
see #153 deprecating getInterfaceStr: eliminated use of this function in policy compiler for PIX and IOS ACL

This commit is contained in:
Vadim Kurland 2011-02-20 16:11:29 -08:00
parent c272997b6b
commit 926db9b942
12 changed files with 389 additions and 296 deletions


@ -7,7 +7,7 @@ FWB_MICRO_VERSION=0
# build number is like "nano" version number. I am incrementing build
# number during development cycle
#
BUILD_NUM="3482"
BUILD_NUM="3483"
VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"


@ -1,2 +1,2 @@
#define VERSION "4.2.0.3482"
#define VERSION "4.2.0.3483"
#define GENERATION "4.2"


@ -3,7 +3,7 @@
%define name fwbuilder
%define version 4.2.0.3482
%define version 4.2.0.3483
%define release 1
%if "%_vendor" == "MandrakeSoft"


@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
Priority: extra
Section: checkinstall
Maintainer: vadim@fwbuilder.org
Version: 4.2.0.3482-1
Version: 4.2.0.3483-1
Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
Description: Firewall Builder GUI and policy compilers


@ -1,6 +1,6 @@
%define name fwbuilder
%define version 4.2.0.3482
%define version 4.2.0.3483
%define release 1
%if "%_vendor" == "MandrakeSoft"


@ -106,10 +106,6 @@ bool CreateObjectGroups::processNext()
string version = compiler->fw->getStr("version");
string platform = compiler->fw->getStr("platform");
// Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
// rule->getInterfaceId()));
//assert(rule_iface);
RuleElement *re = RuleElement::cast(rule->getFirstByType(re_type));
if (re->size()==1)


@ -131,15 +131,18 @@ string PolicyCompiler_cisco::debugPrintRule(Rule *r)
{
ostringstream str;
PolicyRule *rule = PolicyRule::cast(r);
FWObject *rule_iface = dbcopy->findInIndex(rule->getInterfaceId());
string iname = (rule_iface!=NULL)?rule_iface->getName():"";
// FWObject *rule_iface = dbcopy->findInIndex(rule->getInterfaceId());
// string iname = (rule_iface!=NULL)?rule_iface->getName():"";
string dir = rule->getDirectionAsString();
str << PolicyCompiler::debugPrintRule(rule) <<
" " << dir << " " << iname << " " << rule->getStr("acl") <<
" intfId=" << rule->getInterfaceId() <<
" intfstr=" << rule->getInterfaceStr();
" " << dir
// << " " << iname
<< " " << rule->getStr("acl");
// " intfId=" << rule->getInterfaceId() <<
// " intfstr=" << rule->getInterfaceStr();
return str.str();
}
@ -449,15 +452,16 @@ bool PolicyCompiler_cisco::specialCaseWithDynInterface::dropDynamicInterface(
PolicyRule *rule, PolicyRule::Direction cmp_dir, RuleElement *re)
{
PolicyRule::Direction dir=rule->getDirection();
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
// FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
RuleElementItf *intf_re = rule->getItf();
FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
list<FWObject*> cl;
for (list<FWObject*>::iterator i1=re->begin(); i1!=re->end(); ++i1)
{
FWObject *o = *i1;
FWObject *obj = o;
if (FWReference::cast(o)!=NULL) obj=FWReference::cast(o)->getPointer();
Interface *ifs =Interface::cast( obj );
FWObject *obj = FWObjectReference::getObject(*i1);
Interface *ifs = Interface::cast( obj );
if (ifs!=NULL && ifs->isDyn())
{
@ -585,11 +589,14 @@ bool PolicyCompiler_cisco::tcpServiceToFW::processNext()
bool PolicyCompiler_cisco::replaceFWinSRCInterfacePolicy::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
// FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
RuleElementItf *intf_re = rule->getItf();
Interface *rule_iface = Interface::cast(
FWObjectReference::getObject(intf_re->front()));
if (rule_iface!=NULL && rule->getDirection()==PolicyRule::Outbound)
if ( rule_iface!=NULL && rule->getDirection()==PolicyRule::Outbound)
{
RuleElementSrc *src=rule->getSrc();
RuleElementSrc *src = rule->getSrc();
if (compiler->getFirstSrc(rule)->getId()==compiler->fw->getId())
{
@ -605,11 +612,14 @@ bool PolicyCompiler_cisco::replaceFWinSRCInterfacePolicy::processNext()
bool PolicyCompiler_cisco::replaceFWinDSTInterfacePolicy::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
// FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
RuleElementItf *intf_re = rule->getItf();
Interface *rule_iface = Interface::cast(
FWObjectReference::getObject(intf_re->front()));
if (rule_iface!=NULL && rule->getDirection()==PolicyRule::Inbound)
if ( rule_iface!=NULL && rule->getDirection()==PolicyRule::Inbound)
{
RuleElementDst *dst=rule->getDst();
RuleElementDst *dst = rule->getDst();
if (compiler->getFirstDst(rule)->getId()==compiler->fw->getId())
{
@ -630,12 +640,13 @@ bool PolicyCompiler_cisco::replaceFWinDSTPolicy::processNext()
{
Helper helper(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
// FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
RuleElementItf *intf_re = rule->getItf();
if (rule_iface==NULL)
if (intf_re->isAny())
{
RuleElementSrc *src=rule->getSrc();
RuleElementDst *dst=rule->getDst();
RuleElementSrc *src = rule->getSrc();
RuleElementDst *dst = rule->getDst();
if (!src->isAny() && compiler->getFirstDst(rule)->getId()==compiler->fw->getId())
{
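Review bot: In dropDynamicInterface the new `FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());` is left as a plain `FWObject*`, whereas the parallel rewrites in replaceFWinSRCInterfacePolicy and replaceFWinDSTInterfacePolicy narrow it with `Interface::cast(...)`. If the element's "any" state is represented by a reference to a placeholder object (which the `intf_re->isAny()` checks added elsewhere in this commit suggest), the un-cast value is that placeholder rather than NULL, so any later `rule_iface!=NULL` test in the body (which continues outside the hunk) no longer detects a rule without an interface the way `findInIndex(-1)` did. Suggest `Interface *rule_iface = Interface::cast(FWObjectReference::getObject(intf_re->front()));` here; the same un-cast form appears in the PIX file's replaceTranslatedAddresses and warnWhenTranslatedAddressesAreUsed hunks and in EmulateOutboundACL_v6. `intf_re->front()` also presumes the element is never empty, so a cheap `assert(intf_re!=NULL && intf_re->size()>0);` before it would document that assumption.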


@ -75,13 +75,18 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionBySrc::processNext()
list<int> intf_id_list;
if (rule->getInterfaceId() == -1)
RuleElementItf *intf_re = rule->getItf();
if (intf_re->isAny())
{
bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member");
bool cluster_member =
compiler->fw->getOptionsObject()->getBool("cluster_member");
Cluster *cluster = NULL;
if (cluster_member)
cluster = Cluster::cast(
compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id")));
compiler->dbcopy->findInIndex(
compiler->fw->getInt("parent_cluster_id")));
RuleElementSrc *srcre = rule->getSrc();
RuleElementDst *dstre = rule->getDst();
@ -108,7 +113,12 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionBySrc::processNext()
PolicyRule *new_rule = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(new_rule);
new_rule->duplicate(rule);
new_rule->setInterfaceId(intf_id);
// new_rule->setInterfaceId(intf_id);
RuleElementItf *itf_re = new_rule->getItf(); assert(itf_re!=NULL);
itf_re->reset();
itf_re->addRef(ifs);
new_rule->setDirection(PolicyRule::Inbound);
new_rule->setBool("interface_and_direction_set_from_src",true);
tmp_queue.push_back(new_rule);
@ -144,15 +154,20 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionByDst::processNext()
return true;
}
RuleElementItf *intf_re = rule->getItf();
list<int> intf_id_list;
if (rule->getInterfaceId() == -1)
if (intf_re->isAny())
{
bool cluster_member = compiler->fw->getOptionsObject()->getBool("cluster_member");
bool cluster_member =
compiler->fw->getOptionsObject()->getBool("cluster_member");
Cluster *cluster = NULL;
if (cluster_member)
cluster = Cluster::cast(
compiler->dbcopy->findInIndex(compiler->fw->getInt("parent_cluster_id")));
compiler->dbcopy->findInIndex(
compiler->fw->getInt("parent_cluster_id")));
RuleElementDst *dstre = rule->getDst();
Address *dstobj = compiler->getFirstDst(rule);
@ -178,7 +193,13 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionByDst::processNext()
PolicyRule *new_rule = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(new_rule);
new_rule->duplicate(rule);
new_rule->setInterfaceId(intf_id);
// new_rule->setInterfaceId(intf_id);
RuleElementItf *itf_re = new_rule->getItf(); assert(itf_re!=NULL);
itf_re->reset();
itf_re->addRef(ifs);
new_rule->setDirection(PolicyRule::Outbound);
new_rule->setBool("interface_and_direction_set_from_dst",true);
tmp_queue.push_back(new_rule);
@ -195,7 +216,9 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionIfInterfaceSet::processNext()
//RuleElementItf *itfre=rule->getItf();
if (rule->getInterfaceId() == -1 ||
RuleElementItf *intf_re = rule->getItf();
if (intf_re->isAny() ||
rule->getBool("interface_and_direction_set_from_src") ||
rule->getBool("interface_and_direction_set_from_dst"))
{
@ -205,16 +228,22 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionIfInterfaceSet::processNext()
PolicyRule *new_rule;
if ( rule->getInterfaceId() > -1 )
if ( ! intf_re->isAny())
{
int rule_iface_id = rule->getInterfaceId();
FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
RuleElementItf *itf_re;
if (rule->getDirection()==PolicyRule::Both)
{
new_rule =compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(new_rule);
new_rule->duplicate(rule);
new_rule->setInterfaceId( rule_iface_id );
// new_rule->setInterfaceId( rule_iface_id );
itf_re = new_rule->getItf(); assert(itf_re!=NULL);
itf_re->reset();
itf_re->addRef(rule_iface);
new_rule->setDirection(PolicyRule::Inbound);
new_rule->setBool("interface_and_direction_set",true);
tmp_queue.push_back(new_rule);
@ -222,7 +251,12 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionIfInterfaceSet::processNext()
new_rule =compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(new_rule);
new_rule->duplicate(rule);
new_rule->setInterfaceId( rule_iface_id );
// new_rule->setInterfaceId( rule_iface_id );
itf_re = new_rule->getItf(); assert(itf_re!=NULL);
itf_re->reset();
itf_re->addRef(rule_iface);
new_rule->setDirection(PolicyRule::Outbound);
new_rule->setBool("interface_and_direction_set",true);
tmp_queue.push_back(new_rule);
@ -231,7 +265,12 @@ bool PolicyCompiler_cisco::setInterfaceAndDirectionIfInterfaceSet::processNext()
new_rule =compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(new_rule);
new_rule->duplicate(rule);
new_rule->setInterfaceId( rule_iface_id );
// new_rule->setInterfaceId( rule_iface_id );
itf_re = new_rule->getItf(); assert(itf_re!=NULL);
itf_re->reset();
itf_re->addRef(rule_iface);
// direction is copied from the original rule
new_rule->setBool("interface_and_direction_set",true);
tmp_queue.push_back(new_rule);
@ -244,10 +283,15 @@ bool PolicyCompiler_cisco::pickACL::processNext()
{
PolicyCompiler_cisco *cisco_comp = dynamic_cast<PolicyCompiler_cisco*>(
compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
PolicyRule *rule = getNext(); if (rule==NULL) return false;
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
rule->getInterfaceId()));
// Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(
// rule->getInterfaceId()));
RuleElementItf *intf_re = rule->getItf();
Interface *rule_iface = Interface::cast(
FWObjectReference::getObject(intf_re->front()));
if(rule_iface==NULL)
{
compiler->abort(rule, "Missing interface assignment");
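Review bot: The sequence `RuleElementItf *itf_re = new_rule->getItf(); assert(itf_re!=NULL); itf_re->reset(); itf_re->addRef(ifs);` is now pasted five times in this file (setInterfaceAndDirectionBySrc, setInterfaceAndDirectionByDst and three times in setInterfaceAndDirectionIfInterfaceSet) and again in the PIX v6 compiler. A small file-static helper holding that sequence would keep the semantics in one place and make any future null or empty-element check a single edit. Note also that `assert(itf_re!=NULL)` vanishes under NDEBUG, so if `getItf()` can really return NULL a release build dereferences it on the next line; `compiler->abort(rule, ...)` is the pattern this file already uses for a missing interface. The enclosing functions continue outside the hunks.
```cpp
// Replace the interface element of r with a single reference to iface.
static void setRuleInterface(PolicyRule *r, FWObject *iface)
{
    RuleElementItf *itf_re = r->getItf(); assert(itf_re!=NULL);
    itf_re->reset();
    itf_re->addRef(iface);
}
// … unchanged: setInterfaceAndDirectionBySrc up to the rule copy …
            new_rule->duplicate(rule);
            setRuleInterface(new_rule, ifs);
// … unchanged: direction/flag setting and tmp_queue push …
```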


@ -48,11 +48,6 @@ bool PolicyCompiler_pix::matchTranslatedAddresses::processNext()
transformed_rules.clear();
// string rule_iface_id=rule->getInterfaceId();
// Address *src=compiler->getFirstSrc(rule);
// Service *srv=compiler->getFirstSrv(rule);
RuleElementSrc *srcrel = rule->getSrc();
RuleElementDst *dstrel = rule->getDst();
RuleElementSrv *srvrel = rule->getSrv();
@ -132,8 +127,12 @@ void PolicyCompiler_pix::replaceTranslatedAddresses::action(
PolicyRule* policy_rule,
NATRule* nat_rule, Address *src, Address*, Service *srv)
{
FWObject *rule_iface = compiler->dbcopy->findInIndex(
policy_rule->getInterfaceId());
// FWObject *rule_iface = compiler->dbcopy->findInIndex(
// policy_rule->getInterfaceId());
RuleElementItf *intf_re = policy_rule->getItf();
FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
RuleElement *re = nat_rule->getOSrc();
FWObject *o = FWReference::getObject(re->front());
@ -204,8 +203,12 @@ void PolicyCompiler_pix::warnWhenTranslatedAddressesAreUsed::action(
PolicyRule* policy_rule,
NATRule* nat_rule, Address*, Address *dst, Service*)
{
FWObject *rule_iface = compiler->dbcopy->findInIndex(
policy_rule->getInterfaceId());
// FWObject *rule_iface = compiler->dbcopy->findInIndex(
// policy_rule->getInterfaceId());
RuleElementItf *intf_re = policy_rule->getItf();
FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
string version = compiler->fw->getStr("version");
RuleElement *re;


@ -67,24 +67,26 @@ using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
PolicyRule *rule = getNext(); if (rule==NULL) return false;
tmp_queue.push_back(rule);
bool icmp_cmd = rule->getBool("icmp_cmd");
bool ssh_telnet_cmd = rule->getBool("ssh_telnet_cmd");
int interface_id = rule->getInterfaceId();
// int interface_id = rule->getInterfaceId();
RuleElementItf *intf_re = rule->getItf();
if (rule->getDirection()==PolicyRule::Undefined)
rule->setDirection( PolicyRule::Both );
if (interface_id==-1 && rule->getDirection()==PolicyRule::Both)
if (intf_re->isAny() && rule->getDirection()==PolicyRule::Both)
return true;
if (interface_id==-1 && !icmp_cmd && !ssh_telnet_cmd && (
if (intf_re->isAny() && !icmp_cmd && !ssh_telnet_cmd && (
rule->getDirection()==PolicyRule::Inbound ||
rule->getDirection()==PolicyRule::Outbound)
) compiler->abort(rule, "Direction set without interface");
@ -106,12 +108,13 @@ bool PolicyCompiler_pix::InterfaceAndDirection_v6::processNext()
*/
bool PolicyCompiler_pix::SplitDirection_v6::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
PolicyRule *rule = getNext(); if (rule==NULL) return false;
// FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
RuleElementItf *intf_re = rule->getItf();
if (rule->getDirection()==PolicyRule::Both)
{
if (rule_iface!=NULL)
if ( ! intf_re->isAny())
{
PolicyRule *r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
@ -176,9 +179,11 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
{
Helper helper(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
// FWObject *rule_iface = compiler->dbcopy->findInIndex(rule->getInterfaceId());
RuleElementItf *intf_re = rule->getItf();
FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
if (rule->getDirection()==PolicyRule::Outbound && rule_iface!=NULL)
if (rule->getDirection()==PolicyRule::Outbound && ! intf_re->isAny())
{
if ( compiler->fw->getOptionsObject()->getBool("pix_emulate_out_acl") )
{
@ -196,7 +201,7 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
* network zone is the same as the one this rule is assigned to, but
* direction is Outbound - drop this rule
*/
if (iface1_id==rule->getInterfaceId())
if (iface1_id == rule_iface->getId())
{
compiler->warning(rule,
"Rule with direction 'Outbound' was suppressed "
@ -206,7 +211,10 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
return true;
}
rule->setInterfaceId(iface1_id);
// rule->setInterfaceId(iface1_id);
intf_re->reset();
intf_re->addRef(compiler->dbcopy->findInIndex(iface1_id));
rule->setDirection(PolicyRule::Inbound);
tmp_queue.push_back(rule);
} else
@ -215,16 +223,21 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
iface2_id = helper.findInterfaceByNetzone(
compiler->getFirstDst(rule) );
list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
list<FWObject*> l2 = compiler->fw->getByTypeDeep(
Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
if ( (*i)->getId()==iface2_id ) continue;
PolicyRule *r= compiler->dbcopy->createPolicyRule();
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setInterfaceId((*i)->getId());
// r->setInterfaceId((*i)->getId());
RuleElementItf *itf_re = r->getItf(); assert(itf_re!=NULL);
itf_re->reset();
itf_re->addRef(*i);
rule->setDirection(PolicyRule::Inbound);
tmp_queue.push_back(r);
@ -283,21 +296,27 @@ bool PolicyCompiler_pix::EmulateOutboundACL_v6::processNext()
*/
bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
PolicyRule *rule = getNext(); if (rule==NULL) return false;
Helper helper(compiler);
RuleElementSrc *src=rule->getSrc(); assert(src);
RuleElementDst *dst=rule->getDst(); assert(dst);
RuleElementSrc *src = rule->getSrc(); assert(src);
RuleElementDst *dst = rule->getDst(); assert(dst);
if (rule->getInterfaceId()==-1)
RuleElementItf *intf_re = rule->getItf();
// FWObject *rule_iface = FWObjectReference::getObject(intf_re->front());
if (intf_re->isAny())
{
try
{
if (! src->isAny() )
{
Address *a=compiler->getFirstSrc(rule);
Address *a = compiler->getFirstSrc(rule);
int iface1_id = helper.findInterfaceByNetzone(a);
rule->setInterfaceId(iface1_id);
// rule->setInterfaceId(iface1_id);
intf_re->reset();
intf_re->addRef(compiler->dbcopy->findInIndex(iface1_id));
tmp_queue.push_back(rule);
} else
{
@ -305,7 +324,10 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
if ( ! dst->isAny() && compiler->complexMatch(a,compiler->fw))
{
int iface2_id = helper.findInterfaceByNetzone( a );
rule->setInterfaceId(iface2_id);
// rule->setInterfaceId(iface2_id);
intf_re->reset();
intf_re->addRef(compiler->dbcopy->findInIndex(iface2_id));
rule->setStr("direction","Inbound");
tmp_queue.push_back(rule);
return true;
@ -316,13 +338,18 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
{
Interface *intf = Interface::cast(*i);
if (intf->isUnprotected()) continue;
if (intf->getOptionsObject()->getBool("cluster_interface")) continue;
if (intf->getOptionsObject()->getBool("cluster_interface"))
continue;
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setInterfaceId(intf->getId());
// r->setInterfaceId(intf->getId());
RuleElementItf *itf_re = r->getItf(); assert(itf_re!=NULL);
itf_re->reset();
itf_re->addRef(intf);
r->setStr("direction","Inbound");
tmp_queue.push_back(r);
@ -351,13 +378,18 @@ bool PolicyCompiler_pix::assignRuleToInterface_v6::processNext()
*/
bool PolicyCompiler_pix::pickACL_v6::processNext()
{
PolicyCompiler_pix *pix_comp=dynamic_cast<PolicyCompiler_pix*>(compiler);
PolicyRule *rule=getNext(); if (rule==NULL) return false;
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
if(rule_iface==NULL)
PolicyCompiler_pix *pix_comp = dynamic_cast<PolicyCompiler_pix*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
// Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
RuleElementItf *intf_re = rule->getItf();
Interface *rule_iface = Interface::cast(
FWObjectReference::getObject(intf_re->front()));
if (intf_re->isAny() || rule_iface==NULL)
compiler->abort(rule, "Missing interface assignment");
string acl_name= rule_iface->getLabel() + "_acl_in";
string acl_name = rule_iface->getLabel() + "_acl_in";
rule->setStr("acl", acl_name);
ciscoACL *acl = new ciscoACL(acl_name, rule_iface, "in");
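Review bot: In EmulateOutboundACL_v6 and assignRuleToInterface_v6 the new `intf_re->addRef(compiler->dbcopy->findInIndex(iface1_id));` (and the matching `iface2_id` line) hands the result of `findInIndex` straight to `addRef` with no check; the replaced `setInterfaceId(iface1_id)` only stored an int, so an id that does not resolve now becomes a NULL reference inside the rule element instead of a harmless -1. If `findInterfaceByNetzone` can return such an id, look the object up first and bail out through `compiler->abort(rule, ...)` when it is NULL, e.g. `FWObject *iface = compiler->dbcopy->findInIndex(iface1_id);` / `if (iface==NULL) compiler->abort(rule, "Can not find interface for network zone");` / `intf_re->addRef(iface);`. Separately, in the EmulateOutboundACL_v6 loop over `l2`, the unchanged `rule->setDirection(PolicyRule::Inbound);` sits between `r->duplicate(rule)` and `tmp_queue.push_back(r)`, so the first copy keeps the original direction and only later copies pick up Inbound; it looks like it should read `r->setDirection(PolicyRule::Inbound);`. Both functions continue outside the hunks.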


@ -272,8 +272,13 @@ string PolicyCompiler_pix::PrintRule::_printICMPCommand(PolicyRule *rule)
FWObject *srv = srvrel->front();
if (FWReference::cast(srv)!=NULL) srv = FWReference::cast(srv)->getPointer();
Interface *rule_iface =
Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
// Interface *rule_iface =
// Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
RuleElementItf *intf_re = rule->getItf();
Interface *rule_iface = Interface::cast(
FWObjectReference::getObject(intf_re->front()));
assert(rule_iface);
if (PIXObjectGroup::cast(srv)!=NULL)
@ -314,18 +319,20 @@ string PolicyCompiler_pix::PrintRule::_printICMPCommand(PolicyRule *rule)
string PolicyCompiler_pix::PrintRule::_printSSHTelnetCommand(PolicyRule *rule)
{
// Helper helper(this);
ostringstream str;
int port;
RuleElementSrc *rel=rule->getSrc();
Service *srv=compiler->getFirstSrv(rule);
RuleElementSrc *rel = rule->getSrc();
Service *srv = compiler->getFirstSrv(rule);
Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
// Interface *rule_iface = Interface::cast(compiler->dbcopy->findInIndex(rule->getInterfaceId()));
RuleElementItf *intf_re = rule->getItf();
Interface *rule_iface = Interface::cast(
FWObjectReference::getObject(intf_re->front()));
assert(rule_iface);
port=TCPUDPService::cast(srv)->getDstRangeStart();
port = TCPUDPService::cast(srv)->getDstRangeStart();
for (FWObject::iterator i=rel->begin(); i!=rel->end(); ++i)
{
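Review bot: Both _printICMPCommand and _printSSHTelnetCommand keep the pre-existing `assert(rule_iface);` after the new `Interface::cast(FWObjectReference::getObject(intf_re->front()))` lookup, but `assert` is compiled out under NDEBUG, so a rule whose interface element is "any" (where the cast presumably yields NULL, as the `intf_re->isAny() || rule_iface==NULL` test in pickACL_v6 suggests) would be dereferenced in a release build. Since this is a user-data condition rather than a programmer invariant, `if (rule_iface==NULL) compiler->abort(rule, "Missing interface assignment");` would match how pickACL and pickACL_v6 already report it. Both functions continue outside the hunk.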


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1273676680" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="18" lastModified="1273676680" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -51,9 +51,9 @@
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
@ -69,9 +69,9 @@
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
@ -100,17 +100,17 @@
</ObjectGroup>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
@ -352,54 +352,54 @@
</ServiceGroup>
<ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
<CustomService id="id3B64EEA8" name="rpc" comment="works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection tracker, supports DCC.&#10;Works on iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/&#10;" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3B64EF50" name="psd" comment="Port scan detector, works only on iptables and requires patch-o-matic &#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3B64EF52" name="string" comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id3B64EF54" name="talk" comment="Talk protocol support. Works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="Undefined"/>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfilter"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
@ -566,34 +566,34 @@
<ServiceGroup id="id4511637123682" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id4511637223682" name="Custom" comment="" ro="False">
<CustomService id="id4226X64279" name="dscp af11" comment="" ro="False" protocol="tcp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl">dscp af11</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id8888X64279" name="esp dscp af12" comment="" ro="False" protocol="50" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl">dscp af12</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
<CustomService id="id26068X65694" name="esp dscp af11 ipv6" comment="" ro="False" protocol="50" address_family="ipv6">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"/>
<CustomServiceCommand platform="iosacl">dscp af11</CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"/>
<CustomServiceCommand platform="ipfw"/>
<CustomServiceCommand platform="iptables"/>
<CustomServiceCommand platform="pf"/>
<CustomServiceCommand platform="pix"/>
<CustomServiceCommand platform="unknown"/>
</CustomService>
</ServiceGroup>
<ServiceGroup id="id4511637323682" name="TagServices" comment="" ro="False"/>
@ -1174,10 +1174,10 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="compiler"></Option>
<Option name="compiler"/>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="filesystem">/etc</Option>
@ -1206,8 +1206,8 @@
<Option name="iosacl_logging_trap_level">3</Option>
<Option name="iosacl_prolog_script">! This is prolog</Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_use_acl_remarks">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
@ -1222,7 +1222,7 @@
<Option name="mgmt_addr">10.10.11.10</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -1244,10 +1244,10 @@
<Option name="procurve_acl_acl_basic">True</Option>
<Option name="procurve_acl_acl_no_clear">False</Option>
<Option name="procurve_acl_acl_substitution">False</Option>
<Option name="procurve_acl_acl_temp_addr"></Option>
<Option name="procurve_acl_acl_temp_addr"/>
<Option name="procurve_acl_add_clear_statements">true</Option>
<Option name="procurve_acl_assume_fw_part_of_any">true</Option>
<Option name="procurve_acl_epilog_script"></Option>
<Option name="procurve_acl_epilog_script"/>
<Option name="procurve_acl_generate_logging_commands">False</Option>
<Option name="procurve_acl_include_comments">true</Option>
<Option name="procurve_acl_logging_buffered">False</Option>
@ -1256,14 +1256,14 @@
<Option name="procurve_acl_logging_console_level">2</Option>
<Option name="procurve_acl_logging_timestamp">False</Option>
<Option name="procurve_acl_logging_trap_level">2</Option>
<Option name="procurve_acl_prolog_script"></Option>
<Option name="procurve_acl_syslog_facility"></Option>
<Option name="procurve_acl_syslog_host"></Option>
<Option name="procurve_acl_prolog_script"/>
<Option name="procurve_acl_syslog_facility"/>
<Option name="procurve_acl_syslog_host"/>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_nlgroup">1</Option>
<Option name="use_scp">False</Option>
<Option name="verify_interfaces">true</Option>
@ -1621,34 +1621,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"></Option>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -1657,7 +1657,7 @@
<Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -1666,13 +1666,13 @@
<Option name="iosacl_logging_console_level">0</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">0</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -1687,18 +1687,18 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -1717,7 +1717,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -1769,12 +1769,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="prolog_script"/>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -2136,34 +2136,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"></Option>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -2172,7 +2172,7 @@
<Option name="iosacl_acl_temp_addr">1.1.1.0/24</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -2181,13 +2181,13 @@
<Option name="iosacl_logging_console_level">2</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">2</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -2206,14 +2206,14 @@
<Option name="mgmt_ssh">True</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -2232,7 +2232,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -2284,12 +2284,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="prolog_script"/>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -2430,34 +2430,34 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">True</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline">-xt</Option>
<Option name="compiler"></Option>
<Option name="compiler"/>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="enable_ipv6">True</Option>
<Option name="epilog_script"></Option>
<Option name="epilog_script"/>
<Option name="fallback_log">False</Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="freebsd_ip_redirect"></Option>
<Option name="freebsd_ip_sourceroute"></Option>
<Option name="freebsd_ip_redirect"/>
<Option name="freebsd_ip_sourceroute"/>
<Option name="freebsd_ipv6_forward">1</Option>
<Option name="freebsd_path_ipf"></Option>
<Option name="freebsd_path_ipfw"></Option>
<Option name="freebsd_path_ipnat"></Option>
<Option name="freebsd_path_sysctl"></Option>
<Option name="freebsd_path_ipf"/>
<Option name="freebsd_path_ipfw"/>
<Option name="freebsd_path_ipnat"/>
<Option name="freebsd_path_sysctl"/>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">True</Option>
<Option name="iosacl_acl_basic">False</Option>
@ -2466,7 +2466,7 @@
<Option name="iosacl_acl_temp_addr">fe80::21d:9ff:aaaa:bbbb/64</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_generate_logging_commands">False</Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
@ -2475,13 +2475,13 @@
<Option name="iosacl_logging_console_level">1</Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level">1</Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="ipt_mangle_only_rulesets"></Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="ipt_mangle_only_rulesets"/>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_suffix"/>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -2496,18 +2496,18 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_ssh">False</Option>
<Option name="modulate_state">False</Option>
<Option name="no_ipv6_default_policy">False</Option>
<Option name="openbsd_ip_directed_broadcast"></Option>
<Option name="openbsd_ip_directed_broadcast"/>
<Option name="openbsd_ip_forward">1</Option>
<Option name="openbsd_ip_redirect"></Option>
<Option name="openbsd_ip_sourceroute"></Option>
<Option name="openbsd_ip_redirect"/>
<Option name="openbsd_ip_sourceroute"/>
<Option name="openbsd_ipv6_forward">1</Option>
<Option name="openbsd_path_pfctl"></Option>
<Option name="openbsd_path_sysctl"></Option>
<Option name="output_file"></Option>
<Option name="openbsd_path_pfctl"/>
<Option name="openbsd_path_sysctl"/>
<Option name="output_file"/>
<Option name="pass_all_out">False</Option>
<Option name="pf_adaptive_end">0</Option>
<Option name="pf_adaptive_start">0</Option>
@ -2526,7 +2526,7 @@
<Option name="pf_limit_states">10000</Option>
<Option name="pf_limit_table_entries">0</Option>
<Option name="pf_limit_tables">0</Option>
<Option name="pf_optimization"></Option>
<Option name="pf_optimization"/>
<Option name="pf_other_first">0</Option>
<Option name="pf_other_multiple">0</Option>
<Option name="pf_other_single">0</Option>
@ -2578,12 +2578,12 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">fw_file</Option>
<Option name="prolog_script"></Option>
<Option name="prolog_script"/>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
@ -3106,10 +3106,10 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="compiler"></Option>
<Option name="compiler"/>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="filesystem">/etc</Option>
@ -3138,8 +3138,8 @@
<Option name="iosacl_logging_trap_level">3</Option>
<Option name="iosacl_prolog_script">! This is prolog</Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_use_acl_remarks">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
@ -3154,7 +3154,7 @@
<Option name="mgmt_addr">10.10.11.10</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -3176,10 +3176,10 @@
<Option name="procurve_acl_acl_basic">False</Option>
<Option name="procurve_acl_acl_no_clear">True</Option>
<Option name="procurve_acl_acl_substitution">False</Option>
<Option name="procurve_acl_acl_temp_addr"></Option>
<Option name="procurve_acl_acl_temp_addr"/>
<Option name="procurve_acl_add_clear_statements">true</Option>
<Option name="procurve_acl_assume_fw_part_of_any">true</Option>
<Option name="procurve_acl_epilog_script"></Option>
<Option name="procurve_acl_epilog_script"/>
<Option name="procurve_acl_generate_logging_commands">False</Option>
<Option name="procurve_acl_include_comments">False</Option>
<Option name="procurve_acl_logging_buffered">False</Option>
@ -3188,15 +3188,15 @@
<Option name="procurve_acl_logging_console_level">4</Option>
<Option name="procurve_acl_logging_timestamp">False</Option>
<Option name="procurve_acl_logging_trap_level">4</Option>
<Option name="procurve_acl_prolog_script"></Option>
<Option name="procurve_acl_syslog_facility"></Option>
<Option name="procurve_acl_syslog_host"></Option>
<Option name="procurve_acl_prolog_script"/>
<Option name="procurve_acl_syslog_facility"/>
<Option name="procurve_acl_syslog_host"/>
<Option name="procurve_acl_use_acl_remarks">False</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_nlgroup">1</Option>
<Option name="use_scp">False</Option>
<Option name="verify_interfaces">true</Option>
@ -3715,14 +3715,14 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="compiler"></Option>
<Option name="compiler"/>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="filesystem"></Option>
<Option name="firewall_dir"></Option>
<Option name="filesystem"/>
<Option name="firewall_dir"/>
<Option name="firewall_is_part_of_any_and_networks">true</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
@ -3747,8 +3747,8 @@
<Option name="iosacl_logging_trap_level">3</Option>
<Option name="iosacl_prolog_script">! This is prolog</Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_use_acl_remarks">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
@ -3763,7 +3763,7 @@
<Option name="mgmt_addr">10.10.11.10</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -3788,7 +3788,7 @@
<Option name="procurve_acl_acl_temp_addr">10.10.11.10</Option>
<Option name="procurve_acl_add_clear_statements">true</Option>
<Option name="procurve_acl_assume_fw_part_of_any">true</Option>
<Option name="procurve_acl_epilog_script"></Option>
<Option name="procurve_acl_epilog_script"/>
<Option name="procurve_acl_generate_logging_commands">False</Option>
<Option name="procurve_acl_include_comments">True</Option>
<Option name="procurve_acl_logging_buffered">False</Option>
@ -3797,15 +3797,15 @@
<Option name="procurve_acl_logging_console_level">6</Option>
<Option name="procurve_acl_logging_timestamp">False</Option>
<Option name="procurve_acl_logging_trap_level">6</Option>
<Option name="procurve_acl_prolog_script"></Option>
<Option name="procurve_acl_syslog_facility"></Option>
<Option name="procurve_acl_syslog_host"></Option>
<Option name="procurve_acl_prolog_script"/>
<Option name="procurve_acl_syslog_facility"/>
<Option name="procurve_acl_syslog_host"/>
<Option name="procurve_acl_use_acl_remarks">False</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_nlgroup">1</Option>
<Option name="use_scp">True</Option>
<Option name="verify_interfaces">true</Option>
@ -4330,10 +4330,10 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="check_shading">False</Option>
<Option name="compiler"></Option>
<Option name="compiler"/>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="filesystem">/etc</Option>
@ -4362,8 +4362,8 @@
<Option name="iosacl_logging_trap_level">3</Option>
<Option name="iosacl_prolog_script">! This is prolog</Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_use_acl_remarks">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_value">0</Option>
@ -4378,7 +4378,7 @@
<Option name="mgmt_addr">10.10.11.10</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"></Option>
<Option name="output_file"/>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -4403,7 +4403,7 @@
<Option name="procurve_acl_acl_temp_addr">10.10.11.10</Option>
<Option name="procurve_acl_add_clear_statements">true</Option>
<Option name="procurve_acl_assume_fw_part_of_any">true</Option>
<Option name="procurve_acl_epilog_script"></Option>
<Option name="procurve_acl_epilog_script"/>
<Option name="procurve_acl_generate_logging_commands">False</Option>
<Option name="procurve_acl_include_comments">True</Option>
<Option name="procurve_acl_logging_buffered">False</Option>
@ -4412,15 +4412,15 @@
<Option name="procurve_acl_logging_console_level">5</Option>
<Option name="procurve_acl_logging_timestamp">False</Option>
<Option name="procurve_acl_logging_trap_level">5</Option>
<Option name="procurve_acl_prolog_script"></Option>
<Option name="procurve_acl_syslog_facility"></Option>
<Option name="procurve_acl_syslog_host"></Option>
<Option name="procurve_acl_prolog_script"/>
<Option name="procurve_acl_syslog_facility"/>
<Option name="procurve_acl_syslog_host"/>
<Option name="procurve_acl_use_acl_remarks">True</Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="scpArgs"></Option>
<Option name="scpArgs"/>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"></Option>
<Option name="sshArgs"/>
<Option name="ulog_nlgroup">1</Option>
<Option name="use_scp">False</Option>
<Option name="verify_interfaces">true</Option>