mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-18 17:27:20 +01:00

see #2464 implemented import of PF "set timeout",

"set limit" and other "set" commands. Known limitations:

 - commands "set ruleset-optimization", "set loginterface",
   "set block-policy", "set state-defaults", "set require-order",
   "set fingerprints", "set reassemble", "set hostid" are not supported.
Vadim Kurland 2011-06-02 17:18:37 -07:00
parent 68a29785da
commit a0da65ddc9
15 changed files with 2070 additions and 2011 deletions


@ -1,3 +1,11 @@
2011-06-02 Vadim Kurland <vadim@netcitadel.com>
* pf.g (set_rule): see #2464 implemented import of PF "set timeout",
"set limit" and other "set" commands. Known limitations:
- commands "set ruleset-optimization", "set loginterface",
"set block-policy", "set state-defaults", "set require-order",
"set fingerprints", "set reassemble", "set hostid" are not supported.
2011-05-30 vadim <vadim@netcitadel.com>
* pf.g (nat_rule): see #2449 Implementd import of PF "nat"


@ -259,7 +259,7 @@ void Importer::newInterface(const std::string &name)
current_interface = Interface::cast(nobj);
current_interface->setUnnumbered(true);
all_interfaces[name] = current_interface;
addMessageToLog("New interface: " + name);
addMessageToLog(QObject::tr("New interface: %1").arg(name.c_str()));
}
/*


@ -146,9 +146,9 @@ void PFImporter::clear()
nat_rule_opt_1 = "";
nat_rule_opt_2 = "";
// Do not clear list of timeout name-value pairs since it is filled
// when we parse "set timeout" commands and then used in finalize()
// timeouts.clear();
// Do not clear name-value pairs lists of timeout and limits since
// they is filled when we parse "set timeout", "set limit"
// commands and then used in finalize()
Importer::clear();
}
@ -961,6 +961,9 @@ Firewall* PFImporter::finalize()
iface->setDyn(true);
}
// Log lines from now on should not start with original file line numbers
setCurrentLineNumber(-1);
// configure timeouts
// mapping between PF timeout names and our option names
@ -1015,8 +1018,7 @@ Firewall* PFImporter::finalize()
if (timeouts.size() > 0)
{
setCurrentLineNumber(-1);
addMessageToLog(QObject::tr("Configuring timeouts:"));
addMessageToLog(QObject::tr("Configuring timeouts:\n"));
list<str_tuple>::iterator it;
for (it=timeouts.begin(); it!=timeouts.end(); ++it)
@ -1025,12 +1027,14 @@ Firewall* PFImporter::finalize()
bool ok = false;
int value = QString(it->second.c_str()).toInt(&ok);
addMessageToLog(QString("%1=%2").arg(name.c_str()).arg(value));
addMessageToLog(QString("set timeout %1 %2\n")
.arg(name.c_str()).arg(value));
if (timeout_activation_names.count(name) == 0)
{
addMessageToLog(
QObject::tr("Error: Unknown timeout name %1").arg(name.c_str()));
QObject::tr("Error: Unknown timeout name %1\n")
.arg(name.c_str()));
} else
{
options->setBool(timeout_activation_names[name], true);
@ -1039,6 +1043,106 @@ Firewall* PFImporter::finalize()
}
}
// configure limits
map<string, string> limit_option_names;
limit_option_names["frags"] = "pf_limit_frags";
limit_option_names["states"] = "pf_limit_states";
limit_option_names["src-nodes"] = "pf_limit_src_nodes";
limit_option_names["tables"] = "pf_limit_tables";
limit_option_names["tables-entries"] = "pf_limit_table_entries";
// mapping between PF limit names and boolean option names that
// activate setting of the corresponding limit
map<string, string> limit_activation_names;
limit_activation_names["frags"] = "pf_do_limit_frags";
limit_activation_names["states"] = "pf_do_limit_states";
limit_activation_names["src-nodes"] = "pf_do_limit_src_nodes";
limit_activation_names["tables"] = "pf_do_limit_tables";
limit_activation_names["tables-entries"] = "pf_do_limit_table_entries";
if (limits.size() > 0)
{
addMessageToLog(QObject::tr("Configuring limits:\n"));
list<str_tuple>::iterator it;
for (it=limits.begin(); it!=limits.end(); ++it)
{
string name = it->first;
bool ok = false;
int value = QString(it->second.c_str()).toInt(&ok);
addMessageToLog(QString("set limit %1 %2\n")
.arg(name.c_str()).arg(value));
if (limit_activation_names.count(name) == 0)
{
addMessageToLog(
QObject::tr("Error: Unknown limit name %1\n")
.arg(name.c_str()));
} else
{
options->setBool(limit_activation_names[name], true);
options->setInt(limit_option_names[name], value);
}
}
}
// cofigure other "set" commands
// addMessageToLog(QObject::tr("Configuring set commands:\n"));
if ( ! set_optimization.empty())
{
options->setStr("pf_optimization", set_optimization);
addMessageToLog(QString("set optimization %1\n")
.arg(set_optimization.c_str()));
}
if ( ! set_block_policy.empty())
{
options->setStr("pf_block_policy", set_block_policy);
addMessageToLog(QString("set block-policy %1\n")
.arg(set_block_policy.c_str()));
}
if ( ! set_state_policy.empty())
{
options->setStr("pf_state_policy", set_state_policy);
addMessageToLog(QString("set state-policy %1\n")
.arg(set_state_policy.c_str()));
}
if ( ! set_skip_on.empty())
{
interfaceProperties *int_prop =
interfacePropertiesObjectFactory::getInterfacePropertiesObject(
user_choice_host_os);
if (int_prop->looksLikeInterface(set_skip_on.c_str()))
{
Interface *intf = getInterfaceByName(set_skip_on);
if (intf == NULL)
{
// this interface was never used in "on <intf>" clause before
newInterface(set_skip_on);
intf = getInterfaceByName(set_skip_on);
intf->setUnprotected(true);
addMessageToLog(QString("set skip on %1\n")
.arg(intf->getName().c_str()));
}
} else
{
addMessageToLog(
QObject::tr("Error: In 'set skip on %1' '%1' does not look like an interface name\n").arg(set_skip_on.c_str()).arg(set_skip_on.c_str()));
}
}
if ( ! set_debug.empty())
{
options->setStr("pf_set_debug", set_debug);
addMessageToLog(QString("set debug %1\n").arg(set_debug.c_str()));
}
return fw;
}
else
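Review bot: In the `set skip on` branch of finalize(), `intf->setUnprotected(true)` and its log line sit inside `if (intf == NULL)`, so an interface already created by an earlier `on <intf>` clause is left protected and nothing is logged; the imported policy then differs from the original pf.conf without any hint to the operator. Keep only `newInterface(set_skip_on); intf = getInterfaceByName(set_skip_on);` inside the NULL check, then run `intf->setUnprotected(true);` and the `addMessageToLog` call after it, behind a NULL test in case the second lookup fails. In the new limits loop the `ok` flag from `toInt(&ok)` is never read, so a non-numeric or out-of-range value is stored as 0 through `options->setInt(limit_option_names[name], value)`; adding `if (!ok)` with an error log instead of setting the option would avoid importing a silently different limit, and the timeouts loop above appears to share the pattern. The object returned by `getInterfacePropertiesObject(user_choice_host_os)` is not released in the visible lines, which is worth checking against that factory's ownership contract. finalize() begins outside these hunks, so earlier handling of these values cannot be ruled out from here.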


@ -119,9 +119,12 @@ public:
libfwbuilder::NATRule::NATRuleTypes rule_type;
std::list<str_tuple> timeouts;
std::list<str_tuple> limits;
std::string set_optimization;
std::string set_block_policy;
std::string set_state_policy;
std::string set_skip_on;
std::string set_debug;
PFImporter(libfwbuilder::FWObject *lib,
std::istringstream &input,


@ -44,192 +44,205 @@ PFCfgLexer::PFCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState& st
void PFCfgLexer::initLiterals()
{
literals["badhead"] = 175;
literals["notifications"] = 209;
literals["state-policy"] = 18;
literals["no"] = 65;
literals["esp"] = 110;
literals["routersol"] = 134;
literals["reply-to"] = 123;
literals["icmp.first"] = 34;
literals["string-key"] = 80;
literals["gre"] = 109;
literals["pass"] = 67;
literals["scrub"] = 48;
literals["warnings"] = 210;
literals["skip"] = 22;
literals["badhead"] = 188;
literals["notifications"] = 222;
literals["state-policy"] = 25;
literals["floating"] = 27;
literals["no"] = 81;
literals["esp"] = 123;
literals["routersol"] = 147;
literals["frags"] = 59;
literals["reply-to"] = 136;
literals["icmp.first"] = 45;
literals["string-key"] = 96;
literals["gre"] = 122;
literals["pass"] = 83;
literals["scrub"] = 64;
literals["warnings"] = 223;
literals["skip"] = 31;
literals["timeout"] = 12;
literals["eigrp"] = 112;
literals["icmp-type"] = 125;
literals["transit"] = 173;
literals["inet"] = 99;
literals["network"] = 59;
literals["photuris"] = 150;
literals["igmp"] = 104;
literals["unreach"] = 128;
literals["range"] = 202;
literals["rsvp"] = 108;
literals["debugging"] = 205;
literals["host-tos"] = 163;
literals["paramprob"] = 136;
literals["user"] = 95;
literals["interface"] = 191;
literals["adaptive.end"] = 43;
literals["limit"] = 15;
literals["state-defaults"] = 19;
literals["hex-key"] = 79;
literals["net-unk"] = 157;
literals["eigrp"] = 125;
literals["icmp-type"] = 138;
literals["transit"] = 186;
literals["inet"] = 112;
literals["network"] = 75;
literals["photuris"] = 163;
literals["igmp"] = 117;
literals["unreach"] = 141;
literals["range"] = 215;
literals["rsvp"] = 121;
literals["debugging"] = 218;
literals["host-tos"] = 176;
literals["paramprob"] = 149;
literals["user"] = 109;
literals["interface"] = 204;
literals["adaptive.end"] = 54;
literals["limit"] = 20;
literals["state-defaults"] = 28;
literals["hex-key"] = 95;
literals["net-unk"] = 170;
literals["antispoof"] = 8;
literals["udp.single"] = 32;
literals["inforeq"] = 139;
literals["ipv6-here"] = 147;
literals["redir"] = 130;
literals["static-port"] = 69;
literals["common-adv"] = 172;
literals["loginterface"] = 16;
literals["ip"] = 102;
literals["mobregreq"] = 148;
literals["ospf"] = 113;
literals["proto-unr"] = 153;
literals["peer"] = 61;
literals["inforep"] = 140;
literals["errors"] = 207;
literals["any"] = 120;
literals["mobregrep"] = 149;
literals["label"] = 188;
literals["pptp"] = 198;
literals["synproxy"] = 186;
literals["debug"] = 23;
literals["alerts"] = 203;
literals["all"] = 94;
literals["state"] = 187;
literals["tag"] = 183;
literals["in"] = 91;
literals["file"] = 55;
literals["nos"] = 195;
literals["ipv6-where"] = 146;
literals["require-order"] = 20;
literals["udp"] = 106;
literals["sticky-address"] = 82;
literals["return-icmp"] = 89;
literals["redir-tos-net"] = 169;
literals["pim"] = 197;
literals["emergencies"] = 206;
literals["squench"] = 129;
literals["disable"] = 211;
literals["flags"] = 124;
literals["tcp"] = 105;
literals["net-tos"] = 162;
literals["reassemble"] = 24;
literals["adaptive.start"] = 42;
literals["frag"] = 39;
literals["port"] = 73;
literals["icmp"] = 103;
literals["to"] = 96;
literals["return-rst"] = 87;
literals["normal-adv"] = 171;
literals["udp.single"] = 43;
literals["inforeq"] = 152;
literals["ipv6-here"] = 160;
literals["redir"] = 143;
literals["static-port"] = 85;
literals["common-adv"] = 185;
literals["loginterface"] = 21;
literals["ip"] = 115;
literals["mobregreq"] = 161;
literals["conservative"] = 16;
literals["ospf"] = 126;
literals["proto-unr"] = 166;
literals["peer"] = 77;
literals["inforep"] = 153;
literals["errors"] = 220;
literals["tables-entries"] = 63;
literals["any"] = 133;
literals["mobregrep"] = 162;
literals["label"] = 201;
literals["pptp"] = 211;
literals["synproxy"] = 199;
literals["debug"] = 33;
literals["alerts"] = 216;
literals["all"] = 108;
literals["state"] = 200;
literals["tag"] = 196;
literals["in"] = 105;
literals["tables"] = 62;
literals["file"] = 71;
literals["nos"] = 208;
literals["src-nodes"] = 61;
literals["ipv6-where"] = 159;
literals["require-order"] = 29;
literals["udp"] = 119;
literals["states"] = 60;
literals["sticky-address"] = 98;
literals["return-icmp"] = 103;
literals["redir-tos-net"] = 182;
literals["pim"] = 210;
literals["emergencies"] = 219;
literals["squench"] = 142;
literals["disable"] = 224;
literals["flags"] = 137;
literals["tcp"] = 118;
literals["net-tos"] = 175;
literals["reassemble"] = 34;
literals["adaptive.start"] = 53;
literals["frag"] = 50;
literals["port"] = 89;
literals["icmp"] = 116;
literals["to"] = 110;
literals["return-rst"] = 101;
literals["normal-adv"] = 184;
literals["optimization"] = 14;
literals["log"] = 93;
literals["snp"] = 200;
literals["broadcast"] = 60;
literals["icmp6-type"] = 181;
literals["code"] = 126;
literals["src.track"] = 41;
literals["routeradv"] = 133;
literals["other.single"] = 37;
literals["bitmask"] = 76;
literals["maskreq"] = 141;
literals["ipip"] = 114;
literals["tcp.closed"] = 30;
literals["block"] = 84;
literals["udp.first"] = 31;
literals["badlen"] = 177;
literals["tcp.first"] = 25;
literals["host-unr"] = 152;
literals["ah"] = 111;
literals["modulate"] = 185;
literals["interval"] = 40;
literals["maskrep"] = 142;
literals["log"] = 107;
literals["snp"] = 213;
literals["broadcast"] = 76;
literals["icmp6-type"] = 194;
literals["normal"] = 18;
literals["code"] = 139;
literals["if-bound"] = 26;
literals["src.track"] = 52;
literals["routeradv"] = 146;
literals["other.single"] = 48;
literals["bitmask"] = 92;
literals["maskreq"] = 154;
literals["ipip"] = 127;
literals["tcp.closed"] = 41;
literals["block"] = 100;
literals["high-latency"] = 17;
literals["udp.first"] = 42;
literals["badlen"] = 190;
literals["tcp.first"] = 36;
literals["host-unr"] = 165;
literals["ah"] = 124;
literals["modulate"] = 198;
literals["interval"] = 51;
literals["maskrep"] = 155;
literals["ruleset-optimization"] = 13;
literals["trace"] = 143;
literals["rip"] = 199;
literals["urpf-failed"] = 119;
literals["trace"] = 156;
literals["rip"] = 212;
literals["urpf-failed"] = 132;
literals["set"] = 11;
literals["source-hash"] = 78;
literals["critical"] = 204;
literals["quit"] = 190;
literals["icmp.error"] = 35;
literals["const"] = 53;
literals["source-hash"] = 94;
literals["critical"] = 217;
literals["quit"] = 203;
literals["icmp.error"] = 46;
literals["const"] = 69;
literals["altq"] = 9;
literals["tcp.closing"] = 28;
literals["port-unr"] = 154;
literals["table"] = 49;
literals["redir-tos-host"] = 170;
literals["fingerprints"] = 21;
literals["return"] = 86;
literals["optmiss"] = 176;
literals["keep"] = 184;
literals["net-prohib"] = 160;
literals["inet6"] = 100;
literals["from"] = 118;
literals["tcp.finwait"] = 29;
literals["proto"] = 101;
literals["vrrp"] = 115;
literals["drop"] = 85;
literals["l2tp"] = 116;
literals["isolate"] = 159;
literals["timereq"] = 137;
literals["icmp6"] = 192;
literals["echoreq"] = 132;
literals["tcp.established"] = 27;
literals["decrypt-fail"] = 180;
literals["mobredir"] = 145;
literals["other.first"] = 36;
literals["ipsec"] = 194;
literals["no-route"] = 121;
literals["random"] = 77;
literals["binat"] = 83;
literals["srcfail"] = 156;
literals["self"] = 62;
literals["timerep"] = 138;
literals["host-preced"] = 165;
literals["host"] = 201;
literals["echorep"] = 127;
literals["other.multiple"] = 38;
literals["althost"] = 131;
literals["udp.multiple"] = 33;
literals["cutoff-preced"] = 166;
literals["redir-host"] = 168;
literals["rdr"] = 70;
literals["tagged"] = 182;
literals["on"] = 98;
literals["round-robin"] = 81;
literals["pcp"] = 196;
literals["block-policy"] = 17;
literals["unknown-ind"] = 178;
literals["persist"] = 52;
literals["redir-net"] = 167;
literals["filter-prohib"] = 164;
literals["nat"] = 66;
literals["informational"] = 208;
literals["needfrag"] = 155;
literals["tcp.opening"] = 26;
literals["igrp"] = 193;
literals["quick"] = 97;
literals["timex"] = 135;
literals["host-unk"] = 158;
literals["route-to"] = 122;
literals["dataconv"] = 144;
literals["rdp"] = 107;
literals["net-unr"] = 151;
literals["tcp.closing"] = 39;
literals["port-unr"] = 167;
literals["table"] = 65;
literals["redir-tos-host"] = 183;
literals["fingerprints"] = 30;
literals["return"] = 24;
literals["optmiss"] = 189;
literals["keep"] = 197;
literals["net-prohib"] = 173;
literals["inet6"] = 113;
literals["from"] = 131;
literals["tcp.finwait"] = 40;
literals["hostid"] = 35;
literals["proto"] = 114;
literals["vrrp"] = 128;
literals["drop"] = 23;
literals["l2tp"] = 129;
literals["isolate"] = 172;
literals["timereq"] = 150;
literals["aggressive"] = 15;
literals["icmp6"] = 205;
literals["echoreq"] = 145;
literals["tcp.established"] = 38;
literals["decrypt-fail"] = 193;
literals["mobredir"] = 158;
literals["other.first"] = 47;
literals["ipsec"] = 207;
literals["no-route"] = 134;
literals["random"] = 93;
literals["binat"] = 99;
literals["srcfail"] = 169;
literals["self"] = 78;
literals["timerep"] = 151;
literals["host-preced"] = 178;
literals["host"] = 214;
literals["echorep"] = 140;
literals["other.multiple"] = 49;
literals["althost"] = 144;
literals["udp.multiple"] = 44;
literals["cutoff-preced"] = 179;
literals["redir-host"] = 181;
literals["rdr"] = 86;
literals["tagged"] = 195;
literals["on"] = 32;
literals["round-robin"] = 97;
literals["pcp"] = 209;
literals["block-policy"] = 22;
literals["persist"] = 68;
literals["unknown-ind"] = 191;
literals["redir-net"] = 180;
literals["filter-prohib"] = 177;
literals["nat"] = 82;
literals["satellite"] = 19;
literals["informational"] = 221;
literals["needfrag"] = 168;
literals["tcp.opening"] = 37;
literals["igrp"] = 206;
literals["quick"] = 111;
literals["timex"] = 148;
literals["host-unk"] = 171;
literals["route-to"] = 135;
literals["dataconv"] = 157;
literals["rdp"] = 120;
literals["net-unr"] = 164;
literals["queue"] = 10;
literals["isis"] = 117;
literals["reassemb"] = 174;
literals["inactive"] = 212;
literals["out"] = 92;
literals["auth-fail"] = 179;
literals["exit"] = 189;
literals["host-prohib"] = 161;
literals["isis"] = 130;
literals["reassemb"] = 187;
literals["inactive"] = 225;
literals["out"] = 106;
literals["auth-fail"] = 192;
literals["exit"] = 202;
literals["host-prohib"] = 174;
}
ANTLR_USE_NAMESPACE(antlr)RefToken PFCfgLexer::nextToken()
@ -537,11 +550,11 @@ void PFCfgLexer::mLINE_COMMENT(bool _createToken) {
}
}
else {
goto _loop226;
goto _loop237;
}
}
_loop226:;
_loop237:;
} // ( ... )*
mNEWLINE(false);
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -573,9 +586,9 @@ void PFCfgLexer::mNEWLINE(bool _createToken) {
}
if ( inputState->guessing==0 ) {
#line 1733 "pf.g"
#line 1787 "pf.g"
newline();
#line 579 "PFCfgLexer.cpp"
#line 592 "PFCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -654,9 +667,9 @@ void PFCfgLexer::mWhitespace(bool _createToken) {
}
}
if ( inputState->guessing==0 ) {
#line 1728 "pf.g"
#line 1782 "pf.g"
_ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP;
#line 660 "PFCfgLexer.cpp"
#line 673 "PFCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -881,10 +894,10 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
_ttype = NUMBER_ADDRESS_OR_WORD;
ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
bool synPredMatched264 = false;
bool synPredMatched275 = false;
if (((_tokenSet_2.member(LA(1))) && (_tokenSet_3.member(LA(2))) && (_tokenSet_3.member(LA(3))))) {
int _m264 = mark();
synPredMatched264 = true;
int _m275 = mark();
synPredMatched275 = true;
inputState->guessing++;
try {
{
@ -893,60 +906,60 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched264 = false;
synPredMatched275 = false;
}
rewind(_m264);
rewind(_m275);
inputState->guessing--;
}
if ( synPredMatched264 ) {
if ( synPredMatched275 ) {
{
bool synPredMatched269 = false;
bool synPredMatched280 = false;
if (((_tokenSet_2.member(LA(1))) && (_tokenSet_3.member(LA(2))) && (_tokenSet_3.member(LA(3))))) {
int _m269 = mark();
synPredMatched269 = true;
int _m280 = mark();
synPredMatched280 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt268=0;
int _cnt279=0;
for (;;) {
if ((_tokenSet_2.member(LA(1)))) {
mNUM_HEX_4DIGIT(false);
match(':' /* charlit */ );
}
else {
if ( _cnt268>=1 ) { goto _loop268; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt279>=1 ) { goto _loop279; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt268++;
_cnt279++;
}
_loop268:;
_loop279:;
} // ( ... )+
match(':' /* charlit */ );
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched269 = false;
synPredMatched280 = false;
}
rewind(_m269);
rewind(_m280);
inputState->guessing--;
}
if ( synPredMatched269 ) {
if ( synPredMatched280 ) {
{
{ // ( ... )+
int _cnt272=0;
int _cnt283=0;
for (;;) {
if ((_tokenSet_2.member(LA(1)))) {
mNUM_HEX_4DIGIT(false);
match(':' /* charlit */ );
}
else {
if ( _cnt272>=1 ) { goto _loop272; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt283>=1 ) { goto _loop283; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt272++;
_cnt283++;
}
_loop272:;
_loop283:;
} // ( ... )+
match(':' /* charlit */ );
{
@ -959,11 +972,11 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
mNUM_HEX_4DIGIT(false);
}
else {
goto _loop275;
goto _loop286;
}
}
_loop275:;
_loop286:;
} // ( ... )*
}
else {
@ -972,34 +985,34 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
if ( inputState->guessing==0 ) {
#line 1781 "pf.g"
#line 1835 "pf.g"
_ttype = IPV6;
#line 978 "PFCfgLexer.cpp"
#line 991 "PFCfgLexer.cpp"
}
}
else if ((_tokenSet_2.member(LA(1))) && (_tokenSet_3.member(LA(2))) && (_tokenSet_3.member(LA(3)))) {
{
mNUM_HEX_4DIGIT(false);
{ // ( ... )+
int _cnt278=0;
int _cnt289=0;
for (;;) {
if ((LA(1) == 0x3a /* ':' */ )) {
match(':' /* charlit */ );
mNUM_HEX_4DIGIT(false);
}
else {
if ( _cnt278>=1 ) { goto _loop278; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt289>=1 ) { goto _loop289; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt278++;
_cnt289++;
}
_loop278:;
_loop289:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 1783 "pf.g"
#line 1837 "pf.g"
_ttype = IPV6;
#line 1003 "PFCfgLexer.cpp"
#line 1016 "PFCfgLexer.cpp"
}
}
else {
@ -1009,10 +1022,10 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
else {
bool synPredMatched280 = false;
bool synPredMatched291 = false;
if (((LA(1) == 0x3a /* ':' */ ) && (LA(2) == 0x3a /* ':' */ ) && (_tokenSet_2.member(LA(3))))) {
int _m280 = mark();
synPredMatched280 = true;
int _m291 = mark();
synPredMatched291 = true;
inputState->guessing++;
try {
{
@ -1022,12 +1035,12 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched280 = false;
synPredMatched291 = false;
}
rewind(_m280);
rewind(_m291);
inputState->guessing--;
}
if ( synPredMatched280 ) {
if ( synPredMatched291 ) {
match(':' /* charlit */ );
match(':' /* charlit */ );
mNUM_HEX_4DIGIT(false);
@ -1038,23 +1051,23 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
mNUM_HEX_4DIGIT(false);
}
else {
goto _loop282;
goto _loop293;
}
}
_loop282:;
_loop293:;
} // ( ... )*
if ( inputState->guessing==0 ) {
#line 1787 "pf.g"
#line 1841 "pf.g"
_ttype = IPV6;
#line 1051 "PFCfgLexer.cpp"
#line 1064 "PFCfgLexer.cpp"
}
}
else {
bool synPredMatched284 = false;
bool synPredMatched295 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
int _m284 = mark();
synPredMatched284 = true;
int _m295 = mark();
synPredMatched295 = true;
inputState->guessing++;
try {
{
@ -1065,12 +1078,12 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched284 = false;
synPredMatched295 = false;
}
rewind(_m284);
rewind(_m295);
inputState->guessing--;
}
if ( synPredMatched284 ) {
if ( synPredMatched295 ) {
{
mNUM_3DIGIT(false);
match('.' /* charlit */ );
@ -1081,144 +1094,144 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
mNUM_3DIGIT(false);
}
if ( inputState->guessing==0 ) {
#line 1805 "pf.g"
#line 1859 "pf.g"
_ttype = IPV4;
#line 1087 "PFCfgLexer.cpp"
#line 1100 "PFCfgLexer.cpp"
}
}
else {
bool synPredMatched291 = false;
bool synPredMatched302 = false;
if ((((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (_tokenSet_4.member(LA(2))) && (_tokenSet_4.member(LA(3))))) {
int _m291 = mark();
synPredMatched291 = true;
int _m302 = mark();
synPredMatched302 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt288=0;
int _cnt299=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt288>=1 ) { goto _loop288; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt299>=1 ) { goto _loop299; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt288++;
_cnt299++;
}
_loop288:;
_loop299:;
} // ( ... )+
match('.' /* charlit */ );
{ // ( ... )+
int _cnt290=0;
int _cnt301=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt290>=1 ) { goto _loop290; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt301>=1 ) { goto _loop301; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt290++;
_cnt301++;
}
_loop290:;
_loop301:;
} // ( ... )+
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched291 = false;
synPredMatched302 = false;
}
rewind(_m291);
rewind(_m302);
inputState->guessing--;
}
if ( synPredMatched291 ) {
if ( synPredMatched302 ) {
{
{ // ( ... )+
int _cnt294=0;
int _cnt305=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt294>=1 ) { goto _loop294; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt305>=1 ) { goto _loop305; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt294++;
_cnt305++;
}
_loop294:;
_loop305:;
} // ( ... )+
match('.' /* charlit */ );
{ // ( ... )+
int _cnt296=0;
int _cnt307=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt296>=1 ) { goto _loop296; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt307>=1 ) { goto _loop307; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt296++;
_cnt307++;
}
_loop296:;
_loop307:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 1808 "pf.g"
#line 1862 "pf.g"
_ttype = NUMBER;
#line 1170 "PFCfgLexer.cpp"
#line 1183 "PFCfgLexer.cpp"
}
}
else {
bool synPredMatched254 = false;
bool synPredMatched265 = false;
if (((_tokenSet_2.member(LA(1))) && (_tokenSet_3.member(LA(2))) && (true))) {
int _m254 = mark();
synPredMatched254 = true;
int _m265 = mark();
synPredMatched265 = true;
inputState->guessing++;
try {
{
{ // ( ... )+
int _cnt253=0;
int _cnt264=0;
for (;;) {
if ((_tokenSet_2.member(LA(1)))) {
mHEX_DIGIT(false);
}
else {
if ( _cnt253>=1 ) { goto _loop253; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt264>=1 ) { goto _loop264; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt253++;
_cnt264++;
}
_loop253:;
_loop264:;
} // ( ... )+
match(':' /* charlit */ );
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& pe) {
synPredMatched254 = false;
synPredMatched265 = false;
}
rewind(_m254);
rewind(_m265);
inputState->guessing--;
}
if ( synPredMatched254 ) {
if ( synPredMatched265 ) {
{
{
{ // ( ... )+
int _cnt258=0;
int _cnt269=0;
for (;;) {
if ((_tokenSet_2.member(LA(1)))) {
mHEX_DIGIT(false);
}
else {
if ( _cnt258>=1 ) { goto _loop258; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt269>=1 ) { goto _loop269; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt258++;
_cnt269++;
}
_loop258:;
_loop269:;
} // ( ... )+
{ // ( ... )+
int _cnt262=0;
int _cnt273=0;
for (;;) {
if ((LA(1) == 0x3a /* ':' */ )) {
match(':' /* charlit */ );
@ -1228,26 +1241,26 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
mHEX_DIGIT(false);
}
else {
goto _loop261;
goto _loop272;
}
}
_loop261:;
_loop272:;
} // ( ... )*
}
else {
if ( _cnt262>=1 ) { goto _loop262; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt273>=1 ) { goto _loop273; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt262++;
_cnt273++;
}
_loop262:;
_loop273:;
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 1772 "pf.g"
#line 1826 "pf.g"
_ttype = IPV6;
#line 1251 "PFCfgLexer.cpp"
#line 1264 "PFCfgLexer.cpp"
}
}
}
@ -1255,38 +1268,38 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
match(':' /* charlit */ );
match(':' /* charlit */ );
if ( inputState->guessing==0 ) {
#line 1789 "pf.g"
#line 1843 "pf.g"
_ttype = IPV6;
#line 1261 "PFCfgLexer.cpp"
#line 1274 "PFCfgLexer.cpp"
}
}
else if ((LA(1) == 0x3a /* ':' */ ) && (true)) {
match(':' /* charlit */ );
if ( inputState->guessing==0 ) {
#line 1791 "pf.g"
#line 1845 "pf.g"
_ttype = COLON;
#line 1269 "PFCfgLexer.cpp"
#line 1282 "PFCfgLexer.cpp"
}
}
else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true)) {
{ // ( ... )+
int _cnt298=0;
int _cnt309=0;
for (;;) {
if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ ))) {
mDIGIT(false);
}
else {
if ( _cnt298>=1 ) { goto _loop298; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
if ( _cnt309>=1 ) { goto _loop309; } else {throw ANTLR_USE_NAMESPACE(antlr)NoViableAltForCharException(LA(1), getFilename(), getLine(), getColumn());}
}
_cnt298++;
_cnt309++;
}
_loop298:;
_loop309:;
} // ( ... )+
if ( inputState->guessing==0 ) {
#line 1810 "pf.g"
#line 1864 "pf.g"
_ttype = INT_CONST;
#line 1290 "PFCfgLexer.cpp"
#line 1303 "PFCfgLexer.cpp"
}
}
else if ((_tokenSet_5.member(LA(1))) && (true) && (true)) {
@ -1502,16 +1515,16 @@ void PFCfgLexer::mNUMBER_ADDRESS_OR_WORD(bool _createToken) {
}
default:
{
goto _loop301;
goto _loop312;
}
}
}
_loop301:;
_loop312:;
} // ( ... )*
if ( inputState->guessing==0 ) {
#line 1823 "pf.g"
#line 1877 "pf.g"
_ttype = WORD;
#line 1515 "PFCfgLexer.cpp"
#line 1528 "PFCfgLexer.cpp"
}
}
else {
@ -1539,11 +1552,11 @@ void PFCfgLexer::mSTRING(bool _createToken) {
matchNot('\"' /* charlit */ );
}
else {
goto _loop304;
goto _loop315;
}
}
_loop304:;
_loop315:;
} // ( ... )*
match('\"' /* charlit */ );
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
@ -1957,7 +1970,8 @@ const unsigned long PFCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL,
// 0xba 0xbb 0xbc 0xbd 0xbe 0xbf 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7
// 0xc8 0xc9 0xca 0xcb 0xcc 0xcd 0xce 0xcf 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5
// 0xd6 0xd7 0xd8 0xd9 0xda 0xdb 0xdc 0xdd 0xde 0xdf 0xe0 0xe1 0xe2 0xe3
// 0xe4 0xe5 0xe6 0xe7 0xe8 0xe9 0xea 0xeb 0xec 0xed
// 0xe4 0xe5 0xe6 0xe7 0xe8 0xe9 0xea 0xeb 0xec 0xed 0xee 0xef 0xf0 0xf1
// 0xf2 0xf3 0xf4 0xf5 0xf6 0xf7 0xf8 0xf9 0xfa
const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgLexer::_tokenSet_0(_tokenSet_0_data_,16);
const unsigned long PFCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 4294967295UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14
@ -1972,7 +1986,8 @@ const unsigned long PFCfgLexer::_tokenSet_1_data_[] = { 4294958072UL, 4294967295
// 0xbc 0xbd 0xbe 0xbf 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7 0xc8 0xc9
// 0xca 0xcb 0xcc 0xcd 0xce 0xcf 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7
// 0xd8 0xd9 0xda 0xdb 0xdc 0xdd 0xde 0xdf 0xe0 0xe1 0xe2 0xe3 0xe4 0xe5
// 0xe6 0xe7 0xe8 0xe9 0xea 0xeb 0xec 0xed
// 0xe6 0xe7 0xe8 0xe9 0xea 0xeb 0xec 0xed 0xee 0xef 0xf0 0xf1 0xf2 0xf3
// 0xf4 0xf5 0xf6 0xf7 0xf8 0xf9 0xfa
const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgLexer::_tokenSet_1(_tokenSet_1_data_,16);
const unsigned long PFCfgLexer::_tokenSet_2_data_[] = { 0UL, 67043328UL, 126UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f
@ -2000,6 +2015,7 @@ const unsigned long PFCfgLexer::_tokenSet_6_data_[] = { 4294967288UL, 4294967291
// 0xbc 0xbd 0xbe 0xbf 0xc0 0xc1 0xc2 0xc3 0xc4 0xc5 0xc6 0xc7 0xc8 0xc9
// 0xca 0xcb 0xcc 0xcd 0xce 0xcf 0xd0 0xd1 0xd2 0xd3 0xd4 0xd5 0xd6 0xd7
// 0xd8 0xd9 0xda 0xdb 0xdc 0xdd 0xde 0xdf 0xe0 0xe1 0xe2 0xe3 0xe4 0xe5
// 0xe6 0xe7 0xe8 0xe9 0xea 0xeb 0xec 0xed
// 0xe6 0xe7 0xe8 0xe9 0xea 0xeb 0xec 0xed 0xee 0xef 0xf0 0xf1 0xf2 0xf3
// 0xf4 0xf5 0xf6 0xf7 0xf8 0xf9 0xfa
const ANTLR_USE_NAMESPACE(antlr)BitSet PFCfgLexer::_tokenSet_6(_tokenSet_6_data_,16);

File diff suppressed because it is too large Load Diff


@ -117,8 +117,11 @@ public:
public: void set_skip();
public: void set_debug();
public: void set_reassemble();
public: void set_hostid();
public: void timeout_def();
public: void timeout_def_list();
public: void limit_def();
public: void limit_def_list();
public: void tableaddr_spec();
public: void logging();
public: void intrface();
@ -185,10 +188,10 @@ protected:
private:
static const char* tokenNames[];
#ifndef NO_STATIC_CONSTS
static const int NUM_TOKENS = 238;
static const int NUM_TOKENS = 251;
#else
enum {
NUM_TOKENS = 238
NUM_TOKENS = 251
};
#endif
@ -286,6 +289,10 @@ private:
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_45;
static const unsigned long _tokenSet_46_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_46;
static const unsigned long _tokenSet_47_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_47;
static const unsigned long _tokenSet_48_data_[];
static const ANTLR_USE_NAMESPACE(antlr)BitSet _tokenSet_48;
};
#endif /*INC_PFCfgParser_hpp_*/


@ -23,229 +23,242 @@ struct CUSTOM_API PFCfgParserTokenTypes {
TIMEOUT = 12,
// "ruleset-optimization" = 13
LITERAL_optimization = 14,
LITERAL_limit = 15,
LITERAL_loginterface = 16,
// "block-policy" = 17
// "state-policy" = 18
// "state-defaults" = 19
// "require-order" = 20
LITERAL_fingerprints = 21,
LITERAL_skip = 22,
LITERAL_debug = 23,
LITERAL_reassemble = 24,
// "tcp.first" = 25
// "tcp.opening" = 26
// "tcp.established" = 27
// "tcp.closing" = 28
// "tcp.finwait" = 29
// "tcp.closed" = 30
// "udp.first" = 31
// "udp.single" = 32
// "udp.multiple" = 33
// "icmp.first" = 34
// "icmp.error" = 35
// "other.first" = 36
// "other.single" = 37
// "other.multiple" = 38
LITERAL_frag = 39,
LITERAL_interval = 40,
// "src.track" = 41
// "adaptive.start" = 42
// "adaptive.end" = 43
INT_CONST = 44,
OPENING_BRACE = 45,
COMMA = 46,
CLOSING_BRACE = 47,
SCRUB = 48,
TABLE = 49,
LESS_THAN = 50,
GREATER_THAN = 51,
PERSIST = 52,
CONST = 53,
COUNTERS = 54,
FILE = 55,
STRING = 56,
EXLAMATION = 57,
COLON = 58,
NETWORK = 59,
BROADCAST = 60,
PEER = 61,
SELF = 62,
IPV4 = 63,
SLASH = 64,
NO = 65,
NAT = 66,
PASS = 67,
MINUS = 68,
STATIC_PORT = 69,
RDR = 70,
OPENING_PAREN = 71,
CLOSING_PAREN = 72,
PORT = 73,
IPV6 = 74,
STAR = 75,
BITMASK = 76,
RANDOM = 77,
SOURCE_HASH = 78,
HEX_KEY = 79,
STRING_KEY = 80,
ROUND_ROBIN = 81,
STICKY_ADDRESS = 82,
BINAT = 83,
BLOCK = 84,
DROP = 85,
RETURN = 86,
RETURN_RST = 87,
TTL = 88,
RETURN_ICMP = 89,
RETURN_ICMP6 = 90,
IN = 91,
OUT = 92,
LOG = 93,
ALL = 94,
USER = 95,
TO = 96,
QUICK = 97,
ON = 98,
INET = 99,
INET6 = 100,
PROTO = 101,
IP = 102,
ICMP = 103,
IGMP = 104,
TCP = 105,
UDP = 106,
RDP = 107,
RSVP = 108,
GRE = 109,
ESP = 110,
AH = 111,
EIGRP = 112,
OSPF = 113,
IPIP = 114,
VRRP = 115,
L2TP = 116,
ISIS = 117,
FROM = 118,
URPF_FAILED = 119,
ANY = 120,
NO_ROUTE = 121,
ROUTE_TO = 122,
REPLY_TO = 123,
FLAGS = 124,
ICMP_TYPE = 125,
ICMP_CODE = 126,
LITERAL_echorep = 127,
LITERAL_unreach = 128,
LITERAL_squench = 129,
LITERAL_redir = 130,
LITERAL_althost = 131,
LITERAL_echoreq = 132,
LITERAL_routeradv = 133,
LITERAL_routersol = 134,
LITERAL_timex = 135,
LITERAL_paramprob = 136,
LITERAL_timereq = 137,
LITERAL_timerep = 138,
LITERAL_inforeq = 139,
LITERAL_inforep = 140,
LITERAL_maskreq = 141,
LITERAL_maskrep = 142,
LITERAL_trace = 143,
LITERAL_dataconv = 144,
LITERAL_mobredir = 145,
// "ipv6-where" = 146
// "ipv6-here" = 147
LITERAL_mobregreq = 148,
LITERAL_mobregrep = 149,
LITERAL_photuris = 150,
// "net-unr" = 151
// "host-unr" = 152
// "proto-unr" = 153
// "port-unr" = 154
LITERAL_needfrag = 155,
LITERAL_srcfail = 156,
// "net-unk" = 157
// "host-unk" = 158
LITERAL_isolate = 159,
// "net-prohib" = 160
// "host-prohib" = 161
// "net-tos" = 162
// "host-tos" = 163
// "filter-prohib" = 164
// "host-preced" = 165
// "cutoff-preced" = 166
// "redir-net" = 167
// "redir-host" = 168
// "redir-tos-net" = 169
// "redir-tos-host" = 170
// "normal-adv" = 171
// "common-adv" = 172
LITERAL_transit = 173,
LITERAL_reassemb = 174,
LITERAL_badhead = 175,
LITERAL_optmiss = 176,
LITERAL_badlen = 177,
// "unknown-ind" = 178
// "auth-fail" = 179
// "decrypt-fail" = 180
ICMP6_TYPE = 181,
TAGGED = 182,
TAG = 183,
KEEP = 184,
MODULATE = 185,
SYNPROXY = 186,
STATE = 187,
LABEL = 188,
EXIT = 189,
QUIT = 190,
INTRFACE = 191,
ICMP6 = 192,
IGRP = 193,
IPSEC = 194,
NOS = 195,
PCP = 196,
PIM = 197,
PPTP = 198,
RIP = 199,
SNP = 200,
HOST = 201,
RANGE = 202,
LOG_LEVEL_ALERTS = 203,
LOG_LEVEL_CRITICAL = 204,
LOG_LEVEL_DEBUGGING = 205,
LOG_LEVEL_EMERGENCIES = 206,
LOG_LEVEL_ERRORS = 207,
LOG_LEVEL_INFORMATIONAL = 208,
LOG_LEVEL_NOTIFICATIONS = 209,
LOG_LEVEL_WARNINGS = 210,
LOG_LEVEL_DISABLE = 211,
LOG_LEVEL_INACTIVE = 212,
Whitespace = 213,
HEX_CONST = 214,
NUMBER = 215,
NEG_INT_CONST = 216,
HEX_DIGIT = 217,
DIGIT = 218,
NUM_3DIGIT = 219,
NUM_HEX_4DIGIT = 220,
NUMBER_ADDRESS_OR_WORD = 221,
PIPE_CHAR = 222,
NUMBER_SIGN = 223,
PERCENT = 224,
AMPERSAND = 225,
APOSTROPHE = 226,
PLUS = 227,
DOT = 228,
SEMICOLON = 229,
QUESTION = 230,
COMMERCIAL_AT = 231,
OPENING_SQUARE = 232,
CLOSING_SQUARE = 233,
CARET = 234,
UNDERLINE = 235,
TILDE = 236,
DOUBLE_QUOTE = 237,
LITERAL_aggressive = 15,
LITERAL_conservative = 16,
// "high-latency" = 17
LITERAL_normal = 18,
LITERAL_satellite = 19,
LITERAL_limit = 20,
LITERAL_loginterface = 21,
// "block-policy" = 22
DROP = 23,
RETURN = 24,
// "state-policy" = 25
// "if-bound" = 26
LITERAL_floating = 27,
// "state-defaults" = 28
// "require-order" = 29
LITERAL_fingerprints = 30,
LITERAL_skip = 31,
ON = 32,
LITERAL_debug = 33,
LITERAL_reassemble = 34,
LITERAL_hostid = 35,
// "tcp.first" = 36
// "tcp.opening" = 37
// "tcp.established" = 38
// "tcp.closing" = 39
// "tcp.finwait" = 40
// "tcp.closed" = 41
// "udp.first" = 42
// "udp.single" = 43
// "udp.multiple" = 44
// "icmp.first" = 45
// "icmp.error" = 46
// "other.first" = 47
// "other.single" = 48
// "other.multiple" = 49
LITERAL_frag = 50,
LITERAL_interval = 51,
// "src.track" = 52
// "adaptive.start" = 53
// "adaptive.end" = 54
INT_CONST = 55,
OPENING_BRACE = 56,
COMMA = 57,
CLOSING_BRACE = 58,
LITERAL_frags = 59,
LITERAL_states = 60,
// "src-nodes" = 61
LITERAL_tables = 62,
// "tables-entries" = 63
SCRUB = 64,
TABLE = 65,
LESS_THAN = 66,
GREATER_THAN = 67,
PERSIST = 68,
CONST = 69,
COUNTERS = 70,
FILE = 71,
STRING = 72,
EXLAMATION = 73,
COLON = 74,
NETWORK = 75,
BROADCAST = 76,
PEER = 77,
SELF = 78,
IPV4 = 79,
SLASH = 80,
NO = 81,
NAT = 82,
PASS = 83,
MINUS = 84,
STATIC_PORT = 85,
RDR = 86,
OPENING_PAREN = 87,
CLOSING_PAREN = 88,
PORT = 89,
IPV6 = 90,
STAR = 91,
BITMASK = 92,
RANDOM = 93,
SOURCE_HASH = 94,
HEX_KEY = 95,
STRING_KEY = 96,
ROUND_ROBIN = 97,
STICKY_ADDRESS = 98,
BINAT = 99,
BLOCK = 100,
RETURN_RST = 101,
TTL = 102,
RETURN_ICMP = 103,
RETURN_ICMP6 = 104,
IN = 105,
OUT = 106,
LOG = 107,
ALL = 108,
USER = 109,
TO = 110,
QUICK = 111,
INET = 112,
INET6 = 113,
PROTO = 114,
IP = 115,
ICMP = 116,
IGMP = 117,
TCP = 118,
UDP = 119,
RDP = 120,
RSVP = 121,
GRE = 122,
ESP = 123,
AH = 124,
EIGRP = 125,
OSPF = 126,
IPIP = 127,
VRRP = 128,
L2TP = 129,
ISIS = 130,
FROM = 131,
URPF_FAILED = 132,
ANY = 133,
NO_ROUTE = 134,
ROUTE_TO = 135,
REPLY_TO = 136,
FLAGS = 137,
ICMP_TYPE = 138,
ICMP_CODE = 139,
LITERAL_echorep = 140,
LITERAL_unreach = 141,
LITERAL_squench = 142,
LITERAL_redir = 143,
LITERAL_althost = 144,
LITERAL_echoreq = 145,
LITERAL_routeradv = 146,
LITERAL_routersol = 147,
LITERAL_timex = 148,
LITERAL_paramprob = 149,
LITERAL_timereq = 150,
LITERAL_timerep = 151,
LITERAL_inforeq = 152,
LITERAL_inforep = 153,
LITERAL_maskreq = 154,
LITERAL_maskrep = 155,
LITERAL_trace = 156,
LITERAL_dataconv = 157,
LITERAL_mobredir = 158,
// "ipv6-where" = 159
// "ipv6-here" = 160
LITERAL_mobregreq = 161,
LITERAL_mobregrep = 162,
LITERAL_photuris = 163,
// "net-unr" = 164
// "host-unr" = 165
// "proto-unr" = 166
// "port-unr" = 167
LITERAL_needfrag = 168,
LITERAL_srcfail = 169,
// "net-unk" = 170
// "host-unk" = 171
LITERAL_isolate = 172,
// "net-prohib" = 173
// "host-prohib" = 174
// "net-tos" = 175
// "host-tos" = 176
// "filter-prohib" = 177
// "host-preced" = 178
// "cutoff-preced" = 179
// "redir-net" = 180
// "redir-host" = 181
// "redir-tos-net" = 182
// "redir-tos-host" = 183
// "normal-adv" = 184
// "common-adv" = 185
LITERAL_transit = 186,
LITERAL_reassemb = 187,
LITERAL_badhead = 188,
LITERAL_optmiss = 189,
LITERAL_badlen = 190,
// "unknown-ind" = 191
// "auth-fail" = 192
// "decrypt-fail" = 193
ICMP6_TYPE = 194,
TAGGED = 195,
TAG = 196,
KEEP = 197,
MODULATE = 198,
SYNPROXY = 199,
STATE = 200,
LABEL = 201,
EXIT = 202,
QUIT = 203,
INTRFACE = 204,
ICMP6 = 205,
IGRP = 206,
IPSEC = 207,
NOS = 208,
PCP = 209,
PIM = 210,
PPTP = 211,
RIP = 212,
SNP = 213,
HOST = 214,
RANGE = 215,
LOG_LEVEL_ALERTS = 216,
LOG_LEVEL_CRITICAL = 217,
LOG_LEVEL_DEBUGGING = 218,
LOG_LEVEL_EMERGENCIES = 219,
LOG_LEVEL_ERRORS = 220,
LOG_LEVEL_INFORMATIONAL = 221,
LOG_LEVEL_NOTIFICATIONS = 222,
LOG_LEVEL_WARNINGS = 223,
LOG_LEVEL_DISABLE = 224,
LOG_LEVEL_INACTIVE = 225,
Whitespace = 226,
HEX_CONST = 227,
NUMBER = 228,
NEG_INT_CONST = 229,
HEX_DIGIT = 230,
DIGIT = 231,
NUM_3DIGIT = 232,
NUM_HEX_4DIGIT = 233,
NUMBER_ADDRESS_OR_WORD = 234,
PIPE_CHAR = 235,
NUMBER_SIGN = 236,
PERCENT = 237,
AMPERSAND = 238,
APOSTROPHE = 239,
PLUS = 240,
DOT = 241,
SEMICOLON = 242,
QUESTION = 243,
COMMERCIAL_AT = 244,
OPENING_SQUARE = 245,
CLOSING_SQUARE = 246,
CARET = 247,
UNDERLINE = 248,
TILDE = 249,
DOUBLE_QUOTE = 250,
NULL_TREE_LOOKAHEAD = 3
};
#ifdef __cplusplus


@ -11,226 +11,239 @@ SET="set"=11
TIMEOUT="timeout"=12
"ruleset-optimization"=13
LITERAL_optimization="optimization"=14
LITERAL_limit="limit"=15
LITERAL_loginterface="loginterface"=16
"block-policy"=17
"state-policy"=18
"state-defaults"=19
"require-order"=20
LITERAL_fingerprints="fingerprints"=21
LITERAL_skip="skip"=22
LITERAL_debug="debug"=23
LITERAL_reassemble="reassemble"=24
"tcp.first"=25
"tcp.opening"=26
"tcp.established"=27
"tcp.closing"=28
"tcp.finwait"=29
"tcp.closed"=30
"udp.first"=31
"udp.single"=32
"udp.multiple"=33
"icmp.first"=34
"icmp.error"=35
"other.first"=36
"other.single"=37
"other.multiple"=38
LITERAL_frag="frag"=39
LITERAL_interval="interval"=40
"src.track"=41
"adaptive.start"=42
"adaptive.end"=43
INT_CONST=44
OPENING_BRACE=45
COMMA=46
CLOSING_BRACE=47
SCRUB="scrub"=48
TABLE="table"=49
LESS_THAN=50
GREATER_THAN=51
PERSIST="persist"=52
CONST="const"=53
COUNTERS=54
FILE="file"=55
STRING=56
EXLAMATION=57
COLON=58
NETWORK="network"=59
BROADCAST="broadcast"=60
PEER="peer"=61
SELF="self"=62
IPV4=63
SLASH=64
NO="no"=65
NAT="nat"=66
PASS="pass"=67
MINUS=68
STATIC_PORT="static-port"=69
RDR="rdr"=70
OPENING_PAREN=71
CLOSING_PAREN=72
PORT="port"=73
IPV6=74
STAR=75
BITMASK="bitmask"=76
RANDOM="random"=77
SOURCE_HASH="source-hash"=78
HEX_KEY="hex-key"=79
STRING_KEY="string-key"=80
ROUND_ROBIN="round-robin"=81
STICKY_ADDRESS="sticky-address"=82
BINAT="binat"=83
BLOCK="block"=84
DROP="drop"=85
RETURN="return"=86
RETURN_RST="return-rst"=87
TTL=88
RETURN_ICMP="return-icmp"=89
RETURN_ICMP6=90
IN="in"=91
OUT="out"=92
LOG="log"=93
ALL="all"=94
USER="user"=95
TO="to"=96
QUICK="quick"=97
ON="on"=98
INET="inet"=99
INET6="inet6"=100
PROTO="proto"=101
IP="ip"=102
ICMP="icmp"=103
IGMP="igmp"=104
TCP="tcp"=105
UDP="udp"=106
RDP="rdp"=107
RSVP="rsvp"=108
GRE="gre"=109
ESP="esp"=110
AH="ah"=111
EIGRP="eigrp"=112
OSPF="ospf"=113
IPIP="ipip"=114
VRRP="vrrp"=115
L2TP="l2tp"=116
ISIS="isis"=117
FROM="from"=118
URPF_FAILED="urpf-failed"=119
ANY="any"=120
NO_ROUTE="no-route"=121
ROUTE_TO="route-to"=122
REPLY_TO="reply-to"=123
FLAGS="flags"=124
ICMP_TYPE="icmp-type"=125
ICMP_CODE="code"=126
LITERAL_echorep="echorep"=127
LITERAL_unreach="unreach"=128
LITERAL_squench="squench"=129
LITERAL_redir="redir"=130
LITERAL_althost="althost"=131
LITERAL_echoreq="echoreq"=132
LITERAL_routeradv="routeradv"=133
LITERAL_routersol="routersol"=134
LITERAL_timex="timex"=135
LITERAL_paramprob="paramprob"=136
LITERAL_timereq="timereq"=137
LITERAL_timerep="timerep"=138
LITERAL_inforeq="inforeq"=139
LITERAL_inforep="inforep"=140
LITERAL_maskreq="maskreq"=141
LITERAL_maskrep="maskrep"=142
LITERAL_trace="trace"=143
LITERAL_dataconv="dataconv"=144
LITERAL_mobredir="mobredir"=145
"ipv6-where"=146
"ipv6-here"=147
LITERAL_mobregreq="mobregreq"=148
LITERAL_mobregrep="mobregrep"=149
LITERAL_photuris="photuris"=150
"net-unr"=151
"host-unr"=152
"proto-unr"=153
"port-unr"=154
LITERAL_needfrag="needfrag"=155
LITERAL_srcfail="srcfail"=156
"net-unk"=157
"host-unk"=158
LITERAL_isolate="isolate"=159
"net-prohib"=160
"host-prohib"=161
"net-tos"=162
"host-tos"=163
"filter-prohib"=164
"host-preced"=165
"cutoff-preced"=166
"redir-net"=167
"redir-host"=168
"redir-tos-net"=169
"redir-tos-host"=170
"normal-adv"=171
"common-adv"=172
LITERAL_transit="transit"=173
LITERAL_reassemb="reassemb"=174
LITERAL_badhead="badhead"=175
LITERAL_optmiss="optmiss"=176
LITERAL_badlen="badlen"=177
"unknown-ind"=178
"auth-fail"=179
"decrypt-fail"=180
ICMP6_TYPE="icmp6-type"=181
TAGGED="tagged"=182
TAG="tag"=183
KEEP="keep"=184
MODULATE="modulate"=185
SYNPROXY="synproxy"=186
STATE="state"=187
LABEL="label"=188
EXIT="exit"=189
QUIT="quit"=190
INTRFACE="interface"=191
ICMP6="icmp6"=192
IGRP="igrp"=193
IPSEC="ipsec"=194
NOS="nos"=195
PCP="pcp"=196
PIM="pim"=197
PPTP="pptp"=198
RIP="rip"=199
SNP="snp"=200
HOST="host"=201
RANGE="range"=202
LOG_LEVEL_ALERTS="alerts"=203
LOG_LEVEL_CRITICAL="critical"=204
LOG_LEVEL_DEBUGGING="debugging"=205
LOG_LEVEL_EMERGENCIES="emergencies"=206
LOG_LEVEL_ERRORS="errors"=207
LOG_LEVEL_INFORMATIONAL="informational"=208
LOG_LEVEL_NOTIFICATIONS="notifications"=209
LOG_LEVEL_WARNINGS="warnings"=210
LOG_LEVEL_DISABLE="disable"=211
LOG_LEVEL_INACTIVE="inactive"=212
Whitespace=213
HEX_CONST=214
NUMBER=215
NEG_INT_CONST=216
HEX_DIGIT=217
DIGIT=218
NUM_3DIGIT=219
NUM_HEX_4DIGIT=220
NUMBER_ADDRESS_OR_WORD=221
PIPE_CHAR=222
NUMBER_SIGN=223
PERCENT=224
AMPERSAND=225
APOSTROPHE=226
PLUS=227
DOT=228
SEMICOLON=229
QUESTION=230
COMMERCIAL_AT=231
OPENING_SQUARE=232
CLOSING_SQUARE=233
CARET=234
UNDERLINE=235
TILDE=236
DOUBLE_QUOTE=237
LITERAL_aggressive="aggressive"=15
LITERAL_conservative="conservative"=16
"high-latency"=17
LITERAL_normal="normal"=18
LITERAL_satellite="satellite"=19
LITERAL_limit="limit"=20
LITERAL_loginterface="loginterface"=21
"block-policy"=22
DROP="drop"=23
RETURN="return"=24
"state-policy"=25
"if-bound"=26
LITERAL_floating="floating"=27
"state-defaults"=28
"require-order"=29
LITERAL_fingerprints="fingerprints"=30
LITERAL_skip="skip"=31
ON="on"=32
LITERAL_debug="debug"=33
LITERAL_reassemble="reassemble"=34
LITERAL_hostid="hostid"=35
"tcp.first"=36
"tcp.opening"=37
"tcp.established"=38
"tcp.closing"=39
"tcp.finwait"=40
"tcp.closed"=41
"udp.first"=42
"udp.single"=43
"udp.multiple"=44
"icmp.first"=45
"icmp.error"=46
"other.first"=47
"other.single"=48
"other.multiple"=49
LITERAL_frag="frag"=50
LITERAL_interval="interval"=51
"src.track"=52
"adaptive.start"=53
"adaptive.end"=54
INT_CONST=55
OPENING_BRACE=56
COMMA=57
CLOSING_BRACE=58
LITERAL_frags="frags"=59
LITERAL_states="states"=60
"src-nodes"=61
LITERAL_tables="tables"=62
"tables-entries"=63
SCRUB="scrub"=64
TABLE="table"=65
LESS_THAN=66
GREATER_THAN=67
PERSIST="persist"=68
CONST="const"=69
COUNTERS=70
FILE="file"=71
STRING=72
EXLAMATION=73
COLON=74
NETWORK="network"=75
BROADCAST="broadcast"=76
PEER="peer"=77
SELF="self"=78
IPV4=79
SLASH=80
NO="no"=81
NAT="nat"=82
PASS="pass"=83
MINUS=84
STATIC_PORT="static-port"=85
RDR="rdr"=86
OPENING_PAREN=87
CLOSING_PAREN=88
PORT="port"=89
IPV6=90
STAR=91
BITMASK="bitmask"=92
RANDOM="random"=93
SOURCE_HASH="source-hash"=94
HEX_KEY="hex-key"=95
STRING_KEY="string-key"=96
ROUND_ROBIN="round-robin"=97
STICKY_ADDRESS="sticky-address"=98
BINAT="binat"=99
BLOCK="block"=100
RETURN_RST="return-rst"=101
TTL=102
RETURN_ICMP="return-icmp"=103
RETURN_ICMP6=104
IN="in"=105
OUT="out"=106
LOG="log"=107
ALL="all"=108
USER="user"=109
TO="to"=110
QUICK="quick"=111
INET="inet"=112
INET6="inet6"=113
PROTO="proto"=114
IP="ip"=115
ICMP="icmp"=116
IGMP="igmp"=117
TCP="tcp"=118
UDP="udp"=119
RDP="rdp"=120
RSVP="rsvp"=121
GRE="gre"=122
ESP="esp"=123
AH="ah"=124
EIGRP="eigrp"=125
OSPF="ospf"=126
IPIP="ipip"=127
VRRP="vrrp"=128
L2TP="l2tp"=129
ISIS="isis"=130
FROM="from"=131
URPF_FAILED="urpf-failed"=132
ANY="any"=133
NO_ROUTE="no-route"=134
ROUTE_TO="route-to"=135
REPLY_TO="reply-to"=136
FLAGS="flags"=137
ICMP_TYPE="icmp-type"=138
ICMP_CODE="code"=139
LITERAL_echorep="echorep"=140
LITERAL_unreach="unreach"=141
LITERAL_squench="squench"=142
LITERAL_redir="redir"=143
LITERAL_althost="althost"=144
LITERAL_echoreq="echoreq"=145
LITERAL_routeradv="routeradv"=146
LITERAL_routersol="routersol"=147
LITERAL_timex="timex"=148
LITERAL_paramprob="paramprob"=149
LITERAL_timereq="timereq"=150
LITERAL_timerep="timerep"=151
LITERAL_inforeq="inforeq"=152
LITERAL_inforep="inforep"=153
LITERAL_maskreq="maskreq"=154
LITERAL_maskrep="maskrep"=155
LITERAL_trace="trace"=156
LITERAL_dataconv="dataconv"=157
LITERAL_mobredir="mobredir"=158
"ipv6-where"=159
"ipv6-here"=160
LITERAL_mobregreq="mobregreq"=161
LITERAL_mobregrep="mobregrep"=162
LITERAL_photuris="photuris"=163
"net-unr"=164
"host-unr"=165
"proto-unr"=166
"port-unr"=167
LITERAL_needfrag="needfrag"=168
LITERAL_srcfail="srcfail"=169
"net-unk"=170
"host-unk"=171
LITERAL_isolate="isolate"=172
"net-prohib"=173
"host-prohib"=174
"net-tos"=175
"host-tos"=176
"filter-prohib"=177
"host-preced"=178
"cutoff-preced"=179
"redir-net"=180
"redir-host"=181
"redir-tos-net"=182
"redir-tos-host"=183
"normal-adv"=184
"common-adv"=185
LITERAL_transit="transit"=186
LITERAL_reassemb="reassemb"=187
LITERAL_badhead="badhead"=188
LITERAL_optmiss="optmiss"=189
LITERAL_badlen="badlen"=190
"unknown-ind"=191
"auth-fail"=192
"decrypt-fail"=193
ICMP6_TYPE="icmp6-type"=194
TAGGED="tagged"=195
TAG="tag"=196
KEEP="keep"=197
MODULATE="modulate"=198
SYNPROXY="synproxy"=199
STATE="state"=200
LABEL="label"=201
EXIT="exit"=202
QUIT="quit"=203
INTRFACE="interface"=204
ICMP6="icmp6"=205
IGRP="igrp"=206
IPSEC="ipsec"=207
NOS="nos"=208
PCP="pcp"=209
PIM="pim"=210
PPTP="pptp"=211
RIP="rip"=212
SNP="snp"=213
HOST="host"=214
RANGE="range"=215
LOG_LEVEL_ALERTS="alerts"=216
LOG_LEVEL_CRITICAL="critical"=217
LOG_LEVEL_DEBUGGING="debugging"=218
LOG_LEVEL_EMERGENCIES="emergencies"=219
LOG_LEVEL_ERRORS="errors"=220
LOG_LEVEL_INFORMATIONAL="informational"=221
LOG_LEVEL_NOTIFICATIONS="notifications"=222
LOG_LEVEL_WARNINGS="warnings"=223
LOG_LEVEL_DISABLE="disable"=224
LOG_LEVEL_INACTIVE="inactive"=225
Whitespace=226
HEX_CONST=227
NUMBER=228
NEG_INT_CONST=229
HEX_DIGIT=230
DIGIT=231
NUM_3DIGIT=232
NUM_HEX_4DIGIT=233
NUMBER_ADDRESS_OR_WORD=234
PIPE_CHAR=235
NUMBER_SIGN=236
PERCENT=237
AMPERSAND=238
APOSTROPHE=239
PLUS=240
DOT=241
SEMICOLON=242
QUESTION=243
COMMERCIAL_AT=244
OPENING_SQUARE=245
CLOSING_SQUARE=246
CARET=247
UNDERLINE=248
TILDE=249
DOUBLE_QUOTE=250


@ -223,6 +223,8 @@ set_rule : SET
set_debug
|
set_reassemble
|
set_hostid
)
;
@ -237,8 +239,8 @@ set_ruleset_optimization
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->error_tracker->registerError(
QString("import of 'set ruleset-optimization' commands is not supported."));
importer->addMessageToLog(
QString("Error: import of 'set ruleset-optimization' commands is not supported."));
consumeUntil(NEWLINE);
}
;
@ -246,11 +248,22 @@ set_ruleset_optimization
set_optimization
:
"optimization"
(
"aggressive"
|
"conservative"
|
"high-latency"
|
"normal"
|
"satellite"
) { importer->set_optimization = LT(0)->getText(); }
;
set_limit
:
"limit"
"limit" ( limit_def | limit_def_list )
;
set_loginterface
@ -259,8 +272,8 @@ set_loginterface
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->error_tracker->registerError(
QString("import of 'set loginterface' commands is not supported."));
importer->addMessageToLog(
QString("Error: import of 'set loginterface' commands is not supported."));
consumeUntil(NEWLINE);
}
;
@ -268,18 +281,13 @@ set_loginterface
set_block_policy
:
"block-policy"
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->error_tracker->registerError(
QString("import of 'set block-policy' commands is not supported."));
consumeUntil(NEWLINE);
}
(DROP | RETURN) { importer->set_block_policy = LT(0)->getText(); }
;
set_state_policy
:
"state-policy"
("if-bound" | "floating") { importer->set_state_policy = LT(0)->getText(); }
;
set_state_defaults
@ -288,8 +296,8 @@ set_state_defaults
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->error_tracker->registerError(
QString("import of 'set state-defaults' commands is not supported."));
importer->addMessageToLog(
QString("Error: import of 'set state-defaults' commands is not supported."));
consumeUntil(NEWLINE);
}
;
@ -300,8 +308,8 @@ set_require_order
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->error_tracker->registerError(
QString("import of 'set require-order' commands is not supported."));
importer->addMessageToLog(
QString("Error: import of 'set require-order' commands is not supported."));
consumeUntil(NEWLINE);
}
;
@ -312,26 +320,25 @@ set_fingerprints
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->error_tracker->registerError(
QString("import of 'set fingerprints' commands is not supported."));
importer->addMessageToLog(
QString("Error: import of 'set fingerprints' commands is not supported."));
consumeUntil(NEWLINE);
}
;
set_skip
:
"skip"
"skip" ON WORD
{
importer->set_skip_on = LT(0)->getText();
}
;
set_debug
:
"debug"
"debug" WORD
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->error_tracker->registerError(
QString("import of 'set debug' commands is not supported."));
consumeUntil(NEWLINE);
importer->set_debug = LT(0)->getText();
}
;
@ -341,8 +348,20 @@ set_reassemble
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->error_tracker->registerError(
QString("import of 'set reassemble' commands is not supported."));
importer->addMessageToLog(
QString("Error: import of 'set reassemble' commands is not supported."));
consumeUntil(NEWLINE);
}
;
set_hostid
:
"hostid"
{
importer->clear();
importer->setCurrentLineNumber(LT(0)->getLine());
importer->addMessageToLog(
QString("Error: import of 'set hostid' commands is not supported."));
consumeUntil(NEWLINE);
}
;
@ -419,6 +438,41 @@ timeout_def_list
CLOSING_BRACE
;
limit_def { std::string limit_name, limit_value; }
:
(
"frags"
|
"states"
|
"src-nodes"
|
"tables"
|
"tables-entries"
)
{
limit_name = LT(0)->getText();
}
INT_CONST
{
limit_value = LT(0)->getText();
importer->limits.push_back(
std::pair<std::string, std::string>(limit_name, limit_value));
}
;
limit_def_list
:
OPENING_BRACE
limit_def
(
( COMMA )?
limit_def
)*
CLOSING_BRACE
;
//****************************************************************
scrub_rule : SCRUB
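Review bot: The actions for the unsupported commands (`set_ruleset_optimization`, `set_loginterface`, `set_state_defaults`, `set_require_order`, `set_fingerprints`, `set_reassemble` and the new `set_hostid`) now report only through `importer->addMessageToLog(...)` with an "Error:" text prefix, where the earlier code called `importer->error_tracker->registerError(...)`. If the error tracker is what marks an import as incomplete (its implementation is not visible in this page), a pf.conf whose `set reassemble` or `set state-defaults` line was dropped would import with no machine-readable failure, and the resulting policy would differ from the original in a way only the log text reveals. I would keep the tracker call next to the log line, or state the intent above each action with a comment such as `// logged only: an unsupported 'set' option must not abort the import`. Separately, `set_skip` matches `"skip" ON WORD` and assigns to the single string `importer->set_skip_on`, so a second `set skip on` line replaces the first and a brace list of interfaces is not parsed; collecting the names in a list, as `limit_def` does with `importer->limits.push_back(...)`, would keep all of them.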


@ -320,14 +320,14 @@ void PFImporterTest::setCommandsTest()
CPPUNIT_ASSERT_NO_THROW( imp->run() );
imp->finalize();
db->setPredictableIds();
db->saveFile("pf-set-commands.fwb");
//db->setPredictableIds();
//db->saveFile("pf-set-commands.fwb");
compareResults(logger,
"test_data/pf-set-commands.output",
"pf-set-commands.output");
compareFwbFiles("test_data/pf-set-commands.fwb",
"pf-set-commands.fwb");
//compareFwbFiles("test_data/pf-set-commands.fwb",
// "pf-set-commands.fwb");
}
void PFImporterTest::stateMatchTest()
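Review bot: With `compareFwbFiles(...)` and the `db->saveFile("pf-set-commands.fwb")` call commented out in `setCommandsTest`, the test appears to check only the importer log against `test_data/pf-set-commands.output`; nothing asserts that the values parsed from `set timeout`, `set limit`, `set block-policy` or `set skip` reach the generated firewall object. The reference `pf-set-commands.fwb` is also deleted in this commit, so a regression that logs correctly but writes wrong options would pass. If the comparison is disabled only until the reference file is regenerated, say so in place of the dead code, e.g. `// TODO(#2464): re-enable compareFwbFiles once test_data/pf-set-commands.fwb is regenerated`. The body of `setCommandsTest` starts outside this hunk.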


@ -1,11 +1,27 @@
# supported set commands
set debug crit
set state-policy if-bound
set block-policy return
set limit { frags 5000, states 10000 }
set optimization aggressive
set timeout interval 10
set timeout frag 30
set timeout adaptive.start 10
set timeout adaptive.end 100
set block-policy drop
set block-policy return
set limit { frags 5000, states 10000, src-nodes 100000, tables 100000, tables-entries 100000 }
set optimization normal
set optimization aggressive
set optimization conservative
set optimization high-latency
set skip on lo0
# unsupported set commands
set fingerprints
set hostid 1234567890
set loginterface dc0
set reassemble
set require-order
set ruleset-optimization basic
set state-defaults pflow, no-sync
block log all


@ -1,456 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1307055157" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
<AnyInterval id="sysid2" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="-1" from_minute="-1" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="-1" to_minute="-1" to_month="-1" to_weekday="-1" to_year="-1" name="Any" comment="Any Interval" ro="False"/>
<ObjectGroup id="stdid01" name="Objects" comment="" ro="False">
<ObjectGroup id="stdid16" name="Addresses" comment="" ro="False">
<IPv4 id="id2001X88798" name="all-hosts" comment="" ro="False" address="224.0.0.1" netmask="0.0.0.0"/>
<IPv4 id="id2002X88798" name="all-routers" comment="" ro="False" address="224.0.0.2" netmask="0.0.0.0"/>
<IPv4 id="id2003X88798" name="all DVMRP" comment="" ro="False" address="224.0.0.4" netmask="0.0.0.0"/>
<IPv4 id="id2117X88798" name="OSPF (all routers)" comment="RFC2328" ro="False" address="224.0.0.5" netmask="0.0.0.0"/>
<IPv4 id="id2128X88798" name="OSPF (designated routers)" comment="RFC2328" ro="False" address="224.0.0.6" netmask="0.0.0.0"/>
<IPv4 id="id2430X88798" name="RIP" comment="RFC1723" ro="False" address="224.0.0.9" netmask="0.0.0.0"/>
<IPv4 id="id2439X88798" name="EIGRP" comment="" ro="False" address="224.0.0.10" netmask="0.0.0.0"/>
<IPv4 id="id2446X88798" name="DHCP server, relay agent" comment="RFC 1884" ro="False" address="224.0.0.12" netmask="0.0.0.0"/>
<IPv4 id="id2455X88798" name="PIM" comment="" ro="False" address="224.0.0.13" netmask="0.0.0.0"/>
<IPv4 id="id2462X88798" name="RSVP" comment="" ro="False" address="224.0.0.14" netmask="0.0.0.0"/>
<IPv4 id="id2469X88798" name="VRRP" comment="RFC3768" ro="False" address="224.0.0.18" netmask="0.0.0.0"/>
<IPv4 id="id2777X88798" name="IGMP" comment="" ro="False" address="224.0.0.22" netmask="0.0.0.0"/>
<IPv4 id="id2784X88798" name="OSPFIGP-TE" comment="RFC4973" ro="False" address="224.0.0.24" netmask="0.0.0.0"/>
<IPv4 id="id3094X88798" name="HSRP" comment="" ro="False" address="224.0.0.102" netmask="0.0.0.0"/>
<IPv4 id="id3403X88798" name="mDNS" comment="" ro="False" address="224.0.0.251" netmask="0.0.0.0"/>
<IPv4 id="id3410X88798" name="LLMNR" comment="Link-Local Multicast Name Resolution, RFC4795" ro="False" address="224.0.0.252" netmask="0.0.0.0"/>
<IPv4 id="id3411X88798" name="Teredo" comment="" ro="False" address="224.0.0.253" netmask="0.0.0.0"/>
</ObjectGroup>
<ObjectGroup id="stdid17" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="stdid18" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="stdid04" name="Groups" comment="" ro="False">
<ObjectGroup id="id3DC75CE8" name="rfc1918-nets" comment="" ro="False">
<ObjectRef ref="id3DC75CE5"/>
<ObjectRef ref="id3DC75CE6"/>
<ObjectRef ref="id3DC75CE7"/>
</ObjectGroup>
<ObjectGroup id="id3292X75851" name="ipv6 private" comment="These are various ipv6 networks that should not be routed on the Internet&#10;" ro="False">
<ObjectRef ref="id2088X75851"/>
<ObjectRef ref="id2986X75851"/>
<ObjectRef ref="id2383X75851"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="stdid02" name="Hosts" comment="" ro="False">
<Host id="id3D84EECE" name="internal server" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EED2" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EED3" name="ip" comment="" ro="False" address="192.168.1.10" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
<Host id="id3D84EECF" name="server on dmz" comment="This host is used in examples and template objects" ro="False">
<Interface id="id3D84EEE3" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3D84EEE4" name="ip" comment="" ro="False" address="192.168.2.10" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="192.168.2.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
</Host>
</ObjectGroup>
<ObjectGroup id="stdid03" name="Networks" comment="" ro="False">
<Network id="id3DC75CEC" name="all multicasts" comment="224.0.0.0/4 - This block, formerly known as the Class D address&#10;space, is allocated for use in IPv4 multicast address assignments.&#10;The IANA guidelines for assignments from this space are described in&#10;[RFC3171].&#10;" ro="False" address="224.0.0.0" netmask="240.0.0.0"/>
<Network id="id3F4ECE3E" name="link-local" comment="169.254.0.0/16 - This is the &quot;link local&quot; block. It is allocated for&#10;communication between hosts on a single link. Hosts obtain these&#10;addresses by auto-configuration, such as when a DHCP server may not&#10;be found.&#10;" ro="False" address="169.254.0.0" netmask="255.255.0.0"/>
<Network id="id3F4ECE3D" name="loopback-net" comment="127.0.0.0/8 - This block is assigned for use as the Internet host&#10;loopback address. A datagram sent by a higher level protocol to an&#10;address anywhere within this block should loop back inside the host.&#10;This is ordinarily implemented using only 127.0.0.1/32 for loopback,&#10;but no addresses within this block should ever appear on any network&#10;anywhere [RFC1700, page 5].&#10;" ro="False" address="127.0.0.0" netmask="255.0.0.0"/>
<Network id="id3DC75CE5" name="net-10.0.0.0" comment="10.0.0.0/8 - This block is set aside for use in private networks.&#10;Its intended use is documented in [RFC1918]. Addresses within this&#10;block should not appear on the public Internet." ro="False" address="10.0.0.0" netmask="255.0.0.0"/>
<Network id="id3DC75CE7" name="net-172.16.0.0" comment="172.16.0.0/12 - This block is set aside for use in private networks.&#10;Its intended use is documented in [RFC1918]. Addresses within this&#10;block should not appear on the public Internet.&#10;" ro="False" address="172.16.0.0" netmask="255.240.0.0"/>
<Network id="id3DC75CE6" name="net-192.168.0.0" comment="192.168.0.0/16 - This block is set aside for use in private networks.&#10;Its intended use is documented in [RFC1918]. Addresses within this&#10;block should not appear on the public Internet.&#10;" ro="False" address="192.168.0.0" netmask="255.255.0.0"/>
<Network id="id3F4ECE3F" name="test-net" comment="192.0.2.0/24 - This block is assigned as &quot;TEST-NET&quot; for use in&#10;documentation and example code. It is often used in conjunction with&#10;domain names example.com or example.net in vendor and protocol&#10;documentation. Addresses within this block should not appear on the&#10;public Internet.&#10;" ro="False" address="192.0.2.0" netmask="255.255.255.0"/>
<Network id="id3F4ECE40" name="this-net" comment="0.0.0.0/8 - Addresses in this block refer to source hosts on &quot;this&quot;&#10;network. Address 0.0.0.0/32 may be used as a source address for this&#10;host on this network; other addresses within 0.0.0.0/8 may be used to&#10;refer to specified hosts on this network [RFC1700, page 4]." ro="False" address="0.0.0.0" netmask="255.0.0.0"/>
<Network id="id3DC75CE7-1" name="net-192.168.1.0" comment="192.168.1.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id3DC75CE7-2" name="net-192.168.2.0" comment="192.168.2.0/24 - Address often used for home and small office networks.&#10;" ro="False" address="192.168.2.0" netmask="255.255.255.0"/>
<NetworkIPv6 id="id2088X75851" name="documentation net" comment="RFC3849" ro="False" address="2001:db8::" netmask="32"/>
<NetworkIPv6 id="id2383X75851" name="link-local ipv6" comment="RFC4291 Link-local unicast net" ro="False" address="fe80::" netmask="10"/>
<NetworkIPv6 id="id2685X75851" name="multicast ipv6" comment="RFC4291 ipv6 multicast addresses" ro="False" address="ff00::" netmask="8"/>
<NetworkIPv6 id="id2986X75851" name="experimental ipv6" comment="RFC2928, RFC4773 &#10;&#10;&quot;The block of Sub-TLA IDs assigned to the IANA&#10;(i.e., 2001:0000::/29 - 2001:01F8::/29) is for&#10;assignment for testing and experimental usage to&#10;support activities such as the 6bone, and&#10;for new approaches like exchanges.&quot; [RFC2928]&#10;&#10;" ro="False" address="2001::" netmask="23"/>
</ObjectGroup>
<ObjectGroup id="stdid15" name="Address Ranges" comment="" ro="False">
<AddressRange id="id3F6D115C" name="broadcast" comment="" ro="False" start_address="255.255.255.255" end_address="255.255.255.255"/>
<AddressRange id="id3F6D115D" name="old-broadcast" comment="" ro="False" start_address="0.0.0.0" end_address="0.0.0.0"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="stdid05" name="Services" comment="" ro="False">
<CustomService id="stdid14_1" name="ESTABLISHED" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<CustomService id="stdid14_2" name="ESTABLISHED ipv6" comment="This service matches all packets which are part of network connections established through the firewall, or connections 'related' to those established through the firewall. Term 'established' refers to the state tracking mechanism which exists inside iptables and other stateful firewalls and does not mean any particular combination of packet header options. Packet is considered to correspond to the state 'ESTABLISHED' if it belongs to the network session, for which proper initiation has been seen by the firewall, so its stateful inspection module made appropriate record in the state table. Usually stateful firewalls keep track of network connections using not only tcp protocol, but also udp and sometimes even icmp protocols. 'RELATED' describes packet belonging to a separate network connection, related to the session firewall is keeping track of. One example is FTP command and FTP data sessions." ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl">established</CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw">established</CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m state --state ESTABLISHED,RELATED</CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl">established</CustomServiceCommand>
</CustomService>
<ServiceGroup id="stdid10" name="Groups" comment="" ro="False">
<ServiceGroup id="sg-DHCP" name="DHCP" comment="" ro="False">
<ServiceRef ref="udp-bootpc"/>
<ServiceRef ref="udp-bootps"/>
</ServiceGroup>
<ServiceGroup id="id3F530CC8" name="DNS" comment="" ro="False">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
<ServiceGroup id="id3CB1279B" name="IPSEC" comment="" ro="False">
<ServiceRef ref="id3CB12797"/>
<ServiceRef ref="ip-IPSEC"/>
</ServiceGroup>
<ServiceGroup id="sg-NETBIOS" name="NETBIOS" comment="" ro="False">
<ServiceRef ref="udp-netbios-dgm"/>
<ServiceRef ref="udp-netbios-ns"/>
<ServiceRef ref="id3E755609"/>
</ServiceGroup>
<ServiceGroup id="id3CB131CC" name="PCAnywhere" comment="" ro="False">
<ServiceRef ref="id3CB131CA"/>
<ServiceRef ref="id3CB131C8"/>
</ServiceGroup>
<ServiceGroup id="sg-Useful_ICMP" name="Useful_ICMP" comment="" ro="False">
<ServiceRef ref="icmp-Time_exceeded"/>
<ServiceRef ref="icmp-Time_exceeded_in_transit"/>
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
<ServiceGroup id="id1569X4889" name="Ipv6 unreachable messages" comment="" ro="False">
<ServiceRef ref="idE0D27650"/>
<ServiceRef ref="idCFE27650"/>
<ServiceRef ref="idE0B27650"/>
<ServiceRef ref="id1519Z388"/>
</ServiceGroup>
<ServiceGroup id="id3B4FEDD9" name="kerberos" comment="" ro="False">
<ServiceRef ref="id3B4FEDA5"/>
<ServiceRef ref="id3B4FEDA9"/>
<ServiceRef ref="id3B4FEDA7"/>
<ServiceRef ref="id3B4FEDAB"/>
<ServiceRef ref="id3B4FEDA3"/>
<ServiceRef ref="id3B4FEE21"/>
<ServiceRef ref="id3B4FEE23"/>
<ServiceRef ref="id3E7E3EA2"/>
</ServiceGroup>
<ServiceGroup id="id3B4FF35E" name="nfs" comment="" ro="False">
<ServiceRef ref="id3B4FEE7A"/>
<ServiceRef ref="id3B4FEE78"/>
</ServiceGroup>
<ServiceGroup id="id3B4FEFFA" name="quake" comment="" ro="False">
<ServiceRef ref="id3B4FEF7C"/>
<ServiceRef ref="id3B4FEF7E"/>
</ServiceGroup>
<ServiceGroup id="id3D703C9A" name="Real Player" comment="" ro="False">
<ServiceRef ref="id3D703C99"/>
<ServiceRef ref="id3D703C8B"/>
</ServiceGroup>
<ServiceGroup id="id3E7E3E95" name="WinNT" comment="" ro="False">
<ServiceRef ref="sg-NETBIOS"/>
<ServiceRef ref="id3DC8C8BB"/>
<ServiceRef ref="id3E7E3D58"/>
</ServiceGroup>
<ServiceGroup id="id3E7E3E9A" name="Win2000" comment="" ro="False">
<ServiceRef ref="id3E7E3E95"/>
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="id3DC8C8BC"/>
<ServiceRef ref="id3E7E3EA2"/>
<ServiceRef ref="id3AECF778"/>
<ServiceRef ref="id3D703C90"/>
<ServiceRef ref="id3E7E4039"/>
<ServiceRef ref="id3E7E403A"/>
<ServiceRef ref="id3B4FEDA5"/>
<ServiceRef ref="tcp-DNS"/>
</ServiceGroup>
<ServiceGroup id="id41291786" name="UPnP" comment="" ro="False">
<ServiceRef ref="id41291784"/>
<ServiceRef ref="id41291785"/>
<ServiceRef ref="id41291783"/>
<ServiceRef ref="id412Z18A9"/>
</ServiceGroup>
</ServiceGroup>
<ServiceGroup id="stdid07" name="ICMP" comment="" ro="False">
<ICMPService id="icmp-Unreachables" code="-1" type="3" name="all ICMP unreachables" comment="" ro="False"/>
<ICMPService id="id3C20EEB5" code="-1" type="-1" name="any ICMP" comment="" ro="False"/>
<ICMPService id="icmp-Host_unreach" code="1" type="3" name="host_unreach" comment="" ro="False"/>
<ICMPService id="icmp-ping_reply" code="0" type="0" name="ping reply" comment="" ro="False"/>
<ICMPService id="icmp-ping_request" code="0" type="8" name="ping request" comment="" ro="False"/>
<ICMPService id="icmp-Port_unreach" code="3" type="3" name="port unreach" comment="Port unreachable" ro="False"/>
<ICMPService id="icmp-Time_exceeded" code="0" type="11" name="time exceeded" comment="ICMP messages of this type are needed for traceroute" ro="False"/>
<ICMPService id="icmp-Time_exceeded_in_transit" code="1" type="11" name="time exceeded in transit" comment="" ro="False"/>
<ICMP6Service id="ipv6-icmp-ping_request" code="0" type="128" name="ipv6 ping request" comment="IPv6 ping request" ro="False"/>
<ICMP6Service id="ipv6-icmp-ping_reply" code="0" type="129" name="ipv6 ping reply" comment="IPv6 ping reply" ro="False"/>
<ICMP6Service id="ipv6-icmp-routersol" code="0" type="133" name="ipv6 routersol" comment="IPv6 router solicitation" ro="False"/>
<ICMP6Service id="ipv6-icmp-routeradv" code="0" type="134" name="ipv6 routeradv" comment="IPv6 router advertisement" ro="False"/>
<ICMP6Service id="ipv6-icmp-neighbrsol" code="0" type="135" name="ipv6 neighbrsol" comment="IPv6 neighbor solicitation" ro="False"/>
<ICMP6Service id="ipv6-icmp-neighbradv" code="0" type="136" name="ipv6 neighbradv" comment="IPv6 neighbor advertisement" ro="False"/>
<ICMP6Service id="ipv6-icmp-redir" code="0" type="137" name="ipv6 redir" comment="IPv6 redirect: shorter route exists" ro="False"/>
<ICMP6Service id="id1519Z388" code="-1" type="4" name="ipv6 parameter problem" comment="IPv6 Parameter Problem: RFC4443" ro="False"/>
<ICMP6Service id="idCFE27650" code="0" type="3" name="ipv6 time exceeded" comment="Time exceeded in transit" ro="False"/>
<ICMP6Service id="idCFF27650" code="1" type="3" name="ipv6 time exceeded in reassembly" comment="Time exceeded in reassembly" ro="False"/>
<ICMP6Service id="idE0B27650" code="-1" type="2" name="ipv6 packet too big" comment="" ro="False"/>
<ICMP6Service id="idE0D27650" code="-1" type="1" name="ipv6 all dest unreachable" comment="All icmpv6 codes for type &quot;destination unreachable&quot;&#10;" ro="False"/>
<ICMP6Service id="idCFE27660" code="-1" type="-1" name="ipv6 any ICMP6" comment="any ICMPv6" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid06" name="IP" comment="" ro="False">
<IPService id="id3CB12797" fragm="False" lsrr="False" protocol_num="51" rr="False" short_fragm="False" ssrr="False" ts="False" name="AH" comment="IPSEC Authentication Header Protocol" ro="False"/>
<IPService id="ip-IPSEC" fragm="False" lsrr="False" protocol_num="50" rr="False" short_fragm="False" ssrr="False" ts="False" name="ESP" comment="IPSEC Encapsulating Security Payload Protocol" ro="False"/>
<IPService id="ip-RR" fragm="False" lsrr="False" protocol_num="0" rr="True" short_fragm="False" ssrr="False" ts="False" name="RR" comment="Route recording packets" ro="False"/>
<IPService id="ip-SRR" fragm="False" lsrr="True" protocol_num="0" rr="False" short_fragm="False" ssrr="True" ts="False" name="SRR" comment="All sorts of Source Routing Packets" ro="False"/>
<IPService id="ip-IP_Fragments" fragm="False" lsrr="False" protocol_num="0" rr="False" short_fragm="True" ssrr="False" ts="False" name="ip_fragments" comment="'Short' fragments" ro="False"/>
<IPService id="id3D703C8E" fragm="False" lsrr="False" protocol_num="57" rr="False" short_fragm="False" ssrr="False" ts="False" name="SKIP" comment="IPSEC Simple Key Management for Internet Protocols" ro="False"/>
<IPService id="id3D703C8F" fragm="False" lsrr="False" protocol_num="47" rr="False" short_fragm="False" ssrr="False" ts="False" name="GRE" comment="Generic Routing Encapsulation&#10;" ro="False"/>
<IPService id="id3D703C95" fragm="False" lsrr="False" protocol_num="112" rr="False" short_fragm="False" ssrr="False" ts="False" name="vrrp" comment="Virtual Router Redundancy Protocol" ro="False"/>
<IPService id="ip-IGMP" fragm="False" lsrr="False" protocol_num="2" rr="False" rtralt="True" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="IGMP" comment="Internet Group Management Protocol, Version 3, RFC 3376" ro="False"/>
<IPService id="ip-PIM" fragm="False" lsrr="False" protocol_num="103" rr="False" rtralt="False" rtralt_value="0" short_fragm="False" ssrr="False" ts="False" name="PIM" comment="Protocol Independent Multicast - Dense Mode (PIM-DM), RFC 3973, or Protocol Independent Multicast-Sparse Mode (PIM-SM) RFC 2362" ro="False"/>
</ServiceGroup>
<ServiceGroup id="stdid09" name="TCP" comment="" ro="False">
<TCPService id="tcp-ALL_TCP_Masqueraded" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ALL TCP Masqueraded" comment="ipchains used to use this range of port numbers for masquerading. " ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3D703C94" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="AOL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5190" dst_range_end="5190"/>
<TCPService id="tcp-All_TCP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id3CB131C4" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Citrix-ICA" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1494" dst_range_end="1494"/>
<TCPService id="id3D703C91" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-Admin" comment="Entrust CA Administration Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="709" dst_range_end="709"/>
<TCPService id="id3D703C92" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Entrust-KeyMgmt" comment="Entrust CA Key Management Service" ro="False" src_range_start="0" src_range_end="0" dst_range_start="710" dst_range_end="710"/>
<TCPService id="id3AEDBEAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="H323" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1720" dst_range_end="1720"/>
<TCPService id="id412Z18A9" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="icslap" comment="Sometimes this protocol is called icslap, but Microsoft does not call it that and just says that DSPP uses port 2869 in Windows XP SP2" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2869" dst_range_end="2869"/>
<TCPService id="id3E7E4039" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3268" dst_range_end="3268"/>
<TCPService id="id3E7E403A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="LDAP GC SSL" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3269" dst_range_end="3269"/>
<TCPService id="id3D703C83" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="OpenWindows" comment="Open Windows" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2000" dst_range_end="2000"/>
<TCPService id="id3CB131C8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="PCAnywhere-data" comment="data channel for PCAnywhere v7.52 and later " ro="False" src_range_start="0" src_range_end="0" dst_range_start="5631" dst_range_end="5631"/>
<TCPService id="id3D703C8B" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="Real-Audio" comment="RealNetworks PNA Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7070" dst_range_end="7070"/>
<TCPService id="id3D703C93" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="RealSecure" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2998" dst_range_end="2998"/>
<TCPService id="id3DC8C8BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="SMB" comment="SMB over TCP (without NETBIOS)&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="445" dst_range_end="445"/>
<TCPService id="id3D703C8D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TACACSplus" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="49" dst_range_end="49"/>
<TCPService id="id3D703C84" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="TCP high ports" comment="TCP high ports" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
<TCPService id="id3E7E3D58" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="WINS replication" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="42" dst_range_end="42"/>
<TCPService id="id3D703C82" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="X11" comment="X Window System" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6000" dst_range_end="6063"/>
<TCPService id="tcp-Auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="auth" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
<TCPService id="id3AEDBE6E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
<TCPService id="tcp-DNS" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<TCPService id="id3B4FEDA3" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="eklogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2105" dst_range_end="2105"/>
<TCPService id="id3AECF774" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="finger" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="79" dst_range_end="79"/>
<TCPService id="tcp-FTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
<TCPService id="tcp-FTP_data" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data" comment="FTP data channel.&#10; Note: FTP protocol does not really require server to use source port 20 for the data channel, &#10; but many ftp server implementations do so." ro="False" src_range_start="20" src_range_end="20" dst_range_start="1024" dst_range_end="65535"/>
<TCPService id="id3E7553BC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp data passive" comment="FTP data channel for passive mode transfers&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="20" dst_range_end="20"/>
<TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
<TCPService id="id3B4FED69" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="https" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="443" dst_range_end="443"/>
<TCPService id="id3AECF776" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="143" dst_range_end="143"/>
<TCPService id="id3B4FED9F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="imaps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="993" dst_range_end="993"/>
<TCPService id="id3B4FF13C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="irc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
<TCPService id="id3E7E3EA2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
<TCPService id="id3B4FEE21" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="klogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="543" dst_range_end="543"/>
<TCPService id="id3B4FEE23" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ksh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="544" dst_range_end="544"/>
<TCPService id="id3AECF778" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="389" dst_range_end="389"/>
<TCPService id="id3D703C90" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ldaps" comment="Lightweight Directory Access Protocol over TLS/SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="636" dst_range_end="636"/>
<TCPService id="id3B4FF000" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="linuxconf" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="98" dst_range_end="98"/>
<TCPService id="id3D703C97" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="lpr" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
<TCPService id="id3DC8C8BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
<TCPService id="id3D703C98" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ms-sql" comment="Microsoft SQL Server" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1433" dst_range_end="1433"/>
<TCPService id="id3B4FEEEE" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="mysql" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3306" dst_range_end="3306"/>
<TCPService id="id3E755609" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
<TCPService id="id3B4FEE7A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
<TCPService id="tcp-NNTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
<TCPService id="id3E7553BB" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntps" comment="NNTP over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="563" dst_range_end="563"/>
<TCPService id="id3B4FEE1D" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="110" dst_range_end="110"/>
<TCPService id="id3E7553BA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="pop3s" comment="POP-3 over SSL" ro="False" src_range_start="0" src_range_end="0" dst_range_start="995" dst_range_end="995"/>
<TCPService id="id3B4FF0EA" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="postgres" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5432" dst_range_end="5432"/>
<TCPService id="id3AECF782" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="printer" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="515" dst_range_end="515"/>
<TCPService id="id3B4FEF7C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
<TCPService id="id3AECF77A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rexec" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="512" dst_range_end="512"/>
<TCPService id="id3AECF77C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rlogin" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
<TCPService id="id3AECF77E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rshell" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
<TCPService id="id3D703C99" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtsp" comment="Real Time Streaming Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="554" dst_range_end="554"/>
<TCPService id="id3B4FEF34" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rwhois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4321" dst_range_end="4321"/>
<TCPService id="id3D703C89" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="securidprop" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5510" dst_range_end="5510"/>
<TCPService id="tcp-SMTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
<TCPService id="id3B4FF04C" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="smtps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="465" dst_range_end="465"/>
<TCPService id="id3B4FEE76" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="socks" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1080" dst_range_end="1080"/>
<TCPService id="id3D703C87" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sqlnet1" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1521" dst_range_end="1521"/>
<TCPService id="id3B4FF09A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="squid" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
<TCPService id="tcp-SSH" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ssh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="id3AEDBE00" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
<TCPService id="tcp-TCP-SYN" ack_flag="False" ack_flag_mask="True" fin_flag="False" fin_flag_mask="True" psh_flag="False" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="False" urg_flag_mask="True" name="tcp-syn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="tcp-Telnet" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="telnet" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="23" dst_range_end="23"/>
<TCPService id="tcp-uucp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="uucp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="540" dst_range_end="540"/>
<TCPService id="id3CB131C6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="winterm" comment="Windows Terminal Services" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3389" dst_range_end="3389"/>
<TCPService id="id3B4FF1B8" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7100" dst_range_end="7100"/>
<TCPService id="id3C685B2B" ack_flag="True" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="True" rst_flag_mask="True" syn_flag="True" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan - full" comment="This service object matches TCP packet with all six flags set." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id4127E949" ack_flag="False" ack_flag_mask="True" fin_flag="True" fin_flag_mask="True" psh_flag="True" psh_flag_mask="True" rst_flag="False" rst_flag_mask="True" syn_flag="False" syn_flag_mask="True" urg_flag="True" urg_flag_mask="True" name="xmas scan" comment="This service object matches TCP packet with flags FIN, PSH and URG set and other flags cleared. This is a &quot;christmas scan&quot; as defined in snort rules. Nmap can generate this scan, too." ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id4127EA72" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
<TCPService id="id4127EBAC" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="distcc" comment="distributed compiler" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3632" dst_range_end="3632"/>
<TCPService id="id4127ECF1" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvspserver" comment="CVS client/server operations" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2401" dst_range_end="2401"/>
<TCPService id="id4127ECF2" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="cvsup" comment="CVSup file transfer/John Polstra/FreeBSD" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5999" dst_range_end="5999"/>
<TCPService id="id4127ED5E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="afp" comment="AFP (Apple file sharing) over TCP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="548" dst_range_end="548"/>
<TCPService id="id4127EDF6" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="whois" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="43" dst_range_end="43"/>
<TCPService id="id4127F04F" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="bgp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="179" dst_range_end="179"/>
<TCPService id="id4127F146" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius" comment="Radius protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1812" dst_range_end="1812"/>
<TCPService id="id4127F147" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="radius acct" comment="Radius Accounting" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1813" dst_range_end="1813"/>
<TCPService id="id41291784" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5000" dst_range_end="5000"/>
<TCPService id="id41291785" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="upnp-5431" comment="Although UPnP specification say it should use TCP port 5000, Linksys running Sveasoft firmware listens on port 5431" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5431" dst_range_end="5431"/>
<TCPService id="id41291787" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-0" comment="Java VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5800" dst_range_end="5800"/>
<TCPService id="id41291788" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-0" comment="Regular VNC viewer, display 0" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5900" dst_range_end="5900"/>
<TCPService id="id41291887" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-java-1" comment="Java VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5801" dst_range_end="5801"/>
<TCPService id="id41291888" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="vnc-1" comment="Regular VNC viewer, display 1" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5901" dst_range_end="5901"/>
<TCPService id="id463FE5FE11008" ack_flag="False" ack_flag_mask="False" established="True" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="All TCP established" comment="Some firewall platforms can match TCP packets with flags ACK or RST set; the option is usually called &quot;established&quot;.&#10;&#10;Note that you can use this object only in the policy rules of the firewall that supports this option.&#10;&#10;If you need to match reply packets for a specific TCP service and wish to use option &quot;established&quot;, make a copy of this object and set source port range to match the service.&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id1577X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="rtmp" comment="Real Time Messaging Protocol" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1935" dst_range_end="1935"/>
<TCPService id="id1590X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5222" dst_range_end="5222"/>
<TCPService id="id1609X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5269" dst_range_end="5269"/>
<TCPService id="id1622X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-client-ssl" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5223" dst_range_end="5223"/>
<TCPService id="id1631X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="xmpp-server-ssl" comment="Extensible Messaging and Presence Protocol (XMPP) RFC3920&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5270" dst_range_end="5270"/>
<TCPService id="id1644X28030" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nrpe" comment="NRPE add-on for Nagios http://www.nagios.org/&#10;" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5666" dst_range_end="5666"/>
</ServiceGroup>
<ServiceGroup id="stdid08" name="UDP" comment="" ro="False">
<UDPService id="udp-ALL_UDP_Masqueraded" name="ALL UDP Masqueraded" comment="ipchains used to use this port range for masqueraded packets" ro="False" src_range_start="61000" src_range_end="65095" dst_range_start="0" dst_range_end="0"/>
<UDPService id="udp-All_UDP" name="All UDP" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="0" dst_range_end="0"/>
<UDPService id="id3D703C96" name="ICQ" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4000" dst_range_end="4000"/>
<UDPService id="id3CB129D2" name="IKE" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="500" dst_range_end="500"/>
<UDPService id="id3CB131CA" name="PCAnywhere-status" comment="status channel for PCAnywhere v7.52 and later" ro="False" src_range_start="0" src_range_end="0" dst_range_start="5632" dst_range_end="5632"/>
<UDPService id="id3AED0D6B" name="RIP" comment="routing protocol RIP" ro="False" src_range_start="0" src_range_end="0" dst_range_start="520" dst_range_end="520"/>
<UDPService id="id3D703C8C" name="Radius" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1645" dst_range_end="1645"/>
<UDPService id="id3D703C85" name="UDP high ports" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="65535"/>
<UDPService id="id3D703C86" name="Who" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="513" dst_range_end="513"/>
<UDPService id="id3B4FEDA1" name="afs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="7000" dst_range_end="7009"/>
<UDPService id="udp-bootpc" name="bootpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="68" dst_range_end="68"/>
<UDPService id="udp-bootps" name="bootps" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="67" dst_range_end="67"/>
<UDPService id="id3AEDBE70" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
<UDPService id="udp-DNS" name="domain" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<UDPService id="id3D703C8A" name="interphone" comment="VocalTec Internet Phone" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22555" dst_range_end="22555"/>
<UDPService id="id3B4FEDA5" name="kerberos" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="88" dst_range_end="88"/>
<UDPService id="id3B4FEDA9" name="kerberos-adm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="749" dst_range_end="750"/>
<UDPService id="id3B4FEDA7" name="kpasswd" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="464" dst_range_end="464"/>
<UDPService id="id3B4FEDAB" name="krb524" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4444" dst_range_end="4444"/>
<UDPService id="id3F865B0D" name="microsoft-rpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="135" dst_range_end="135"/>
<UDPService id="udp-netbios-dgm" name="netbios-dgm" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="138" dst_range_end="138"/>
<UDPService id="udp-netbios-ns" name="netbios-ns" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="137" dst_range_end="137"/>
<UDPService id="udp-netbios-ssn" name="netbios-ssn" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="139" dst_range_end="139"/>
<UDPService id="id3B4FEE78" name="nfs" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2049" dst_range_end="2049"/>
<UDPService id="udp-ntp" name="ntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="123" dst_range_end="123"/>
<UDPService id="id3B4FEF7E" name="quake" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="26000" dst_range_end="26000"/>
<UDPService id="id3D703C88" name="secureid-udp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1024" dst_range_end="1024"/>
<UDPService id="udp-SNMP" name="snmp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="161" dst_range_end="161"/>
<UDPService id="id3AED0D69" name="snmp-trap" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="162" dst_range_end="162"/>
<UDPService id="id3AEDBE19" name="sunrpc" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="111" dst_range_end="111"/>
<UDPService id="id3AECF780" name="syslog" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="514" dst_range_end="514"/>
<UDPService id="id3AED0D67" name="tftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="69" dst_range_end="69"/>
<UDPService id="id3AED0D8C" name="traceroute" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="33434" dst_range_end="33524"/>
<UDPService id="id4127EA73" name="rsync" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="873" dst_range_end="873"/>
<UDPService id="id41291783" name="SSDP" comment="Simple Service Discovery Protocol (used for UPnP)" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1900" dst_range_end="1900"/>
<UDPService id="id41291883" name="OpenVPN" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1194" dst_range_end="1194"/>
</ServiceGroup>
<ServiceGroup id="stdid13" name="Custom" comment="" ro="False">
<CustomService id="id3B64EEA8" name="rpc" comment="works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m record_rpc</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF4E" name="irc-conn" comment="IRC connection tracker, supports DCC.&#10;Works on iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/&#10;" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m irc</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF50" name="psd" comment="Port scan detector, works only on iptables and requires patch-o-matic &#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m psd --psd-weight-threshold 5 --psd-delay-threshold 10000</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF52" name="string" comment="Matches a string in a whole packet, works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3B64EF54" name="talk" comment="Talk protocol support. Works in iptables and requires patch-o-matic.&#10;For more information look for patch-o-matic on http://www.netfilter.org/" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m talk</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
</ServiceGroup>
<ServiceGroup id="stdid19" name="TagServices" comment="" ro="False"/>
<ServiceGroup id="stdid20" name="UserServices" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="stdid12" name="Firewalls" comment="" ro="False"/>
<ObjectGroup id="stdid21" name="Clusters" comment="" ro="False"/>
<IntervalGroup id="stdid11" name="Time" comment="" ro="False">
<Interval id="int-workhours" days_of_week="1,2,3,4,5" from_day="-1" from_hour="9" from_minute="0" from_month="-1" from_weekday="1" from_year="-1" to_day="-1" to_hour="17" to_minute="0" to_month="-1" to_weekday="5" to_year="-1" name="workhours" comment="any day, 9:00am through 5:00pm" ro="False"/>
<Interval id="int-weekends" days_of_week="6,0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="weekends" comment="weekends: Saturday 0:00 through Sunday 23:59 " ro="False"/>
<Interval id="int-afterhours" days_of_week="0,1,2,3,4,5,6" from_day="-1" from_hour="18" from_minute="0" from_month="-1" from_weekday="-1" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="-1" to_year="-1" name="afterhours" comment="any day 6:00pm - 12:00am" ro="False"/>
<Interval id="id3C63479C" days_of_week="6" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="6" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="6" to_year="-1" name="Sat" comment="" ro="False"/>
<Interval id="id3C63479E" days_of_week="0" from_day="-1" from_hour="0" from_minute="0" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="23" to_minute="59" to_month="-1" to_weekday="0" to_year="-1" name="Sun" comment="" ro="False"/>
</IntervalGroup>
</Library>
<Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
<Library id="id0" name="User" comment="" ro="False">
<ObjectGroup id="id1" name="Objects" comment="" ro="False">
<ObjectGroup id="id2" name="Addresses" comment="" ro="False"/>
<ObjectGroup id="id3" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id4" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id5" name="Groups" comment="" ro="False"/>
<ObjectGroup id="id6" name="Hosts" comment="" ro="False"/>
<ObjectGroup id="id7" name="Networks" comment="" ro="False"/>
<ObjectGroup id="id8" name="Address Ranges" comment="" ro="False"/>
</ObjectGroup>
<ServiceGroup id="id9" name="Services" comment="" ro="False">
<ServiceGroup id="id10" name="Groups" comment="" ro="False"/>
<ServiceGroup id="id11" name="ICMP" comment="" ro="False"/>
<ServiceGroup id="id12" name="IP" comment="" ro="False"/>
<ServiceGroup id="id13" name="TCP" comment="" ro="False"/>
<ServiceGroup id="id14" name="UDP" comment="" ro="False"/>
<ServiceGroup id="id15" name="Users" comment="" ro="False"/>
<ServiceGroup id="id16" name="Custom" comment="" ro="False"/>
<ServiceGroup id="id17" name="TagServices" comment="" ro="False"/>
</ServiceGroup>
<ObjectGroup id="id18" name="Firewalls" comment="" ro="False"/>
<ObjectGroup id="id19" name="Clusters" comment="" ro="False"/>
<IntervalGroup id="id20" name="Time" comment="" ro="False"/>
</Library>
</FWObjectDatabase>


@ -1,7 +1,21 @@
3: Parser error: line 3:26: expecting EQUAL, found '
'
Parser error:
Could not find enough information in the data file to create firewall object.
19: Error: import of 'set fingerprints' commands is not supported.
20: Error: import of 'set hostid' commands is not supported.
21: Error: import of 'set loginterface' commands is not supported.
22: Error: import of 'set reassemble' commands is not supported.
23: Error: import of 'set require-order' commands is not supported.
24: Error: import of 'set ruleset-optimization' commands is not supported.
25: Error: import of 'set state-defaults' commands is not supported.
27: filtering rule: action block; interfaces:
Could not find enough information in the data file to create firewall interface objects.
Please check that the file you are trying to import is in one of supported formats. Currently fwbuilder can only import iptables configuration saved with 'iptables-restore' command, Cisco routers (IOS), Cisco ASA, FWSM and PIX configurations saved with 'show run' command and PF configuration from a pf.conf file.
Configuring limits:
set limit frags 5000
set limit states 10000
set limit src-nodes 100000
set limit tables 100000
set limit tables-entries 100000
set optimization high-latency
set block-policy return
set state-policy if-bound
New interface: lo0set skip on lo0
set debug crit
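Review bot: The expected-output line `New interface: lo0set skip on lo0` fuses two log messages, which suggests the "New interface" message is emitted without a line terminator. Unless this is an artifact of how the page renders the file, the golden output pins that defect instead of catching it. The intended content is presumably two lines, `New interface: lo0` followed by `set skip on lo0`, and the fix belongs in the code that writes the message rather than in this file. Separately, this output records `set block-policy return` as imported and the error list here has no block-policy entry, while the commit description lists "set block-policy" as unsupported. One of the two should be corrected so that anyone auditing an imported policy can tell whether the block policy was carried over.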


@ -2,4 +2,22 @@
14: filtering rule: action block; interfaces:
Could not find enough information in the data file to create firewall interface objects.
Configuring timeouts:interval=10frag=30tcp.first=60tcp.opening=30tcp.established=3600tcp.closing=30tcp.finwait=2tcp.closed=10udp.first=20udp.single=10udp.multiple=15icmp.first=11icmp.error=6other.first=40other.single=20other.multiple=30adaptive.start=10adaptive.end=5
Configuring timeouts:
set timeout interval 10
set timeout frag 30
set timeout tcp.first 60
set timeout tcp.opening 30
set timeout tcp.established 3600
set timeout tcp.closing 30
set timeout tcp.finwait 2
set timeout tcp.closed 10
set timeout udp.first 20
set timeout udp.single 10
set timeout udp.multiple 15
set timeout icmp.first 11
set timeout icmp.error 6
set timeout other.first 40
set timeout other.single 20
set timeout other.multiple 30
set timeout adaptive.start 10
set timeout adaptive.end 5