$' addr-table-1.tbl | while read L ; do
set $L; at_atbl_1=$1; $IPTABLES -A FORWARD -s $at_atbl_1 -j RULE_2
done
$IPTABLES -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DENY "
$IPTABLES -A RULE_2 -j DROP
}
reset_all() {
:
reset_iptables_v4
}
case "$1" in
start)
check_tools
check_run_time_address_table_files
verify_interfaces
prolog_commands
script_body
epilog_commands
;;
stop)
# on IPCOP "/etc/rc.firewall stop" purges all tables and chains
# and then calls this script with command "stop", but there is
# nothing left for us to do here.
;;
reload)
$0 stop
$0 start
;;
*)
echo "Usage $0 {start|stop|reload}"
;;
esac


@ -92,6 +92,13 @@
<NetworkIPv6 id="id2383X75851" name="link-local ipv6" comment="RFC4291 Link-local unicast net" ro="False" address="fe80::" netmask="10"/>
<NetworkIPv6 id="id2685X75851" name="multicast ipv6" comment="RFC4291 ipv6 multicast addresses" ro="False" address="ff00::" netmask="8"/>
<NetworkIPv6 id="id2986X75851" name="experimental ipv6" comment="RFC2928, RFC4773 &#10;&#10;&quot;The block of Sub-TLA IDs assigned to the IANA&#10;(i.e., 2001:0000::/29 - 2001:01F8::/29) is for&#10;assignment for testing and experimental usage to&#10;support activities such as the 6bone, and&#10;for new approaches like exchanges.&quot; [RFC2928]&#10;&#10;" ro="False" address="2001::" netmask="23"/>
<Network id="id3289X12564" name="TEST-NET-2" comment="RFC 5735&#10;RFC 5737&#10;" ro="False" address="198.51.100.0" netmask="255.255.255.0"/>
<Network id="id3300X12564" name="TEST-NET-3" comment="RFC 5735&#10;RFC 5737" ro="False" address="203.0.113.0" netmask="255.255.255.0"/>
<Network id="id3311X12564" name="Benchmark tests network" comment="RFC 5735" ro="False" address="198.18.0.0" netmask="255.254.0.0"/>
<NetworkIPv6 id="id3326X12564" name="mapped-ipv4" comment="" ro="False" address="::ffff:0.0.0.0" netmask="96"/>
<NetworkIPv6 id="id3341X12564" name="translated-ipv4" comment="" ro="False" address="::ffff:0:0:0" netmask="96"/>
<NetworkIPv6 id="id3350X12564" name="Teredo" comment="" ro="False" address="2001::" netmask="32"/>
<NetworkIPv6 id="id3359X12564" name="unique-local" comment="" ro="False" address="fc00::" netmask="7"/>
</ObjectGroup>
<ObjectGroup id="stdid15" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3F6D115C" name="broadcast" comment="" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
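Review bot: The four new NetworkIPv6 objects have empty comments while every neighbouring standard object cites the RFC that defines it; for a library users pick from when writing rules, the source of each range matters. Suggested comments: `RFC 4291 IPv4-mapped IPv6 addresses` for mapped-ipv4, `RFC 2765 IPv4-translated addresses (SIIT)` for translated-ipv4, `RFC 4380 Teredo` for Teredo and `RFC 4193 Unique local unicast` for unique-local. The Teredo prefix 2001::/32 lies inside the existing "experimental ipv6" object 2001::/23, which may be worth mentioning in that object's comment so a rule on one is not assumed to exclude the other.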