2009-07-28 vadim <vadim@vk.crocodile.org>

* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): remove extra white space after tcp port spec if source port match was not used in the rule. * PolicyCompiler_pf.cpp (fillDirection::processNext): Applied patch per bug report #2828633: "Patch: Warning when changing rule direction in compiler". This adds warning when rule direction is changed by the compiler because object in source or destination was firewall itself. * PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): Implemented change per bug #2828602: "PF Compiler Direction Both no Duplication Patch". PF rules with direction "both" used to be split to make two rules, one with direction "inbound" and another with direction "outbound". This was an artefact of old rule generation model where user could choose to permit everything outbound and only generate inbound rules, or generate both inbound and outbound rules. Since we now always generate both in abd out rules and PF matches both directions when neither "in" or "out" is specificed, this splitting has become redundant.
2026-03-21 18:57:14 +01:00 · 2009-07-29 01:42:55 +00:00 · 2009-07-29 01:42:55 +00:00 · 830033c295
commit 830033c295
parent 34fee341d3
5 changed files with 37 additions and 5 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-#define BUILD_NUM 1209
+#define BUILD_NUM 1212
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@ -1,3 +1,26 @@
+2009-07-28  vadim  <vadim@vk.crocodile.org>
+
+	* NATCompiler_pf_writers.cpp (PrintRule::_printSrcPort): remove
+	extra white space after tcp port spec if source port match was not
+	used in the rule.
+
+	* PolicyCompiler_pf.cpp (fillDirection::processNext): Applied
+	patch per bug report #2828633: "Patch: Warning when changing rule
+	direction in compiler". This adds warning when rule direction is
+	changed by the compiler because object in source or destination
+	was firewall itself.
+
+	* PolicyCompiler_pf.cpp (PolicyCompiler_pf::compile): Implemented
+	change per bug #2828602: "PF Compiler Direction Both no
+	Duplication Patch". PF rules with direction "both" used to be
+	split to make two rules, one with direction "inbound" and another
+	with direction "outbound". This was an artefact of old rule
+	generation model where user could choose to permit everything
+	outbound and only generate inbound rules, or generate both inbound
+	and outbound rules. Since we now always generate both in abd out
+	rules and PF matches both directions when neither "in" or "out" is
+	specificed, this splitting has become redundant.
+
 2009-07-26  vadim  <vadim@vk.crocodile.org>

 	* PolicyCompiler_ipt_optimizer.cpp (optimizeForMinusIOPlus::processNext):
--- a/src/pflib/NATCompiler_pf_writers.cpp
+++ b/src/pflib/NATCompiler_pf_writers.cpp
@ -304,8 +304,8 @@ void NATCompiler_pf::PrintRule::_printSrcPort(libfwbuilder::Service *srv)
            {
                compiler->output << ":" << sre;
            }
+            compiler->output  << " ";
        }
-        compiler->output  << " ";
    }
 }

--- a/src/pflib/PolicyCompiler_pf.cpp
+++ b/src/pflib/PolicyCompiler_pf.cpp
@ -376,9 +376,15 @@ bool PolicyCompiler_pf::fillDirection::processNext()
            compiler->complexMatch(compiler->fw, dst)) return true;

        if (!src->isAny() && compiler->complexMatch(compiler->fw, src))
+        {
            rule->setDirection( PolicyRule::Outbound );
+            compiler->warning("Changing rule direction due to self reference in rule "+rule->getLabel());
+        }
        if (!dst->isAny() && compiler->complexMatch(compiler->fw, dst))
+        {
            rule->setDirection( PolicyRule::Inbound );
+            compiler->warning("Changing rule direction due to self reference in rule "+rule->getLabel());
+        }
    }
    return true;
 }
@ -1071,7 +1077,10 @@ void PolicyCompiler_pf::compile()
 	add( new splitIfFirewallInSrc("split rule if firewall is in Src"   ));
 	add( new splitIfFirewallInDst("split rule if firewall is in Dst"   ));
 	add( new fillDirection("determine directions"               ));
-	add( new SplitDirection("split rules with direction 'both'"  ));
+
+// commented out for bug #2828602
+//	add( new SplitDirection("split rules with direction 'both'"  ));
+
        add( new addLoopbackForRedirect(
                 "add loopback to rules that permit redirected services" ) );
 	add( new ExpandMultipleAddresses(
--- a/src/pflib/PolicyCompiler_pf_writers.cpp
+++ b/src/pflib/PolicyCompiler_pf_writers.cpp
@ -339,8 +339,8 @@ void PolicyCompiler_pf::PrintRule::_printTag(PolicyRule *rule)

 void PolicyCompiler_pf::PrintRule::_printDirection(PolicyRule *rule)
 {
-    if (rule->getDirection()==PolicyRule::Outbound)  compiler->output << "out "; 
-    else	                                     compiler->output << "in  "; 
+    if (rule->getDirection()==PolicyRule::Outbound) compiler->output << "out ";
+    if (rule->getDirection()==PolicyRule::Inbound) compiler->output << "in  ";
 }

 void PolicyCompiler_pf::PrintRule::_printLogging(PolicyRule *rule)