
* PolicyCompiler_ipt.cpp (checkForStatefulICMP6Rules::processNext):

fixed SF bug 3094273 "no state needed for ipv6-icmp in
ip6tables". Rules that match ICMPv6 objects should be
stateless. The compiler will check for this, reset the "stateful" flag
of the rule and issue a warning if the rule was built stateful in the
GUI.
This commit is contained in:
Vadim Kurland 2010-10-29 18:04:48 -07:00
parent db73c4b743
commit a76c1a21a1
4 changed files with 245 additions and 4 deletions


@ -1,5 +1,15 @@
2010-10-29 Vadim Kurland <vadim@vk.crocodile.org>
* PolicyCompiler_ipt.cpp (checkForStatefulICMP6Rules::processNext):
fixed SF bug 3094273 "no state needed for ipv6-icmp in
ip6tables". Rules that match ICMPv6 objects should be
stateless. Compiler will check for this and reset "stateful" flag
of a rule and issue warning if the rule was built stateful in the
GUI. This could be version-dependent, we may need to revisit this
in the future when netfilter fixes the underlying issue. Some
resources: https://bugzilla.redhat.com/show_bug.cgi?id=243739
https://bugs.launchpad.net/ubuntu/+source/iptables/+bug/479105
* src/res/objects_init.xml.in: added ICMPv6 object "parameter
problem" (type 4, any code) per SF feature request 3094743. Also
added service group object "ipv6 unreachable messages" that


@ -3672,6 +3672,34 @@ bool PolicyCompiler_ipt::splitRuleIfSrvAnyActionReject::processNext()
return true;
}
/**
* objects in Srv must be of the same type by the time when we call
* this rule processor
*/
bool PolicyCompiler_ipt::checkForStatefulICMP6Rules::processNext()
{
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
FWOptions *ruleopt = rule->getOptionsObject();
RuleElementSrv *srv = rule->getSrv();
if (!srv->isAny())
{
Service *s = Service::cast(FWReference::getObject(srv->front()));
assert(s);
if (ICMP6Service::isA(s) && ! ruleopt->getBool("stateless"))
{
compiler->warning(
rule,
"Making rule stateless because it matches ICMPv6");
ruleopt->setBool("stateless",true);
}
}
tmp_queue.push_back(rule);
return true;
}
/*
* I am adding subrule suffix here, which I then use to generate
* unique new chain name for this rule. The idea is to generate
@ -4535,6 +4563,7 @@ void PolicyCompiler_ipt::compile()
add( new separatePortRanges("separate port ranges"));
add( new separateUserServices("separate user services"));
add( new separateSrcPort("split on TCP and UDP with source ports"));
add( new checkForStatefulICMP6Rules("Make sure rules that match icmpv6 are stateless"));
// add( new optimize1( "optimization 1, pass 1" ) );
// add( new optimize1( "optimization 1, pass 2" ) );
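Review bot: checkForStatefulICMP6Rules::processNext makes a rule stateless whenever the first object in Srv is an ICMP6Service, but it never looks at whether the Srv element is negated (the data file in this same commit shows Srv elements carry a `neg` attribute); a negated element matches everything except ICMPv6, so such a rule is not affected by the ip6tables issue and silently dropping its state tracking widens what it accepts. Guarding the block with the element's negation flag, `if (!srv->isAny() && !srv->getNeg())` assuming RuleElement exposes getNeg() as it does elsewhere in libfwbuilder, keeps the rewrite to the case the bug report describes. Two smaller points in the same function: `ipt_comp` is obtained via dynamic_cast and never used, and `assert(s)` is the only guard before `ICMP6Service::isA(s)`, so in an NDEBUG build a Srv entry that does not resolve to a Service would dereference NULL; an explicit `if (s == NULL)` error path would be more robust than the assert. The second hunk registers the processor after separateSrcPort, which satisfies the header's "after groups have been expanded" requirement only if group expansion runs earlier in compile() — that part of the chain is outside the hunk.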


@ -749,6 +749,19 @@ protected:
};
friend class PolicyCompiler_ipt::splitServicesIfRejectWithTCPReset;
/**
* Rules that match icmpv6 should not be stateful. See SF bug 3094273
* Will reset "stateful" flag and issue warning.
* Call this processor after groups have been expanded in Srv
*/
class checkForStatefulICMP6Rules :public PolicyRuleProcessor
{
public:
checkForStatefulICMP6Rules(const std::string &name) : PolicyRuleProcessor(name) {}
virtual bool processNext();
};
friend class PolicyCompiler_ipt::checkForStatefulICMP6Rules;
/**
* This processor separates TCP/UDP services with port ranges
* (they can not be used with multiport). It also separates
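Review bot: The class comment says the processor "Will reset "stateful" flag", but the implementation in PolicyCompiler_ipt.cpp sets the rule option named "stateless" to true, so a reader grepping for a "stateful" option will not find one; the comment should name the option that actually changes, e.g. `* Will set the "stateless" rule option to true and issue a warning.`. It would also help to state in the comment that only the first object of Srv is inspected, since that is what the .cpp relies on when it says all Srv objects must be of the same type by this point.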


@ -143,6 +143,12 @@
<ServiceRef ref="icmp-ping_reply"/>
<ServiceRef ref="icmp-Unreachables"/>
</ServiceGroup>
<ServiceGroup id="id1569X4889" name="Ipv6 unreachable messages" comment="" ro="False">
<ServiceRef ref="idE0D27650"/>
<ServiceRef ref="idCFE27650"/>
<ServiceRef ref="idE0B27650"/>
<ServiceRef ref="id1519Z388"/>
</ServiceGroup>
<ServiceGroup id="id3B4FEDD9" name="kerberos" comment="" ro="False">
<ServiceRef ref="id3B4FEDA5"/>
<ServiceRef ref="id3B4FEDA9"/>
@ -205,6 +211,7 @@
<ICMP6Service id="ipv6-icmp-neighbrsol" code="0" type="135" name="ipv6 neighbrsol" comment="IPv6 neighbor solicitation" ro="False"/>
<ICMP6Service id="ipv6-icmp-neighbradv" code="0" type="136" name="ipv6 neighbradv" comment="IPv6 neighbor advertisement" ro="False"/>
<ICMP6Service id="ipv6-icmp-redir" code="0" type="137" name="ipv6 redir" comment="IPv6 redirect: shorter route exists" ro="False"/>
<ICMP6Service id="id1519Z388" code="-1" type="4" name="ipv6 parameter problem" comment="IPv6 Parameter Problem: RFC4443" ro="False"/>
<ICMP6Service id="idCFE27650" code="0" type="3" name="ipv6 time exceeded" comment="Time exceeded in transit" ro="False"/>
<ICMP6Service id="idCFF27650" code="1" type="3" name="ipv6 time exceeded in reassembly" comment="Time exceeded in reassembly" ro="False"/>
<ICMP6Service id="idE0B27650" code="-1" type="2" name="ipv6 packet too big" comment="" ro="False"/>
@ -31859,7 +31866,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id4833F62B6131" host_OS="linux24" inactive="False" lastCompiled="1280268015" lastInstalled="0" lastModified="1280267960" platform="iptables" version="" name="firewall-ipv6-1" comment="Using ULOG globally, but ipv6 rules&#10;should fall back to LOG because&#10;there is no ULOG for ip6tables yet&#10;Bug 2141911&#10;" ro="False">
<Firewall id="id4833F62B6131" host_OS="linux24" inactive="False" lastCompiled="1280268015" lastInstalled="0" lastModified="1288399354" platform="iptables" version="" name="firewall-ipv6-1" comment="Using ULOG globally, but ipv6 rules&#10;should fall back to LOG because&#10;there is no ULOG for ip6tables yet&#10;Bug 2141911&#10;" ro="False">
<NAT id="id4833F62F6131" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@ -32003,6 +32010,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
@ -32023,6 +32031,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
@ -32043,10 +32052,190 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43597X31704" disabled="False" log="False" position="9" action="Accept" direction="Outbound" comment="">
<PolicyRule id="id2237207X9812" disabled="False" group="" log="False" position="9" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F62B6131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="idCFE27660"/>
<ServiceRef ref="id3B4FED9F"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C08B5A</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2782843X9812" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F62B6131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="idCFE27660"/>
<ServiceRef ref="id3E7E3E9A"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C08B5A</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1419191X9812" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F62B6131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="idCFE27660"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1419145X9812" disabled="False" group="" log="False" position="12" action="Accept" direction="Inbound" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id4833F62B6131"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="idCFE27660"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1419099X9812" disabled="False" group="" log="False" position="13" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="idCFE27660"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">True</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43597X31704" disabled="False" log="False" position="14" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id4833F6316131"/>
</Src>
@ -32066,7 +32255,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43963X63240" disabled="False" group="" log="True" position="10" action="Deny" direction="Both" comment="ipv4 address range for bug 2820152">
<PolicyRule id="id43963X63240" disabled="False" group="" log="True" position="15" action="Deny" direction="Both" comment="ipv4 address range for bug 2820152">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -32086,7 +32275,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43989X63637" disabled="False" group="" log="True" position="11" action="Deny" direction="Both" comment="ipv4 address range for bug 2820152&#10;">
<PolicyRule id="id43989X63637" disabled="False" group="" log="True" position="16" action="Deny" direction="Both" comment="ipv4 address range for bug 2820152&#10;">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>