
* src/pflib/PolicyCompiler_pf_writers.cpp (PrintRule::processNext):

fixes #1210 "syntax error in PF rule - "modulate state" is
required".  Per bug reported in the mailing list (and according to
the pf.conf manual), pf.conf requires "keep state", "modulate
state" or "synproxy" if any of the stateful tracking options are
used in the rule. These include "max", "no-sync", "pflow",
"sloppy", "source-track" and others.
This commit is contained in:
Vadim Kurland 2010-02-07 05:24:21 +00:00
parent 8fae13fbd9
commit a0314a7d97
4 changed files with 131 additions and 11 deletions


@ -1 +1 @@
#define BUILD_NUM 2502
#define BUILD_NUM 2503


@ -1,5 +1,13 @@
2010-02-06 vadim <vadim@vk.crocodile.org>
* src/pflib/PolicyCompiler_pf_writers.cpp (PrintRule::processNext):
fixes #1210 "syntax error in PF rule - "modulate state" is
required". Per bug reported in the mailing list (and according to
the pf.conf manual), pf.conf requires "keep state", "modulate
state" or "synproxy"if any of the stateful tracking options are
used in the rule. These include "max", "no-sync", "pflow",
"sloppy", "source-track" and others.
* src/pflib/PolicyCompiler_pf_writers.cpp (PrintRule::processNext):
fixes #1209 "incorrect syntax in PF rules when only "Activate
source tracking" option is on". Compiler sometimes generated empty


@ -998,20 +998,31 @@ bool PolicyCompiler_pf::PrintRule::processNext()
}
}
// in PF "modulate state", "synproxy state", "keep state" are mutually
// exclusive
// "keep state" can be used with any protocol, while "modulate state"
// and "synproxy state" can only be used with tcp.
/*
* in PF "modulate state", "synproxy state", "keep state" are
* mutually exclusive "keep state" can be used with any
* protocol, while "modulate state" and "synproxy state" can
* only be used with tcp.
*/
bool have_state_option = false;
/*
* First, set explicit state tracking parameter, then add
* stateful tracking options.
*/
if (compiler->getCachedFwOpt()->getBool("pf_synproxy") && tcpsrv!=NULL)
{
compiler->output << "synproxy state ";
else
have_state_option = true;
} else
{
if ((ruleopt->getBool("pf_modulate_state") ||
compiler->getCachedFwOpt()->getBool("pf_modulate_state")) &&
tcpsrv!=NULL)
{
compiler->output << "modulate state ";
have_state_option = true;
} else
{
/*
@ -1035,43 +1046,63 @@ bool PolicyCompiler_pf::PrintRule::processNext()
* explicitly" to cope with this.
*/
if (XMLTools::version_compare(version, "4.0") < 0 ||
//if ( version != "4.x" ||
compiler->getCachedFwOpt()->getBool("pf_keep_state"))
{
compiler->output << "keep state ";
have_state_option = true;
}
}
}
/*
* Stateful tracking options. According to the pf.conf manual,
* one of keep state, modulate state, or synproxy state must
* be specified explicitly to apply these options to a rule.
* Using flags need_state_option and have_state_option for that.
*/
QStringList options;
bool need_state_option = false;
if (ruleopt->getInt("pf_rule_max_state")>0)
{
options.push_back(QString("max %1").arg(ruleopt->getInt("pf_rule_max_state")));
need_state_option = true;
}
if (ruleopt->getBool("pf_sloppy_tracker"))
{
options.push_back("sloppy");
need_state_option = true;
}
if (ruleopt->getBool("pf_no_sync"))
{
options.push_back("no-sync");
need_state_option = true;
}
if (ruleopt->getBool("pf_pflow"))
{
options.push_back("pflow");
need_state_option = true;
}
if (ruleopt->getBool("pf_source_tracking"))
{
if (ruleopt->getInt("pf_max_src_nodes") > 0)
{
options.push_back(QString("max-src-nodes %1").arg(
ruleopt->getInt("pf_max_src_nodes")));
need_state_option = true;
}
if (ruleopt->getInt("pf_max_src_states")>0)
{
options.push_back(QString("max-src-states %1").arg(
ruleopt->getInt("pf_max_src_states")));
need_state_option = true;
}
}
bool check_overload_opts = false;
@ -1080,6 +1111,7 @@ bool PolicyCompiler_pf::PrintRule::processNext()
options.push_back(QString("max-src-conn %1").arg(
ruleopt->getInt("pf_max_src_conn")));
check_overload_opts = true;
need_state_option = true;
}
if (ruleopt->getInt("pf_max_src_conn_rate_num")>0 &&
@ -1089,6 +1121,7 @@ bool PolicyCompiler_pf::PrintRule::processNext()
.arg(ruleopt->getInt("pf_max_src_conn_rate_num"))
.arg(ruleopt->getInt("pf_max_src_conn_rate_seconds")));
check_overload_opts = true;
need_state_option = true;
}
if (check_overload_opts)
@ -1106,6 +1139,11 @@ bool PolicyCompiler_pf::PrintRule::processNext()
options.push_back(overload_opts.join(" "));
}
if (need_state_option && !have_state_option)
{
compiler->output << "keep state ";
}
// looks like pf.conf syntax requires '(' ')' even if there is
// only one option
if (options.size() > 0) compiler->output << "( ";
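Review bot: The synproxy branch at the top of the first hunk reads only the firewall-level option, `compiler->getCachedFwOpt()->getBool("pf_synproxy")`, while the modulate-state branch directly below it also consults `ruleopt->getBool("pf_modulate_state")`; the new "synproxy" test rule in the .fwb fixture sets `pf_synproxy` as a rule option with `pf_modulate_state` and `pf_keep_state` false, so unless rule options are folded into the cached firewall options somewhere outside this hunk, that rule will end up with the fallback `keep state` from the last hunk instead of `synproxy state`. Mirroring the modulate check, `if ((ruleopt->getBool("pf_synproxy") || compiler->getCachedFwOpt()->getBool("pf_synproxy")) && tcpsrv!=NULL)`, would make the two branches consistent. Separately, every `options.push_back(...)` in the later hunks is paired with `need_state_option = true;`, so the final guard could be written `if (!have_state_option && !options.isEmpty())` and the flag dropped — as far as the visible hunks show, no option is pushed without it. PrintRule::processNext starts before the first hunk and continues after the last.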


@ -17433,7 +17433,7 @@
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id20420X57591" host_OS="openbsd" inactive="False" lastCompiled="1157930823" lastInstalled="0" lastModified="1263499340" platform="pf" version="4.5" name="firewall80-4.5" comment="Testin state tracking options&#10;" ro="False">
<Firewall id="id20420X57591" host_OS="openbsd" inactive="False" lastCompiled="1157930823" lastInstalled="0" lastModified="1265520219" platform="pf" version="4.5" name="firewall80-4.5" comment="Testin state tracking options&#10;" ro="False">
<NAT id="id20508X57591" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -17549,7 +17549,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id20483X57591" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="">
<PolicyRule id="id20483X57591" disabled="False" log="False" position="3" action="Accept" direction="Both" comment="activate source tracking">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -17586,7 +17586,81 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id20602X57591" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="">
<PolicyRule id="id21396X29287" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="modulate state">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id20431X57591"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"></Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">10</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_modulate_state">True</Option>
<Option name="pf_no_sync">False</Option>
<Option name="pf_pflow">False</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_sloppy_tracker">False</Option>
<Option name="pf_source_tracking">True</Option>
<Option name="pf_synproxy">False</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id21466X29287" disabled="False" group="" log="False" position="5" action="Accept" direction="Both" comment="synproxy">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id20431X57591"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="log_prefix"></Option>
<Option name="pf_keep_state">False</Option>
<Option name="pf_max_src_conn">0</Option>
<Option name="pf_max_src_conn_flush">False</Option>
<Option name="pf_max_src_conn_global">False</Option>
<Option name="pf_max_src_conn_overload_table"></Option>
<Option name="pf_max_src_conn_rate_num">0</Option>
<Option name="pf_max_src_conn_rate_seconds">0</Option>
<Option name="pf_max_src_nodes">10</Option>
<Option name="pf_max_src_states">0</Option>
<Option name="pf_modulate_state">False</Option>
<Option name="pf_no_sync">False</Option>
<Option name="pf_pflow">False</Option>
<Option name="pf_rule_max_state">0</Option>
<Option name="pf_sloppy_tracker">False</Option>
<Option name="pf_source_tracking">True</Option>
<Option name="pf_synproxy">True</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id20602X57591" disabled="False" group="" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -17623,7 +17697,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id20495X57591" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<PolicyRule id="id20495X57591" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>