
* IPTImporterRun.cpp (run): see #2275 Importer for iptables now

correctly handles both "intrapositioned" ("-s ! address") and
"extrapositioned" ("! -s address") negation.
This commit is contained in:
Vadim Kurland 2011-04-14 18:19:54 -07:00
parent 17263fb3ff
commit 838116ab50
14 changed files with 1806 additions and 1858 deletions


@ -1,5 +1,9 @@
2011-04-14 vadim <vadim@netcitadel.com>
* IPTImporterRun.cpp (run): see #2275 Importer for iptables now
correctly handles both "intrapositioned" ("-s ! address") and
"extrapositioned" ("! -s address") negation.
* platform/fwsm.xml: see #2295 Added FWSM version "3.2". According to
Cisco documentation, FWSM version 3.2 matches PIX 7.


@ -121,7 +121,7 @@ void IPTImporter::clear()
target = "";
tmp_port_range_start = "";
tmp_port_range_end = "";
src_neg = dst_neg = srv_neg = intf_neg = false;
src_neg = dst_neg = srv_neg = intf_neg = tmp_neg = false;
match_mark = "";
neg_match_mark = false;
recent_match = "";


@ -115,7 +115,8 @@ class IPTImporter : public Importer
bool dst_neg;
bool srv_neg;
bool intf_neg;
bool tmp_neg;
std::string limit_val;
std::string limit_suffix;
std::string limit_burst;
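Review bot: `bool tmp_neg;` is added next to the other negation flags without an initializer, so its value before the first clear() depends on whether the constructor resets it, and the constructor is not part of this diff; the grammar in the same commit reads the flag on every source/destination option (`importer->src_neg = importer->tmp_neg;`), so an indeterminate initial value would negate the first imported rule at random. If the constructor does not already call clear(), initialize tmp_neg there together with src_neg/dst_neg/srv_neg/intf_neg. The class body continues outside the hunk.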


@ -29,6 +29,8 @@
#include <QString>
#include <QStringList>
#include <QRegExp>
#include <QtDebug>
#include <ios>
#include <iostream>
@ -82,6 +84,9 @@ void IPTImporter::run()
string normalized_input_buffer;
normalized_input_buffer.reserve(input_size);
QRegExp old_negation_short("(-[^- ])\\s!");
QRegExp old_negation_long("(--[^- ]+)\\s!");
input.seekg (0, ios::beg);
char buf[8192];
while (!input.eof())
@ -97,6 +102,39 @@ void IPTImporter::run()
str.replace("--dport", "--destination-ports");
}
// negation: "-s ! something" format is deprecated and is replaced with
// "! -s something", but our parser understands only old format.
int pos = 0;
while (true)
{
QString option;
int match_length = 0;
int old_pos = 0;
old_pos = old_negation_short.indexIn(str, pos);
if (old_pos != -1)
{
option = old_negation_short.cap(1);
match_length = old_negation_short.matchedLength();
} else
{
old_pos = old_negation_long.indexIn(str, pos);
if (old_pos != -1)
{
option = old_negation_long.cap(1);
match_length = old_negation_long.matchedLength();
}
}
if (old_pos == -1) break;
QString new_format = QString("! %1").arg(option);
str.replace(old_pos, match_length, new_format);
pos = old_pos + match_length;
}
cerr << str.toStdString() << endl;
normalized_input_buffer.append(str.toStdString());
normalized_input_buffer.append("\n");
}
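Review bot: The long-option pattern in the earlier hunk, `QRegExp old_negation_long("(--[^- ]+)\\s!");`, excludes `-` from the captured option name, so hyphenated options such as `--tcp-option`, `--icmp-type`, `--tcp-flags` or the `--destination-ports` produced by the replace a few lines above are never rewritten when followed by ` !`, and they reach the parser in the intrapositioned form that the grammar in this commit no longer accepts (`tcp_option : MATCH_TCP_OPTION INT_CONST`). Allowing anything but whitespace in the name fixes this: `QRegExp old_negation_long("(--[^\\s]+)\\s!");`. The `cerr << str.toStdString() << endl;` after the loop looks like leftover debugging: it echoes every line of the imported firewall configuration to stderr with a flush per line, so drop it or send it through the importer's debug stream. run() starts and ends outside the hunk.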


@ -1,5 +1,5 @@
/* $ANTLR 2.7.7 (20090306): "iptables.g" -> "IPTCfgLexer.cpp"$ */
#line 44 "iptables.g"
#line 55 "iptables.g"
// gets inserted before the antlr generated includes in the cpp
// file
@ -14,7 +14,7 @@
#include <antlr/CharStreamIOException.hpp>
#include <antlr/NoViableAltForCharException.hpp>
#line 50 "iptables.g"
#line 61 "iptables.g"
// gets inserted after the antlr generated includes in the cpp
// file
@ -713,7 +713,7 @@ void IPTCfgLexer::mWhitespace(bool _createToken) {
}
}
if ( inputState->guessing==0 ) {
#line 1231 "iptables.g"
#line 1237 "iptables.g"
_ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP;
#line 719 "IPTCfgLexer.cpp"
}
@ -746,7 +746,7 @@ void IPTCfgLexer::mNEWLINE(bool _createToken) {
}
if ( inputState->guessing==0 ) {
#line 1233 "iptables.g"
#line 1239 "iptables.g"
newline(); resetText();
#line 752 "IPTCfgLexer.cpp"
}
@ -997,10 +997,10 @@ void IPTCfgLexer::mNUMBER(bool _createToken) {
_ttype = NUMBER;
ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
bool synPredMatched193 = false;
bool synPredMatched185 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_2.member(LA(2))) && (_tokenSet_2.member(LA(3))) && (_tokenSet_2.member(LA(4))) && (_tokenSet_2.member(LA(5))) && (_tokenSet_2.member(LA(6))) && (_tokenSet_2.member(LA(7))) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true))) {
int _m193 = mark();
synPredMatched193 = true;
int _m185 = mark();
synPredMatched185 = true;
inputState->guessing++;
try {
{
@ -1011,12 +1011,12 @@ void IPTCfgLexer::mNUMBER(bool _createToken) {
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched193 = false;
synPredMatched185 = false;
}
rewind(_m193);
rewind(_m185);
inputState->guessing--;
}
if ( synPredMatched193 ) {
if ( synPredMatched185 ) {
{
mNUM_3DIGIT(false);
match('.' /* charlit */ );
@ -1026,17 +1026,17 @@ void IPTCfgLexer::mNUMBER(bool _createToken) {
match('.' /* charlit */ );
mNUM_3DIGIT(false);
if ( inputState->guessing==0 ) {
#line 1300 "iptables.g"
#line 1306 "iptables.g"
_ttype = IPV4;
#line 1032 "IPTCfgLexer.cpp"
}
}
}
else {
bool synPredMatched196 = false;
bool synPredMatched188 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_2.member(LA(2))) && (_tokenSet_2.member(LA(3))) && (_tokenSet_2.member(LA(4))) && (_tokenSet_2.member(LA(5))) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true))) {
int _m196 = mark();
synPredMatched196 = true;
int _m188 = mark();
synPredMatched188 = true;
inputState->guessing++;
try {
{
@ -1047,12 +1047,12 @@ void IPTCfgLexer::mNUMBER(bool _createToken) {
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched196 = false;
synPredMatched188 = false;
}
rewind(_m196);
rewind(_m188);
inputState->guessing--;
}
if ( synPredMatched196 ) {
if ( synPredMatched188 ) {
{
mNUM_3DIGIT(false);
match('.' /* charlit */ );
@ -1060,7 +1060,7 @@ void IPTCfgLexer::mNUMBER(bool _createToken) {
match('.' /* charlit */ );
mNUM_3DIGIT(false);
if ( inputState->guessing==0 ) {
#line 1304 "iptables.g"
#line 1310 "iptables.g"
_ttype = THREE_COMPONENT_VERSION;
#line 1066 "IPTCfgLexer.cpp"
}
@ -1071,43 +1071,43 @@ void IPTCfgLexer::mNUMBER(bool _createToken) {
match('0' /* charlit */ );
match('x' /* charlit */ );
{ // ( ... )+
int _cnt200=0;
int _cnt192=0;
for (;;) {
if ((_tokenSet_1.member(LA(1)))) {
mHEXDIGIT(false);
}
else {
if ( _cnt200>=1 ) { goto _loop200; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt192>=1 ) { goto _loop192; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt200++;
_cnt192++;
}
_loop200:;
_loop192:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 1308 "iptables.g"
#line 1314 "iptables.g"
_ttype = HEX_CONST;
#line 1092 "IPTCfgLexer.cpp"
}
}
else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true)) {
{ // ( ... )+
int _cnt202=0;
int _cnt194=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt202>=1 ) { goto _loop202; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt194>=1 ) { goto _loop194; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt202++;
_cnt194++;
}
_loop202:;
_loop194:;
} // ( ... )+
if ( inputState->guessing==0 ) {
#line 1310 "iptables.g"
#line 1316 "iptables.g"
_ttype = INT_CONST;
#line 1113 "IPTCfgLexer.cpp"
}
@ -1362,11 +1362,11 @@ void IPTCfgLexer::mWORD(bool _createToken) {
}
default:
{
goto _loop206;
goto _loop198;
}
}
}
_loop206:;
_loop198:;
} // ( ... )*
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -1388,11 +1388,11 @@ void IPTCfgLexer::mSTRING(bool _createToken) {
matchNot('\"' /* charlit */ );
}
else {
goto _loop209;
goto _loop201;
}
}
_loop209:;
_loop201:;
} // ( ... )*
match('\"' /* charlit */ );
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -1423,7 +1423,7 @@ void IPTCfgLexer::mRSOURCE(bool _createToken) {
match("--rsource");
if ( inputState->guessing==0 ) {
#line 1334 "iptables.g"
#line 1340 "iptables.g"
_ttype = UNSUPPORTED_OPTION;
#line 1429 "IPTCfgLexer.cpp"
}
@ -2086,7 +2086,7 @@ void IPTCfgLexer::mULOG_QTHR(bool _createToken) {
match("--ulog-qthreshold");
if ( inputState->guessing==0 ) {
#line 1401 "iptables.g"
#line 1407 "iptables.g"
_ttype = UNSUPPORTED_OPTION;
#line 2092 "IPTCfgLexer.cpp"
}
@ -2105,7 +2105,7 @@ void IPTCfgLexer::mULOG_NLG(bool _createToken) {
match("--ulog-nlgroup");
if ( inputState->guessing==0 ) {
#line 1402 "iptables.g"
#line 1408 "iptables.g"
_ttype = UNSUPPORTED_OPTION;
#line 2111 "IPTCfgLexer.cpp"
}
@ -2124,7 +2124,7 @@ void IPTCfgLexer::mULOG_CPR(bool _createToken) {
match("--ulog-cprange");
if ( inputState->guessing==0 ) {
#line 1403 "iptables.g"
#line 1409 "iptables.g"
_ttype = UNSUPPORTED_OPTION;
#line 2130 "IPTCfgLexer.cpp"
}


@ -1,7 +1,7 @@
#ifndef INC_IPTCfgLexer_hpp_
#define INC_IPTCfgLexer_hpp_
#line 27 "iptables.g"
#line 38 "iptables.g"
// gets inserted before antlr generated includes in the header
// file
@ -15,7 +15,7 @@
#include <antlr/BitSet.hpp>
#include "IPTCfgParserTokenTypes.hpp"
#include <antlr/CharScanner.hpp>
#line 34 "iptables.g"
#line 45 "iptables.g"
// gets inserted after antlr generated includes in the header file
// outside any generated namespace specifications
@ -25,7 +25,7 @@
class IPTImporter;
#line 28 "IPTCfgLexer.hpp"
#line 63 "iptables.g"
#line 74 "iptables.g"
// gets inserted after generated namespace specifications in the
// header file. But outside the generated class.



@ -1,7 +1,7 @@
#ifndef INC_IPTCfgParser_hpp_
#define INC_IPTCfgParser_hpp_
#line 27 "iptables.g"
#line 38 "iptables.g"
// gets inserted before antlr generated includes in the header
// file
@ -15,7 +15,7 @@
#include "IPTCfgParserTokenTypes.hpp"
#include <antlr/LLkParser.hpp>
#line 34 "iptables.g"
#line 45 "iptables.g"
// gets inserted after antlr generated includes in the header file
// outside any generated namespace specifications
@ -25,7 +25,7 @@
class IPTImporter;
#line 28 "IPTCfgParser.hpp"
#line 63 "iptables.g"
#line 74 "iptables.g"
// gets inserted after generated namespace specifications in the
// header file. But outside the generated class.
@ -33,7 +33,7 @@ class IPTImporter;
#line 34 "IPTCfgParser.hpp"
class CUSTOM_API IPTCfgParser : public ANTLR_USE_NAMESPACE(antlr)LLkParser, public IPTCfgParserTokenTypes
{
#line 80 "iptables.g"
#line 91 "iptables.g"
// additional methods and members
@ -96,6 +96,7 @@ public:
public: void commit();
public: void chain_def();
public: void ipt_option();
public: void negation();
public: void module();
public: void match_mark();
public: void match_recent();


@ -31,12 +31,12 @@ struct CUSTOM_API IPTCfgParserTokenTypes {
INT_CONST = 20,
CLOSING_SQUARE = 21,
ADD_RULE = 22,
UNSUPPORTED_OPTION = 23,
DIGIT = 24,
SLASH = 25,
OPT_MODULE = 26,
OPT_SRC = 27,
EXCLAMATION = 28,
EXCLAMATION = 23,
UNSUPPORTED_OPTION = 24,
DIGIT = 25,
SLASH = 26,
OPT_MODULE = 27,
OPT_SRC = 28,
OPT_DST = 29,
OPT_IN_INTF = 30,
OPT_OUT_INTF = 31,


@ -19,12 +19,12 @@ OPENING_SQUARE=19
INT_CONST=20
CLOSING_SQUARE=21
ADD_RULE=22
UNSUPPORTED_OPTION=23
DIGIT=24
SLASH=25
OPT_MODULE=26
OPT_SRC=27
EXCLAMATION=28
EXCLAMATION=23
UNSUPPORTED_OPTION=24
DIGIT=25
SLASH=26
OPT_MODULE=27
OPT_SRC=28
OPT_DST=29
OPT_IN_INTF=30
OPT_OUT_INTF=31


@ -23,6 +23,17 @@
*/
/*
Note about negation:
this grammar parses only extrapositioned negation "! -s address" for
all recognized options that can have it. Intrapositioned negation ("-s ! address")
should be converted to extrapositioned in IPTImporter class before running
the parser.
*/
header "pre_include_hpp"
{
// gets inserted before antlr generated includes in the header
@ -243,6 +254,8 @@ add_rule : ADD_RULE chain_def
//****************************************************************
ipt_option :
(
negation
|
module
|
match_mark
@ -285,6 +298,13 @@ ipt_option :
)
;
//****************************************************************
negation : EXCLAMATION
{
importer->tmp_neg = true;
}
;
//****************************************************************
unknown_option :
(
@ -357,16 +377,12 @@ module : OPT_MODULE ( m_state | m_mport | m_icmp | m_tcp | m_udp | m_limit |
;
//****************************************************************
src : OPT_SRC
src : OPT_SRC
{
*dbg << " SRC=";
importer->src_neg = importer->tmp_neg;
importer->tmp_neg = false;
}
(
EXCLAMATION
{
importer->src_neg = true;
}
)?
( (WORD | IPV4)
{
importer->src_a = LT(0)->getText();
@ -384,13 +400,9 @@ src : OPT_SRC
dst : OPT_DST
{
*dbg << " DST=";
importer->dst_neg = importer->tmp_neg;
importer->tmp_neg = false;
}
(
EXCLAMATION
{
importer->dst_neg = true;
}
)?
( (WORD | IPV4)
{
importer->dst_a = LT(0)->getText();
@ -406,31 +418,27 @@ dst : OPT_DST
//****************************************************************
i_intf : OPT_IN_INTF
(
EXCLAMATION
{
importer->intf_neg = true;
}
)?
i:WORD
{
importer->intf_neg = importer->tmp_neg;
importer->tmp_neg = false;
}
WORD
{
importer->i_intf = LT(0)->getText();
*dbg << " I_INTF=" << i->getText();
*dbg << " I_INTF=" << LT(0)->getText();
}
;
//****************************************************************
o_intf : OPT_OUT_INTF
(
EXCLAMATION
{
importer->intf_neg = true;
}
)?
i:WORD
{
importer->intf_neg = importer->tmp_neg;
importer->tmp_neg = false;
}
WORD
{
importer->o_intf = LT(0)->getText();
*dbg << " O_INTF=" << i->getText();
*dbg << " O_INTF=" << LT(0)->getText();
}
;
@ -439,12 +447,10 @@ protocol_word : (TCP | UDP | ICMP | WORD | INT_CONST )
;
proto : OPT_PROTO
(
EXCLAMATION
{
importer->srv_neg = true;
}
)?
{
importer->srv_neg = importer->tmp_neg;
importer->tmp_neg = false;
}
protocol_word
{
std::string tmp_s = LT(0)->getText();
@ -718,6 +724,7 @@ match_mark : OPT_MODULE m_mark
( EXCLAMATION {importer->neg_match_mark = true;} )?
MATCH_MARK (INT_CONST | HEX_CONST)
{
importer->tmp_neg = false;
importer->match_mark = LT(0)->getText();
*dbg << " MATCH MARK " << LT(0)->getText();
}
@ -1043,24 +1050,20 @@ nat_port_def_with_range :
//****************************************************************
basic_tcp_udp_port_spec :
(MATCH_SRC_PORT | MATCH_SRC_PORT_SHORT)
(
EXCLAMATION
{
importer->srv_neg = true;
}
)?
{
importer->srv_neg = importer->tmp_neg;
importer->tmp_neg = false;
}
(port_def_with_range | port_def_with_incomplete_range)
{
importer->pushTmpPortSpecToSrcPortList();
}
|
(MATCH_DST_PORT | MATCH_DST_PORT_SHORT)
(
EXCLAMATION
{
importer->srv_neg = true;
}
)?
{
importer->srv_neg = importer->tmp_neg;
importer->tmp_neg = false;
}
(port_def_with_range | port_def_with_incomplete_range)
{
importer->pushTmpPortSpecToDstPortList();
@ -1091,8 +1094,11 @@ m_tcp : TCP
// at least in the older versions of iptables
tcp_options :
( EXCLAMATION { importer->srv_neg = true; } )?
( syn | tcp_flags | tcp_option)
( syn | tcp_flags | tcp_option)
{
importer->srv_neg = importer->tmp_neg;
importer->tmp_neg = false;
}
;
syn : MATCH_SYN
@ -1165,7 +1171,7 @@ tcp_flags : MATCH_TCP_FLAGS
;
// --tcp-option is not supported in fwbuilder at this time
tcp_option : MATCH_TCP_OPTION (INT_CONST | EXCLAMATION INT_CONST)
tcp_option : MATCH_TCP_OPTION INT_CONST
;
//****************************************************************
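Review bot: `negation : EXCLAMATION { importer->tmp_neg = true; }` sets the flag, but only the option rules edited here (`src`, `dst`, `i_intf`, `o_intf`, `proto`, the port specs, `tcp_options`, `match_mark`) clear it again, so a `!` placed before an option that does not read it — `unknown_option`, or any ipt_option alternative this commit does not touch — leaves tmp_neg set and the next `-s`, `-d`, `-i`, `-p` or port option in the same command is silently negated instead. For a firewall import that means the match of an unrelated option is inverted without any warning, so clear the flag where an option is consumed without checking it, at minimum `unknown_option : ... { importer->tmp_neg = false; }`, and consider emitting a warning when a negation is dropped. The full list of ipt_option alternatives and the remaining match rules are outside these hunks, so some of them may already reset it.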



@ -25,59 +25,59 @@
42: New interface: eth0
42: Warning: Creating branch ruleset 'Policy_eth1' to match inbound and outbound interfaces -i eth0 -o eth1
103: Warning: Rule matches states 'RELATED,ESTABLISHED'. Consider using automatic rule controlled by the checkbox in the firewall settings dialog. Automatic rule matches in all standard chains which may be different from the original imported configuration. This requires manual checking.
191: Created branch user_chain_42_mod_match
195: Created branch user_chain_43_mod_match
196: Created branch user_chain_44_mod_match
197: Created branch user_chain_45_mod_match
200: Created branch user_chain_46_mod_match
203: Created branch user_chain_47_mod_match
206: Created branch user_chain_48_mod_match
206: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
206: Error: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
207: Created branch user_chain_49_mod_match
207: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
207: Error: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
218: New ruleset: mangle / PREROUTING
218: Default action: Accept
219: New ruleset: mangle / INPUT
219: Default action: Accept
220: New ruleset: mangle / FORWARD
193: Created branch user_chain_42_mod_match
197: Created branch user_chain_43_mod_match
198: Created branch user_chain_44_mod_match
199: Created branch user_chain_45_mod_match
202: Created branch user_chain_46_mod_match
205: Created branch user_chain_47_mod_match
208: Created branch user_chain_48_mod_match
208: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
208: Error: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
209: Created branch user_chain_49_mod_match
209: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
209: Error: Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.
220: New ruleset: mangle / PREROUTING
220: Default action: Accept
221: New ruleset: mangle / OUTPUT
221: New ruleset: mangle / INPUT
221: Default action: Accept
222: New ruleset: mangle / POSTROUTING
222: New ruleset: mangle / FORWARD
222: Default action: Accept
225: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
225: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
228: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
228: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
229: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
229: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
235: Warning: Skipping command with '-j CONNMARK --restore-mark' This rule is generated automatically.
238: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
238: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
239: Warning: Turned option on in previous rule with action Mark for '-j CONNMARK --save-mark'
242: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
242: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
243: New interface: eth2
243: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
243: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
247: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
247: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
248: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
248: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
253: New ruleset: nat / PREROUTING
253: Default action: Accept
254: New ruleset: nat / POSTROUTING
254: Default action: Accept
255: New ruleset: nat / OUTPUT
223: New ruleset: mangle / OUTPUT
223: Default action: Accept
224: New ruleset: mangle / POSTROUTING
224: Default action: Accept
227: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
227: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
230: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
230: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
231: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
231: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD
237: Warning: Skipping command with '-j CONNMARK --restore-mark' This rule is generated automatically.
240: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
240: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
241: Warning: Turned option on in previous rule with action Mark for '-j CONNMARK --save-mark'
244: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
244: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
245: New interface: eth2
245: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
245: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
249: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
249: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
250: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
250: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
255: New ruleset: nat / PREROUTING
255: Default action: Accept
259: New interface: eth+
286: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT
286: Warning: Line 220: Can not reproduce default action in table 'mangle' chain 'FORWARD'. (Generated rule may not generate equivalent iptables command when compiled)
286: Warning: Line 220: Added rule to reproduce default policy ACCEPT in mangle/FORWARD
286: Warning: Line 219: Can not reproduce default action in table 'mangle' chain 'INPUT'. (Generated rule may not generate equivalent iptables command when compiled)
286: Warning: Line 219: Added rule to reproduce default policy ACCEPT in mangle/INPUT
286: Warning: Line 221: Added rule to reproduce default policy ACCEPT in mangle/OUTPUT
286: Warning: Line 222: Added rule to reproduce default policy ACCEPT in mangle/POSTROUTING
286: Warning: Line 218: Added rule to reproduce default policy ACCEPT in mangle/PREROUTING
256: New ruleset: nat / POSTROUTING
256: Default action: Accept
257: New ruleset: nat / OUTPUT
257: Default action: Accept
261: New interface: eth+
288: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT
288: Warning: Line 222: Can not reproduce default action in table 'mangle' chain 'FORWARD'. (Generated rule may not generate equivalent iptables command when compiled)
288: Warning: Line 222: Added rule to reproduce default policy ACCEPT in mangle/FORWARD
288: Warning: Line 221: Can not reproduce default action in table 'mangle' chain 'INPUT'. (Generated rule may not generate equivalent iptables command when compiled)
288: Warning: Line 221: Added rule to reproduce default policy ACCEPT in mangle/INPUT
288: Warning: Line 223: Added rule to reproduce default policy ACCEPT in mangle/OUTPUT
288: Warning: Line 224: Added rule to reproduce default policy ACCEPT in mangle/POSTROUTING
288: Warning: Line 220: Added rule to reproduce default policy ACCEPT in mangle/PREROUTING


@ -144,6 +144,8 @@
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A scan_checks_chain -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A scan_checks_chain -i eth0 -p tcp -m tcp --syn -j ACCEPT
-A scan_checks_chain -i eth0 -p tcp -m tcp ! --syn -j ACCEPT
# was: bad port spec