
bugs 1111267, 2463048

This commit is contained in:
Vadim Kurland 2008-12-28 07:12:12 +00:00
parent c2f2d928fe
commit a720640ffe
12 changed files with 608 additions and 112 deletions


@ -1 +1 @@
#define BUILD_NUM 708
#define BUILD_NUM 711


@ -1,3 +1,24 @@
2008-12-27 vadim <vadim@vk.crocodile.org>
* feature req. #1111267 "CustomService should specify protocol and
parameters for it". Support for protocol string in Custom Service
in compilers for iptables and PF.
* CustomServiceDialog.cpp (CustomServiceDialog::loadFWObject):
feature requests #1111267 "CustomService should specify protocol
and parameters for it" and #2463048 "custom services should have
IPv4/v6 setting". Added corresponding input elements to the
CustomService object dialog.
* CustomService.h (libfwbuilder): feature requests #1111267
"CustomService should specify protocol and parameters for it" and
#2463048 "custom services should have IPv4/v6 setting". Added
attributes "protocol" and "address_family" to the CustomService
object. Corresponding XML attributes are "#IMPLIED", this helps
avoid having to provide XSLT auto-upgrade script for this
version. Class CustomService returns "any" for the protocol and
"ipv4" for address family if these attributes are missing.
2008-12-25 vadim <vadim@vk.crocodile.org>
* All policy compilers: using FWObjectDatabase::createClass


@ -69,34 +69,71 @@ void CustomServiceDialog::loadFWObject(FWObject *o)
init=true;
m_dialog->protocol_string_label->setVisible (false); //!REM
m_dialog->protocol_string->setVisible (false); //!REM
m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) );
m_dialog->comment->setText( QString::fromUtf8(s->getComment().c_str()) );
//!NEW m_dialog->protocl_string->setText(QString::fromUtf8(s->getProtocolStringForPlatform().c_str()));
/* fill in m_dialog->platform */
m_dialog->platform->clear();
int cp=0;
showPlatform=st->value(SETTINGS_PATH_PREFIX"/CustomService/Platform").toString();
QString default_platform =
st->value(SETTINGS_PATH_PREFIX"/CustomService/Platform").toString();
QMap<QString,QString> platforms = getAllPlatforms();
QMap<QString,QString>::iterator i;
for (i=platforms.begin(); i!=platforms.end(); i++,cp++)
{
// cerr << "m_dialog->platform: key=" << i.key() << " data=" << i.data() << endl;
// cerr << "m_dialog->platform: key=" << i.key()
// << " data=" << i.data() << endl;
/* here i.key is m_dialog->platform m_dialog->code ( "ipf", "ipfw", "iptables", "pf")
* while i.data is human readable name ("ipfilter", "PF" )
/*
* here i.key is m_dialog->platform m_dialog->code ( "ipf", "ipfw",
* "iptables", "pf") while i.data is human readable name ("ipfilter",
* "PF" )
*/
platformReverseMap[i.value()]=i.key();
platformReverseMap[i.value()] = i.key();
m_dialog->platform->addItem( i.value() );
if (showPlatform=="") showPlatform = i.key();
if (showPlatform==i.key()) m_dialog->platform->setCurrentIndex( cp );
allCodes[ i.key() ]=s->getCodeForPlatform( i.key().toLatin1().constData() ).c_str();
m_dialog->platform->addItem(i.value());
if (default_platform=="") default_platform = i.key();
if (default_platform==i.key()) m_dialog->platform->setCurrentIndex(cp);
const char *platform_cptr = i.key().toLatin1().constData();
allCodes[i.key()] = s->getCodeForPlatform(platform_cptr).c_str();
}
m_dialog->code->setText( allCodes[showPlatform] ); //fromUtf8
fillDialogInputFields();
QString protocol = s->getProtocol().c_str();
if (protocol == "") protocol = "any";
m_dialog->protocol->clear();
m_dialog->protocol->addItem("any");
m_dialog->protocol->addItem("tcp");
m_dialog->protocol->addItem("udp");
m_dialog->protocol->addItem("icmp");
bool standard_protocol = false;
int proto_index = 0;
for (; proto_index < m_dialog->protocol->count(); ++proto_index)
{
if (protocol == m_dialog->protocol->itemText(proto_index))
{
m_dialog->protocol->setCurrentIndex(proto_index);
standard_protocol = true;
break;
}
}
if (!standard_protocol)
{
m_dialog->protocol->addItem(protocol);
m_dialog->protocol->setCurrentIndex(proto_index);
}
int af = s->getAddressFamily();
if (af == AF_INET6)
m_dialog->ipv6->setChecked(true);
else
m_dialog->ipv4->setChecked(true);
//apply->setEnabled( false );
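Review bot: `platform_cptr` at L80 is dangling by the time it is used at L81: `i.key().toLatin1()` produces a temporary QByteArray that is destroyed at the end of that statement, so `constData()` points into released storage when `getCodeForPlatform` runs — the single-expression form this replaced was correct. Keep the byte array alive across the call, e.g. `QByteArray platform_bytes = i.key().toLatin1();` followed by `allCodes[i.key()] = s->getCodeForPlatform(platform_bytes.constData()).c_str();`. In the applyChanges hunk, `itemText(currentIndex())` at L161-L164 can return the previously selected entry rather than text the user typed into the editable combo box but never committed with Return; `m_dialog->protocol->currentText()` covers both the selected and the typed case. loadFWObject continues past the hunk.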
@ -132,7 +169,11 @@ void CustomServiceDialog::validate(bool *res)
{
*res=true;
if (!isTreeReadWrite(this,obj)) { *res=false; return; }
if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; }
if (!validateName(this,obj,m_dialog->obj_name->text()))
{
*res=false;
return;
}
}
void CustomServiceDialog::isChanged(bool*)
@ -148,10 +189,7 @@ void CustomServiceDialog::libChanged()
void CustomServiceDialog::platformChanged()
{
init=true;
QString npl = platformReverseMap[m_dialog->platform->currentText()];
m_dialog->code->setText( allCodes[ npl ] ); //fromUtf8
showPlatform = npl;
st->setValue(SETTINGS_PATH_PREFIX"/CustomService/Platform",showPlatform);
fillDialogInputFields();
init=false;
// changed();
}
@ -163,18 +201,28 @@ void CustomServiceDialog::applyChanges()
string oldname=obj->getName();
obj->setName( string(m_dialog->obj_name->text().toUtf8().constData()) );
string commText = string(m_dialog->comment->toPlainText().toUtf8().constData());
string commText = string(
m_dialog->comment->toPlainText().toUtf8().constData());
obj->setComment( commText );
//!NEW s->setProtocolStringForPlatform(string(m_dialog->protocol_string->text().toUtf8().constData()));
QMap<QString,QString> platforms = getAllPlatforms();
QMap<QString,QString>::iterator i;
for (i=allCodes.begin(); i!=allCodes.end(); ++i)
for (i=platforms.begin(); i!=platforms.end(); i++)
{
string code = string(i.value().toUtf8().constData());
if (fwbdebug)
qDebug("Storing custom service m_dialog->code %s :: %s",
i.key().toLatin1().constData(),code.c_str());
s->setCodeForPlatform( i.key().toLatin1().constData(), code );
QString platform = i.key();
QString code = allCodes[platform];
s->setCodeForPlatform( platform.toUtf8().constData(),
string(code.toUtf8().constData()));
}
int protocol_index = m_dialog->protocol->currentIndex();
QString protocol;
if (protocol_index >= 0)
protocol = m_dialog->protocol->itemText(protocol_index).toUtf8().constData();
else
protocol = m_dialog->protocol->lineEdit()->text();
s->setProtocol(string(protocol.toUtf8().constData()));
int af = (m_dialog->ipv6->isChecked()) ? AF_INET6 : AF_INET;
s->setAddressFamily(af);
mw->updateObjName(obj,QString::fromUtf8(oldname.c_str()));
//apply->setEnabled( false );
@ -196,3 +244,11 @@ void CustomServiceDialog::closeEvent(QCloseEvent *e)
}
void CustomServiceDialog::fillDialogInputFields()
{
QString npl = platformReverseMap[m_dialog->platform->currentText()];
showPlatform = npl;
st->setValue(SETTINGS_PATH_PREFIX"/CustomService/Platform", showPlatform);
m_dialog->code->setText(allCodes[showPlatform]);
}


@ -50,8 +50,11 @@ class CustomServiceDialog : public QWidget
QString showPlatform;
Ui::CustomServiceDialog_q *m_dialog;
ProjectPanel *m_project;
public:
protected:
void fillDialogInputFields();
public:
CustomServiceDialog(ProjectPanel *project, QWidget *parent);
~CustomServiceDialog();


@ -8,8 +8,8 @@
<rect>
<x>0</x>
<y>0</y>
<width>748</width>
<height>307</height>
<width>754</width>
<height>251</height>
</rect>
</property>
<property name="windowTitle" >
@ -27,9 +27,6 @@
<property name="spacing" >
<number>2</number>
</property>
<property name="margin" >
<number>0</number>
</property>
<item>
<widget class="QFrame" name="frame3" >
<property name="sizePolicy" >
@ -103,7 +100,7 @@
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<layout class="QGridLayout" >
<layout class="QGridLayout" name="gridLayout_3" >
<item rowspan="2" row="0" column="0" >
<widget class="QFrame" name="frame13" >
<property name="frameShape" >
@ -112,7 +109,7 @@
<property name="frameShadow" >
<enum>QFrame::Sunken</enum>
</property>
<layout class="QGridLayout" >
<layout class="QGridLayout" name="gridLayout_2" >
<item row="0" column="0" >
<widget class="QLabel" name="textLabel1" >
<property name="text" >
@ -164,7 +161,8 @@
<item row="1" column="1" >
<widget class="QComboBox" name="platform" >
<property name="toolTip" >
<string>Custom service object has separate code string for each supported firewall platform.</string>
<string>Custom service object has separate code string for each
supported firewall platform.</string>
</property>
</widget>
</item>
@ -199,7 +197,8 @@
</size>
</property>
<property name="toolTip" >
<string>Custom service object has separate code string for each supported firewall platform.</string>
<string>Custom service object has separate code string for each
supported firewall platform.</string>
</property>
<property name="alignment" >
<set>Qt::AlignLeading</set>
@ -215,33 +214,87 @@
</sizepolicy>
</property>
<property name="text" >
<string>Protocol String:</string>
<string>Protocol Name:</string>
</property>
</widget>
</item>
<item row="3" column="1" >
<widget class="QLineEdit" name="protocol_string" >
<widget class="QComboBox" name="protocol" >
<property name="toolTip" >
<string>Choose one of the standard protocols from the menu or enter custom
protocol string. Policy compilers can use this information to add correct
protocol-specific parameters to the generated configuration. For example,
iptables compiler is allowed to add "--reject-with tcp-reset" to the target
REJECT only if service object belongs to protocol "tcp".
</string>
</property>
<property name="editable" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="4" column="0" >
<widget class="QLabel" name="label_2" >
<property name="text" >
<string>Address Family:</string>
</property>
</widget>
</item>
<item row="4" column="1" >
<widget class="QGroupBox" name="groupBox" >
<property name="sizePolicy" >
<sizepolicy vsizetype="Fixed" hsizetype="Preferred" >
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="toolTip" >
<string>Like with protocol, setting address family helps
policy compiler generate more accurate configuration
using this custom service object. For example, if
address family is set to ipv6, this custom service
will only be used in ipv6 policies.
</string>
</property>
<property name="title" >
<string/>
</property>
<property name="flat" >
<bool>true</bool>
</property>
<property name="checkable" >
<bool>false</bool>
</property>
<layout class="QGridLayout" name="gridLayout" >
<property name="topMargin" >
<number>4</number>
</property>
<property name="bottomMargin" >
<number>4</number>
</property>
<item row="0" column="0" >
<widget class="QRadioButton" name="ipv4" >
<property name="text" >
<string>IPv4</string>
</property>
<property name="checked" >
<bool>true</bool>
</property>
</widget>
</item>
<item row="0" column="1" >
<widget class="QRadioButton" name="ipv6" >
<property name="text" >
<string>IPv6</string>
</property>
<property name="checked" >
<bool>false</bool>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="4" column="1" >
<spacer>
<property name="orientation" >
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0" >
<size>
<width>20</width>
<height>40</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</item>
@ -363,20 +416,71 @@
</hints>
</connection>
<connection>
<sender>protocol_string</sender>
<signal>textChanged(QString)</signal>
<sender>protocol</sender>
<signal>editTextChanged(QString)</signal>
<receiver>CustomServiceDialog_q</receiver>
<slot>changed()</slot>
<hints>
<hint type="sourcelabel" >
<x>161</x>
<y>257</y>
<x>250</x>
<y>172</y>
</hint>
<hint type="destinationlabel" >
<x>384</x>
<y>155</y>
<x>376</x>
<y>125</y>
</hint>
</hints>
</connection>
<connection>
<sender>protocol</sender>
<signal>currentIndexChanged(int)</signal>
<receiver>CustomServiceDialog_q</receiver>
<slot>changed()</slot>
<hints>
<hint type="sourcelabel" >
<x>250</x>
<y>172</y>
</hint>
<hint type="destinationlabel" >
<x>376</x>
<y>125</y>
</hint>
</hints>
</connection>
<connection>
<sender>ipv4</sender>
<signal>toggled(bool)</signal>
<receiver>CustomServiceDialog_q</receiver>
<slot>changed()</slot>
<hints>
<hint type="sourcelabel" >
<x>200</x>
<y>210</y>
</hint>
<hint type="destinationlabel" >
<x>376</x>
<y>125</y>
</hint>
</hints>
</connection>
<connection>
<sender>ipv6</sender>
<signal>toggled(bool)</signal>
<receiver>CustomServiceDialog_q</receiver>
<slot>changed()</slot>
<hints>
<hint type="sourcelabel" >
<x>298</x>
<y>210</y>
</hint>
<hint type="destinationlabel" >
<x>376</x>
<y>125</y>
</hint>
</hints>
</connection>
</connections>
<slots>
<slot>changed()</slot>
</slots>
</ui>
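Review bot: The grid now holds two items in the cell row 4, column 1: the address-family `groupBox` added at L288 and the vertical spacer at L343, which reads as unchanged context from the layout where the last row held only that spacer (the hunk counts are consistent with it not having been moved). Two items in one QGridLayout cell overlap rather than stack, so the spacer should get its own row, `<item row="5" column="1" >`, or be dropped now that the group box carries a fixed vertical size policy. The tooltip at L269 could also state that a single protocol token (a name or number) is expected, since the label at L261 says "Protocol Name" and the compilers on this page write the value straight into the generated rule.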


@ -32,6 +32,7 @@
#include "fwbuilder/ICMPService.h"
#include "fwbuilder/TCPService.h"
#include "fwbuilder/UDPService.h"
#include "fwbuilder/UserService.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/TagService.h"
#include "fwbuilder/Policy.h"
@ -195,14 +196,27 @@ string NATCompiler_ipt::PrintRule::_printChainDirectionAndInterface(NATRule *rul
return ostr.str();
}
string NATCompiler_ipt::PrintRule::_printProtocol(Service *srv)
{
std::ostringstream ostr;
if (!srv->isAny() && !CustomService::isA(srv) && !TagService::isA(srv))
// CustomService returns protocol name starting with v3.0.4
// However CustomService can return protocol name "any", which we should
// just skip.
if (CustomService::isA(srv))
{
string pn=srv->getProtocolName();
// check if the code string for this custom service already includes
// "-p proto" fragment
string code = CustomService::cast(srv)->getCodeForPlatform(
compiler->myPlatformName());
std::size_t minus_p = code.find("-p ");
if (minus_p != string::npos) return "";
string pn = srv->getProtocolName();
if (pn == "any") return "";
}
if (!srv->isAny() && !TagService::isA(srv) && !UserService::isA(srv))
{
string pn = srv->getProtocolName();
if (pn=="ip") pn="all";
ostr << "-p " << pn << " ";
if (pn == "tcp") ostr << "-m tcp ";
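Review bot: The `-p ` detection at L465 is a bare substring search, so those three characters anywhere in the code string suppress the protocol option, and a custom service whose code carries `-p udp` while its protocol field says `tcp` silently produces a rule that disagrees with what the dialog shows. Anchoring the check to a token boundary, `code.compare(0, 3, "-p ") == 0 || code.find(" -p ") != string::npos`, and warning when the token found differs from `getProtocolName()` would make the mismatch visible at compile time. This block is duplicated verbatim in PolicyCompiler_ipt::PrintRule::_printProtocol (L513-L523); a small shared helper such as `static bool codeHasProtocolOption(const string &code)` would keep the two in step. `pn` is the user-supplied protocol field and is written into the rule at L474 without any check, so values that are not a single protocol name or number (whitespace in particular) should be rejected with a compiler error rather than allowed to change the shape of the emitted command. _printProtocol continues past the hunk.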


@ -433,17 +433,18 @@ string PolicyCompiler_ipt::PrintRule::_printDirectionAndInterface(PolicyRule *ru
return ostr.str();
}
string PolicyCompiler_ipt::PrintRule::_printActionOnReject(libfwbuilder::PolicyRule *rule)
string PolicyCompiler_ipt::PrintRule::_printActionOnReject(PolicyRule *rule)
{
std::ostringstream str;
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
// RuleElementSrv *srvrel=rule->getSrv();
Service *srv =compiler->getFirstSrv(rule); assert(srv);
Service *srv = compiler->getFirstSrv(rule);
assert(srv);
string version=compiler->fw->getStr("version");
string s=ipt_comp->getActionOnReject(rule);
string version = compiler->fw->getStr("version");
string s = ipt_comp->getActionOnReject(rule);
if (!s.empty())
{
if (ipt_comp->isActionOnRejectTCPRST(rule))
@ -672,16 +673,30 @@ string PolicyCompiler_ipt::PrintRule::_printLimit(libfwbuilder::PolicyRule *rule
return str.str();
}
string PolicyCompiler_ipt::PrintRule::_printProtocol(libfwbuilder::Service *srv)
string PolicyCompiler_ipt::PrintRule::_printProtocol(Service *srv)
{
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
string version = compiler->fw->getStr("version");
string s;
if (! srv->isAny() && !CustomService::isA(srv) &&
!TagService::isA(srv) && !UserService::isA(srv))
// CustomService returns protocol name starting with v3.0.4
// However CustomService can return protocol name "any", which we should
// just skip.
if (CustomService::isA(srv))
{
// check if the code string for this custom service already includes
// "-p proto" fragment
string code = CustomService::cast(srv)->getCodeForPlatform(
compiler->myPlatformName());
std::size_t minus_p = code.find("-p ");
if (minus_p != string::npos) return "";
string pn = srv->getProtocolName();
if (pn == "any") return "";
}
if (!srv->isAny() && !TagService::isA(srv) && !UserService::isA(srv))
{
string pn = srv->getProtocolName();
if (pn=="ip") pn = "all";
if (pn=="ip" || pn=="any") pn = "all";
if (ipt_comp->ipv6)
{
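Review bot: The `pn=="any"` clause added at L528 cannot be reached for a CustomService, because L522 already returns on that value; it only matters if some other Service subclass reports "any" as its protocol name, which nothing on this page shows. If that case does not exist the clause is dead and reads as though "any" custom services are mapped to `-p all`, contradicting the early return just above; either drop it or say why it stays, `// non-custom services are not expected to report "any"; kept defensively`. _printProtocol continues past the hunk.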


@ -375,7 +375,7 @@ string PolicyCompiler_ipt::getActionOnReject(PolicyRule *rule)
bool PolicyCompiler_ipt::isActionOnRejectTCPRST(PolicyRule *rule)
{
string s=getActionOnReject(rule);
string s = getActionOnReject(rule);
return ( ! s.empty() && s.find("TCP ")!=string::npos );
}
@ -396,19 +396,19 @@ bool PolicyCompiler_ipt::isActionOnRejectTCPRST(PolicyRule *rule)
void PolicyCompiler_ipt::resetActionOnReject(PolicyRule *rule)
{
FWOptions *ruleopt =rule->getOptionsObject();
string go=getCachedFwOpt()->getStr("action_on_reject");
string go = getCachedFwOpt()->getStr("action_on_reject");
if (!go.empty())
{
if ( go.find("TCP ")!=string::npos )
{
ruleopt->setStr("action_on_reject","NOP"); // hack.
ruleopt->setStr("action_on_reject", "NOP"); // hack.
} else
{
ruleopt->setStr("action_on_reject",go);
ruleopt->setStr("action_on_reject", go);
}
} else
ruleopt->setStr("action_on_reject","none"); // hack.
ruleopt->setStr("action_on_reject", "none"); // hack.
}
void PolicyCompiler_ipt::registerRuleSetChain(const std::string &chain_name)
@ -3400,27 +3400,27 @@ bool PolicyCompiler_ipt::splitServicesIfRejectWithTCPReset::processNext()
RuleElementSrv *srv= rule->getSrv();
if ( rule->getAction()==PolicyRule::Reject && ipt_comp->isActionOnRejectTCPRST(rule))
if ( rule->getAction()==PolicyRule::Reject &&
ipt_comp->isActionOnRejectTCPRST(rule))
{
list<Service*> tcp;
list<Service*> other;
for (FWObject::iterator i=srv->begin(); i!=srv->end(); ++i)
{
FWObject *o= *i;
if (FWReference::cast(o)!=NULL) o=FWReference::cast(o)->getPointer();
Service *s1=Service::cast( o );
Service *s1 = Service::cast(FWReference::getObject(*i));
assert(s1);
if ( TCPService::isA(s1) ) tcp.push_back(s1);
else other.push_back(s1);
// Protocol name is more reliable reference because CustomService
// allows user to set protocol name
if (s1->getProtocolName()=="tcp") tcp.push_back(s1);
else other.push_back(s1);
}
if ( !other.empty() && tcp.empty() )
{
if (seen_rules[rule->getPosition()]==false)
compiler->warning(_("Rule action 'Reject' with TCP RST can be used only with TCP services. Rule ")+rule->getLabel());
compiler->warning(
"Rule action 'Reject' with TCP RST can be used only with TCP services. Rule " + rule->getLabel());
ipt_comp->resetActionOnReject(rule);
tmp_queue.push_back(rule);
seen_rules[rule->getPosition()]=true;
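Review bot: The warning text at L589-L590 is no longer wrapped in `_()` as the replaced line L588 was; if `_()` is this compiler's translation macro, the message silently drops out of the catalogue, and restoring it is a one-token change, `_("Rule action 'Reject' with TCP RST can be used only with TCP services. Rule ") + rule->getLabel()`. With L582 the split now keys on `getProtocolName()=="tcp"`, so a CustomService whose protocol field is `tcp` lands in the TCP list and receives the TCP-reset action; if its code string carries a conflicting `-p` option, the `_printProtocol` change elsewhere in this commit suppresses `-p tcp` and the resulting rule would presumably be refused by iptables at load time, so a compiler error for a `tcp` protocol field combined with a different `-p` in the code would surface that earlier. processNext continues past the hunk.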


@ -228,10 +228,10 @@ bool NATCompiler_pf::PrintRule::processNext()
void NATCompiler_pf::PrintRule::_printProtocol(Service *srv)
{
if ( ! CustomService::isA(srv) && ! TagService::isA(srv))
if ( !TagService::isA(srv))
{
string s=srv->getProtocolName();
if (s=="ip") s="{tcp udp icmp}";
string s = srv->getProtocolName();
if (s=="ip" || s=="any") s="{tcp udp icmp}";
compiler->output << "proto " << s << " ";
}
}
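Review bot: Dropping the `!CustomService::isA(srv)` guard at L601 changes what a custom service with the default protocol `any` generates: before this commit no `proto` keyword was emitted for it, whereas L606 now maps `any` to `proto {tcp udp icmp}`, which narrows the match to those three protocols for every existing object carrying `protocol="any"` (the fixtures at L650-L695, for example). PolicyCompiler_pf::PrintRule::_printProtocol (L622-L626) handles the same case by returning without output; doing the same here, `if (CustomService::isA(srv) && s=="any") return;` placed before the `proto` line, keeps the NAT and policy compilers consistent and leaves the generated configuration as broad as it was. The ip→{tcp udp icmp} mapping itself predates this commit.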


@ -410,11 +410,19 @@ void PolicyCompiler_pf::PrintRule::_printAF(PolicyRule*)
else compiler->output << "inet ";
}
void PolicyCompiler_pf::PrintRule::_printProtocol(libfwbuilder::Service *srv)
void PolicyCompiler_pf::PrintRule::_printProtocol(Service *srv)
{
// CustomService returns protocol name starting with v3.0.4
// However CustomService can return protocol name "any", which we should
// just skip.
if (CustomService::isA(srv))
{
string pn = srv->getProtocolName();
if (pn == "any") return;
}
if (!srv->isAny() &&
!CustomService::isA(srv) &&
!TagService::isA(srv) &&
!UserService::isA(srv) &&
srv->getProtocolName()!="ip")
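Review bot: The new early return at L622-L626 looks like dead code, because the condition at L627-L631 still contains `!CustomService::isA(srv)` at L628, which reads as unchanged context (the header's +8 matches exactly the added lines L619-L626); if so, every CustomService is skipped there regardless of its protocol field and a custom service set to `tcp` never gets `proto tcp` on PF, contrary to the ChangeLog entry at L23-L25. If PF support for the protocol field is intended, hoist `string pn = srv->getProtocolName();` above the condition, remove L628, and test `pn!="ip" && pn!="any"` in place of L631, which also makes the separate early return unnecessary. The rest of _printProtocol lies outside the hunk, so a later check there may already cover this.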


@ -791,8 +791,7 @@
</PolicyRule>
</Policy>
<ObjectRef ref="id3CEBFF26"/>
<ObjectRef ref="sysid0"/>
<ObjectRef ref="sysid0"/>
<ServiceRef ref="tcp-HTTP"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
@ -1794,9 +1793,10 @@
<UDPService id="id3ED59BF1" name="udp-src-67" comment="" ro="False" src_range_start="67" src_range_end="67" dst_range_start="0" dst_range_end="0"/>
</ServiceGroup>
<ServiceGroup id="stdid13_1" name="Custom" comment="" ro="False">
<CustomService id="id3B64FE22" name="talk" comment="Talk support" ro="False">
<CustomService id="id3B64FE22" name="talk" comment="Talk support" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
@ -1805,7 +1805,9 @@
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3D34B329" name="test-custom-1" comment="" ro="False">
<CustomService id="id3D34B329" name="test-custom-1" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-p tcp -m state --state ESTABLISHED --tcp-flags SYN,ACK,RST,URG ACK</CustomServiceCommand>
@ -1813,7 +1815,9 @@
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3D34B32A" name="test-custom-2" comment="" ro="False">
<CustomService id="id3D34B32A" name="test-custom-2" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-p tcp -m state --state ESTABLISHED --tcp-flags SYN,FIN,RST,URG,PSH RST</CustomServiceCommand>
@ -1821,7 +1825,9 @@
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id3FADE3CC" name="string" comment="" ro="False">
<CustomService id="id3FADE3CC" name="string" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf">-m string --string test_pattern</CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m string --string test_pattern</CustomServiceCommand>
@ -1829,7 +1835,9 @@
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id4003B1AC" name="old AIM session" comment="" ro="False">
<CustomService id="id4003B1AC" name="old AIM session" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-p tcp ! --syn -dport 5190 -m state --state NEW</CustomServiceCommand>
@ -1837,6 +1845,26 @@
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id45862X16372" name="ipv6 source route" comment="" ro="False" protocol="any" address_family="ipv6">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m rt --rt-type 0</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id45863X16372" name="reject syn-ack" comment="" ro="False" protocol="tcp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
</ServiceGroup>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
@ -9825,7 +9853,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3D4DF34B" host_OS="linux24" lastCompiled="1215360300" lastInstalled="1142003872" lastModified="1219534909" platform="iptables" name="firewall9" comment="testing rules with action-on-reject &quot;TCP reset&quot;&#10;" ro="False">
<Firewall id="id3D4DF34B" host_OS="linux24" lastCompiled="1230445350" lastInstalled="1142003872" lastModified="1230445726" platform="iptables" name="firewall9" comment="testing rules with action-on-reject &quot;TCP reset&quot;&#10;" ro="False">
<NAT id="id3D4DF34C" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id3D4DF34D" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3D4DF362" disabled="False" log="True" position="0" action="Reject" direction="Both" comment="">
@ -10145,6 +10173,153 @@
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id77415X37109" disabled="False" group="" log="False" position="12" action="Reject" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45863X16372"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id206275X37109" disabled="False" group="" log="False" position="13" action="Reject" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45863X16372"/>
<ServiceRef ref="tcp-HTTP"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id206293X37109" disabled="False" group="" log="False" position="14" action="Reject" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45863X16372"/>
<ServiceRef ref="tcp-HTTP"/>
<ServiceRef ref="udp-DNS"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject">TCP RST</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="firewall_is_part_of_any_and_networks">False</Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Routing id="id3D4DF34B-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3D4DF3B2" bridgeport="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
@ -13354,7 +13529,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3EFBC648" host_OS="linux24" lastCompiled="1215360888" lastInstalled="1142003872" lastModified="1142003913" platform="iptables" version="" name="firewall20" comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" ro="False">
<Firewall id="id3EFBC648" host_OS="linux24" lastCompiled="1215360888" lastInstalled="1142003872" lastModified="1230444061" platform="iptables" version="" name="firewall20" comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" ro="False">
<NAT id="id3EFBC649" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3EFBC64A" disabled="False" position="0" comment="">
<OSrc neg="False">
@ -13784,7 +13959,27 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id3EFBC6E7" disabled="False" log="True" position="18" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
<PolicyRule id="id40551X29621" disabled="False" group="" log="True" position="18" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45862X16372"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3EFBC6E7" disabled="False" log="True" position="19" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -29185,7 +29380,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id30191X26784" host_OS="linux24" inactive="False" lastCompiled="1218679089" lastInstalled="1142003872" lastModified="1229388198" platform="iptables" version="" name="firewall20-ipv6" comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning.&#10;" ro="False">
<Firewall id="id30191X26784" host_OS="linux24" inactive="False" lastCompiled="1218679089" lastInstalled="1142003872" lastModified="1230444087" platform="iptables" version="" name="firewall20-ipv6" comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it (interface used to be static and had an address, then got converted to dynamic but address object is still there). Compiler should ignore this address object and issue a warning.&#10;" ro="False">
<NAT id="id30432X26784" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="True" top_rule_set="True">
<NATRule id="id30433X26784" disabled="False" position="0" comment="">
<OSrc neg="False">
@ -29615,7 +29810,27 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id30420X26784" disabled="False" log="True" position="18" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
<PolicyRule id="id58934X29621" disabled="False" group="" log="True" position="18" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45862X16372"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id30420X26784" disabled="False" log="True" position="19" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -35431,7 +35646,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id55972X87590" host_OS="linux24" inactive="False" lastCompiled="1229388489" lastInstalled="0" lastModified="1229390432" platform="iptables" version="" name="firewall-ipv6-2" comment="Using ULOG globally, but ipv6 rules&#10;should fall back to LOG because&#10;there is no ULOG for ip6tables yet&#10;Bug 2141911&#10;" ro="False">
<Firewall id="id55972X87590" host_OS="linux24" inactive="False" lastCompiled="1230445064" lastInstalled="0" lastModified="1230444846" platform="iptables" version="" name="firewall-ipv6-2" comment="Using ULOG globally, but ipv6 rules&#10;should fall back to LOG because&#10;there is no ULOG for ip6tables yet&#10;Bug 2141911&#10;" ro="False">
<NAT id="id56353X87590" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Policy id="id56087X87590" name="Policy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="True" top_rule_set="True">
<PolicyRule id="id56088X87590" disabled="False" group="" log="False" position="0" action="Accept" direction="Both" comment="this rule shadows the next.&#10;Note that we add command line&#10;flag -xt to the compiler">
@ -36015,7 +36230,27 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id111075X88392" disabled="False" group="" log="True" position="29" action="Deny" direction="Both" comment="">
<PolicyRule id="id77330X29621" disabled="False" group="" log="True" position="29" action="Deny" direction="Both" comment="test for bug 2463048 &#10;&quot;custom services should have IPv4/v6 setting&quot;&#10;&#10;rule should compile for ipv6 b/c custom service&#10;object &quot;ipv6 source route&quot; is configured as &quot;ipv6&quot;&#10;&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id45862X16372"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id111075X88392" disabled="False" group="" log="True" position="30" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -36546,10 +36781,10 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<TCPService id="id3B4FF09A" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="squid" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
<TCPService id="tcp-SSH" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ssh" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="22" dst_range_end="22"/>
<TCPService id="tcp-Telnet" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="telnet" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="23" dst_range_end="23"/>
<TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
<TCPService id="tcp-Auth" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="auth" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
<TCPService id="tcp-DNS_zone_transf" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="dns-tcp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<TCPService id="tcp-FTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="ftp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
<TCPService id="tcp-HTTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="http" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="80" dst_range_end="80"/>
<TCPService id="tcp-NNTP" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="nntp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
<TCPService id="tcp-uucp" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="uucp" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="540" dst_range_end="540"/>
<TCPService id="id3AEDBE6E" ack_flag="False" ack_flag_mask="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="daytime" comment="" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>


@ -352,6 +352,7 @@
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<ServiceRef ref="sysid1"/>
</Library>
<Library id="syslib001" color="#d2ffd0" name="User" comment="User defined objects" ro="False">
<ObjectGroup id="stdid01_1" name="Objects" comment="" ro="False">
@ -858,16 +859,35 @@
</ServiceGroup>
<ServiceGroup id="stdid08_1" name="UDP" comment="" ro="False"/>
<ServiceGroup id="stdid13_1" name="Custom" comment="" ro="False">
<CustomService id="id3B64FE22" name="talk" comment="Talk support" ro="False">
<CustomService id="id3B64FE22" name="talk" comment="Talk support" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="Undefined"></CustomServiceCommand>
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfilter"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m ip_conntrack_talk -m ip_nat_talk</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id41F9FFBA" name="natproto" comment="" ro="False">
<CustomService id="id41F9FFBA" name="natproto" comment="" ro="False" protocol=" {tcp udp icmp gre}" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf">proto {tcp udp icmp gre}</CustomServiceCommand>
<CustomServiceCommand platform="pf"> </CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id78051X16372" name="all protocols pf" comment="" ro="False" protocol="{tcp udp icmp gre}" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables"></CustomServiceCommand>
<CustomServiceCommand platform="pf"> </CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
@ -879,7 +899,7 @@
</ServiceGroup>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
<Firewall id="fw-firewall2" host_OS="openbsd" inactive="False" lastCompiled="1157930800" lastInstalled="0" lastModified="1202682308" platform="pf" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
<Firewall id="fw-firewall2" host_OS="openbsd" inactive="False" lastCompiled="1157930800" lastInstalled="0" lastModified="1230447370" platform="pf" version="" name="firewall" comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule" ro="False">
<NAT id="nat-firewall2" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="nat-firewall2-0" disabled="False" position="0" comment="">
<OSrc neg="False">
@ -1411,7 +1431,27 @@
<Option name="log_prefix"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-7" disabled="False" log="True" position="19" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
<PolicyRule id="id15806X38936" disabled="False" group="" log="False" position="19" action="Accept" direction="Both" comment="test for bug 1111267: &quot;CustomService should specify protocol and parameters for it&quot;&#10;Should generate &quot;proto { tcp udp icmp gre}&quot;&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id78051X16372"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="pol-firewall2-7" disabled="False" log="True" position="20" action="Deny" direction="Both" comment="Automatically generated 'catch all' rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -2665,7 +2705,7 @@
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3AFB66C6" host_OS="openbsd" inactive="False" lastCompiled="1157930805" lastInstalled="0" lastModified="1215407591" platform="pf" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
<Firewall id="id3AFB66C6" host_OS="openbsd" inactive="False" lastCompiled="1157930805" lastInstalled="0" lastModified="1230447763" platform="pf" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
<NAT id="id3AFB66C7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3AFB66C8" disabled="False" position="0" comment="">
<OSrc neg="False">