onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-18 17:27:20 +01:00
Code Issues Releases Wiki Activity

* PolicyCompiler_ipt.cpp (decideOnChainIfDstFW::processNext):

Browse Source 
fixes #1231 rules are placed FORWARD chain if firewall object is
"bridging firewall". This bugfix concerns specific rule
configuration used with bridging firewall where firewall object or
one of its interfaces is used in "destination" and an interface
which is not a bridge port is in the "interface" rule column. Rule
like this should go into INPUT chain but compiler used to splut it
and put generated iptables rules in both INPUT and FORWARD chains.
Rule should be placed in the FORWARD chain only if interface in
"interface" column is bridge port. The same algorithm also applies
to rules with firewall or one if its interfaces in the "Source"
column.
This commit is contained in:
Vadim Kurland 2010-02-14 18:54:47 +00:00
parent a7c22c80c9
commit 76dd6e285c
4 changed files with 64 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_num
View File

@ -1 +1 @@
#define BUILD_NUM 2528
#define BUILD_NUM 2529

15
doc/ChangeLog
View File

@ -1,3 +1,18 @@
2010-02-14 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (decideOnChainIfDstFW::processNext):
fixes #1231 rules are placed FORWARD chain if firewall object is
"bridging firewall". This bugfix concerns specific rule
configuration used with bridging firewall where firewall object or
one of its interfaces is used in "destination" and an interface
which is not a bridge port is in the "interface" rule column. Rule
like this should go into INPUT chain but compiler used to splut it
and put generated iptables rules in both INPUT and FORWARD chains.
Rule should be placed in the FORWARD chain only if interface in
"interface" column is bridge port. The same algorithm also applies
to rules with firewall or one if its interfaces in the "Source"
column.
2010-02-13 vadim <vadim@vk.crocodile.org>
* OSConfigurator_bsd.cpp (OSConfigurator_bsd::configureInterfaces):

52
src/iptlib/PolicyCompiler_ipt.cpp
View File

@ -2853,14 +2853,24 @@ bool PolicyCompiler_ipt::decideOnChainIfSrcFW::processNext()
if ( compiler->getCachedFwOpt()->getBool("bridging_fw") &&
compiler->complexMatch(src,compiler->fw,false,false) )
{
PolicyRule *r;
/* Correction for bug #1231 : as of fwbuilder v4.0 (and
* really, probably as of 3.0), bridge ports must be created
* in the GUI for the compiler to process policy of the
* bridging firewall correctly. Will split the rule if it is
* not associated with any particular interface or associated
* with an interface which is a bridge port.
*/
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
ipt_comp->setChain(r,"FORWARD");
tmp_queue.push_back(r);
RuleElementItf *itfre = rule->getItf();
Interface *rule_iface = compiler->getFirstItf(rule);
if (rule_iface == NULL || rule_iface->isBridgePort())
{
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
ipt_comp->setChain(r,"FORWARD");
tmp_queue.push_back(r);
}
}
bool b,m;
@ -2903,6 +2913,9 @@ bool PolicyCompiler_ipt::decideOnChainIfSrcFW::processNext()
return true;
}
/*
* Call this processor before InterfacePolicyRulesWithOptimization
*/
bool PolicyCompiler_ipt::decideOnChainIfDstFW::processNext()
{
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
@ -2936,19 +2949,28 @@ bool PolicyCompiler_ipt::decideOnChainIfDstFW::processNext()
*
* Bug #934949: "duplicate rules". Split the rule only if firewall is
* in src or dst. Otherwise compiler produces duplicates.
*
*/
if ( compiler->getCachedFwOpt()->getBool("bridging_fw") &&
compiler->complexMatch(dst,compiler->fw,false,false) )
{
PolicyRule *r;
/* Correction for bug #1231 : as of fwbuilder v4.0 (and
* really, probably as of 3.0), bridge ports must be created
* in the GUI for the compiler to process policy of the
* bridging firewall correctly. Will split the rule if it is
* not associated with any particular interface or associated
* with an interface which is a bridge port.
*/
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
ipt_comp->setChain(r,"FORWARD");
tmp_queue.push_back(r);
RuleElementItf *itfre = rule->getItf();
Interface *rule_iface = compiler->getFirstItf(rule);
if (rule_iface == NULL || rule_iface->isBridgePort())
{
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
ipt_comp->setChain(r,"FORWARD");
tmp_queue.push_back(r);
}
}
bool b,m;

12
test/ipt/objects-for-regression-tests.fwb
View File

@ -12287,7 +12287,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3D94D4F8" host_OS="linux24" inactive="False" lastCompiled="1251648639" lastInstalled="1142003872" lastModified="1266167660" platform="iptables" version="" name="firewall11" comment="testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. &#10;&#10;This is BRIDGING FIREWALL &#10;Firewall is part of any is OFF&#10;&#10;Interfaces eth0 and eth1 are parts of the bridge; Interface eth2 is external interface (doing NAT and routing on this interface) Interface eth3 is connected to protected network and is used to manage firewall. This is rather realistic configuration for the bridging firewall " ro="False">
<Firewall id="id3D94D4F8" host_OS="linux24" inactive="False" lastCompiled="1251648639" lastInstalled="1142003872" lastModified="1266172388" platform="iptables" version="" name="firewall11" comment="testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. &#10;&#10;This is BRIDGING FIREWALL &#10;Firewall is part of any is OFF&#10;&#10;Interfaces eth0 and eth1 are parts of the bridge; Interface eth2 is external interface (doing NAT and routing on this interface) Interface eth3 is connected to protected network and is used to manage firewall. This is rather realistic configuration for the bridging firewall " ro="False">
<NAT id="id3D94D4F9" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3E854D22" disabled="True" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -12855,14 +12855,21 @@
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject">ICMP net unreachable</Option>
<Option name="activationCmd"></Option>
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">True</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="clear_unknown_interfaces">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_bonding_interfaces">False</Option>
<Option name="configure_bridge_interfaces">False</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="dyn_addr">False</Option>
@ -12874,6 +12881,7 @@
<Option name="inst_cmdline"></Option>
<Option name="inst_script"></Option>
<Option name="install_script"></Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix">/day</Option>
<Option name="limit_value">0</Option>
<Option name="linux24_accept_redirects"></Option>
@ -12920,7 +12928,9 @@
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="proxy_arp">False</Option>
<Option name="scpArgs"></Option>
<Option name="script_env_path"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>