mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-24 12:17:26 +01:00

Merge branch 'development' of ssh://ncgit/var/git/fwbuilder into development

Conflicts:
	src/libfwbuilder/src/fwbuilder/fwbuilder.pro
Theron Tock 2011-05-25 15:05:56 -07:00
commit b6f2d7d921
267 changed files with 12159 additions and 2722 deletions

View File

@ -7,7 +7,7 @@ FWB_MICRO_VERSION=0
# build number is like "nano" version number. I am incrementing build
# number during development cycle
#
BUILD_NUM="3541"
BUILD_NUM="3544"
VERSION="$FWB_MAJOR_VERSION.$FWB_MINOR_VERSION.$FWB_MICRO_VERSION.$BUILD_NUM"
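Review bot: the build number bumped here (3541 to 3544) is repeated by hand in four other files in this same commit (the `#define VERSION` header, two rpm spec files and the deb control file); generating those from this single `BUILD_NUM` at build time would remove the risk of the copies drifting apart, which is the kind of mismatch that makes a released binary report a version the packaging does not carry.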

View File

@ -1,2 +1,2 @@
#define VERSION "4.3.0.3541"
#define VERSION "4.3.0.3544"
#define GENERATION "4.3"

View File

@ -1,3 +1,100 @@
2011-05-17 vadim <vadim@netcitadel.com>
* FWObjectDatabase_tree_ops.cpp (merge): see #2420 "Crash when
selecting New Firewall and existing firewall has interface that is
locked". Fixed GUI crash that happened on some operations if an
object in the tree was locked. For example, if the user locked an
interface of one of the firewall objects that then proceeded to
create new firewall object, the GUI would crash. The problem was
not limited to locking specifically interface objects.
2011-05-15 vadim <vadim@netcitadel.com>
* IPTImporter.cpp (pushPolicyRule): see #2411 Implemented import
of iptables rules with target CLASSIFY.
2011-05-14 vadim <vadim@netcitadel.com>
* CompilerDriver_ipt.cpp (findBranchesInMangleTable): see #2405
"Tag and classify actions dont work properly with branches".
When branching rule points to a rule set that has rules with Tag
and Classify options, branching should occur in mangle table even
when checkbox "create branch in mangle table" is not checked. The
fix in this change is tentative as it creates branch in chains
PREROUTING, POSTROUTING and OUTPUT. Since target CLASSIFY is only
allowed in POSTROUTING, this may create conflict. Need to test
more.
* AttachedNetworks.cpp (AttachedNetworks): see #1580 New object
type: network object that automatically matches subnets an
interface is attached to. The object can be a child of an
interface. The object is optional and is not created automatically
for all interfaces; user can add it using context menu associated
with an interface. Dialog for this object allows editing of the
name and comment. List of network addresses represented by this
object is always generated automatically. Compiler for PF
translates this object to "en0:network" construct that is
supported by PF. Compiler for iptables expands it to the list of
ipv4 and ipv6 networks defined by the addresses of the parent
interface if interface has static addresses. If interface is
confgiured as "dynamic" and has no address in fwbuilder, then
compiler treats AttachedNetworks object as run-time and uses shell
function to determine network addresses during activation of the
firewall script. Compilers for other firewall platforms always
treat this object as compile-time and abort if it is used with
dynamic interface.
2011-05-13 vadim <vadim@netcitadel.com>
* PolicyCompiler_ipt.cpp (processNext): see #2402 "Tag action
should be done in PREROUTING so it can be acted on later". If a
rule has both tagging and classification options, the rule should
be split so that iptables command doing tagging goes in PREROUTING
and rule doing classification goes into POSTROUTING chain.
* PolicyCompiler_ipt.cpp (processNext): see #2401 "Deprecating
Route option for iptables". This target is not included in any of
the popular Linux distributions (checked in Ubuntu, Fedora and
CentOS). The GUI dialog and all support in the compiler will be
removed in future version of fwbuilder. Beginning with 4.3.0,
compiler aborts with an error when it encounters a rule using this
option. In older versions of fwbuilder (4.2.x and before) this
option was presented as an action "Route".
* CompilerDriver_ipt_run.cpp (run): see #2400 'Mixing Actions
"Accept" and "Classify" results in incorrect rules', see #2399
'Mixing Actions "Accept" and "Tag" results in incorrect ruleset'.
After we made Tag, Classify and Route rule options instead of
actions, rules that mix these options with actions "Accept" and
others, except for "Continue", should be treated differently. The
action are now implemented using iptables rules in the table
"filter" and additional rules in table "mangle" is used to
implement only tagging, classification or routing. Generated
script does not change default action in table "mangle" and
assumes it is "ACCEPT" so adding rules with target ACCEPT in
mangle table should not be necessary. Another change because of
this affects branching rules that use option "create branch in
mangle table in addition to the filter table". These rules used to
duplicate the same action and logging rules in mangle. Now they
dont do this and only create rules in mangle if branch rule set
performs tagging, classification or routing.
2011-05-11 vadim <vadim@netcitadel.com>
* v4.2.2 released
* newFirewallDialog.cpp (finishClicked): fixes #2395 "Crash when
setting installer directory location" and fixes #2396 "Crash when
changing firewall name". These two bug reports where the
manifestation of the same problem that was introduced by the fix
for #2380. When user hits OK in the newFirewallDialog and it
merges temporary object tree into the main object tree, it should
call fixTree() to fix all pointers to the root of the tree.
2011-05-10 vadim <vadim@netcitadel.com>
* v4.2.1 released
2011-05-10 Vadim Kurland <vadim@netcitadel.com>
* fwbuilder 4.2.1.3540 released; started v4.3.0
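Review bot: the #2405 entry states that CLASSIFY is "only allowed in POSTROUTING", but the in-code comment removed from PolicyCompiler_ipt.cpp later in this commit (bug #1618329) records that CLASSIFY is valid in POSTROUTING, OUTPUT and FORWARD, and the IPTImporter hunk accepts classification rules from FORWARD; the two statements should be reconciled before the "tentative" fix is finalized, and "Need to test more" should be replaced by a unit test in src/unit_tests covering a branch rule set that contains Classify rules. Minor: "confgiured" and "dont" in the #1580 and #2400 entries.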

View File

@ -7,24 +7,15 @@ SUBDIRS = src doc
DOLLAR = $
build_tests.commands = cd src/unit_tests; \
qmake -spec $${DOLLAR}$${DOLLAR}QMAKESPEC && \
./unit_tests.sh make build_tests; \
cd -
build_tests.commands = ./unit_tests.sh make build_tests
build_tests.depends = all
run_tests.commands = cd src/unit_tests; \
qmake -spec $${DOLLAR}$${DOLLAR}QMAKESPEC && \
./unit_tests.sh make run_tests; \
cd -
run_tests.commands = ./unit_tests.sh make run_tests
run_tests.depends = all
tests.depends = run_tests
clean_tests.commands = cd src/unit_tests; \
qmake -spec $${DOLLAR}$${DOLLAR}QMAKESPEC && \
./unit_tests.sh make clean_tests; \
cd -
clean_tests.commands = ./unit_tests.sh make clean_tests
QMAKE_EXTRA_TARGETS += build_tests run_tests clean_tests tests
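Review bot: the three test targets no longer `cd src/unit_tests` or run `qmake -spec $$QMAKESPEC` before calling `./unit_tests.sh`, so the script must now exist at the top level (or be a wrapper that changes directory itself) and must run qmake on its own; if it does not, `make tests` fails with a missing-file error rather than running the suite. Confirm the relocated script is part of this commit, since it is not in the diff.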

View File

@ -3,7 +3,7 @@
%define name fwbuilder
%define version 4.3.0.3541
%define version 4.3.0.3544
%define release 1
%if "%_vendor" == "MandrakeSoft"

View File

@ -4,6 +4,6 @@ Replaces: fwbuilder (<=4.1.1-1), fwbuilder-common, fwbuilder-bsd, fwbuilder-linu
Priority: extra
Section: checkinstall
Maintainer: vadim@fwbuilder.org
Version: 4.3.0.3541-1
Version: 4.3.0.3544-1
Depends: libqt4-gui (>= 4.3.0), libxml2, libxslt1.1, libsnmp | libsnmp15
Description: Firewall Builder GUI and policy compilers

View File

@ -1,6 +1,6 @@
%define name fwbuilder
%define version 4.3.0.3541
%define version 4.3.0.3544
%define release 1
%if "%_vendor" == "MandrakeSoft"

View File

@ -101,7 +101,7 @@ macx:LIBS += $$LIBS_FWCOMPILER
INCLUDEPATH += ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../compiler_lib ../libfwbuilder/src
win32:PRE_TARGETDEPS = ../compiler_lib/release/compilerdriver.lib
win32:PRE_TARGETDEPS = ../compiler_lib/release/libcompilerdriver.a
!win32:PRE_TARGETDEPS = ../compiler_lib/libcompilerdriver.a
CONFIG += staticlib
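Review bot: the win32 dependency path is hard-coded to `../compiler_lib/release/libcompilerdriver.a` while the other project files in this commit switch to `../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a`; a debug win32 build would look in `release/` for a file that is not there. Using `$$BINARY_SUBDIR` here too would also let the `win32:` and `!win32:` lines collapse into one.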

View File

@ -22,28 +22,16 @@ TARGET = fwbedit
QMAKE_COPY = ../../install.sh -m 0755 -s
}
!win32:LIBS = ../common/libcommon.a \
../import/libimport.a \
../parsers/libfwbparser.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a \
../libgui/libgui.a \
$$ANTLR_LIBS \
$$LIBS
PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \
../import/$$BINARY_SUBDIR/libimport.a \
../parsers/$$BINARY_SUBDIR/libfwbparser.a \
../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
../libgui/$$BINARY_SUBDIR/libgui.a \
../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \
!win32:PRE_TARGETDEPS = ../common/libcommon.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a
LIBS += $$PRE_TARGETDEPS $$ANTLR_LIBS $$LIBS
win32:CONFIG += console
win32:LIBS += ../common/release/common.lib \
../import/release/import.lib \
../parsers/release/fwbparser.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libgui/release/gui.lib \
$$ANTLR_LIBS \
$$LIBS
win32:PRE_TARGETDEPS = ../common/release/common.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib
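Review bot: the new `PRE_TARGETDEPS` list ends with a trailing `\` after `libfwbuilder.a`; if the line that follows it in the file is `LIBS += $$PRE_TARGETDEPS $$ANTLR_LIBS $$LIBS` rather than a blank line, the continuation folds that statement into the value of `PRE_TARGETDEPS`. Either drop the trailing backslash or make sure a blank line separates the two statements. Separately, `LIBS += ... $$LIBS` appends the current value of `LIBS` to itself (the removed `!win32:LIBS = ... $$LIBS` was an assignment), so every library already in `LIBS` now appears twice on the link line; `LIBS = $$PRE_TARGETDEPS $$ANTLR_LIBS $$LIBS` keeps the intended order (static archives first) without the duplication.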

View File

@ -11,24 +11,17 @@ SOURCES += main.cpp
# Arrange static libraries before dynamic ones in the linker command
# line. libgui goes first
win32 {
IMPORT_LIB = ../import/release/import.lib
FWBPARSER_LIB = ../parsers/release/fwbparser.lib
FWTRANSFER_LIB = ../fwtransfer/release/fwtransfer.lib
STATIC_LIBS += ../libgui/release/gui.lib
}
!win32 {
IMPORT_LIB = ../import/libimport.a
FWBPARSER_LIB = ../parsers/libfwbparser.a
FWTRANSFER_LIB = ../fwtransfer/libfwtransfer.a
STATIC_LIBS += ../libgui/libgui.a
}
IMPORT_LIB = ../import/$$BINARY_SUBDIR/libimport.a
FWBPARSER_LIB = ../parsers/$$BINARY_SUBDIR/libfwbparser.a
FWTRANSFER_LIB = ../fwtransfer/$$BINARY_SUBDIR/libfwtransfer.a
INCLUDEPATH += $$ANTLR_INCLUDEPATH
STATIC_LIBS += $$IMPORT_LIB $$FWBPARSER_LIB $$ANTLR_LIBS
DEFINES += $$ANTLR_DEFINES
STATIC_LIBS += ../libgui/$$BINARY_SUBDIR/libgui.a \
$$IMPORT_LIB $$FWBPARSER_LIB $$ANTLR_LIBS
# fwtransfer lib. Add this before adding -lQtDBus to LIBS below
STATIC_LIBS += $$FWTRANSFER_LIB
contains( HAVE_QTDBUS, 1 ):unix {
@ -53,47 +46,17 @@ DEPENDPATH += \
../compiler_lib \
../libfwbuilder/src
win32:STATIC_LIBS += \
../common/release/common.lib \
../iptlib/release/iptlib.lib \
../pflib/release/fwbpf.lib \
../cisco_lib/release/fwbcisco.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
OTHER_LIBS = ../common/$$BINARY_SUBDIR/libcommon.a \
../iptlib/$$BINARY_SUBDIR/libiptlib.a \
../pflib/$$BINARY_SUBDIR/libfwbpf.a \
../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \
../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a
!win32:STATIC_LIBS += \
../common/libcommon.a \
../iptlib/libiptlib.a \
../pflib/libfwbpf.a \
../cisco_lib/libfwbcisco.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a \
PRE_TARGETDEPS = $$OTHER_LIBS $$IMPORT_LIB $$FWBPARSER_LIB $$ANTLR_LIBS
win32:PRE_TARGETDEPS = \
../libgui/release/gui.lib \
../common/release/common.lib \
../iptlib/release/iptlib.lib \
../pflib/release/fwbpf.lib \
../cisco_lib/release/fwbcisco.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib \
$$FWBPARSER_LIB \
$$IMPORT_LIB
!win32:PRE_TARGETDEPS = \
../libgui/libgui.a \
../common/libcommon.a \
../iptlib/libiptlib.a \
../pflib/libfwbpf.a \
../cisco_lib/libfwbcisco.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
$$FWBPARSER_LIB \
$$IMPORT_LIB
STATIC_LIBS += $$OTHER_LIBS
macx:STATIC_LIBS += -framework \
Carbon
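Review bot: the old `PRE_TARGETDEPS` lists started with `libgui.a` (matching the "libgui goes first" comment at the top of this file), but the new `PRE_TARGETDEPS = $$OTHER_LIBS $$IMPORT_LIB $$FWBPARSER_LIB $$ANTLR_LIBS` does not include `../libgui/$$BINARY_SUBDIR/libgui.a` at all, only `STATIC_LIBS` does. Without it, a change to libgui no longer triggers a relink of the GUI binary, which is exactly the stale-binary situation the dependency list exists to prevent; add the libgui archive to `OTHER_LIBS` or to `PRE_TARGETDEPS` directly.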

View File

@ -109,6 +109,8 @@ void usage()
int main( int argc, char *argv[] )
{
cout << "Firewall Builder GUI " VERSION << endl << flush;
filename = "";
print_output_file_name = "";
fwbdebug = 0;
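Review bot: the version banner is written to stdout unconditionally for a GUI binary, so it also shows up whenever the program is started from a script with output captured; printing it only when `fwbdebug` is set, or to `cerr` with the rest of the diagnostics, keeps stdout clean. The string concatenation `"Firewall Builder GUI " VERSION` also relies on `VERSION` staying a string-literal macro (as in the `#define VERSION "4.3.0.3544"` hunk above); worth a comment so nobody later turns it into a variable.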

View File

@ -730,6 +730,7 @@ void IPTImporter::pushPolicyRule()
{
action = PolicyRule::Continue;
rule->setClassification(true);
ropt->setStr("classify_str", action_params["set_class"]);
}
if (target=="LOG")
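Review bot: `action_params["set_class"]` goes through `operator[]`, which on a std::map or QMap silently inserts and returns an empty value when the CLASSIFY rule carried no `--set-class` parameter, so `classify_str` ends up empty with no diagnostic and the compiled rule later fails or classifies nothing. Check for the key first (`action_params.count("set_class")` or `find`) and report an import error when it is missing, as the importer does for other malformed input.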
@ -1065,7 +1066,8 @@ void IPTImporter::pushPolicyRule()
if (current_table == "mangle")
{
if (current_chain == "POSTROUTING" || current_chain == "FORWARD")
if ( ! rule->getClassification() &&
(current_chain == "POSTROUTING" || current_chain == "FORWARD"))
{
QString err = QObject::tr(
"Fwbuilder can not reproduce iptables rule in "
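Review bot: the relaxed condition lets classification rules from the mangle FORWARD chain through without the "can not reproduce" error, but per the #2402 ChangeLog entry the compiler emits classification in POSTROUTING, so a rule imported from FORWARD will not round-trip to the same chain. Either restrict the exception to POSTROUTING or emit an import warning saying the rule will be regenerated in POSTROUTING, so the user is not surprised by the changed match point.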

View File

@ -35,7 +35,8 @@ HEADERS = QStringListOperators.h \
CONFIG += staticlib
INCLUDEPATH += $$ANTLR_INCLUDEPATH ../libfwbuilder/src ../compiler_lib
# need to add "." for g++ on mingw
INCLUDEPATH += $$ANTLR_INCLUDEPATH ../libfwbuilder/src ../compiler_lib .
DEPENDPATH += $$ANTLR_INCLUDEPATH ../libfwbuilder/src ../compiler_lib
LIBS += $$ANTLR_LIBS

View File

@ -21,31 +21,13 @@ win32:CONFIG += console
INCLUDEPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src
win32:LIBS += ../common/release/common.lib \
../cisco_lib/release/fwbcisco.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
!win32:LIBS = ../common/libcommon.a \
../cisco_lib/libfwbcisco.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a \
$$LIBS
win32:PRE_TARGETDEPS = ../common/release/common.lib \
../cisco_lib/release/fwbcisco.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
!win32:PRE_TARGETDEPS = ../common/libcommon.a \
../cisco_lib/libfwbcisco.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a
PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \
../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \
../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \
LIBS += $$PRE_TARGETDEPS $$LIBS
TARGET = fwb_iosacl
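Review bot: `LIBS += $$PRE_TARGETDEPS $$LIBS` expands the current value of `LIBS` on the right-hand side and then appends, so everything already in `LIBS` is listed twice on the link line; the removed `!win32:LIBS = ... $$LIBS` form was an assignment. `LIBS = $$PRE_TARGETDEPS $$LIBS` gives the same order (static archives first, then the shared libraries they depend on) without the duplication. The same line is introduced in the fwb_ipf, fwb_ipfw and fwb_ipt project files in this commit, and each of those `PRE_TARGETDEPS` lists also ends in a trailing `\`, which needs a blank line after it.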

View File

@ -17,29 +17,12 @@ win32:CONFIG += console
INCLUDEPATH += ../pflib ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../pflib ../compiler_lib ../libfwbuilder/src
win32:LIBS += ../common/release/common.lib \
../pflib/release/fwbpf.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \
../pflib/$$BINARY_SUBDIR/libfwbpf.a \
../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \
!win32:LIBS = ../common/libcommon.a \
../pflib/libfwbpf.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a \
$$LIBS
win32:PRE_TARGETDEPS = ../common/release/common.lib \
../pflib/release/fwbpf.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
!win32:PRE_TARGETDEPS = ../common/libcommon.a \
../pflib/libfwbpf.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a
LIBS += $$PRE_TARGETDEPS $$LIBS
TARGET = fwb_ipf

View File

@ -15,30 +15,12 @@ win32:CONFIG += console
INCLUDEPATH += ../pflib ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../pflib ../compiler_lib ../libfwbuilder/src
win32:LIBS += ../common/release/common.lib \
../pflib/release/fwbpf.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
!win32:LIBS = ../common/libcommon.a \
../pflib/libfwbpf.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a \
$$LIBS
win32:PRE_TARGETDEPS = ../common/release/common.lib \
../pflib/release/fwbpf.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
!win32:PRE_TARGETDEPS = ../common/libcommon.a \
../pflib/libfwbpf.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a
PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \
../pflib/$$BINARY_SUBDIR/libfwbpf.a \
../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \
LIBS += $$PRE_TARGETDEPS $$LIBS
TARGET = fwb_ipfw

View File

@ -43,6 +43,8 @@
#include <QApplication>
#include <QStringList>
#include <QTextCodec>
#include <QTime>
#include "../common/init.cpp"
@ -76,6 +78,9 @@ int main(int argc, char **argv)
{
QApplication app(argc, argv, false);
QTime total_time_timer;
total_time_timer.start();
// compilers always write file names into manifest in Utf8
QTextCodec::setCodecForCStrings(QTextCodec::codecForName("Utf8"));
QTextCodec::setCodecForLocale(QTextCodec::codecForName("Utf8"));
@ -153,6 +158,10 @@ int main(int argc, char **argv)
driver->compile();
int ret = (driver->getStatus() == BaseCompiler::FWCOMPILER_SUCCESS) ? 0 : 1;
QTime time_spent = QTime().addMSecs(total_time_timer.elapsed());
cerr << "Compile time: "
<< time_spent.toString("hh:mm:ss").toStdString() << endl;
delete driver;
delete objdb;
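Review bot: `QTime().addMSecs(...)` starts from a null QTime; in Qt 4 `addMSecs` treats a null time as midnight so the output is correct, but this is undocumented behaviour and later Qt versions return a null time from it, which prints as an empty string. `QTime(0, 0).addMSecs(total_time_timer.elapsed())` says what is meant and works either way. Also note the line goes to `cerr` unconditionally, so it will appear in the GUI's compile log for every run, including single-rule compiles; gating it on a verbose flag would keep that log readable.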

View File

@ -15,30 +15,13 @@ win32: CONFIG += console
INCLUDEPATH += ../iptlib ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../iptlib ../compiler_lib ../libfwbuilder/src
win32:LIBS += ../common/release/common.lib \
../iptlib/release/iptlib.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \
../iptlib/$$BINARY_SUBDIR/libiptlib.a \
../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \
!win32:LIBS = ../common/libcommon.a \
../iptlib/libiptlib.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a \
$$LIBS
win32:PRE_TARGETDEPS = ../common/release/common.lib \
../iptlib/release/iptlib.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
!win32:PRE_TARGETDEPS = ../common/libcommon.a \
../iptlib/libiptlib.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a
LIBS += $$PRE_TARGETDEPS $$LIBS
TARGET = fwb_ipt

View File

@ -88,7 +88,6 @@ void CompilerDriver_ipt::assignRuleSetChain(RuleSet *ruleset)
// ???
// rule->setUniqueId( FWObjectDatabase::getStringId(rule->getId()) );
}
}
void CompilerDriver_ipt::findBranchesInMangleTable(Firewall *fw,
@ -109,7 +108,7 @@ void CompilerDriver_ipt::findBranchesInMangleTable(Firewall *fw,
if (rule == NULL) continue; // skip RuleSetOptions object
FWOptions *ruleopt = rule->getOptionsObject();
if (rule->getAction() == PolicyRule::Branch &&
ruleopt->getBool("ipt_branch_in_mangle"))
! ruleopt->getBool("ipt_branch_in_mangle"))
{
RuleSet *ruleset = rule->getBranch();
if (ruleset == NULL)
@ -121,10 +120,10 @@ void CompilerDriver_ipt::findBranchesInMangleTable(Firewall *fw,
for (list<FWObject*>::iterator br=ruleset->begin();
br!=ruleset->end(); ++br)
{
Rule *b_rule = Rule::cast(*br);
if (b_rule == NULL) continue; // skip RuleSetOptions object
ruleopt = b_rule->getOptionsObject();
ruleopt->setBool("put_in_mangle_table", true);
PolicyRule *b_rule = PolicyRule::cast(*br);
if (b_rule == NULL) continue;
if (b_rule->getTagging() || b_rule->getClassification())
ruleopt->setBool("ipt_branch_in_mangle", true);
}
}
}
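Review bot: with `ruleopt = b_rule->getOptionsObject()` removed, `ruleopt` inside the loop still refers to the options of the outer branching rule, so `setBool("ipt_branch_in_mangle", true)` marks the branching rule, which matches the #2405 ChangeLog entry; a one-line comment would help, because a variable named `ruleopt` being assigned inside a loop over branch rules reads like a leftover. Two follow-ups: the scan is one level deep, so a branch rule set that itself branches to a set containing Tag or Classify rules is not detected, and the old `put_in_mangle_table` option is no longer set anywhere in this function, so any remaining readers of that option should go in the same change.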
@ -151,6 +150,10 @@ string CompilerDriver_ipt::dumpScript(Firewall *fw,
const string& filter_script,
bool ipv6_policy)
{
// cerr << "nat script" << endl;
// cerr << "\"" << nat_script << "\"" << endl;
ostringstream res;
ostringstream script;
string prolog_place = fw->getOptionsObject()->getStr("prolog_place");
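Review bot: the two commented-out `cerr` lines are debug leftovers; drop them rather than commit them, or turn them into a proper debug-level trace if the nat script contents are worth inspecting during development.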
@ -169,11 +172,14 @@ string CompilerDriver_ipt::dumpScript(Firewall *fw,
{
conf = new Configlet(fw, "linux24", "script_body_iptables_restore");
} else
conf = new Configlet(fw, "linux24", "script_body_single_rule");
conf = new Configlet(fw, "linux24", "script_body_iptables_shell");
}
conf->setVariable("auto", have_auto);
conf->setVariable("iptables_restore_format",
fw->getOptionsObject()->getBool("use_iptables_restore"));
conf->setVariable("filter", !filter_script.empty());
conf->setVariable("filter_or_auto", have_auto || !filter_script.empty());
conf->setVariable("filter_auto_script", automatic_rules_script.c_str());
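Review bot: the configlet is renamed from `script_body_single_rule` to `script_body_iptables_shell` and two new template variables (`iptables_restore_format`, `filter_or_auto`) are passed in, but no configlet resource files are part of this diff; confirm that the new configlet is added and that nothing still references the old name, since a missing configlet produces an empty script body with no error at compile time.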

View File

@ -44,6 +44,7 @@
#include "PolicyCompiler_ipt.h"
#include "NATCompiler_ipt.h"
#include "RoutingCompiler_ipt.h"
#include "Preprocessor_ipt.h"
#include "OSConfigurator_linux24.h"
#include "OSConfigurator_secuwall.h"
#include "OSConfigurator_ipcop.h"
@ -52,7 +53,6 @@
#include "Configlet.h"
#include "fwcompiler/Preprocessor.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/FWException.h"
@ -310,7 +310,7 @@ QString CompilerDriver_ipt::run(const std::string &cluster_id,
if (nat_count || policy_count)
{
Preprocessor* prep = new Preprocessor(
Preprocessor_ipt* prep = new Preprocessor_ipt(
objdb , fw, ipv6_policy);
prep->setSingleRuleCompileMode(single_rule_id);
if (inTestMode()) prep->setTestMode();

View File

@ -78,35 +78,6 @@ string NATCompiler_ipt::PrintRuleIptRst::_printRuleLabel(NATRule *rule)
Resources::os_res[compiler->fw->getStr("host_OS")]->Resources::getResourceBool("/FWBuilderResources/Target/options/suppress_comments");
return compiler->printComment(rule, current_rule_label, "#", nocomm);
#if 0
ostringstream res;
string rl=rule->getLabel();
if (rl!=current_rule_label)
{
if (!compiler->inSingleRuleCompileMode() && !nocomm)
{
res << "# " << endl;
res << "# Rule " << rl << endl;
res << "# " << endl;
}
/* do not put comment in the script if it is intended for linksys */
if (!nocomm || compiler->inSingleRuleCompileMode())
{
QStringList comm = QString(rule->getComment().c_str()).split("\n");
foreach(QString line, comm)
{
res << "# " << line.toStdString() << endl;
}
//res << "# " << endl;
}
current_rule_label=rl;
}
return res.str();
#endif
}
bool NATCompiler_ipt::PrintRuleIptRst::processNext()

View File

@ -2608,13 +2608,14 @@ void NATCompiler_ipt::compile()
add( new simplePrintProgress() );
runRuleProcessors();
}
void NATCompiler_ipt::epilog()
{
if (fwopt->getBool("use_iptables_restore"))
if (fwopt->getBool("use_iptables_restore") &&
getCompiledScriptLength()>0 &&
! inSingleRuleCompileMode())
{
output << "#" << endl;
}

View File

@ -502,15 +502,26 @@ string OSConfigurator_linux24::printDynamicAddressesConfigurationCommands()
if (iface->getName().find("*")==string::npos)
{
out << "getaddr "
<< iface->getName()
<< " "
<< getInterfaceVarName(iface, false)
<< endl;
<< iface->getName()
<< " "
<< getInterfaceVarName(iface, false)
<< endl;
out << "getaddr6 "
<< iface->getName()
<< " "
<< getInterfaceVarName(iface, true)
<< endl;
<< iface->getName()
<< " "
<< getInterfaceVarName(iface, true)
<< endl;
out << "getnet "
<< iface->getName()
<< " "
<< getInterfaceVarName(iface, false) << "_network"
<< endl;
out << "getnet6 "
<< iface->getName()
<< " "
<< getInterfaceVarName(iface, true) << "_network"
<< endl;
}
}
}
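Review bot: the new `getnet` and `getnet6` calls assume shell functions of those names exist in the generated script's prolog, and that the variable they set (`<interface var>_network`) is the one `_printAddr` later references as `$i_<name>_network`; neither the functions nor a check on their result are in this diff. If the function fails at activation time the variable stays empty and the iptables command that expands it runs with an empty address argument, failing in a place that is hard to trace back to the interface; the shell function should abort the script with a message naming the interface instead of leaving the variable unset.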

View File

@ -38,6 +38,7 @@
#include "fwbuilder/Network.h"
#include "fwbuilder/DNSName.h"
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/AttachedNetworks.h"
#include "fwbuilder/FWObjectDatabase.h"
#include "fwbuilder/RuleElement.h"
@ -57,6 +58,7 @@
#include <QStringList>
#include <QRegExp>
#include <QtDebug>
#include <iostream>
#include <iomanip>
@ -616,9 +618,7 @@ string PolicyCompiler_ipt::PrintRule::_printLogPrefix(PolicyRule *rule,
{
FWObject *ruleset = rule->getParent();
char action[64];
strncpy(action,rule->getStr("stored_action").c_str(),sizeof(action));
for (char *cptr=action; *cptr; cptr++) *cptr=toupper(*cptr);
QString action = QString(rule->getStr("stored_action").c_str()).toUpper();
RuleElementItf *itf_re = rule->getItf(); assert(itf_re!=NULL);
FWObject *rule_iface = FWObjectReference::getObject(itf_re->front());
@ -637,7 +637,7 @@ string PolicyCompiler_ipt::PrintRule::_printLogPrefix(PolicyRule *rule,
s1 << pos;
return _printLogPrefix(s1.str(),
action,
action.toStdString(),
rule_iface_name,
rule->getStr("ipt_chain"),
ruleset->getName(),
@ -1247,6 +1247,14 @@ string PolicyCompiler_ipt::PrintRule::_printAddr(Address *o)
{
return atrt->getSourceName();
}
if (atrt->getSubstitutionTypeName()==AttachedNetworks::TYPENAME)
{
ostr << "$i_" << atrt->getSourceName() << "_network";
return ostr.str();
}
// at this time we only support two types of MultiAddress
// objects: AddressTable and DNSName. Both should be converted
// to MultiAddressRunTime at this point. If we get some other
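Review bot: `_printAddr` always emits `$i_<name>_network`, the IPv4 variable, while OSConfigurator_linux24 in this commit defines a separate IPv6 variable via `getInterfaceVarName(iface, true) + "_network"`. In the IPv6 policy pass this substitutes the v4 network into an ip6tables rule; pick the variable name based on the address family of the current pass (the same `getInterfaceVarName` helper with the ipv6 flag), or the AttachedNetworks object is wrong for every dynamic interface in IPv6 rules.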

View File

@ -298,9 +298,21 @@ string PolicyCompiler_ipt::getNewChainName(PolicyRule *rule,
string suffix = rule->getStr("subrule_suffix");
if (!suffix.empty()) str << "_" << suffix;
string chain_name = str.str();
int n = rule_chain_no[chain_name];
n++;
rule_chain_no[chain_name] = n;
// if (n > 1)
// {
// str << "_" << n;
// }
string full_chain_name = str.str();
chain_no++;
return str.str();
return full_chain_name;
}
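Review bot: the counter kept in `rule_chain_no[chain_name]` is incremented but never used, since the code that would append `_n` to the chain name is commented out and `full_chain_name` is just `str.str()`. Either enable the suffix (and then explain why duplicate chain names are possible here) or remove the map and the commented block; as written it is dead code that looks like an unfinished de-duplication, and duplicate chain names would silently merge rules from different source rules into one chain.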
void PolicyCompiler_ipt::_expand_interface(Rule *rule,
@ -507,28 +519,72 @@ bool PolicyCompiler_ipt::dropTerminatingTargets::processNext()
return true;
}
/*
* This rule processor converts non-terminating targets CLASSIFY and
* MARK to terminating targets (equivalent) by splitting the rule and
* adding one more rule with target ACCEPT.
*
* Note that target ROUTE is terminating unless parameter "--continue"
* is present. We add "--continue" if action is Continue, otherwise
* the rule does not need to be split and we carry action Accept further.
*
* Call this rule processor at the very end of the chain when all
* splits are done and target is set via "ipt_target"
*/
bool PolicyCompiler_ipt::splitTagClassifyOrRouteIfAction::processNext()
bool PolicyCompiler_ipt::clearTagClassifyInFilter::processNext()
{
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
string tgt = rule->getStr("ipt_target");
if (ipt_comp->my_table != "mangle")
{
rule->setClassification(false);
rule->setRouting(false);
rule->setTagging(false);
}
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_ipt::clearActionInTagClassifyIfMangle::processNext()
{
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
if (ipt_comp->my_table == "mangle" &&
(rule->getTagging() || rule->getClassification())
)
rule->setAction(PolicyRule::Continue);
tmp_queue.push_back(rule);
return true;
}
/*
* in a rule generates some code in both filter and mangle tables and
* has logging turned on, we should log only once. Will log in filter.
* However if the rule belongs to mangle-only rule set, we should log
* in mangle.
*/
bool PolicyCompiler_ipt::clearLogInMangle::processNext()
{
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *rule = getNext(); if (rule==NULL) return false;
FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject();
if (rulesetopts->getBool("mangle_only_rule_set"))
{
tmp_queue.push_back(rule);
return true;
}
if (ipt_comp->my_table == "mangle") rule->setLogging(false);
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_ipt::splitIfTagClassifyOrRoute::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
FWOptions *ruleopt = rule->getOptionsObject();
if (ipt_comp->my_table=="mangle" &&
(rule->getTagging() || rule->getClassification()) &&
rule->getAction() != PolicyRule::Continue)
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *r;
int number_of_options = 0;
if (rule->getTagging()) number_of_options++;
if (rule->getClassification()) number_of_options++;
if (rule->getRouting()) number_of_options++;
if (ipt_comp->my_table=="mangle" && number_of_options > 0)
{
RuleElementSrc *nsrc;
RuleElementDst *ndst;
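Review bot: `clearTagClassifyInFilter` also clears the Routing flag, so its name undersells what it does, and the long comment block kept above it still describes the removed `splitTagClassifyOrRouteIfAction` (it should be rewritten for the new processor or dropped, since part of its text reappears inside `splitIfTagClassifyOrRoute` below). `string tgt = rule->getStr("ipt_target")` in the same function is unused. The comment above `clearLogInMangle` reads "in a rule generates" for "if a rule generates".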
@ -544,10 +600,10 @@ bool PolicyCompiler_ipt::splitTagClassifyOrRouteIfAction::processNext()
nsrv = rule->getSrv();
nitfre = rule->getItf();
if (!nsrc->isAny() ||
!ndst->isAny() ||
!nsrv->isAny() ||
!nitfre->isAny())
if (
(! nsrc->isAny() || ! ndst->isAny() ||
! nsrv->isAny() || ! nitfre->isAny()) && number_of_options > 1
)
{
new_chain = ipt_comp->getNewTmpChainName(rule);
r = compiler->dbcopy->createPolicyRule();
@ -561,59 +617,20 @@ bool PolicyCompiler_ipt::splitTagClassifyOrRouteIfAction::processNext()
r->setLogging(false);
r->setAction(PolicyRule::Continue);
tmp_queue.push_back(r);
nsrc = rule->getSrc(); nsrc->reset();
ndst = rule->getDst(); ndst->reset();
nsrv = rule->getSrv(); nsrv->reset();
nitfre = rule->getItf(); nitfre->reset();
ruleopt = rule->getOptionsObject();
ruleopt->setInt("limit_value",-1);
ruleopt->setInt("limit_value",-1);
ruleopt->setInt("connlimit_value",-1);
ruleopt->setInt("hashlimit_value",-1);
ruleopt->setBool("stateless",true);
rule->setLogging(false);
}
r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
nsrc = r->getSrc(); nsrc->reset();
ndst = r->getDst(); ndst->reset();
nsrv = r->getSrv(); nsrv->reset();
nitfre = r->getItf(); nitfre->reset();
ruleopt = r->getOptionsObject();
ruleopt->setInt("limit_value",-1);
ruleopt->setInt("limit_value",-1);
ruleopt->setInt("connlimit_value",-1);
ruleopt->setInt("hashlimit_value",-1);
ruleopt->setBool("stateless",true);
r->setLogging(false);
r->setStr("ipt_chain", new_chain);
r->setStr("upstream_rule_chain", this_chain);
r->setAction(PolicyRule::Continue);
ipt_comp->registerChain(new_chain);
ipt_comp->insertUpstreamChain(this_chain, new_chain);
tmp_queue.push_back(r);
r2 = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r2);
r2->duplicate(r);
r2->setClassification(false);
r2->setRouting(false);
r2->setTagging(false);
r2->setLogging(false);
r2->setAction( rule->getAction());
ruleopt = r2->getOptionsObject();
ruleopt->setBool("stateless", true);
tmp_queue.push_back(r2);
return true;
}
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_ipt::splitIfTagClassifyOrRoute::processNext()
{
PolicyRule *rule = getNext(); if (rule==NULL) return false;
FWOptions *ruleopt = rule->getOptionsObject();
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *r;
if (ipt_comp->my_table=="mangle" &&
(rule->getTagging() || rule->getClassification() || rule->getRouting()))
{
if (rule->getTagging())
{
r = compiler->dbcopy->createPolicyRule();
@ -622,6 +639,9 @@ bool PolicyCompiler_ipt::splitIfTagClassifyOrRoute::processNext()
r->setClassification(false);
r->setRouting(false);
rule->setTagging(false);
r->setStr("ipt_chain", new_chain);
r->setStr("upstream_rule_chain", this_chain);
r->setAction(PolicyRule::Continue);
tmp_queue.push_back(r);
}
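Review bot: `r->setStr("ipt_chain", new_chain)` is added here, but `new_chain` is only assigned (`getNewTmpChainName`) in the earlier hunk when `number_of_options > 1` and the rule has non-any elements; for a rule with a single option `new_chain` is whatever it was initialised to, which is not visible in this diff. If it is empty, the split rule lands in a chain with no name. Initialise `new_chain` to `this_chain` before the branch, or assert it is non-empty before use.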
@ -633,20 +653,28 @@ bool PolicyCompiler_ipt::splitIfTagClassifyOrRoute::processNext()
rule->setClassification(false);
r->setRouting(false);
r->setTagging(false);
r->setStr("ipt_chain", new_chain);
r->setStr("upstream_rule_chain", this_chain);
r->setAction(PolicyRule::Continue);
tmp_queue.push_back(r);
}
if (rule->getRouting())
/*
* Target ROUTE is terminating unless parameter "--continue"
* is present. We add "--continue" if action is Continue,
* otherwise the rule does not need to be split and we carry
* action Accept further.
*/
if (rule->getRouting() || rule->getAction() != PolicyRule::Continue)
{
r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setClassification(false);
rule->setRouting(false);
r->setTagging(false);
tmp_queue.push_back(r);
rule->setClassification(false);
rule->setTagging(false);
rule->setStr("ipt_chain", new_chain);
rule->setStr("upstream_rule_chain", this_chain);
tmp_queue.push_back(rule);
}
} else
tmp_queue.push_back(rule);
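Review bot: the new comment only explains the ROUTE/"--continue" case, but the condition `if (rule->getRouting() || rule->getAction() != PolicyRule::Continue)` now also fires for every Tag/Classify rule whose action is not Continue, which after this change is the common path; say so in the comment. The getRouting() half is effectively dead in a normal compile: deprecateOptionRoute (added in this diff) is registered at the top of compile() and aborts on any rule with Route set, while this processor now runs after Logging2. Either drop the routing branch or comment that it is kept only until option Route is removed.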
@ -686,6 +714,9 @@ bool PolicyCompiler_ipt::InterfacePolicyRulesWithOptimization::processNext()
return true;
}
/**
* Deprecated beginning with 4.3.0. To be removed in future versions.
*/
bool PolicyCompiler_ipt::Route::processNext()
{
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
@ -732,17 +763,6 @@ bool PolicyCompiler_ipt::Route::processNext()
return true;
}
/*
* A note about CLASSIFY target in iptables:
*
* CLASSIFY only works in mangle table in POSTROUTING chain.
* the man page does not mention this, but module documentation
* in p-o-m says so.
*
* per bug #1618329: "Wrong in-code comment" this comment is incorrect,
* CLASSIFY target is valid in POSTROUTING, OUTPUT and FORWARD chains.
*/
bool PolicyCompiler_ipt::dropMangleTableRules::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
@ -753,9 +773,9 @@ bool PolicyCompiler_ipt::dropMangleTableRules::processNext()
FWOptions *rulesetopts = ipt_comp->getSourceRuleSet()->getOptionsObject();
if (rulesetopts->getBool("mangle_only_rule_set")) return true;
if (rule->getTagging() ||
rule->getRouting() ||
rule->getClassification()) return true;
if ( rule->getAction() == PolicyRule::Continue && ! rule->getLogging() &&
(rule->getTagging() || rule->getRouting() || rule->getClassification()))
return true;
// Another special case (while working on #1415, although not
// related directly): branching rule that has "branch in mangle table"
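Review bot: the tightened condition drops a mangle rule only when the action is Continue and logging is off, so a Tag/Classify rule that still carries another action or logging now falls through into the rest of the mangle pipeline. That is only safe if clearLogInMangle and clearActionInTagClassifyIfMangle (declared in the header in this diff) have already run; add a comment here stating that ordering dependency, because the order is fixed in compile() far from this code and a reorder would silently change what gets dropped.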
@ -821,10 +841,26 @@ bool PolicyCompiler_ipt::checkForUnsupportedCombinationsInMangle::processNext()
}
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_ipt::deprecateOptionRoute::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
if (rule->getRouting())
{
compiler->abort(
rule,
"Option Route is deprecated. You can use Custom Action "
"to generate iptables command using '-j ROUTE' target "
"if it is supported by your firewall OS");
return true;
}
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_ipt::Logging1::processNext()
{
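Review bot: after `compiler->abort(rule, ...)` the processor returns without pushing the rule to tmp_queue. If abort() can return instead of throwing (for example when errors are collected), the rule silently disappears from the compiled output; either push it after the abort as the other check processors do, or document that abort() never returns. It would also help users to cite the ticket (#2401, as the header comment does) in the message.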
@ -1852,75 +1888,6 @@ bool PolicyCompiler_ipt::splitIfTagAndConnmark::processNext()
} else
tmp_queue.push_back(rule);
#if 0
RuleElementItf *itf_re = rule->getItf(); assert(itf_re!=NULL);
RuleElementSrc *nsrc;
RuleElementDst *ndst;
RuleElementSrv *nsrv;
RuleElementInterval *nint;
if (rule->getTagging() && ruleopt->getBool("ipt_mark_connections"))
{
PolicyRule *r, *r1;
string this_chain = rule->getStr("ipt_chain");
string new_chain = ipt_comp->getNewChainName(rule, NULL);
r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_target", new_chain);
r->setClassification(false);
r->setRouting(false);
r->setTagging(false);
r->setLogging(false);
r->setAction(PolicyRule::Continue);
r->setLogging(false);
ruleopt = r->getOptionsObject();
tmp_queue.push_back(r);
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_chain",new_chain);
r->setStr("upstream_rule_chain",this_chain);
ipt_comp->registerChain(new_chain);
ipt_comp->insertUpstreamChain(this_chain, new_chain);
ruleopt =r->getOptionsObject();
ruleopt->setBool("stateless",true);
r->setBool("force_state_check",false);
ruleopt->setInt("limit_value",-1);
ruleopt->setInt("connlimit_value",-1);
ruleopt->setInt("hashlimit_value",-1);
nsrc=r->getSrc(); nsrc->reset();
ndst=r->getDst(); ndst->reset();
nsrv=r->getSrv(); nsrv->reset();
if ( (nint=r->getWhen())!=NULL ) nint->reset();
tmp_queue.push_back(r);
r1= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r1);
r1->duplicate(r);
r1->setStr("ipt_target", "CONNMARK");
r1->setAction(PolicyRule::Continue); // ###
r1->setClassification(false);
r1->setRouting(false);
r1->setTagging(false);
r1->setLogging(false);
ruleopt =r1->getOptionsObject();
ruleopt->setStr("CONNMARK_arg", "--save-mark");
tmp_queue.push_back(r1);
ipt_comp->have_connmark = true;
} else
tmp_queue.push_back(rule);
#endif
return true;
}
@ -2296,12 +2263,15 @@ bool PolicyCompiler_ipt::splitIfSrcAny::processNext()
r->setDirection( PolicyRule::Outbound );
tmp_queue.push_back(r);
// if this rule is for mangle table, need to put it into
// POSTROUTING chain as well because some targets that
// work with mangle table can only go into POSTROUTING chain
// such as CLASSIFY
if (ipt_comp->my_table=="mangle" &&
rule->getClassification())
/*
* A note about CLASSIFY target in iptables:
*
* CLASSIFY only works in mangle table in POSTROUTING chain.
* the man page does not mention this, but module
* documentation in p-o-m says so.
*/
if (ipt_comp->my_table=="mangle" && rule->getClassification())
{
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
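Review bot: the relocated comment reintroduces the claim that "CLASSIFY only works in mangle table in POSTROUTING chain", while the comment removed earlier in this diff (hunk at -732) explicitly corrected that per bug #1618329: CLASSIFY is valid in POSTROUTING, OUTPUT and FORWARD. Duplicating the rule into POSTROUTING may still be the intended design, but keep the correction in the comment, otherwise the next reader will "fix" the code toward POSTROUTING-only again.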
@ -3263,7 +3233,9 @@ bool PolicyCompiler_ipt::decideOnChainIfLoopback::processNext()
}
/**
* target CLASSIFY is only valid in mangle table, chain POSTROUTING
* target CLASSIFY is only valid in mangle table, chain POSTROUTING.
* However if the same rule also has tagging option, it should be
* split because we want to tag in PREROUTING
*/
bool PolicyCompiler_ipt::decideOnChainForClassify::processNext()
{
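Review bot: "target CLASSIFY is only valid in mangle table, chain POSTROUTING" contradicts the bug #1618329 note removed in this diff (OUTPUT and FORWARD are valid too). Rephrase it as a design choice ("we always place CLASSIFY rules in POSTROUTING") rather than as an iptables restriction, so the comment stays true.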
@ -3277,7 +3249,22 @@ bool PolicyCompiler_ipt::decideOnChainForClassify::processNext()
}
if (rule->getStr("ipt_chain").empty())
ipt_comp->setChain(rule,"POSTROUTING");
{
if (rule->getTagging())
{
PolicyRule *r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setClassification(false);
r->setRouting(false);
r->setAction(PolicyRule::Continue);
tmp_queue.push_back(r);
rule->setTagging(false);
}
ipt_comp->setChain(rule, "POSTROUTING");
}
tmp_queue.push_back(rule);
return true;
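Review bot: the Tag copy r is pushed with an empty "ipt_chain" although the comment above says tagging should happen in PREROUTING; nothing in this hunk assigns that chain. Either call ipt_comp->setChain(r, "PREROUTING") here or add a comment naming the later processor that picks up rules with an empty chain. Note also that `r->duplicate(rule)` must stay before `rule->setTagging(false)`; a one-line comment would protect that ordering, since the reverse order would yield two rules with no options at all.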
@ -4271,13 +4258,17 @@ void PolicyCompiler_ipt::compile()
add( new singleRuleFilter());
add( new deprecateOptionRoute("Deprecate option Route"));
add( new checkForUnsupportedCombinationsInMangle(
"Check for unsupported Tag+Route and Classify+Route combinations"));
add( new splitIfTagClassifyOrRoute(
"Split rule if it uses tagging, classification or routing options"));
add( new clearTagClassifyInFilter(
"Clear Tag and Classify options in filter table"));
add( new clearLogInMangle("clear logging in rules in mangle table"));
add( new clearActionInTagClassifyIfMangle(
"clear action in rules with Tag and Classify in mangle"));
add( new Route("process route rules"));
add( new storeAction("store original action of this rule"));
add( new Logging1("check global logging override option"));
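Review bot: with deprecateOptionRoute registered first and aborting on any rule that has Route set, neither checkForUnsupportedCombinationsInMangle (still described as "Tag+Route and Classify+Route") nor the Route processor re-added later in compile() can see a routing rule in a normal compile. Either retire them in this change or add a comment that they remain only until option Route is removed, as the header comment ("To be removed in future versions") already implies.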
@ -4347,6 +4338,13 @@ void PolicyCompiler_ipt::compile()
add( new Logging2("process logging"));
// #2367 #2397
add( new splitIfTagClassifyOrRoute(
"Split rule if it uses tagging, classification or routing options"));
add( new splitIfTagAndConnmark("Tag+CONNMARK combo"));
add( new Route("process route rules"));
/*
* this is just a patch for those who do not understand how does
* "assume firewall is part of any" work. It also eliminates redundant
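Review bot: `// #2367 #2397` gives ticket numbers but not the reason these three processors moved from before storeAction to after Logging2. State the dependency in the comment (what state the split needs to see that is only final after logging is processed), otherwise the next refactor of compile() can move them back without noticing.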
@ -4366,14 +4364,8 @@ void PolicyCompiler_ipt::compile()
add( new swapMultiAddressObjectsInDst(
" swap MultiAddress -> MultiAddressRunTime in Dst"));
// #2367
add( new splitTagClassifyOrRouteIfAction(
"split rules with options Tag, Classify or Route when action "
"is not Continue" ) );
add( new splitIfTagAndConnmark("Tag+CONNMARK combo"));
add( new accounting("Accounting") );
add( new splitIfSrcAny("split rule if src is any") );
if (my_table == "mangle")
@ -4511,12 +4503,6 @@ void PolicyCompiler_ipt::compile()
add( new optimize2("optimization 2") );
// add( new splitTagClassifyOrRouteIfAction(
// "split rules with options Tag, Classify or Route when action "
// "is not Continue" ) );
// add( new splitIfTagAndConnmark("Tag+CONNMARK combo"));
// add( new accounting("Accounting") );
add( new prepareForMultiport("prepare for multiport") );
@ -4602,6 +4588,8 @@ string PolicyCompiler_ipt::debugPrintRule(Rule *r)
src << o->getName();
if (Group::cast(o)!=NULL)
src << "[" << o->size() << "]";
if ( MultiAddress::cast(o)!=NULL)
src << string((MultiAddress::cast(o)->isRunTime()) ? "(r)" : "(c)");
}
if (i2!=dstrel->end())
@ -4610,6 +4598,8 @@ string PolicyCompiler_ipt::debugPrintRule(Rule *r)
dst << o->getName();
if (Group::cast(o)!=NULL)
dst << "[" << o->size() << "]";
if ( MultiAddress::cast(o)!=NULL)
dst << string((MultiAddress::cast(o)->isRunTime()) ? "(r)" : "(c)");
}
if (i3!=srvrel->end())
@ -4709,7 +4699,9 @@ string PolicyCompiler_ipt::debugPrintRule(Rule *r)
void PolicyCompiler_ipt::epilog()
{
if (fwopt->getBool("use_iptables_restore") && getCompiledScriptLength()>0)
if (fwopt->getBool("use_iptables_restore") &&
getCompiledScriptLength()>0 &&
! inSingleRuleCompileMode())
{
output << "#" << endl;
}

View File

@ -75,6 +75,7 @@ protected:
std::string my_table;
std::map<std::string, int> tmp_chain_no;
std::map<std::string, int> rule_chain_no;
std::map<std::string, int> chain_usage_counter;
std::map<std::string, std::string> ipset_tables;
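Review bot: chain_usage_counter is added without a comment and nothing in this diff updates or reads it. Document what it counts (references to a generated chain, or rules inside it) and which processor maintains it, or defer the member to the change that uses it.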
@ -177,6 +178,13 @@ protected:
*/
DECLARE_POLICY_RULE_PROCESSOR(checkForUnsupportedCombinationsInMangle);
/**
* See #2401 Option "Route" (used to be action "Route") is
* deprecated. Iptables target ROUTE is not included in major
* distributions (Debian, Ubuntu, Fedora, CentOS).
*/
DECLARE_POLICY_RULE_PROCESSOR(deprecateOptionRoute);
/**
* adds few predefined (or "builtin") rules on top of the policy
*/
@ -216,6 +224,7 @@ protected:
/**
* set target and chain in case of route rules
* Deprecated beginning with 4.3.0. To be removed in future versions.
*/
DECLARE_POLICY_RULE_PROCESSOR(Route);
@ -235,6 +244,24 @@ protected:
*/
DECLARE_POLICY_RULE_PROCESSOR(splitIfTagClassifyOrRoute);
/**
* clears options Tag and Classify in filter table
*/
DECLARE_POLICY_RULE_PROCESSOR(clearTagClassifyInFilter);
/**
* turns off logging in rules with options Tag, Classify or
* Route in table mangle
*/
DECLARE_POLICY_RULE_PROCESSOR(clearLogInMangle);
/**
* switches action to Continue in rules with options Tag,
* Classify in mangle table. We deal with other actions in
* table filter.
*/
DECLARE_POLICY_RULE_PROCESSOR(clearActionInTagClassifyIfMangle);
/**
* this processor checks if the rule is associated with an
@ -681,12 +708,6 @@ protected:
*/
DECLARE_POLICY_RULE_PROCESSOR(decideOnChainForClassify);
/**
* Split rules with options Tag, Classiyfy and Route if action
* is not Continue
*/
DECLARE_POLICY_RULE_PROCESSOR(splitTagClassifyOrRouteIfAction);
/**
* drop rules with terminating targets. Used as part of the
* shadowing detection for non-terminating rules in the mangle

View File

@ -123,6 +123,11 @@ void PolicyCompiler_ipt::optimize1::optimizeForRuleElement(
}
}
r->setStr("ipt_target",new_chain);
r->setClassification(false);
r->setRouting(false);
r->setTagging(false);
tmp_queue.push_back(r);
FWOptions *ruleopt=rule->getOptionsObject();
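Review bot: clearing Tag/Classify/Route on the jump rule r is correct, since those options are carried by the rules inside new_chain, but this is the second place in the diff (see the first hunk of PolicyCompiler_ipt.cpp) that strips them from a jump rule with no explanation. Add a one-line comment stating the invariant ("a rule whose target is a generated chain carries no Tag/Classify/Route") so both sites are recognisably the same rule.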

View File

@ -0,0 +1,50 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "Preprocessor_ipt.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/AttachedNetworks.h"
using namespace libfwbuilder;
using namespace fwcompiler;
using namespace std;
void Preprocessor_ipt::convertObject(FWObject *obj)
{
if ( AttachedNetworks::isA(obj))
{
AttachedNetworks *att = AttachedNetworks::cast(obj);
Interface *intf = Interface::cast(att->getParent());
if (intf->isRegular())
{
att->setCompileTime(true);
att->loadFromSource(ipv6, inTestMode());
} else att->setRunTime(true);
} else
Preprocessor::convertObject(obj);
}
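Review bot: `Interface *intf = Interface::cast(att->getParent());` is dereferenced with no NULL check. The DTD change in this same commit adds AttachedNetworks to the Library content model as well as to Interface, so an AttachedNetworks object whose parent is not an Interface is representable and would crash here. Either guard (abort with a message or treat it as run-time) or remove AttachedNetworks from the Library element; AttachedNetworks::loadFromSource() and getSourceName() make the same parent assumption, guarded only by assert().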

View File

@ -0,0 +1,54 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __PREPROCESSOR_IPT_HH
#define __PREPROCESSOR_IPT_HH
#include <fwbuilder/libfwbuilder-config.h>
#include "fwcompiler/Preprocessor.h"
namespace libfwbuilder {
class FWObjectDatabase;
};
namespace fwcompiler {
class Preprocessor_ipt : public Preprocessor {
public:
Preprocessor_ipt(libfwbuilder::FWObjectDatabase *_db,
libfwbuilder::Firewall *fw,
bool ipv6_policy) :
Preprocessor(_db, fw, ipv6_policy)
{ }
virtual void convertObject(libfwbuilder::FWObject *obj);
};
}
#endif

View File

@ -27,6 +27,7 @@ SOURCES = CompilerDriver_ipt.cpp \
PolicyCompiler_secuwall.cpp \
RoutingCompiler_ipt.cpp \
RoutingCompiler_ipt_writers.cpp \
Preprocessor_ipt.cpp \
combinedAddress.cpp \
AutomaticRules_ipt.cpp \
utils.cpp
@ -42,6 +43,7 @@ HEADERS = ../../config.h \
PolicyCompiler_ipt.h \
PolicyCompiler_secuwall.h \
RoutingCompiler_ipt.h \
Preprocessor_ipt.h \
combinedAddress.h \
AutomaticRules_ipt.h \
utils.h
@ -51,9 +53,9 @@ CONFIG += staticlib
INCLUDEPATH += ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../compiler_lib ../libfwbuilder/src
win32:PRE_TARGETDEPS = ../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib
win32:PRE_TARGETDEPS = ../compiler_lib/release/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/release/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/release/libfwbuilder.a
!win32:PRE_TARGETDEPS = ../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
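Review bot: switching the win32 PRE_TARGETDEPS from `.lib` to `lib*.a` names assumes a MinGW/g++ toolchain on Windows. If an MSVC build is still supported, key this on the mkspec (win32-g++ versus win32-msvc*) rather than on win32 alone, otherwise the MSVC build will wait on targets that are never produced.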

View File

@ -85,7 +85,7 @@
>
<!ELEMENT Library
((AnyNetwork|AnyIPService|AnyInterval|ObjectGroup|StateSyncClusterGroup|FailoverClusterGroup|Host|Firewall|Cluster|Network|NetworkIPv6|IPv4|IPv6|DNSName|AddressTable|physAddress|AddressRange|ObjectRef|ServiceGroup|IPService|ICMPService|ICMP6Service|TCPService|UDPService|CustomService|ServiceRef|IntervalGroup|Interval|IntervalRef|Interface|Policy|NAT|PolicyRule|NATRule|Library|TagService|UserService)*)>
((AnyNetwork|AnyIPService|AnyInterval|ObjectGroup|StateSyncClusterGroup|FailoverClusterGroup|Host|Firewall|Cluster|Network|NetworkIPv6|AttachedNetworks|IPv4|IPv6|DNSName|AddressTable|physAddress|AddressRange|ObjectRef|ServiceGroup|IPService|ICMPService|ICMP6Service|TCPService|UDPService|CustomService|ServiceRef|IntervalGroup|Interval|IntervalRef|Interface|Policy|NAT|PolicyRule|NATRule|Library|TagService|UserService)*)>
<!ATTLIST Library
%STD_ATTRIBUTES;
color %STRING; #IMPLIED
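Review bot: AttachedNetworks is added to the Library child list, but the implementation added in this commit (AttachedNetworks::loadFromSource, getSourceName, Preprocessor_ipt::convertObject) requires the parent to be an Interface. Unless library-level AttachedNetworks objects are intended, keep the element only under Interface; the Interface content-model change below (AttachedNetworks last, after FailoverClusterGroup) matches the emission order in Interface::toXML, which is good.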
@ -355,7 +355,7 @@ Interface can have the following attributes:
- label human-readable label of this interface
-->
<!ELEMENT Interface (IPv4*, IPv6*, physAddress?, InterfaceOptions?, Interface*, FailoverClusterGroup?)>
<!ELEMENT Interface (IPv4*, IPv6*, physAddress?, InterfaceOptions?, Interface*, FailoverClusterGroup?, AttachedNetworks?)>
<!ATTLIST Interface
%STD_ATTRIBUTES;
dyn %BOOLEAN; #REQUIRED
@ -369,7 +369,6 @@ Interface can have the following attributes:
label %STRING; #IMPLIED
>
<!-- Remote management information for Firewall, Host, Gateway -->
<!ELEMENT Management (SNMPManagement? , FWBDManagement?, PolicyInstallScript?)>
<!ATTLIST Management
@ -431,6 +430,11 @@ Interface can have the following attributes:
netmask %NETMASK; #REQUIRED
>
<!ELEMENT AttachedNetworks EMPTY>
<!ATTLIST AttachedNetworks
%STD_ATTRIBUTES;
>
<!ELEMENT AddressRange EMPTY>
<!ATTLIST AddressRange
%STD_ATTRIBUTES;

View File

@ -85,7 +85,7 @@
>
<!ELEMENT Library
((AnyNetwork|AnyIPService|AnyInterval|ObjectGroup|StateSyncClusterGroup|FailoverClusterGroup|Host|Firewall|Cluster|Network|NetworkIPv6|IPv4|IPv6|DNSName|AddressTable|physAddress|AddressRange|ObjectRef|ServiceGroup|IPService|ICMPService|ICMP6Service|TCPService|UDPService|CustomService|ServiceRef|IntervalGroup|Interval|IntervalRef|Interface|Policy|NAT|PolicyRule|NATRule|Library|TagService|UserService)*)>
((AnyNetwork|AnyIPService|AnyInterval|ObjectGroup|StateSyncClusterGroup|FailoverClusterGroup|Host|Firewall|Cluster|Network|NetworkIPv6|AttachedNetworks|IPv4|IPv6|DNSName|AddressTable|physAddress|AddressRange|ObjectRef|ServiceGroup|IPService|ICMPService|ICMP6Service|TCPService|UDPService|CustomService|ServiceRef|IntervalGroup|Interval|IntervalRef|Interface|Policy|NAT|PolicyRule|NATRule|Library|TagService|UserService)*)>
<!ATTLIST Library
%STD_ATTRIBUTES;
color %STRING; #IMPLIED
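Review bot: this is the second copy of the same DTD change, so the remark about AttachedNetworks under Library applies here as well; the two DTD files have to stay in sync, and a build-time diff of the two would catch drift.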
@ -355,7 +355,7 @@ Interface can have the following attributes:
- label human-readable label of this interface
-->
<!ELEMENT Interface (IPv4*, IPv6*, physAddress?, InterfaceOptions?, Interface*, FailoverClusterGroup?)>
<!ELEMENT Interface (IPv4*, IPv6*, physAddress?, InterfaceOptions?, Interface*, FailoverClusterGroup?, AttachedNetworks?)>
<!ATTLIST Interface
%STD_ATTRIBUTES;
dyn %BOOLEAN; #REQUIRED
@ -369,7 +369,6 @@ Interface can have the following attributes:
label %STRING; #IMPLIED
>
<!-- Remote management information for Firewall, Host, Gateway -->
<!ELEMENT Management (SNMPManagement? , FWBDManagement?, PolicyInstallScript?)>
<!ATTLIST Management
@ -431,6 +430,11 @@ Interface can have the following attributes:
netmask %NETMASK; #REQUIRED
>
<!ELEMENT AttachedNetworks EMPTY>
<!ATTLIST AttachedNetworks
%STD_ATTRIBUTES;
>
<!ELEMENT AddressRange EMPTY>
<!ATTLIST AddressRange
%STD_ATTRIBUTES;

View File

@ -0,0 +1,134 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include <assert.h>
#include <fwbuilder/libfwbuilder-config.h>
#include <fwbuilder/AttachedNetworks.h>
#include <fwbuilder/FWException.h>
#include <fwbuilder/FWObjectReference.h>
#include <fwbuilder/FWObjectDatabase.h>
#include <fwbuilder/Interface.h>
#include <fwbuilder/IPv4.h>
#include <fwbuilder/IPv6.h>
#include <fwbuilder/Network.h>
#include <fwbuilder/NetworkIPv6.h>
#include <iostream>
#include <fstream>
#include <string>
#include <sstream>
using namespace libfwbuilder;
using namespace std;
const char *AttachedNetworks::TYPENAME={"AttachedNetworks"};
AttachedNetworks::AttachedNetworks() : MultiAddress()
{
}
void AttachedNetworks::fromXML(xmlNodePtr root) throw(FWException)
{
FWObject::fromXML(root);
}
xmlNodePtr AttachedNetworks::toXML(xmlNodePtr parent) throw(FWException)
{
remStr("run_time");
xmlNodePtr me = FWObject::toXML(parent, false);
xmlNewProp(me, TOXMLCAST("name"), STRTOXMLCAST(getName()));
xmlNewProp(me, TOXMLCAST("comment"), STRTOXMLCAST(getComment()));
xmlNewProp(me, TOXMLCAST("ro"), TOXMLCAST(((getRO()) ? "True" : "False")));
return me;
}
void AttachedNetworks::addNetworkObject(const InetAddr *ip_addr,
const InetAddr *ip_netm)
{
FWObject *new_obj;
if (ip_addr->isV4())
{
Network *net = getRoot()->createNetwork();
net->setAddress(*ip_addr);
net->setNetmask(*ip_netm);
ostringstream str;
str << "net-" << ip_addr->toString() << "/" << ip_netm->toString();
net->setName(str.str());
new_obj = net;
}
if (ip_addr->isV6())
{
NetworkIPv6 *net = getRoot()->createNetworkIPv6();
net->setAddress(*ip_addr);
net->setNetmask(*ip_netm);
ostringstream str;
str << "net-" << ip_addr->toString() << "/" << ip_netm->getLength();
net->setName(str.str());
new_obj = net;
}
if (validateChild(new_obj))
{
getRoot()->add(new_obj);
addRef(new_obj);
}
}
/*
* Read addresses of the parent interface and build a group of
* corresponding networks.
*/
void AttachedNetworks::loadFromSource(bool ipv6, bool ) throw(FWException)
{
Interface *parent_intf = Interface::cast(getParent());
assert(parent_intf);
string c_type = (ipv6) ? IPv6::TYPENAME : IPv4::TYPENAME;
FWObjectTypedChildIterator k = parent_intf->findByType(c_type);
for ( ; k!=k.end(); ++k)
{
Address *addr = Address::cast(*k);
const InetAddr *ip_netm = addr->getNetmaskPtr();
const InetAddr *ip_net_addr = addr->getNetworkAddressPtr();
addNetworkObject(ip_net_addr, ip_netm);
}
}
string AttachedNetworks::getSourceName()
{
Interface *parent = Interface::cast(getParent());
assert(parent!=NULL);
return parent->getName();
}
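Review bot: in addNetworkObject, `FWObject *new_obj;` is uninitialized and is handed to validateChild() when the address is neither v4 nor v6 (both if blocks skipped); initialize it to NULL and return early if it is still NULL. Two smaller points: the v4 object name uses the dotted netmask while the v6 name uses the prefix length, so generated names are inconsistent (prefix length for both is the predictable choice), and `getRoot()->add(new_obj)` attaches the generated Network directly under the database root rather than under a Library; if that is intended for compile-time objects, a comment saying so would help.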

View File

@ -0,0 +1,58 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef _ATTACHEDNETWORKS_HH_
#define _ATTACHEDNETWORKS_HH_
#include <fwbuilder/MultiAddress.h>
namespace libfwbuilder
{
class AttachedNetworks : public MultiAddress
{
private:
void addNetworkObject(const InetAddr *ip_addr, const InetAddr *ip_netm);
public:
DECLARE_FWOBJECT_SUBTYPE(AttachedNetworks);
DECLARE_DISPATCH_METHODS(AttachedNetworks);
AttachedNetworks();
virtual void fromXML(xmlNodePtr parent) throw(FWException);
virtual xmlNodePtr toXML(xmlNodePtr xml_parent_node) throw(FWException);
virtual void loadFromSource(bool ipv6, bool test_mode=false) throw(FWException);
virtual std::string getSourceName();
};
}
#endif

View File

@ -96,7 +96,7 @@ void FWObject::fromXML(xmlNodePtr root) throw(FWException)
FREEXMLBUFF(n);
}
ref_counter = 0;
// ref_counter = 0;
FWObjectDatabase *dbr = getRoot();
for (xmlNodePtr cur=root->xmlChildrenNode; cur; cur=cur->next)
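Review bot: commenting out `ref_counter = 0;` changes how reference counts survive a reload from XML, but there is no explanation (presumably it relates to the #2420 merge/duplicate changes elsewhere in this commit). Delete the line and state the reason in a comment, or keep the reset; a commented-out statement without rationale tends to be restored by the next reader.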
@ -108,6 +108,7 @@ void FWObject::fromXML(xmlNodePtr root) throw(FWException)
{
/* Add w/o validation. Trust XML to do that */
add(o, false);
try
{
o->fromXML(cur);
@ -408,6 +409,7 @@ FWObject* FWObject::addCopyOf(const FWObject *x, bool preserve_id)
if(!o1)
throw FWException(string("Error creating object with type: ")+
x->getTypeName());
// This adds with validation
add(o1);
@ -1344,8 +1346,8 @@ bool FWObject::isReadOnly()
void FWObject::checkReadOnly() throw(FWException)
{
if (isReadOnly()) throw FWException(
string("Attempt to modify read-only object ")+getName());
if (isReadOnly() && ! getRoot()->getIgnoreReadOnlyFlag())
throw FWException(string("Attempt to modify read-only object ")+getName());
}
FWObjectTypedChildIterator::FWObjectTypedChildIterator(
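Review bot: checkReadOnly() now calls `getRoot()->getIgnoreReadOnlyFlag()` whenever the object is read-only; for an object that is not (yet) attached to a database getRoot() can be NULL and this dereferences it. Guard with `getRoot() != NULL &&`. Note also that this turns the read-only protection into something any caller can switch off database-wide, so the flag must never be left set (see the merge() and duplicate() changes in this commit).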

View File

@ -40,6 +40,7 @@
#include <fwbuilder/FWObject.h>
#include <fwbuilder/FWObjectDatabase.h>
#include <fwbuilder/AttachedNetworks.h>
#include <fwbuilder/Library.h>
#include <fwbuilder/Interval.h>
#include <fwbuilder/ICMPService.h>
@ -99,7 +100,9 @@ using namespace libfwbuilder;
int id_seed = 1000;
#ifdef _WIN32
static int cached_pid = _getpid();
# ifndef __GNUC__
#define snprintf sprintf_s
# endif
#else
static int cached_pid = getpid();
#endif
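Review bot: restricting the `snprintf` -> `sprintf_s` macro to non-GNUC Windows builds is right, but the two are not equivalent: snprintf truncates and returns the length that would have been written, whereas sprintf_s with a too-small buffer invokes the invalid-parameter handler (which terminates by default) and returns -1. Any caller relying on truncation needs `_snprintf_s(buf, size, _TRUNCATE, fmt, ...)` instead.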
@ -122,6 +125,7 @@ FWObjectDatabase::FWObjectDatabase() : FWObject(false), data_file(), obj_index()
index_hits = index_misses = 0;
init_id_dict();
predictable_id_tracker = 0;
ignore_read_only = false;
searchId =0;
lastModified = 0;
@ -141,6 +145,7 @@ FWObjectDatabase::FWObjectDatabase(FWObjectDatabase& d) :
index_hits = index_misses = 0;
init_id_dict();
predictable_id_tracker = 0;
ignore_read_only = false;
data_file = d.data_file;

View File

@ -56,6 +56,7 @@ namespace libfwbuilder
// forward declarations for specialized create() methods
class AddressRange;
class AddressTable;
class AttachedNetworks;
class Cluster;
class StateSyncClusterGroup;
class FailoverClusterGroup;
@ -123,6 +124,7 @@ namespace libfwbuilder
DECLARE_CREATE_OBJ_METHOD(AddressRange);
DECLARE_CREATE_OBJ_METHOD(AddressTable);
DECLARE_CREATE_OBJ_METHOD(AttachedNetworks);
DECLARE_CREATE_OBJ_METHOD(Cluster);
DECLARE_CREATE_OBJ_METHOD(StateSyncClusterGroup);
DECLARE_CREATE_OBJ_METHOD(FailoverClusterGroup);
@ -249,7 +251,8 @@ protected:
std::map<int, FWObject*> obj_index;
int searchId;
int predictable_id_tracker;
bool ignore_read_only;
void init_create_methods_table();
void init_id_dict();
@ -330,6 +333,13 @@ public:
*/
void getIndexStats(int &index_size, int &hit_counter, int &miss_counter);
/**
* Some operations, such as object tree merging, should ignore
* read-only flag on individual objects.
*/
bool getIgnoreReadOnlyFlag() { return ignore_read_only; }
void setIgnoreReadOnlyFlag(bool f) { ignore_read_only = f; }
// --- XML import/export ---
virtual void fromXML(xmlNodePtr xml_parent_node) throw(FWException);
@ -378,7 +388,15 @@ public:
void findObjectsInGroup(
libfwbuilder::Group *g,
std::set<libfwbuilder::FWObject *> &resset);
/**
* We ignore read-only flag on individual objects when whole object
* tree is duplicated
*/
virtual FWObject& duplicate(const FWObject *obj,
bool preserve_id = true) throw(FWException);
void recursivelyRemoveObjFromTree(FWObject* obj, bool remove_ref=false);
/**
@ -398,7 +416,6 @@ public:
* This means returned object can be a parent for the copy of <source>.
*/
FWObject* reproduceRelativePath(FWObject *lib, const FWObject *source);
/**
* fix references in children of obj according to the map_ids which
@ -474,6 +491,7 @@ public:
DECLARE_CREATE_OBJ_CLASS_METHOD(AddressRange);
DECLARE_CREATE_OBJ_CLASS_METHOD(AddressTable);
DECLARE_CREATE_OBJ_CLASS_METHOD(AttachedNetworks);
DECLARE_CREATE_OBJ_CLASS_METHOD(Cluster);
DECLARE_CREATE_OBJ_CLASS_METHOD(StateSyncClusterGroup);
DECLARE_CREATE_OBJ_CLASS_METHOD(FailoverClusterGroup);

View File

@ -54,6 +54,7 @@
#include <fwbuilder/StateSyncClusterGroup.h>
#include <fwbuilder/FailoverClusterGroup.h>
#include <fwbuilder/AttachedNetworks.h>
#include <fwbuilder/Group.h>
#include <fwbuilder/Host.h>
#include <fwbuilder/ICMP6Service.h>
@ -127,6 +128,8 @@ void FWObjectDatabase::init_create_methods_table()
registerObjectType("AddressTable",
&create_AddressTable);
registerObjectType("AttachedNetworks",
&create_AttachedNetworks);
registerObjectType("Cluster",
&create_Cluster);
registerObjectType("StateSyncClusterGroup",
@ -302,6 +305,7 @@ FWObject *FWObjectDatabase::create(const string &type_name, int id, bool init)
}
FWObject *nobj = (*fn)(id);
addToIndex(nobj);
if (init) nobj->init(this);
return nobj;
@ -331,6 +335,7 @@ FWObject *FWObjectDatabase::createFromXML(xmlNodePtr data)
CREATE_OBJ_METHOD(AddressRange);
CREATE_OBJ_METHOD(AddressTable);
CREATE_OBJ_METHOD(AttachedNetworks);
CREATE_OBJ_METHOD(Cluster);
CREATE_OBJ_METHOD(StateSyncClusterGroup);
CREATE_OBJ_METHOD(FailoverClusterGroup);

View File

@ -48,9 +48,6 @@
using namespace std;
using namespace libfwbuilder;
#ifdef _WIN32
#define snprintf sprintf_s
#endif
class FWObjectTreeScanner {
@ -222,9 +219,10 @@ void FWObjectTreeScanner::scanAndAdd(FWObject *dst,FWObject *source)
}
}
}
}
//#define DEBUG_MERGE 1
// #define DEBUG_MERGE 1
void FWObjectTreeScanner::merge(FWObject *dst, FWObject *src)
{
@ -293,7 +291,7 @@ void FWObjectTreeScanner::merge(FWObject *dst, FWObject *src)
if (dobj==NULL)
{
sobj = *i;
FWObject *o1=treeRoot->create( sobj->getTypeName());
FWObject *o1 = treeRoot->create( sobj->getTypeName());
FWObject *pdst = dstMap[ src->getId() ];
assert(pdst!=NULL);
@ -313,6 +311,7 @@ void FWObjectTreeScanner::merge(FWObject *dst, FWObject *src)
o1->duplicate( sobj, false); // copy IDs as well
#ifdef DEBUG_MERGE
cerr << "duplicate #1 done" << endl;
#endif
@ -477,10 +476,12 @@ void FWObjectDatabase::merge( FWObjectDatabase *ndb,
ConflictResolutionPredicate *crp)
{
busy = true;
setIgnoreReadOnlyFlag(true);
FWObjectTreeScanner scanner(this, crp);
scanner.merge(NULL, ndb);
setIgnoreReadOnlyFlag(false);
busy = false;
}
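Review bot: setIgnoreReadOnlyFlag(true) is cleared only on the normal return path. If scanner.merge() throws FWException, the database is left with read-only checks disabled for the rest of the session (and `busy` stays true). Wrap the call in a try/catch that restores both, or introduce a small RAII guard whose destructor resets the flag.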
@ -699,3 +700,12 @@ FWObject* FWObjectDatabase::reproduceRelativePath(FWObject *lib,
return target;
}
FWObject& FWObjectDatabase::duplicate(const FWObject *obj,
bool preserve_id) throw(FWException)
{
setIgnoreReadOnlyFlag(true);
FWObject &o = FWObject::duplicate(obj, preserve_id);
setIgnoreReadOnlyFlag(false);
return o;
}
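Review bot: same exception-safety problem as merge(): FWObject::duplicate() is declared throw(FWException), so a throw here leaves ignore_read_only set permanently. An RAII guard would fix both call sites with one helper.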

View File

@ -227,52 +227,16 @@ void Firewall::duplicateInterfaces(FWObject *target, const FWObject *source,
for (FWObjectTypedChildIterator m = source->findByType(Interface::TYPENAME);
m!=m.end(); ++m )
{
FWObject *src_interface = *m;
FWObject *dst_interface_copy = target->addCopyOf(src_interface, preserve_id);
FWObject *src_interface = *m;
FWObject *dst_interface_copy =
target->addCopyOf(src_interface, preserve_id);
id_mapping[src_interface->getId()] = dst_interface_copy->getId();
dst_interface_copy->destroyChildren();
for (FWObjectTypedChildIterator k=src_interface->findByType(IPv4::TYPENAME);
k!=k.end(); ++k )
{
FWObject *src_obj = *k;
FWObject *dst_obj_copy= dst_interface_copy->addCopyOf(src_obj,preserve_id);
if (src_obj!=NULL && dst_obj_copy!=NULL)
id_mapping[src_obj->getId()] = dst_obj_copy->getId();
}
for (FWObjectTypedChildIterator k=src_interface->findByType(IPv6::TYPENAME);
k!=k.end(); ++k )
{
FWObject *src_obj = *k;
FWObject *dst_obj_copy= dst_interface_copy->addCopyOf(src_obj,preserve_id);
if (src_obj!=NULL && dst_obj_copy!=NULL)
id_mapping[src_obj->getId()] = dst_obj_copy->getId();
}
for (FWObjectTypedChildIterator k = src_interface->findByType(physAddress::TYPENAME);
k!=k.end(); ++k )
{
FWObject *src_obj = *k;
FWObject *dst_obj_copy= dst_interface_copy->addCopyOf(src_obj,preserve_id);
if (src_obj!=NULL && dst_obj_copy!=NULL)
id_mapping[src_obj->getId()] = dst_obj_copy->getId();
}
for (FWObjectTypedChildIterator k = src_interface->findByType(InterfaceOptions::TYPENAME);
k!=k.end(); ++k )
{
FWObject *src_obj = *k;
FWObject *dst_obj_copy= dst_interface_copy->addCopyOf(src_obj,preserve_id);
if (src_obj!=NULL && dst_obj_copy!=NULL)
id_mapping[src_obj->getId()] = dst_obj_copy->getId();
}
Interface::cast(dst_interface_copy)->duplicateWithIdMapping(
src_interface, id_mapping, preserve_id);
#if 0
if (Firewall::cast(target))
{
/*
@ -288,7 +252,8 @@ void Firewall::duplicateInterfaces(FWObject *target, const FWObject *source,
k!=k.end(); ++k )
{
FWObject *src_subinterface = *k;
FWObject *dst_subinterface_copy = dst_interface_copy->addCopyOf(src_subinterface, preserve_id);
FWObject *dst_subinterface_copy =
dst_interface_copy->addCopyOf(src_subinterface, preserve_id);
if (src_subinterface!=NULL && dst_subinterface_copy!=NULL)
id_mapping[src_subinterface->getId()] = dst_subinterface_copy->getId();
@ -297,6 +262,8 @@ void Firewall::duplicateInterfaces(FWObject *target, const FWObject *source,
duplicateInterfaces(dst_interface_copy, src_interface,
id_mapping, preserve_id);
}
#endif
}
}
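Review bot: the old code now under `#if 0` recursed with `duplicateInterfaces(dst_interface_copy, src_interface, id_mapping, preserve_id)`, so the ids of sub-interface children (addresses, physAddress) were recorded in id_mapping. Interface::duplicateWithIdMapping records only the ids of an interface's direct children; addCopyOf copies the grandchildren but does not map them. If rules can reference a sub-interface's address, the reference-fixing pass will miss those ids; either recurse into Interface children or add a comment explaining why nested ids never need remapping, and then delete the `#if 0` block rather than leaving it in.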

View File

@ -6,9 +6,6 @@
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
@ -34,6 +31,7 @@
#include <fwbuilder/XMLTools.h>
#include <fwbuilder/IPv4.h>
#include <fwbuilder/IPv6.h>
#include <fwbuilder/AttachedNetworks.h>
#include <fwbuilder/FWObjectDatabase.h>
#include <fwbuilder/Resources.h>
@ -118,6 +116,28 @@ FWObject& Interface::duplicate(const FWObject *x, bool preserve_id)
return *this;
}
void Interface::duplicateWithIdMapping(const FWObject *src,
map<int,int> &id_mapping, bool preserve_id)
{
assert(src->getTypeName() == Interface::TYPENAME);
checkReadOnly();
shallowDuplicate(src, preserve_id);
destroyChildren();
for(list<FWObject*>::const_iterator m=src->begin(); m!=src->end(); ++m)
{
FWObject *src_obj = *m;
FWObject *dst_obj_copy = addCopyOf(src_obj, preserve_id);
if (src_obj!=NULL && dst_obj_copy!=NULL)
id_mapping[src_obj->getId()] = dst_obj_copy->getId();
}
setDirty(true);
}
bool Interface::cmp(const FWObject *obj, bool recursive) throw(FWException)
{
const Interface *rx = Interface::constcast(obj);
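Review bot: `assert(src->getTypeName() == Interface::TYPENAME)` is the only type check and compiles away in release builds, after which a non-Interface src is silently shallow-duplicated into this Interface and the existing children are destroyed; throw FWException instead, in line with the `throw(FWException)` that the neighbouring cmp() declares. Note also that id_mapping only records the direct children of src: if addCopyOf() copies recursively, objects nested below those children (for example children of sub-interfaces, which the now-disabled recursion in Firewall::duplicateInterfaces used to walk) get no old-to-new id entry. A short comment on the method saying that it replaces all existing children and which ids it records would help callers.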
@ -247,6 +267,9 @@ xmlNodePtr Interface::toXML(xmlNodePtr parent) throw(FWException)
o = getFirstByType(FailoverClusterGroup::TYPENAME);
if (o) o->toXML(me);
o = getFirstByType(AttachedNetworks::TYPENAME);
if (o) o->toXML(me);
return me;
}
@ -341,7 +364,8 @@ bool Interface::validateChild(FWObject *o)
otype==IPv6::TYPENAME ||
otype==physAddress::TYPENAME ||
otype==InterfaceOptions::TYPENAME ||
otype==FailoverClusterGroup::TYPENAME);
otype==FailoverClusterGroup::TYPENAME ||
otype==AttachedNetworks::TYPENAME);
}
/*
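Review bot: validateChild() now accepts AttachedNetworks children, but nothing in the library limits an Interface to one of them; the only guard is the GUI context menu later in this commit, which offers the item only while `getFirstByType(AttachedNetworks::TYPENAME)` returns NULL. A data file carrying two such objects under one interface would load without complaint, so consider rejecting a second AttachedNetworks child here (or in the add path) instead of relying on the menu alone.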

View File

@ -195,13 +195,15 @@ public:
virtual FWObject& shallowDuplicate(const FWObject *obj,
bool preserve_id = true)
throw(FWException);
bool preserve_id = true) throw(FWException);
virtual FWObject& duplicate(const FWObject *obj,
bool preserve_id = true)
throw(FWException);
bool preserve_id = true) throw(FWException);
virtual bool cmp(const FWObject *obj, bool recursive=false) throw(FWException);
void duplicateWithIdMapping(const FWObject *src,
std::map<int,int> &id_mapping, bool preserve_id);
const std::string &getLabel() const;
void setLabel(const std::string& n);
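Review bot: the new `duplicateWithIdMapping` declaration has no exception specification although it calls shallowDuplicate(), which is declared `throw(FWException)` a few lines above, and it has no comment saying that it destroys the existing children and that `id_mapping` is an out-parameter that is filled, not read. Document both so the call site in Firewall::duplicateInterfaces is understandable without reading the implementation.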

View File

@ -54,8 +54,14 @@ class MultiAddress : public ObjectGroup
virtual void setSourceName(const std::string& source_name);
virtual void loadFromSource(bool ipv6, bool test_mode=false) throw(FWException);
bool isCompileTime() const;
bool isRunTime() const;
/*
* functions isCompileTime() and isRunTime() are virtual because
* some multi-address objects allow the user to set these flags,
* while other object types behave as run-time or compile-time
* depending on attributes of other objects (e.g. AttachedNetworks)
*/
virtual bool isCompileTime() const;
virtual bool isRunTime() const;
void setCompileTime(const bool b);
void setRunTime(const bool b);
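Review bot: isCompileTime()/isRunTime() become virtual while setCompileTime()/setRunTime() stay non-virtual, so for a subclass that derives the mode from other objects (the AttachedNetworks case the new comment names) the setters still write state that the overridden getters ignore. Either make the setters virtual as well or state in the comment that they have no effect for such subclasses.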

View File

@ -36,11 +36,6 @@
#include <fwbuilder/ServiceGroup.h>
#include <fwbuilder/IntervalGroup.h>
#ifdef _WIN32
// disable "warning C4250: 'libfwbuilder::RuleElementTDst' : inherits 'libfwbuilder::RuleElement::addRef' via dominance"
# pragma warning(disable:4250)
#endif
namespace libfwbuilder
{

View File

@ -33,9 +33,6 @@
using namespace libfwbuilder;
using namespace std;
#ifdef _WIN32
#define snprintf sprintf_s
#endif
const char *TCPUDPService::TYPENAME={"TCPUDPService"};

View File

@ -40,8 +40,7 @@
# include <arpa/nameser.h>
# include <unistd.h>
#else
# include <winsock2.h>
# pragma warning(disable:4101)
# include <windows.h>
#endif
#include <pthread.h>

View File

@ -6,7 +6,7 @@ TEMPLATE = lib
CONFIG += staticlib
#
SOURCES = InetAddr.cpp \
SOURCES = InetAddr.cpp \
InetAddrMask.cpp \
Inet6AddrMask.cpp \
IPRoute.cpp \
@ -50,10 +50,11 @@ SOURCES = InetAddr.cpp \
NAT.cpp \
Network.cpp \
NetworkIPv6.cpp \
AttachbedNetworks.cpp \
ObjectGroup.cpp \
physAddress.cpp \
DNSName.cpp\
AddressTable.cpp\
DNSName.cpp\
AddressTable.cpp\
Policy.cpp \
Resources.cpp \
Routing.cpp \
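Review bot: `AttachbedNetworks.cpp` in the SOURCES list is misspelled; the HEADERS hunk below adds `AttachedNetworks.h` and every include elsewhere in this commit uses `fwbuilder/AttachedNetworks.h`, so qmake will look for a file that does not exist and the library will fail to build. Correct it to `AttachedNetworks.cpp`. The remaining lines in this hunk (for example the two `DNSName.cpp\` entries) differ only in whitespace.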
@ -70,7 +71,7 @@ SOURCES = InetAddr.cpp \
TCPUDPService.cpp \
UDPService.cpp \
UserService.cpp \
TagService.cpp \
TagService.cpp \
XMLTools.cpp \
ObjectMatcher.cpp \
ObjectMirror.cpp \
@ -78,7 +79,7 @@ SOURCES = InetAddr.cpp \
inet_net_pton.c \
uint128.cpp
HEADERS = inet_net.h \
HEADERS = inet_net.h \
uint128.h \
InetAddr.h \
InetAddrMask.h \
@ -124,10 +125,11 @@ HEADERS = inet_net.h \
NAT.h \
Network.h \
NetworkIPv6.h \
AttachedNetworks.h \
ObjectGroup.h \
physAddress.h \
DNSName.h\
AddressTable.h\
DNSName.h\
AddressTable.h\
Policy.h \
Pool.h \
Resources.h \
@ -146,7 +148,7 @@ HEADERS = inet_net.h \
TCPUDPService.h \
UDPService.h \
UserService.h \
TagService.h \
TagService.h \
ObjectMatcher.h \
ObjectMirror.h \
XMLTools.h

View File

@ -36,6 +36,9 @@
#include <stdio.h>
#define __STDC_FORMAT_MACROS
#include <inttypes.h> // for sprintf formats for "long long"
// convinience macro
#define U128_C(s) uint128(#s)
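Review bot: `#define __STDC_FORMAT_MACROS` must come before the first inclusion of <inttypes.h> in the translation unit, not merely before the one on the next line; <stdio.h> just above it, or any header included before uint128.h, may already have pulled inttypes.h in, in which case PRIX64 stays undefined and the sprintf calls in the next hunk do not compile. Move the define ahead of all includes or set it in the build flags. Also, `convinience` in the new comment should read `convenience`.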
@ -463,9 +466,9 @@ public:
{
char buf[33];
if (hi)
sprintf(buf,"%llX%08llX",(unsigned long long)hi,(unsigned long long)lo);
sprintf(buf, "%"PRIX64"%08"PRIX64, (unsigned long long)hi,(unsigned long long)lo);
else
sprintf(buf,"%llX",(unsigned long long)lo);
sprintf(buf,"%"PRIX64,(unsigned long long)lo);
return buf;
}
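Review bot: `"%"PRIX64"%08"PRIX64` pairs a 64-bit format macro with arguments cast to `unsigned long long`; on LP64 platforms where uint64_t is `unsigned long`, PRIX64 expands to `lX` and the cast no longer matches the conversion (a -Wformat warning at best). Cast to uint64_t instead. A space is also needed between each string literal and the macro (`"%" PRIX64`), because C++11 parses `"%"PRIX64` as a user-defined literal suffix. buf[33] is exactly large enough for two 16-digit halves plus the terminator; `snprintf(buf, sizeof buf, ...)` would make that safe by construction rather than by arithmetic.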

View File

@ -6,8 +6,6 @@
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
@ -1117,6 +1115,7 @@ bool Compiler::emptyGroupsInRE::processNext()
for (FWObject::iterator i=re->begin(); i!=re->end(); i++)
{
FWObject *o = FWReference::getObject(*i);
if ( MultiAddress::cast(o)!=NULL && MultiAddress::cast(o)->isRunTime())
continue;
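Review bot: `MultiAddress::cast(o)` is evaluated twice on the added line; store it once (`MultiAddress *ma = MultiAddress::cast(o); if (ma && ma->isRunTime()) continue;`). Skipping run-time objects here is consistent with their being resolved on the firewall rather than at compile time, so the empty-group check cannot say anything about them.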

View File

@ -0,0 +1,167 @@
/*
Firewall Builder
Copyright (C) 201 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "../../config.h"
#include "global.h"
#include "utils.h"
#include "FWBTree.h"
#include "AttachedNetworksDialog.h"
#include "ProjectPanel.h"
#include "FWBSettings.h"
#include "FWCmdChange.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/AttachedNetworks.h"
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/IPv6.h"
#include "fwbuilder/FWException.h"
#include "fwbuilder/Inet6AddrMask.h"
#include <memory>
#include <qlineedit.h>
#include <qspinbox.h>
#include <qcheckbox.h>
#include <qtextedit.h>
#include <qcombobox.h>
#include <qmessagebox.h>
#include <qpushbutton.h>
#include <QUndoStack>
#include <QtDebug>
#include <QApplication>
using namespace std;
using namespace libfwbuilder;
AttachedNetworksDialog::AttachedNetworksDialog(QWidget *parent) : BaseObjectDialog(parent)
{
m_dialog = new Ui::AttachedNetworksDialog_q;
m_dialog->setupUi(this);
obj=NULL;
}
AttachedNetworksDialog::~AttachedNetworksDialog() { delete m_dialog; }
void AttachedNetworksDialog::getHelpName(QString *str)
{
*str = "AttachedNetworksDialog";
}
void AttachedNetworksDialog::loadFWObject(FWObject *o)
{
obj=o;
AttachedNetworks *s = dynamic_cast<AttachedNetworks*>(obj);
assert(s!=NULL);
init=true;
m_dialog->obj_name->setText( QString::fromUtf8(s->getName().c_str()) );
m_dialog->comment->setText( QString::fromUtf8(s->getComment().c_str()) );
m_dialog->obj_name->setEnabled(!o->isReadOnly());
setDisabledPalette(m_dialog->obj_name);
m_dialog->addresses->setEnabled(false); // always read-only
setDisabledPalette(m_dialog->addresses);
m_dialog->comment->setReadOnly(o->isReadOnly());
setDisabledPalette(m_dialog->comment);
Interface *parent_intf = Interface::cast(obj->getParent());
assert(parent_intf);
m_dialog->addresses->clear();
FWObjectTypedChildIterator k = parent_intf->findByType(IPv4::TYPENAME);
for ( ; k!=k.end(); ++k)
{
Address *addr = Address::cast(*k);
addAddressToList(addr->getNetworkAddressPtr(), addr->getNetmaskPtr());
}
k = parent_intf->findByType(IPv6::TYPENAME);
for ( ; k!=k.end(); ++k)
{
Address *addr = Address::cast(*k);
addAddressToList(addr->getNetworkAddressPtr(), addr->getNetmaskPtr());
}
init=false;
}
void AttachedNetworksDialog::addAddressToList(const InetAddr *ip_addr,
const InetAddr *ip_netm)
{
QString name("%1/%2");
if (ip_addr->isV6())
{
m_dialog->addresses->addItem(
name.arg(ip_addr->toString().c_str()).arg(ip_netm->getLength()));
} else
{
m_dialog->addresses->addItem(
name.arg(ip_addr->toString().c_str()).arg(ip_netm->toString().c_str()));
}
}
void AttachedNetworksDialog::validate(bool *result)
{
if (fwbdebug) qDebug() << "AttachedNetworksDialog::validate";
*result = true;
AttachedNetworks *s = dynamic_cast<AttachedNetworks*>(obj);
assert(s!=NULL);
if (!validateName(this, obj, m_dialog->obj_name->text()))
{
*result = false;
}
}
void AttachedNetworksDialog::applyChanges()
{
std::auto_ptr<FWCmdChange> cmd( new FWCmdChange(m_project, obj));
FWObject* new_state = cmd->getNewState();
AttachedNetworks *s = dynamic_cast<AttachedNetworks*>(new_state);
assert(s!=NULL);
string oldname = obj->getName();
new_state->setName(string(m_dialog->obj_name->text().toUtf8().constData()));
new_state->setComment(string(
m_dialog->comment->toPlainText().toUtf8().constData()));
if (!cmd->getOldState()->cmp(new_state, true))
{
if (fwbdebug)
qDebug() << "Pushing FWCmdChange to undo stack";
if (obj->isReadOnly()) return;
m_project->undoStack->push(cmd.release());
}
}
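Review bot: `assert(parent_intf)` in loadFWObject() is the only guard before `parent_intf->findByType(...)`; in a release build an AttachedNetworks object that is not directly under an Interface dereferences NULL. Return early (leaving the list empty) when the cast fails. Smaller points in the same file: the copyright year reads `201`; the `s` variables in validate() and applyChanges() and `oldname` in applyChanges() are assigned but never used; the `if (obj->isReadOnly()) return;` check in applyChanges() sits inside the cmp branch after the command has already been built, so move it to the top of the method; and most of the Qt widget includes (qspinbox, qcheckbox, qcombobox, qmessagebox, qpushbutton) are not used by this file.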

View File

@ -0,0 +1,65 @@
/*
Firewall Builder
Copyright (C) 2011 NetCitadel, LLC
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#ifndef __ATTACHEDNETWORKSDIALOG_H_
#define __ATTACHEDNETWORKSDIALOG_H_
#include "../../config.h"
#include <ui_attachednetworksdialog_q.h>
#include "BaseObjectDialog.h"
#include <QWidget>
#include "fwbuilder/FWObject.h"
class ProjectPanel;
namespace libfwbuilder
{
class InetAddr;
};
class AttachedNetworksDialog : public BaseObjectDialog
{
Q_OBJECT;
Ui::AttachedNetworksDialog_q *m_dialog;
void addAddressToList(const libfwbuilder::InetAddr *ip_addr,
const libfwbuilder::InetAddr *ip_netm);
public:
AttachedNetworksDialog(QWidget *parent);
~AttachedNetworksDialog();
public slots:
virtual void applyChanges();
virtual void loadFWObject(libfwbuilder::FWObject *obj);
virtual void validate(bool*);
virtual void getHelpName(QString*);
};
#endif // ATTACHEDNETWORKSDIALOG_H
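Review bot: the include guard opens with `__ATTACHEDNETWORKSDIALOG_H_` but the closing comment says `ATTACHEDNETWORKSDIALOG_H`; use one name, and drop the leading double underscore, which is reserved for the implementation. The `};` closing the libfwbuilder namespace block carries a stray semicolon.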

View File

@ -40,6 +40,7 @@
#include "PhysicalAddressDialog.h"
#include "DNSNameDialog.h"
#include "AddressTableDialog.h"
#include "AttachedNetworksDialog.h"
#include "NetworkDialog.h"
#include "NetworkDialogIPv6.h"
#include "UserDialog.h"
@ -98,6 +99,7 @@
#include "openaisOptionsDialog.h"
#include "pfsyncOptionsDialog.h"
#include "fwbuilder/AttachedNetworks.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/Cluster.h"
@ -172,6 +174,8 @@ BaseObjectDialog *DialogFactory::createDialog(QWidget *parent, const QString &ob
if (objType==Interface::TYPENAME) return new InterfaceDialog(parent);
if (objType==AttachedNetworks::TYPENAME) return new AttachedNetworksDialog(parent);
if (objType==Network::TYPENAME) return new NetworkDialog(parent);
if (objType==NetworkIPv6::TYPENAME) return new NetworkDialogIPv6(parent);

View File

@ -30,9 +30,14 @@
#include "FWBApplication.h"
#include "FWWindow.h"
#include "fwbuilder/FWException.h"
#include <QtDebug>
#include <QTimer>
using namespace libfwbuilder;
using namespace std;
void FWBApplication::quit()
{
@ -63,3 +68,25 @@ void FWBApplication::delayedQuit()
QApplication::quit();
}
bool FWBApplication::notify(QObject *receiver, QEvent *event)
{
try
{
return QApplication::notify(receiver, event);
} catch (const libfwbuilder::FWException &ex)
{
cerr << "Caught FWException: " << ex.toString() << std::endl;
QCoreApplication::exit(1);
} catch (const std::string &s) {
cerr << s << std::endl;
QCoreApplication::exit(1);
} catch (const std::exception &ex) {
cerr << ex.what() << std::endl;
QCoreApplication::exit(1);
}
catch (...) {
cerr << "Caught unsupported exception" << std::endl;
QCoreApplication::exit(1);
}
return false;
}
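Review bot: each catch block calls `QCoreApplication::exit(1)` and then falls through to `return false`; exit() only asks the running event loop to stop, so the current event is reported as unhandled and events already queued may still be delivered before the loop winds down. The diagnostics go only to cerr, which a GUI user never sees, and terminating on any FWException raised while delivering an event discards unsaved work; consider reporting the error through the GUI and giving the user a chance to save before quitting. Minor: the code mixes `cerr` (through `using namespace std`) with an explicit `std::endl`.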

View File

@ -29,7 +29,8 @@
#include <QApplication>
class FWBApplication : public QApplication {
class FWBApplication : public QApplication
{
Q_OBJECT;
int timeout;
@ -37,6 +38,8 @@ class FWBApplication : public QApplication {
public:
FWBApplication(int &argc, char **argv) : QApplication(argc, argv) {}
virtual bool notify(QObject *receiver, QEvent *event);
public slots:
void quit();

View File

@ -683,6 +683,13 @@
</item>
</layout>
</widget>
<widget class="QWidget" name="page_38">
<layout class="QGridLayout" name="gridLayout_45">
<item row="0" column="0">
<widget class="AttachedNetworksDialog" name="w_AttachedNetworksDialog" native="true"/>
</item>
</layout>
</widget>
<widget class="QWidget" name="page_37">
<layout class="QGridLayout" name="gridLayout_42">
<property name="margin">
@ -1591,6 +1598,12 @@
<header>BlankDialog.h</header>
<container>1</container>
</customwidget>
<customwidget>
<class>AttachedNetworksDialog</class>
<extends>QWidget</extends>
<header>AttachedNetworksDialog.h</header>
<container>1</container>
</customwidget>
</customwidgets>
<resources>
<include location="MainRes.qrc"/>

View File

@ -6,8 +6,6 @@
Author: Vadim Kurland vadim@fwbuilder.org
$Id$
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
of that license as published by the Free Software Foundation; either
@ -53,6 +51,7 @@
#include "fwbuilder/IntervalGroup.h"
#include "fwbuilder/Library.h"
#include "fwbuilder/NAT.h"
#include "fwbuilder/AttachedNetworks.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/NetworkIPv6.h"
#include "fwbuilder/ObjectGroup.h"
@ -606,6 +605,7 @@ QString FWBTree::getTranslatableObjectTypeName(const QString &type_name)
if (type_name == Cluster::TYPENAME) return QObject::tr("Cluster");
if (type_name == Host::TYPENAME) return QObject::tr("Host");
if (type_name == Interface::TYPENAME) return QObject::tr("Interface");
if (type_name == AttachedNetworks::TYPENAME) return QObject::tr("Attached Networks");
if (type_name == Network::TYPENAME) return QObject::tr("Network");
if (type_name == NetworkIPv6::TYPENAME) return QObject::tr("Network IPv6");
if (type_name == IPv4::TYPENAME) return QObject::tr("Address");
@ -643,6 +643,7 @@ QString FWBTree::getTranslatableNewObjectMenuText(const QString &type_name)
if (type_name == Cluster::TYPENAME) return QObject::tr("New Cluster");
if (type_name == Host::TYPENAME) return QObject::tr("New Host");
if (type_name == Interface::TYPENAME) return QObject::tr("New Interface");
if (type_name == AttachedNetworks::TYPENAME) return QObject::tr("New Attached Networks Object");
if (type_name == Network::TYPENAME) return QObject::tr("New Network");
if (type_name == NetworkIPv6::TYPENAME) return QObject::tr("New Network IPv6");
if (type_name == IPv4::TYPENAME) return QObject::tr("New Address");

View File

@ -366,7 +366,7 @@ FWCmdRuleRenameGroup::FWCmdRuleRenameGroup(
ProjectPanel *project, RuleSet* ruleset, QString oldName, QString newName) :
FWCmdRule(project, ruleset), oldName(oldName), newName(newName)
{
setText(QObject::tr("negate rule element"));
setText(QObject::tr("Rename group of rules"));
}
void FWCmdRuleRenameGroup::redoOnModel(RuleSetModel *md)
@ -519,7 +519,6 @@ void FWCmdRuleChange::redo()
prepareRuleSetView();
FWCmdChange::redo();
selectAffectedRule();
}
void FWCmdRuleChange::undo()
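Review bot: notify() is removed from FWCmdRuleChange::redo() while FWCmdRuleChange::undo() lies outside the hunk; confirm that undo() and redo() stay symmetric, and check any other command classes that relied on the base redo() calling notify(), since the two FWCmdRuleNegateRE hunks below now add it explicitly.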
@ -682,6 +681,7 @@ void FWCmdRuleNegateRE::redo()
md->rowChanged(md->index(getRule(), 0));
selectAffectedRule();
notify();
}
void FWCmdRuleNegateRE::undo()
@ -695,5 +695,6 @@ void FWCmdRuleNegateRE::undo()
md->rowChanged(md->index(getRule(), 0));
selectAffectedRule();
notify();
}

View File

@ -28,15 +28,15 @@
#include "utils.h"
#include "utils_no_qt.h"
#include "compiler_lib/CompilerDriver.h"
#include "FirewallInstaller.h"
#include "instDialog.h"
#include "CompilerDriver.h"
#include "Configlet.h"
#include "FWBSettings.h"
#include "FWWindow.h"
#include "FirewallInstaller.h"
#include "SSHSession.h"
#include "SSHUnx.h"
#include "Configlet.h"
#include "UserWorkflow.h"
#include "instDialog.h"
#include "fwbuilder/Resources.h"
#include "fwbuilder/FWObjectDatabase.h"
@ -193,7 +193,6 @@ not root.
*/
#include "CompilerDriver.h"
bool FirewallInstaller::readManifest(const QString &script,
QMap<QString, QString> *all_files)

View File

@ -28,6 +28,12 @@
<file alias="Icons/AddressTable/icon-neg-tree" >Icons/addresstable-neg_16.png</file>
<file alias="Icons/AddressTable/icon-ref" >Icons/addresstable-ref_25.png</file>
<file alias="Icons/AddressTable/icon-tree" >Icons/addresstable_16.png</file>
<file alias="Icons/AttachedNetworks/icon" >Icons/network_25.png</file>
<file alias="Icons/AttachedNetworks/icon-big" >Icons/network_64.png</file>
<file alias="Icons/AttachedNetworks/icon-neg" >Icons/network-neg_25.png</file>
<file alias="Icons/AttachedNetworks/icon-neg-tree" >Icons/network-neg_16.png</file>
<file alias="Icons/AttachedNetworks/icon-ref" >Icons/network-ref_25.png</file>
<file alias="Icons/AttachedNetworks/icon-tree" >Icons/network_16.png</file>
<file alias="Icons/Blank/icon" >Icons/blank.png</file>
<file alias="Icons/Blank/icon-big" >Icons/blank.png</file>
<file alias="Icons/Both/icon" >Icons/both_25.png</file>
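Review bot: all six AttachedNetworks icon aliases point at the existing Network images, so AttachedNetworks and Network objects are indistinguishable by icon in the tree and in rule elements; if reuse is a placeholder, say so in a comment, otherwise the new type needs its own icons.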

View File

@ -63,6 +63,7 @@
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Host.h"
#include "fwbuilder/AttachedNetworks.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/NetworkIPv6.h"
#include "fwbuilder/IPv4.h"
@ -140,6 +141,7 @@ ObjectEditor::ObjectEditor( QWidget *parent):
registerObjectDialog(editorStack, StateSyncClusterGroup::TYPENAME,
"w_StateSyncClusterGroupDialog");
registerObjectDialog(editorStack, Host::TYPENAME, "w_HostDialog");
registerObjectDialog(editorStack, AttachedNetworks::TYPENAME, "w_AttachedNetworksDialog");
registerObjectDialog(editorStack, Network::TYPENAME, "w_NetworkDialog");
registerObjectDialog(editorStack, NetworkIPv6::TYPENAME, "w_NetworkDialogIPv6");
registerObjectDialog(editorStack, CustomService::TYPENAME, "w_CustomServiceDialog");

View File

@ -52,6 +52,7 @@
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/AttachedNetworks.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/DNSName.h"
@ -524,6 +525,20 @@ void ObjectManipulator::contextMenuRequested(const QPoint &pos)
AddObjectActions.append(
addNewObjectMenuItem(popup_menu, physAddress::TYPENAME));
/*
* Add menu item to let user add AttachedNetworks object
* to an interface, but only if this object does not exist yet.
*
* Actions added to AddObjectActions are
* enabled and disabled all together based on the decision
* made in getMenuState() (argument newMenuItem). But we
* should always allow the user to add AttachedNetworks
* object to an interface.
*/
FWObject *att = currentObj->getFirstByType(AttachedNetworks::TYPENAME);
if (att == NULL)
addNewObjectMenuItem(popup_menu, AttachedNetworks::TYPENAME);
// Check if we should add menu item that creates failover
// group. if parent is a cluster, allow one vrrp type
@ -850,6 +865,16 @@ void ObjectManipulator::getMenuState(bool haveMoveTargets,
}
}
if (AttachedNetworks::isA(obj))
{
dupMenuItem = false;
moveMenuItem = false;
copyMenuItem = false;
pasteMenuItem = false;
newMenuItem = false;
continue;
}
copyMenuItem = copyMenuItem && FWBTree().getCopyMenuState(object_path);
pasteMenuItem = pasteMenuItem &&
FWBTree().getPasteMenuState(object_path) &&
@ -1224,8 +1249,12 @@ void ObjectManipulator::openLibForObject(FWObject *obj)
m_objectManipulator->libs->setCurrentIndex(
libs_model->getIdxForLib(obj->getLibrary()).row());
else
{
FWObject *parent = obj->getParent();
FWObject *lib = parent->getLibrary();
m_objectManipulator->libs->setCurrentIndex(
libs_model->getIdxForLib(obj->getParent()->getLibrary()).row());
libs_model->getIdxForLib(lib).row());
}
}
void ObjectManipulator::showObjectInTree(ObjectTreeViewItem *otvi)
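Review bot: the else branch dereferences the result of `obj->getParent()` without a NULL check; since this branch runs exactly when the `if` condition above the hunk is false, that is presumably when obj itself has no usable library, guard `parent` before calling getLibrary() so an object detached from the tree cannot crash the GUI here.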

View File

@ -172,6 +172,7 @@ class ObjectManipulator : public QWidget
libfwbuilder::FWObject* newPhysicalAddress(QUndoCommand* macro);
libfwbuilder::FWObject* newPolicyRuleSet (QUndoCommand* macro);
libfwbuilder::FWObject* newNATRuleSet (QUndoCommand* macro);
libfwbuilder::FWObject* newAttachedNetworks(QUndoCommand* macro);
public slots:

View File

@ -45,6 +45,7 @@
#include "fwbuilder/AddressRange.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/AttachedNetworks.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/CustomService.h"
#include "fwbuilder/DNSName.h"
@ -212,6 +213,7 @@ void ObjectManipulator::createNewObject()
if (type_name == Policy::TYPENAME) new_obj = newPolicyRuleSet(macro);
if (type_name == NAT::TYPENAME) new_obj = newNATRuleSet(macro);
//if (type_name == Routing::TYPENAME) new_obj = newRoutingRuleSet();
if (type_name == AttachedNetworks::TYPENAME) new_obj = newAttachedNetworks(macro);
if (new_obj == NULL) new_obj = createObject(type_name, descr, NULL, macro);
@ -504,6 +506,7 @@ FWObject* ObjectManipulator::newFirewall(QUndoCommand* macro)
FWCmdAddObject *cmd = new FWCmdAddObject(
m_project, parent, NULL, QObject::tr("Create new Firewall"), macro);
FWObject *new_state = cmd->getNewState();
parent->remove(nfw, false);
new_state->add(nfw);
}
@ -651,6 +654,30 @@ FWObject* ObjectManipulator::newFailoverClusterGroup(QUndoCommand* macro)
return o;
}
/*
* Creates new AttachedNetworks object; this method is called by
* context menu item associated with Interface object
*/
FWObject* ObjectManipulator::newAttachedNetworks(QUndoCommand* macro)
{
FWObject *currentObj = getSelectedObject();
if ( currentObj->isReadOnly() ) return NULL;
if (Interface::isA(currentObj))
{
FWObject *no = createObject(currentObj, AttachedNetworks::TYPENAME,
tr("Attached Networks"), NULL, macro);
string name = Interface::cast(currentObj)->getParentHost()->getName() +
":" + currentObj->getName() + ":attached";
no->setName(name);
return no;
} else
{
qWarning("newAttachedNetworks: invalid currentObj");
return NULL;
}
}
FWObject* ObjectManipulator::newHost(QUndoCommand* macro)
{
FWObject *parent =
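Review bot: `no->setName(name)` is called without checking that createObject() returned non-NULL; the method already returns NULL for a read-only currentObj, so handle a NULL result from createObject() the same way. Also, the generated name `host:interface:attached` is computed once and is not refreshed when the host or interface is renamed, so it silently goes stale; either derive the displayed name at runtime or update it when the parent is renamed.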

View File

@ -48,6 +48,7 @@
#include "ProjectPanel.h"
#include "ConfirmDeleteObjectDialog.h"
#include "fwbuilder/AttachedNetworks.h"
#include "fwbuilder/Cluster.h"
#include "fwbuilder/FWObject.h"
#include "fwbuilder/IPv6.h"
@ -214,6 +215,12 @@ FWObject* ObjectManipulator::duplicateObject(FWObject *targetLib, FWObject *obj)
{
if (!isTreeReadWrite(this, targetLib)) return NULL;
// we disable copy/cut/paste/duplicate menu items for objects that
// can't be copied or duplicated in
// ObjectManipulator::getMenuState() but will check here just in
// case
if (AttachedNetworks::isA(obj)) return NULL;
openLib(targetLib);
FWObject *new_parent = FWBTree().getStandardSlotForObject(
targetLib, obj->getTypeName().c_str());
@ -295,6 +302,12 @@ FWObject* ObjectManipulator::actuallyPasteTo(FWObject *target,
if (!isObjectAllowed(ta, obj)) return NULL;
// we disable copy/cut/paste/duplicate menu items for objects that
// can't be copied or duplicated in
// ObjectManipulator::getMenuState() but will check here just in
// case
if (AttachedNetworks::isA(obj)) return NULL;
if (fwbdebug)
qDebug() << "ObjectManipulator::actuallyPasteTo"
<< "target=" << target->getPath().c_str()

View File

@ -99,6 +99,7 @@
#include "fwbuilder/StateSyncClusterGroup.h"
#include "fwbuilder/FailoverClusterGroup.h"
#include "fwbuilder/Host.h"
#include "fwbuilder/AttachedNetworks.h"
#include "fwbuilder/Network.h"
#include "fwbuilder/NetworkIPv6.h"
#include "fwbuilder/IPv4.h"
@ -306,6 +307,9 @@ void ObjectManipulator::insertSubtree(ObjectTreeViewItem *itm, FWObject *obj)
for (FWObjectTypedChildIterator it = obj->findByType(FailoverClusterGroup::TYPENAME);
it != it.end(); ++it) insertSubtree( nitm, *it );
for (FWObjectTypedChildIterator it = obj->findByType(AttachedNetworks::TYPENAME);
it != it.end(); ++it) insertSubtree( nitm, *it );
return;
}

View File

@ -1062,7 +1062,7 @@ bool ProjectPanel::loadFromRCS(RCS *_rcs)
}
mw->showStatusBarMessage(tr("Merging with system objects...") );
MergeConflictRes mcr(mainW);
objdb->merge(ndb, &mcr);

View File

@ -0,0 +1,246 @@
<?xml version="1.0" encoding="UTF-8"?>
<ui version="4.0">
<class>AttachedNetworksDialog_q</class>
<widget class="QWidget" name="AttachedNetworksDialog_q">
<property name="enabled">
<bool>true</bool>
</property>
<property name="geometry">
<rect>
<x>0</x>
<y>0</y>
<width>949</width>
<height>258</height>
</rect>
</property>
<property name="sizePolicy">
<sizepolicy hsizetype="Minimum" vsizetype="Minimum">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="windowTitle">
<string>Network</string>
</property>
<layout class="QGridLayout" name="gridLayout">
<item row="0" column="0">
<widget class="QFrame" name="frame7">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Expanding">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="frameShape">
<enum>QFrame::Box</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Sunken</enum>
</property>
<layout class="QGridLayout" name="gridLayout_3">
<item row="0" column="0" rowspan="2">
<widget class="QFrame" name="object_attributes">
<property name="sizePolicy">
<sizepolicy hsizetype="Fixed" vsizetype="Expanding">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>350</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>350</width>
<height>16777215</height>
</size>
</property>
<property name="frameShape">
<enum>QFrame::Box</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Sunken</enum>
</property>
<layout class="QGridLayout" name="gridLayout_4">
<item row="0" column="0">
<widget class="QLabel" name="textLabel1">
<property name="text">
<string>Name:</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="0" column="1">
<widget class="QLineEdit" name="obj_name">
<property name="sizePolicy">
<sizepolicy hsizetype="Preferred" vsizetype="Fixed">
<horstretch>200</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>0</width>
<height>0</height>
</size>
</property>
</widget>
</item>
<item row="1" column="1">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>5</height>
</size>
</property>
</spacer>
</item>
<item row="2" column="0" colspan="2">
<widget class="QLabel" name="label">
<property name="text">
<string>The list of addresses in this object is updated automatically and represents subnets attached to the parent interface.</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="3" column="1">
<spacer name="verticalSpacer">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>48</height>
</size>
</property>
</spacer>
</item>
</layout>
</widget>
</item>
<item row="0" column="1" rowspan="2">
<widget class="QFrame" name="frame">
<property name="frameShape">
<enum>QFrame::StyledPanel</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Raised</enum>
</property>
<layout class="QGridLayout" name="gridLayout_2">
<item row="0" column="0">
<widget class="QListWidget" name="addresses">
<property name="frameShape">
<enum>QFrame::NoFrame</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Plain</enum>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="0" column="2">
<widget class="QLabel" name="textLabel2">
<property name="text">
<string>Comment:</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="1" column="2">
<widget class="TextEditWidget" name="comment">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Expanding">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="minimumSize">
<size>
<width>200</width>
<height>0</height>
</size>
</property>
<property name="maximumSize">
<size>
<width>16777215</width>
<height>180</height>
</size>
</property>
<property name="tabChangesFocus">
<bool>true</bool>
</property>
</widget>
</item>
</layout>
</widget>
</item>
</layout>
</widget>
<customwidgets>
<customwidget>
<class>TextEditWidget</class>
<extends>QTextEdit</extends>
<header>TextEditWidget.h</header>
</customwidget>
</customwidgets>
<tabstops>
<tabstop>obj_name</tabstop>
<tabstop>comment</tabstop>
</tabstops>
<resources>
<include location="MainRes.qrc"/>
</resources>
<connections>
<connection>
<sender>obj_name</sender>
<signal>editingFinished()</signal>
<receiver>AttachedNetworksDialog_q</receiver>
<slot>changed()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
<connection>
<sender>comment</sender>
<signal>textChanged()</signal>
<receiver>AttachedNetworksDialog_q</receiver>
<slot>changed()</slot>
<hints>
<hint type="sourcelabel">
<x>20</x>
<y>20</y>
</hint>
<hint type="destinationlabel">
<x>20</x>
<y>20</y>
</hint>
</hints>
</connection>
</connections>
</ui>
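Review bot: the windowTitle is still `Network`, evidently carried over from the dialog this file was copied from; change it to match the object type (for example `Attached Networks`). The rest of the file (geometry, sizePolicy, layout names) is ordinary Designer output and fine as is.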

View File

@ -129,8 +129,6 @@ ipcopAdvancedDialog::ipcopAdvancedDialog(QWidget *parent,FWObject *o)
data.registerOption(m_dialog->emptyGroups, fwoptions,
"ignore_empty_groups");
data.registerOption(m_dialog->localNAT, fwoptions, "local_nat");
data.registerOption(m_dialog->makeTagClassifyTerminating,
fwoptions, "classify_mark_terminating");
slm=getActionsOnReject( platform.c_str());
m_dialog->actionOnReject->clear();
m_dialog->actionOnReject->addItems(getScreenNames(slm));

View File

@ -12,7 +12,7 @@
<rect>
<x>0</x>
<y>0</y>
<width>674</width>
<width>726</width>
<height>710</height>
</rect>
</property>
@ -250,13 +250,6 @@
</property>
</widget>
</item>
<item>
<widget class="QCheckBox" name="makeTagClassifyTerminating">
<property name="text">
<string>Make Tag and Classify actions terminating</string>
</property>
</widget>
</item>
<item>
<layout class="QHBoxLayout" name="horizontalLayout_3">
<item>
@ -1289,7 +1282,6 @@ with this address:</string>
<tabstop>shadowing</tabstop>
<tabstop>emptyGroups</tabstop>
<tabstop>localNAT</tabstop>
<tabstop>makeTagClassifyTerminating</tabstop>
<tabstop>actionOnReject</tabstop>
<tabstop>mgmt_ssh</tabstop>
<tabstop>mgmt_addr</tabstop>

View File

@ -126,8 +126,6 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o)
"ignore_empty_groups");
data.registerOption(m_dialog->localNAT, fwoptions, "local_nat");
data.registerOption(m_dialog->clampMSStoMTU, fwoptions, "clamp_mss_to_mtu");
data.registerOption(m_dialog->makeTagClassifyTerminating,
fwoptions, "classify_mark_terminating");
data.registerOption(m_dialog->ipv6NeighborDiscovery,
fwoptions, "add_rules_for_ipv6_neighbor_discovery");

View File

@ -12,8 +12,8 @@
<rect>
<x>0</x>
<y>0</y>
<width>842</width>
<height>602</height>
<width>1054</width>
<height>628</height>
</rect>
</property>
<property name="sizePolicy">
@ -428,13 +428,6 @@ in host settings dialog.
</property>
</widget>
</item>
<item row="4" column="1">
<widget class="QCheckBox" name="makeTagClassifyTerminating">
<property name="text">
<string>Make Tag and Classify actions terminating</string>
</property>
</widget>
</item>
<item row="5" column="0">
<layout class="QHBoxLayout" name="horizontalLayout_4">
<item>
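Review bot: removing the `makeTagClassifyTerminating` item at `row="4" column="1"` leaves row 4 of the grid empty while the next item stays at `row="5" column="0"`; the secuwall dialog in this same commit renumbers the rows after its removed checkbox, so do the same here for consistency and to avoid a blank row in the layout.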
@ -874,10 +867,10 @@ packets to IPv6 policies</string>
<string>Prolog/Epilog</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<property name="verticalSpacing">
<number>6</number>
</property>
<property name="verticalSpacing">
<property name="margin">
<number>6</number>
</property>
<item row="1" column="0">
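Review bot: the swap of the `margin` and `verticalSpacing` properties on the Prolog/Epilog grid layout (and the same swap in the Logging layout in the next hunk) changes only their order, not their values; this is Designer re-serialising the file and would be better left out of a functional commit so the real changes stay reviewable.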
@ -1008,12 +1001,12 @@ packets to IPv6 policies</string>
<string>Logging</string>
</attribute>
<layout class="QGridLayout">
<property name="margin">
<number>20</number>
</property>
<property name="verticalSpacing">
<number>6</number>
</property>
<property name="margin">
<number>20</number>
</property>
<item row="0" column="0" rowspan="5">
<widget class="QGroupBox" name="buttonGroup1">
<property name="title">
@ -1607,7 +1600,6 @@ packets to IPv6 policies</string>
<tabstop>emptyGroups</tabstop>
<tabstop>localNAT</tabstop>
<tabstop>clampMSStoMTU</tabstop>
<tabstop>makeTagClassifyTerminating</tabstop>
<tabstop>ipv6NeighborDiscovery</tabstop>
<tabstop>mgmt_ssh</tabstop>
<tabstop>mgmt_addr</tabstop>

View File

@ -78,6 +78,7 @@ HEADERS += ../../config.h \
IPv4Dialog.h \
IPv6Dialog.h \
PhysicalAddressDialog.h \
AttachedNetworksDialog.h \
NetworkDialog.h \
NetworkDialogIPv6.h \
UserDialog.h \
@ -287,6 +288,7 @@ SOURCES += ProjectPanel.cpp \
IPv4Dialog.cpp \
IPv6Dialog.cpp \
PhysicalAddressDialog.cpp \
AttachedNetworksDialog.cpp \
NetworkDialog.cpp \
NetworkDialogIPv6.cpp \
UserDialog.cpp \
@ -450,6 +452,7 @@ FORMS = FWBMainWindow_q.ui \
rulesetdialog_q.ui \
addressrangedialog_q.ui \
addresstabledialog_q.ui \
attachednetworksdialog_q.ui \
networkdialog_q.ui \
networkdialogipv6_q.ui \
userdialog_q.ui \
@ -578,6 +581,7 @@ INCLUDEPATH += \
../pflib \
../cisco_lib \
../compiler_lib \
../fwtransfer \
../libfwbuilder/src
DEPENDPATH += \
../import \
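Review bot: adding `../fwtransfer` to INCLUDEPATH is what lets the shortened `#include "TransferDevice.h"` in a later hunk resolve, but the DEPENDPATH list that starts right below shows no matching entry; unless it is already there further down, add `../fwtransfer \` to DEPENDPATH as well, otherwise qmake will not track headers under ../fwtransfer and objects that include them may not be rebuilt when those headers change.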

View File

@ -1276,6 +1276,9 @@ void newFirewallDialog::finishClicked()
CompareObjectsDialog cod(this);
db_orig->merge(db_copy, &cod);
db_orig->fixTree();
nfw = Firewall::cast(db_orig->findInIndex(nfw->getId()));
if (tmpldb!=NULL)
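Review bot: `nfw = Firewall::cast(db_orig->findInIndex(nfw->getId()))` needs a null check: `Firewall::cast` yields NULL when `findInIndex` returns NULL or when the found object is not a Firewall, and nothing in the hunk guards against that, so add `assert(nfw != NULL);` (or an error path) before `nfw` is dereferenced. A one-line comment explaining why the lookup is needed would also help: after `db_orig->merge(db_copy, &cod)` the old `nfw` pointer still refers to the object in `db_copy`, not to the copy that now lives in `db_orig`.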

View File

@ -6,7 +6,7 @@
<rect>
<x>0</x>
<y>0</y>
<width>1580</width>
<width>1412</width>
<height>357</height>
</rect>
</property>
@ -41,7 +41,7 @@
<number>0</number>
</property>
<property name="currentIndex">
<number>3</number>
<number>0</number>
</property>
<widget class="QWidget" name="ipt">
<layout class="QGridLayout">
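Review bot: `currentIndex` going from 3 to 0 on the tab widget is Designer saving whichever page was open when the file was last edited; it is harmless only if the code selects the page at runtime, otherwise this hunk changes which tab the dialog opens on. Worth confirming before it is committed together with the Route-tab changes below.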
@ -1213,96 +1213,180 @@
<attribute name="title">
<string>Route</string>
</attribute>
<layout class="QGridLayout" name="gridLayout_13">
<layout class="QGridLayout" name="gridLayout_21">
<property name="margin">
<number>12</number>
</property>
<property name="spacing">
<number>12</number>
</property>
<item row="0" column="0">
<widget class="QLabel" name="textLabel4_5">
<property name="text">
<string>Change inbound interface to</string>
<item row="0" column="0" colspan="3">
<layout class="QGridLayout" name="gridLayout_20">
<property name="spacing">
<number>12</number>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
<item row="0" column="1">
<spacer name="verticalSpacer_7">
<property name="orientation">
<enum>Qt::Vertical</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>20</width>
<height>17</height>
</size>
</property>
</spacer>
</item>
<item row="0" column="2" rowspan="3" colspan="2">
<widget class="QFrame" name="frame_2">
<property name="sizePolicy">
<sizepolicy hsizetype="Minimum" vsizetype="Preferred">
<horstretch>0</horstretch>
<verstretch>0</verstretch>
</sizepolicy>
</property>
<property name="maximumSize">
<size>
<width>500</width>
<height>16777215</height>
</size>
</property>
<property name="sizeIncrement">
<size>
<width>0</width>
<height>0</height>
</size>
</property>
<property name="frameShape">
<enum>QFrame::StyledPanel</enum>
</property>
<property name="frameShadow">
<enum>QFrame::Raised</enum>
</property>
<layout class="QGridLayout" name="gridLayout_13">
<item row="0" column="0">
<widget class="QLabel" name="label_5">
<property name="minimumSize">
<size>
<width>600</width>
<height>0</height>
</size>
</property>
<property name="text">
<string>&lt;!DOCTYPE HTML PUBLIC &quot;-//W3C//DTD HTML 4.0//EN&quot; &quot;http://www.w3.org/TR/REC-html40/strict.dtd&quot;&gt;
&lt;html&gt;&lt;head&gt;&lt;meta name=&quot;qrichtext&quot; content=&quot;1&quot; /&gt;&lt;style type=&quot;text/css&quot;&gt;
p, li { white-space: pre-wrap; }
&lt;/style&gt;&lt;/head&gt;&lt;body style=&quot; font-family:'Sans Serif'; font-size:9pt; font-weight:400; font-style:normal;&quot;&gt;
&lt;p style=&quot; margin-top:0px; margin-bottom:0px; margin-left:0px; margin-right:0px; -qt-block-indent:0; text-indent:0px;&quot;&gt;&lt;span style=&quot; font-weight:600;&quot;&gt;Option Route has been deprecated.&lt;/span&gt;&lt;/p&gt;&lt;/body&gt;&lt;/html&gt;</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
<item row="1" column="0">
<widget class="QLabel" name="label_6">
<property name="text">
<string>Use Custom Action in combination with branching rule to create iptables command with '-j ROUTE' target. This works only if the OS running on your firewall supports this iptables target.</string>
</property>
<property name="wordWrap">
<bool>true</bool>
</property>
</widget>
</item>
</layout>
</widget>
</item>
<item row="1" column="0">
<widget class="QLabel" name="textLabel4_5">
<property name="text">
<string>Change inbound interface to</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="1" column="1">
<widget class="QComboBox" name="ipt_iif"/>
</item>
<item row="2" column="0">
<widget class="QLabel" name="textLabel5_6">
<property name="text">
<string>Change outbound interface to</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="1">
<widget class="QComboBox" name="ipt_oif"/>
</item>
<item row="3" column="0">
<widget class="QLabel" name="textLabel6_4">
<property name="text">
<string>Route through gateway</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="3" column="1" colspan="2">
<widget class="QLineEdit" name="ipt_gw">
<property name="minimumSize">
<size>
<width>250</width>
<height>0</height>
</size>
</property>
</widget>
</item>
<item row="3" column="3">
<spacer name="horizontalSpacer_7">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>328</width>
<height>17</height>
</size>
</property>
</spacer>
</item>
</layout>
</item>
<item row="0" column="1" colspan="2">
<widget class="QComboBox" name="ipt_iif"/>
</item>
<item row="0" column="3" colspan="2">
<spacer name="spacer_4">
<item row="0" column="3">
<spacer name="horizontalSpacer_16">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeType">
<enum>QSizePolicy::Expanding</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>809</width>
<width>373</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="1" column="0">
<widget class="QLabel" name="textLabel5_6">
<property name="text">
<string>Change outbound interface to</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="1" column="1" colspan="2">
<widget class="QComboBox" name="ipt_oif"/>
</item>
<item row="2" column="0">
<widget class="QLabel" name="textLabel6_4">
<property name="text">
<string>Route through gateway</string>
</property>
<property name="wordWrap">
<bool>false</bool>
</property>
</widget>
</item>
<item row="2" column="1" colspan="3">
<widget class="QLineEdit" name="ipt_gw"/>
</item>
<item row="2" column="4">
<spacer name="horizontalSpacer_7">
<property name="orientation">
<enum>Qt::Horizontal</enum>
</property>
<property name="sizeHint" stdset="0">
<size>
<width>754</width>
<height>20</height>
</size>
</property>
</spacer>
</item>
<item row="3" column="0" colspan="2">
<widget class="QCheckBox" name="ipt_continue">
<property name="text">
<string>Continue packet inspection</string>
</property>
</widget>
</item>
<item row="3" column="2" colspan="2">
<item row="1" column="1">
<widget class="QCheckBox" name="ipt_tee">
<property name="text">
<string>Make a copy</string>
</property>
</widget>
</item>
<item row="4" column="0">
<item row="2" column="2">
<spacer name="verticalSpacer_4">
<property name="orientation">
<enum>Qt::Vertical</enum>
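Review bot: `frame_2` is given a `maximumSize` width of 500 while `label_5` inside it asks for a `minimumSize` width of 600, so the two constraints contradict each other and the layout engine will have to violate one of them; drop the label's minimum width (it already has `wordWrap` set to true, so it can wrap to whatever width the frame allows) or raise the frame's maximum. Also check `ipt_continue`: it sat at `row="3" column="0" colspan="2"` of the old grid and the hunk only shows `ipt_tee` being re-placed at `row="1" column="1"`, so confirm the "Continue packet inspection" box still has a cell in the new layout.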

View File

@ -109,8 +109,6 @@ secuwallAdvancedDialog::secuwallAdvancedDialog(QWidget *parent, FWObject *o)
"ignore_empty_groups");
data.registerOption(m_dialog->localNAT, fwoptions, "local_nat");
data.registerOption(m_dialog->clampMSStoMTU, fwoptions, "clamp_mss_to_mtu");
data.registerOption(m_dialog->makeTagClassifyTerminating,
fwoptions, "classify_mark_terminating");
slm = getActionsOnReject(obj->getStr("platform").c_str());
m_dialog->actionOnReject->clear();

View File

@ -12,7 +12,7 @@
<rect>
<x>0</x>
<y>0</y>
<width>674</width>
<width>762</width>
<height>665</height>
</rect>
</property>
@ -340,14 +340,7 @@ in host settings dialog.
</property>
</widget>
</item>
<item row="13" column="1" colspan="4">
<widget class="QCheckBox" name="makeTagClassifyTerminating">
<property name="text">
<string>Make Tag and Classify actions terminating</string>
</property>
</widget>
</item>
<item row="14" column="1">
<item row="13" column="1">
<widget class="QLabel" name="textLabel9">
<property name="text">
<string>Default action on 'Reject':</string>
@ -357,10 +350,10 @@ in host settings dialog.
</property>
</widget>
</item>
<item row="14" column="2" colspan="2">
<item row="13" column="2" colspan="2">
<widget class="QComboBox" name="actionOnReject"/>
</item>
<item row="14" column="4">
<item row="13" column="4">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
@ -376,7 +369,7 @@ in host settings dialog.
</property>
</spacer>
</item>
<item row="15" column="0" colspan="5">
<item row="14" column="0" colspan="5">
<widget class="Line" name="line4">
<property name="frameShape">
<enum>QFrame::HLine</enum>
@ -389,7 +382,7 @@ in host settings dialog.
</property>
</widget>
</item>
<item row="16" column="0" rowspan="2">
<item row="15" column="0" rowspan="2">
<spacer>
<property name="orientation">
<enum>Qt::Horizontal</enum>
@ -405,14 +398,14 @@ in host settings dialog.
</property>
</spacer>
</item>
<item row="16" column="1" colspan="4">
<item row="15" column="1" colspan="4">
<widget class="QCheckBox" name="mgmt_ssh">
<property name="text">
<string>Always permit ssh access from the management workstation with this address:</string>
</property>
</widget>
</item>
<item row="17" column="1" colspan="4">
<item row="16" column="1" colspan="4">
<widget class="QLineEdit" name="mgmt_addr">
<property name="sizePolicy">
<sizepolicy hsizetype="Expanding" vsizetype="Fixed">
@ -428,7 +421,7 @@ in host settings dialog.
</property>
</widget>
</item>
<item row="18" column="1" colspan="4">
<item row="17" column="1" colspan="4">
<widget class="QCheckBox" name="add_mgmt_ssh_rule_when_stoped">
<property name="text">
<string>Install the rule for ssh access from the management workstation when the firewall
@ -436,7 +429,7 @@ is stopped</string>
</property>
</widget>
</item>
<item row="19" column="1">
<item row="18" column="1">
<spacer>
<property name="orientation">
<enum>Qt::Vertical</enum>
@ -1340,7 +1333,6 @@ is stopped</string>
<tabstop>emptyGroups</tabstop>
<tabstop>localNAT</tabstop>
<tabstop>clampMSStoMTU</tabstop>
<tabstop>makeTagClassifyTerminating</tabstop>
<tabstop>actionOnReject</tabstop>
<tabstop>mgmt_ssh</tabstop>
<tabstop>mgmt_addr</tabstop>

View File

@ -27,7 +27,7 @@
#include "fwbuilder/Resources.h"
#include "fwbuilder/Cluster.h"
#include "fwtransfer/TransferDevice.h"
#include "TransferDevice.h"
#include "FWWindow.h"
#include "FWBSettings.h"
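Review bot: changing `#include "fwtransfer/TransferDevice.h"` to `#include "TransferDevice.h"` only works together with the INCLUDEPATH addition in the .pro hunk above, and after it both spellings resolve; pick one style for the fwtransfer headers across the GUI sources, and keep in mind that the unprefixed form is resolved by the first directory on INCLUDEPATH that has a `TransferDevice.h`, so a same-named header elsewhere would silently win.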

View File

@ -49,36 +49,36 @@ IPTCfgLexer::IPTCfgLexer(const ANTLR_USE_NAMESPACE(antlr)LexerSharedInputState&
void IPTCfgLexer::initLiterals()
{
literals["FIN"] = 108;
literals["RST"] = 109;
literals["NEW"] = 62;
literals["comment"] = 95;
literals["ESTABLISHED"] = 63;
literals["recent"] = 73;
literals["limit"] = 70;
literals["FIN"] = 109;
literals["RST"] = 110;
literals["NEW"] = 63;
literals["comment"] = 96;
literals["ESTABLISHED"] = 64;
literals["recent"] = 74;
literals["limit"] = 71;
literals["POSTROUTING"] = 16;
literals["INPUT"] = 12;
literals["ACK"] = 107;
literals["URG"] = 110;
literals["mark"] = 68;
literals["iprange"] = 74;
literals["multiport"] = 94;
literals["pkttype"] = 89;
literals["broadcast"] = 91;
literals["NONE"] = 113;
literals["multicast"] = 92;
literals["ALL"] = 112;
literals["length"] = 87;
literals["PSH"] = 111;
literals["SYN"] = 106;
literals["ACK"] = 108;
literals["URG"] = 111;
literals["mark"] = 69;
literals["iprange"] = 75;
literals["multiport"] = 95;
literals["pkttype"] = 90;
literals["broadcast"] = 92;
literals["NONE"] = 114;
literals["multicast"] = 93;
literals["ALL"] = 113;
literals["length"] = 88;
literals["PSH"] = 112;
literals["SYN"] = 107;
literals["udp"] = 33;
literals["PREROUTING"] = 15;
literals["FORWARD"] = 13;
literals["INVALID"] = 61;
literals["INVALID"] = 62;
literals["OUTPUT"] = 14;
literals["state"] = 65;
literals["unicast"] = 93;
literals["RELATED"] = 64;
literals["state"] = 66;
literals["unicast"] = 94;
literals["RELATED"] = 65;
literals["icmp"] = 34;
literals["tcp"] = 32;
literals["COMMIT"] = 9;
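Review bot: every literal id here shifts by one (`FIN` 108 to 109, `NEW` 62 to 63, and so on) because a new token was inserted in the grammar, which is fine for generated code, but the numbering only stays consistent if the generated token-types header and IPTCfgParser.cpp come from the same ANTLR run as this lexer; make sure all generated files are regenerated and committed together, and mention the `iptables.g` change in the commit message, since the `#line` directives below reference it.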
@ -392,6 +392,10 @@ ANTLR_USE_NAMESPACE(antlr)RefToken IPTCfgLexer::nextToken()
mMATCH_LIMIT(true);
theRetToken=_returnToken;
}
else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x74 /* 't' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x63 /* 'c' */ )) {
mSET_CLASS(true);
theRetToken=_returnToken;
}
else if ((LA(1) == 0x2d /* '-' */ ) && (LA(2) == 0x2d /* '-' */ ) && (LA(3) == 0x73 /* 's' */ ) && (LA(4) == 0x65 /* 'e' */ ) && (LA(5) == 0x74 /* 't' */ ) && (LA(6) == 0x2d /* '-' */ ) && (LA(7) == 0x6d /* 'm' */ )) {
mSET_MARK(true);
theRetToken=_returnToken;
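Review bot: the new prediction branch fires on the seven-character prefix `--set-c` and `mSET_CLASS` then does `match("--set-class")`, so any other option beginning with `--set-c` (iptables has `--set-counters`, the long form of `-c`) now enters this branch and fails with a mismatched-character error instead of reaching whatever rule handled it before; if that option can occur in imported input, the grammar needs a longer lookahead or an explicit rule for it. Since this file is generated, the fix belongs in `iptables.g`, not here.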
@ -713,9 +717,9 @@ void IPTCfgLexer::mWhitespace(bool _createToken) {
}
}
if ( inputState->guessing==0 ) {
#line 1243 "iptables.g"
#line 1250 "iptables.g"
_ttype = ANTLR_USE_NAMESPACE(antlr)Token::SKIP;
#line 719 "IPTCfgLexer.cpp"
#line 723 "IPTCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -746,9 +750,9 @@ void IPTCfgLexer::mNEWLINE(bool _createToken) {
}
if ( inputState->guessing==0 ) {
#line 1245 "iptables.g"
#line 1252 "iptables.g"
newline(); resetText();
#line 752 "IPTCfgLexer.cpp"
#line 756 "IPTCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -1026,9 +1030,9 @@ void IPTCfgLexer::mNUMBER(bool _createToken) {
match('.' /* charlit */ );
mNUM_3DIGIT(false);
if ( inputState->guessing==0 ) {
#line 1312 "iptables.g"
#line 1319 "iptables.g"
_ttype = IPV4;
#line 1032 "IPTCfgLexer.cpp"
#line 1036 "IPTCfgLexer.cpp"
}
}
}
@ -1060,9 +1064,9 @@ void IPTCfgLexer::mNUMBER(bool _createToken) {
match('.' /* charlit */ );
mNUM_3DIGIT(false);
if ( inputState->guessing==0 ) {
#line 1316 "iptables.g"
#line 1323 "iptables.g"
_ttype = THREE_COMPONENT_VERSION;
#line 1066 "IPTCfgLexer.cpp"
#line 1070 "IPTCfgLexer.cpp"
}
}
}
@ -1086,9 +1090,9 @@ void IPTCfgLexer::mNUMBER(bool _createToken) {
} // ( ... )+
}
if ( inputState->guessing==0 ) {
#line 1320 "iptables.g"
#line 1327 "iptables.g"
_ttype = HEX_CONST;
#line 1092 "IPTCfgLexer.cpp"
#line 1096 "IPTCfgLexer.cpp"
}
}
else if (((LA(1) >= 0x30 /* '0' */ && LA(1) <= 0x39 /* '9' */ )) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true) && (true)) {
@ -1107,9 +1111,9 @@ void IPTCfgLexer::mNUMBER(bool _createToken) {
_loop195:;
} // ( ... )+
if ( inputState->guessing==0 ) {
#line 1322 "iptables.g"
#line 1329 "iptables.g"
_ttype = INT_CONST;
#line 1113 "IPTCfgLexer.cpp"
#line 1117 "IPTCfgLexer.cpp"
}
}
else {
@ -1423,9 +1427,9 @@ void IPTCfgLexer::mRSOURCE(bool _createToken) {
match("--rsource");
if ( inputState->guessing==0 ) {
#line 1346 "iptables.g"
#line 1353 "iptables.g"
_ttype = UNSUPPORTED_OPTION;
#line 1429 "IPTCfgLexer.cpp"
#line 1433 "IPTCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -1869,6 +1873,20 @@ void IPTCfgLexer::mREJECT_WITH(bool _createToken) {
_saveIndex=0;
}
void IPTCfgLexer::mSET_CLASS(bool _createToken) {
int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
_ttype = SET_CLASS;
ANTLR_USE_NAMESPACE(std)string::size_type _saveIndex;
match("--set-class");
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
_token->setText(text.substr(_begin, text.length()-_begin));
}
_returnToken = _token;
_saveIndex=0;
}
void IPTCfgLexer::mSET_MARK(bool _createToken) {
int _ttype; ANTLR_USE_NAMESPACE(antlr)RefToken _token; ANTLR_USE_NAMESPACE(std)string::size_type _begin = text.length();
_ttype = SET_MARK;
@ -2086,9 +2104,9 @@ void IPTCfgLexer::mULOG_QTHR(bool _createToken) {
match("--ulog-qthreshold");
if ( inputState->guessing==0 ) {
#line 1413 "iptables.g"
#line 1421 "iptables.g"
_ttype = UNSUPPORTED_OPTION;
#line 2092 "IPTCfgLexer.cpp"
#line 2110 "IPTCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -2105,9 +2123,9 @@ void IPTCfgLexer::mULOG_NLG(bool _createToken) {
match("--ulog-nlgroup");
if ( inputState->guessing==0 ) {
#line 1414 "iptables.g"
#line 1422 "iptables.g"
_ttype = UNSUPPORTED_OPTION;
#line 2111 "IPTCfgLexer.cpp"
#line 2129 "IPTCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -2124,9 +2142,9 @@ void IPTCfgLexer::mULOG_CPR(bool _createToken) {
match("--ulog-cprange");
if ( inputState->guessing==0 ) {
#line 1415 "iptables.g"
#line 1423 "iptables.g"
_ttype = UNSUPPORTED_OPTION;
#line 2130 "IPTCfgLexer.cpp"
#line 2148 "IPTCfgLexer.cpp"
}
if ( _createToken && _token==ANTLR_USE_NAMESPACE(antlr)nullToken && _ttype!=ANTLR_USE_NAMESPACE(antlr)Token::SKIP ) {
_token = makeToken(_ttype);
@ -2701,7 +2719,7 @@ const unsigned long IPTCfgLexer::_tokenSet_0_data_[] = { 4294958072UL, 1UL, 0UL,
// 0x3 0x4 0x5 0x6 0x7 0x8 0x9 0xb 0xc 0xe 0xf 0x10 0x11 0x12 0x13 0x14
// 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f 0x7f 0x80 0x81
// 0x82 0x83 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f
// 0x90
// 0x90 0x91
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgLexer::_tokenSet_0(_tokenSet_0_data_,16);
const unsigned long IPTCfgLexer::_tokenSet_1_data_[] = { 0UL, 67043328UL, 126UL, 126UL, 0UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// 0 1 2 3 4 5 6 7 8 9 A B C D E F a b c d e f
@ -2715,6 +2733,6 @@ const unsigned long IPTCfgLexer::_tokenSet_3_data_[] = { 4294967288UL, 429496729
// % & \' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F
// G H I J K L M N O P Q R S T U V W X Y Z [ 0x5c ] ^ _ ` a b c d e f g
// h i j k l m n o p q r s t u v w x y z { | } ~ 0x7f 0x80 0x81 0x82 0x83
// 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90
// 0x84 0x85 0x86 0x87 0x88 0x89 0x8a 0x8b 0x8c 0x8d 0x8e 0x8f 0x90 0x91
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgLexer::_tokenSet_3(_tokenSet_3_data_,16);

View File

@ -97,6 +97,7 @@ public:
public: void mMATCH_COMMENT(bool _createToken);
public: void mMATCH_PKT_TYPE(bool _createToken);
public: void mREJECT_WITH(bool _createToken);
public: void mSET_CLASS(bool _createToken);
public: void mSET_MARK(bool _createToken);
public: void mSAVE_MARK(bool _createToken);
public: void mRESTORE_MARK(bool _createToken);

View File

@ -659,7 +659,7 @@ void IPTCfgParser::match_mark() {
{
match(EXCLAMATION);
if ( inputState->guessing==0 ) {
#line 724 "iptables.g"
#line 731 "iptables.g"
importer->neg_match_mark = true;
#line 665 "IPTCfgParser.cpp"
}
@ -695,7 +695,7 @@ void IPTCfgParser::match_mark() {
}
}
if ( inputState->guessing==0 ) {
#line 726 "iptables.g"
#line 733 "iptables.g"
importer->tmp_neg = false;
importer->match_mark = LT(0)->getText();
@ -1132,7 +1132,7 @@ void IPTCfgParser::fragm() {
try { // for error handling
match(OPT_FRAGM);
if ( inputState->guessing==0 ) {
#line 673 "iptables.g"
#line 680 "iptables.g"
importer->fragments = true;
*dbg << " FRAGM";
@ -1160,7 +1160,7 @@ void IPTCfgParser::icmp_type_spec() {
{
match(WORD);
if ( inputState->guessing==0 ) {
#line 963 "iptables.g"
#line 970 "iptables.g"
importer->icmp_spec = LT(0)->getText();
*dbg << " ICMP_SPEC=" << LT(0)->getText();
@ -1174,7 +1174,7 @@ void IPTCfgParser::icmp_type_spec() {
{
match(INT_CONST);
if ( inputState->guessing==0 ) {
#line 970 "iptables.g"
#line 977 "iptables.g"
importer->icmp_type = LT(0)->getText();
importer->icmp_code = "-1";
@ -1189,7 +1189,7 @@ void IPTCfgParser::icmp_type_spec() {
match(SLASH);
match(INT_CONST);
if ( inputState->guessing==0 ) {
#line 977 "iptables.g"
#line 984 "iptables.g"
importer->icmp_code = LT(0)->getText();
*dbg << " ICMP_CODE=" << LT(0)->getText();
@ -1281,7 +1281,7 @@ void IPTCfgParser::basic_tcp_udp_port_spec() {
}
}
if ( inputState->guessing==0 ) {
#line 1059 "iptables.g"
#line 1066 "iptables.g"
importer->srv_neg = importer->tmp_neg;
importer->tmp_neg = false;
@ -1308,7 +1308,7 @@ void IPTCfgParser::basic_tcp_udp_port_spec() {
}
}
if ( inputState->guessing==0 ) {
#line 1064 "iptables.g"
#line 1071 "iptables.g"
importer->pushTmpPortSpecToSrcPortList();
@ -1338,7 +1338,7 @@ void IPTCfgParser::basic_tcp_udp_port_spec() {
}
}
if ( inputState->guessing==0 ) {
#line 1069 "iptables.g"
#line 1076 "iptables.g"
importer->srv_neg = importer->tmp_neg;
importer->tmp_neg = false;
@ -1365,7 +1365,7 @@ void IPTCfgParser::basic_tcp_udp_port_spec() {
}
}
if ( inputState->guessing==0 ) {
#line 1074 "iptables.g"
#line 1081 "iptables.g"
importer->pushTmpPortSpecToDstPortList();
@ -1399,7 +1399,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
{
match(MATCH_SRC_MULTIPORT);
if ( inputState->guessing==0 ) {
#line 894 "iptables.g"
#line 901 "iptables.g"
importer->srv_neg = importer->tmp_neg;
importer->tmp_neg = false;
@ -1410,7 +1410,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
}
port_def_with_range();
if ( inputState->guessing==0 ) {
#line 901 "iptables.g"
#line 908 "iptables.g"
importer->pushTmpPortSpecToSrcPortList();
@ -1422,7 +1422,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
match(COMMA);
port_def_with_range();
if ( inputState->guessing==0 ) {
#line 905 "iptables.g"
#line 912 "iptables.g"
importer->pushTmpPortSpecToSrcPortList();
@ -1444,7 +1444,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
{
match(MATCH_DST_MULTIPORT);
if ( inputState->guessing==0 ) {
#line 912 "iptables.g"
#line 919 "iptables.g"
importer->srv_neg = importer->tmp_neg;
importer->tmp_neg = false;
@ -1455,7 +1455,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
}
port_def_with_range();
if ( inputState->guessing==0 ) {
#line 919 "iptables.g"
#line 926 "iptables.g"
importer->pushTmpPortSpecToDstPortList();
@ -1467,7 +1467,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
match(COMMA);
port_def_with_range();
if ( inputState->guessing==0 ) {
#line 923 "iptables.g"
#line 930 "iptables.g"
importer->pushTmpPortSpecToDstPortList();
@ -1489,7 +1489,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
{
match(MATCH_BOTH_MULTIPORT);
if ( inputState->guessing==0 ) {
#line 930 "iptables.g"
#line 937 "iptables.g"
importer->srv_neg = importer->tmp_neg;
importer->tmp_neg = false;
@ -1500,7 +1500,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
}
port_def_with_range();
if ( inputState->guessing==0 ) {
#line 937 "iptables.g"
#line 944 "iptables.g"
importer->pushTmpPortSpecToBothPortList();
@ -1512,7 +1512,7 @@ void IPTCfgParser::multiport_tcp_udp_port_spec() {
match(COMMA);
port_def_with_range();
if ( inputState->guessing==0 ) {
#line 941 "iptables.g"
#line 948 "iptables.g"
importer->pushTmpPortSpecToBothPortList();
@ -1573,7 +1573,7 @@ void IPTCfgParser::tcp_options() {
}
}
if ( inputState->guessing==0 ) {
#line 1104 "iptables.g"
#line 1111 "iptables.g"
importer->srv_neg = importer->tmp_neg;
importer->tmp_neg = false;
@ -1613,7 +1613,7 @@ void IPTCfgParser::match_limit_burst() {
match(MATCH_LIMIT_BURST);
match(INT_CONST);
if ( inputState->guessing==0 ) {
#line 758 "iptables.g"
#line 765 "iptables.g"
importer->limit_burst = LT(0)->getText();
*dbg << " LIMIT BURST " << LT(0)->getText();
@ -1670,7 +1670,7 @@ void IPTCfgParser::match_iprange_src() {
}
}
if ( inputState->guessing==0 ) {
#line 781 "iptables.g"
#line 788 "iptables.g"
importer->iprange_src_from = LT(0)->getText();
importer->using_iprange_src = true;
@ -1697,7 +1697,7 @@ void IPTCfgParser::match_iprange_src() {
}
}
if ( inputState->guessing==0 ) {
#line 786 "iptables.g"
#line 793 "iptables.g"
importer->iprange_src_to = LT(0)->getText();
@ -1737,7 +1737,7 @@ void IPTCfgParser::match_iprange_dst() {
}
}
if ( inputState->guessing==0 ) {
#line 792 "iptables.g"
#line 799 "iptables.g"
importer->iprange_dst_from = LT(0)->getText();
importer->using_iprange_dst = true;
@ -1764,7 +1764,7 @@ void IPTCfgParser::match_iprange_dst() {
}
}
if ( inputState->guessing==0 ) {
#line 797 "iptables.g"
#line 804 "iptables.g"
importer->iprange_dst_to = LT(0)->getText();
@ -2102,7 +2102,7 @@ void IPTCfgParser::m_state() {
match(M_STATE);
match(MATCH_STATE);
if ( inputState->guessing==0 ) {
#line 694 "iptables.g"
#line 701 "iptables.g"
importer->current_state = "";
@ -2110,7 +2110,7 @@ void IPTCfgParser::m_state() {
}
state_word();
if ( inputState->guessing==0 ) {
#line 698 "iptables.g"
#line 705 "iptables.g"
importer->current_state += LT(0)->getText();
@ -2122,7 +2122,7 @@ void IPTCfgParser::m_state() {
match(COMMA);
state_word();
if ( inputState->guessing==0 ) {
#line 703 "iptables.g"
#line 710 "iptables.g"
importer->current_state += std::string(",") + LT(0)->getText();
@ -2137,7 +2137,7 @@ void IPTCfgParser::m_state() {
_loop76:;
} // ( ... )*
if ( inputState->guessing==0 ) {
#line 707 "iptables.g"
#line 714 "iptables.g"
*dbg << " STATE MATCH=" << importer->current_state;
@ -2159,7 +2159,7 @@ void IPTCfgParser::m_mport() {
try { // for error handling
match(M_MPORT);
if ( inputState->guessing==0 ) {
#line 866 "iptables.g"
#line 873 "iptables.g"
*dbg << " MULTIPORT";
@ -2181,7 +2181,7 @@ void IPTCfgParser::m_icmp() {
try { // for error handling
match(ICMP);
if ( inputState->guessing==0 ) {
#line 953 "iptables.g"
#line 960 "iptables.g"
importer->protocol = "icmp";
*dbg << " ICMP";
@ -2204,7 +2204,7 @@ void IPTCfgParser::m_tcp() {
try { // for error handling
match(TCP);
if ( inputState->guessing==0 ) {
#line 1092 "iptables.g"
#line 1099 "iptables.g"
importer->protocol = "tcp";
*dbg << " TCP";
@ -2227,7 +2227,7 @@ void IPTCfgParser::m_udp() {
try { // for error handling
match(UDP);
if ( inputState->guessing==0 ) {
#line 1083 "iptables.g"
#line 1090 "iptables.g"
importer->protocol = "udp";
*dbg << " UDP";
@ -2250,7 +2250,7 @@ void IPTCfgParser::m_limit() {
try { // for error handling
match(M_LIMIT);
if ( inputState->guessing==0 ) {
#line 736 "iptables.g"
#line 743 "iptables.g"
*dbg << " LIMIT";
@ -2272,7 +2272,7 @@ void IPTCfgParser::m_length() {
try { // for error handling
match(M_LENGTH);
if ( inputState->guessing==0 ) {
#line 831 "iptables.g"
#line 838 "iptables.g"
*dbg << " LENGTH";
@ -2294,7 +2294,7 @@ void IPTCfgParser::m_iprange() {
try { // for error handling
match(M_IPRANGE);
if ( inputState->guessing==0 ) {
#line 775 "iptables.g"
#line 782 "iptables.g"
*dbg << " IPRANGE";
@ -2318,7 +2318,7 @@ void IPTCfgParser::m_comment() {
match(MATCH_COMMENT);
match(STRING);
if ( inputState->guessing==0 ) {
#line 874 "iptables.g"
#line 881 "iptables.g"
*dbg << " COMMENT=" << LT(0)->getText();
@ -2357,7 +2357,7 @@ void IPTCfgParser::m_unknown_module() {
try { // for error handling
match(WORD);
if ( inputState->guessing==0 ) {
#line 681 "iptables.g"
#line 688 "iptables.g"
*dbg << " UNKNOWN MODULE=" << LT(0)->getText();
importer->reportError(
@ -2424,6 +2424,8 @@ void IPTCfgParser::protocol_word() {
}
void IPTCfgParser::target_options() {
ANTLR_USE_NAMESPACE(antlr)RefToken major = ANTLR_USE_NAMESPACE(antlr)nullToken;
ANTLR_USE_NAMESPACE(antlr)RefToken minor = ANTLR_USE_NAMESPACE(antlr)nullToken;
try { // for error handling
{
@ -2438,7 +2440,7 @@ void IPTCfgParser::target_options() {
importer->action_params["reject_with"] = LT(0)->getText();
*dbg << " REJECT WITH=" << LT(0)->getText();
#line 2442 "IPTCfgParser.cpp"
#line 2444 "IPTCfgParser.cpp"
}
break;
}
@ -2469,7 +2471,7 @@ void IPTCfgParser::target_options() {
importer->action_params["log_prefix"] = LT(0)->getText();
*dbg << " LOG PREFIX=" << LT(0)->getText();
#line 2473 "IPTCfgParser.cpp"
#line 2475 "IPTCfgParser.cpp"
}
break;
}
@ -2482,7 +2484,7 @@ void IPTCfgParser::target_options() {
importer->action_params["log_tcp_seq"] = LT(0)->getText();
*dbg << " LOG TCP SEQUENCE=";
#line 2486 "IPTCfgParser.cpp"
#line 2488 "IPTCfgParser.cpp"
}
break;
}
@ -2495,7 +2497,7 @@ void IPTCfgParser::target_options() {
importer->action_params["log_tcp_options"] = LT(0)->getText();
*dbg << " LOG TCP OPTIONS=";
#line 2499 "IPTCfgParser.cpp"
#line 2501 "IPTCfgParser.cpp"
}
break;
}
@ -2508,7 +2510,7 @@ void IPTCfgParser::target_options() {
importer->action_params["log_ip_options"] = LT(0)->getText();
*dbg << " LOG IP OPTIONS=";
#line 2512 "IPTCfgParser.cpp"
#line 2514 "IPTCfgParser.cpp"
}
break;
}
@ -2539,7 +2541,7 @@ void IPTCfgParser::target_options() {
importer->action_params["log_prefix"] = LT(0)->getText();
*dbg << " ULOG PREFIX=" << LT(0)->getText();
#line 2543 "IPTCfgParser.cpp"
#line 2545 "IPTCfgParser.cpp"
}
break;
}
@ -2570,7 +2572,26 @@ void IPTCfgParser::target_options() {
importer->action_params["log_level"] = LT(0)->getText();
*dbg << " LOG LEVEL=" << LT(0)->getText();
#line 2574 "IPTCfgParser.cpp"
#line 2576 "IPTCfgParser.cpp"
}
break;
}
case SET_CLASS:
{
match(SET_CLASS);
major = LT(1);
match(INT_CONST);
match(COLON);
minor = LT(1);
match(INT_CONST);
if ( inputState->guessing==0 ) {
#line 521 "iptables.g"
importer->action_params["set_class"] =
major->getText() + ":" + minor->getText();
*dbg << " SET CLASS=" << major->getText() + ":" + minor->getText();
#line 2595 "IPTCfgParser.cpp"
}
break;
}
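Review bot: `--set-class` takes `major:minor` as hexadecimal (iptables documents the CLASSIFY values as always interpreted as hex, and tc class ids such as `1:a` are common), but this case matches `INT_CONST` on both sides and the lexer's `INT_CONST` covers decimal digits only (see `mNUMBER` in the lexer hunks above, where `HEX_CONST` is a separate token), so a rule like `-j CLASSIFY --set-class 1:a` will not parse; accept `INT_CONST | HEX_CONST` (or a WORD) for both halves, in the grammar. Storing the concatenated text verbatim in `action_params["set_class"]` is right, since re-emitting it unchanged preserves the hex meaning.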
@ -2596,12 +2617,12 @@ void IPTCfgParser::target_options() {
}
}
if ( inputState->guessing==0 ) {
#line 521 "iptables.g"
#line 528 "iptables.g"
importer->action_params["set_mark"] = LT(0)->getText();
*dbg << " SET MARK=" << LT(0)->getText();
#line 2605 "IPTCfgParser.cpp"
#line 2626 "IPTCfgParser.cpp"
}
break;
}
@ -2609,12 +2630,12 @@ void IPTCfgParser::target_options() {
{
match(SAVE_MARK);
if ( inputState->guessing==0 ) {
#line 539 "iptables.g"
#line 546 "iptables.g"
importer->action_params["connmark_save_mark"] = "--save-mark";
*dbg << " SAVE MARK";
#line 2618 "IPTCfgParser.cpp"
#line 2639 "IPTCfgParser.cpp"
}
break;
}
@ -2622,12 +2643,12 @@ void IPTCfgParser::target_options() {
{
match(RESTORE_MARK);
if ( inputState->guessing==0 ) {
#line 545 "iptables.g"
#line 552 "iptables.g"
importer->action_params["connmark_restore_mark"] = "--restore-mark";
*dbg << " RESTORE MARK";
#line 2631 "IPTCfgParser.cpp"
#line 2652 "IPTCfgParser.cpp"
}
break;
}
@ -2635,12 +2656,12 @@ void IPTCfgParser::target_options() {
{
match(CONTINUE);
if ( inputState->guessing==0 ) {
#line 551 "iptables.g"
#line 558 "iptables.g"
importer->action_params["route_continue"] = "--continue";
*dbg << " CONTINUE";
#line 2644 "IPTCfgParser.cpp"
#line 2665 "IPTCfgParser.cpp"
}
break;
}
@ -2649,12 +2670,12 @@ void IPTCfgParser::target_options() {
match(ROUTE_IIF);
match(WORD);
if ( inputState->guessing==0 ) {
#line 557 "iptables.g"
#line 564 "iptables.g"
importer->action_params["route_iif"] = LT(0)->getText();
*dbg << " ROUTE_IIF=" << LT(0)->getText();
#line 2658 "IPTCfgParser.cpp"
#line 2679 "IPTCfgParser.cpp"
}
break;
}
@ -2663,12 +2684,12 @@ void IPTCfgParser::target_options() {
match(ROUTE_OIF);
match(WORD);
if ( inputState->guessing==0 ) {
#line 563 "iptables.g"
#line 570 "iptables.g"
importer->action_params["route_oif"] = LT(0)->getText();
*dbg << " ROUTE_OIF=" << LT(0)->getText();
#line 2672 "IPTCfgParser.cpp"
#line 2693 "IPTCfgParser.cpp"
}
break;
}
@ -2677,12 +2698,12 @@ void IPTCfgParser::target_options() {
match(ROUTE_GW);
match(IPV4);
if ( inputState->guessing==0 ) {
#line 569 "iptables.g"
#line 576 "iptables.g"
importer->action_params["route_gw"] = LT(0)->getText();
*dbg << " ROUTE_GW=" << LT(0)->getText();
#line 2686 "IPTCfgParser.cpp"
#line 2707 "IPTCfgParser.cpp"
}
break;
}
@ -2690,12 +2711,12 @@ void IPTCfgParser::target_options() {
{
match(ROUTE_TEE);
if ( inputState->guessing==0 ) {
#line 575 "iptables.g"
#line 582 "iptables.g"
importer->action_params["route_tee"] = "--tee";
*dbg << " ROUTE_TEE";
#line 2699 "IPTCfgParser.cpp"
#line 2720 "IPTCfgParser.cpp"
}
break;
}
@ -2703,11 +2724,11 @@ void IPTCfgParser::target_options() {
{
match(TO_SOURCE);
if ( inputState->guessing==0 ) {
#line 581 "iptables.g"
#line 588 "iptables.g"
*dbg << " TO-SOURCE";
#line 2711 "IPTCfgParser.cpp"
#line 2732 "IPTCfgParser.cpp"
}
nat_spec();
break;
@ -2716,11 +2737,11 @@ void IPTCfgParser::target_options() {
{
match(TO_DESTINATION);
if ( inputState->guessing==0 ) {
#line 587 "iptables.g"
#line 594 "iptables.g"
*dbg << " TO-DESTINATION";
#line 2724 "IPTCfgParser.cpp"
#line 2745 "IPTCfgParser.cpp"
}
nat_spec();
break;
@ -2735,22 +2756,22 @@ void IPTCfgParser::target_options() {
{
match(TO_NETMAP);
if ( inputState->guessing==0 ) {
#line 595 "iptables.g"
#line 602 "iptables.g"
*dbg << " TO-NETMAP";
#line 2743 "IPTCfgParser.cpp"
#line 2764 "IPTCfgParser.cpp"
}
{
match(IPV4);
if ( inputState->guessing==0 ) {
#line 600 "iptables.g"
#line 607 "iptables.g"
importer->nat_addr1 = LT(0)->getText();
importer->nat_addr2 = LT(0)->getText();
*dbg << LT(0)->getText();
#line 2754 "IPTCfgParser.cpp"
#line 2775 "IPTCfgParser.cpp"
}
match(SLASH);
{
@ -2772,12 +2793,12 @@ void IPTCfgParser::target_options() {
}
}
if ( inputState->guessing==0 ) {
#line 606 "iptables.g"
#line 613 "iptables.g"
importer->nat_nm = LT(0)->getText();
*dbg << "/" << LT(0)->getText();
#line 2781 "IPTCfgParser.cpp"
#line 2802 "IPTCfgParser.cpp"
}
}
break;
@ -2786,12 +2807,12 @@ void IPTCfgParser::target_options() {
{
match(CLAMP_MSS);
if ( inputState->guessing==0 ) {
#line 613 "iptables.g"
#line 620 "iptables.g"
importer->action_params["clamp-mss-to-pmtu"] = "--clamp-mss-to-pmtu";
*dbg << " TO-NETMAP";
#line 2795 "IPTCfgParser.cpp"
#line 2816 "IPTCfgParser.cpp"
}
break;
}
@ -2800,24 +2821,24 @@ void IPTCfgParser::target_options() {
match(SET_TOS);
match(HEX_CONST);
if ( inputState->guessing==0 ) {
#line 527 "iptables.g"
#line 534 "iptables.g"
importer->action_params["set_tos"] = LT(0)->getText();
*dbg << " SET TOS=" << LT(0)->getText();
#line 2809 "IPTCfgParser.cpp"
#line 2830 "IPTCfgParser.cpp"
}
}
else if ((LA(1) == SET_TOS) && (LA(2) == WORD)) {
match(SET_TOS);
match(WORD);
if ( inputState->guessing==0 ) {
#line 533 "iptables.g"
#line 540 "iptables.g"
importer->action_params["set_tos"] = LT(0)->getText();
*dbg << " SET TOS=" << LT(0)->getText();
#line 2821 "IPTCfgParser.cpp"
#line 2842 "IPTCfgParser.cpp"
}
}
else {
@ -2866,6 +2887,7 @@ void IPTCfgParser::nat_spec() {
case LOG_IP_OPT:
case ULOG_PREFIX:
case LOG_LEVEL:
case SET_CLASS:
case SET_MARK:
case SET_TOS:
case SAVE_MARK:
@ -2907,7 +2929,7 @@ void IPTCfgParser::nat_spec() {
}
}
if ( inputState->guessing==0 ) {
#line 624 "iptables.g"
#line 631 "iptables.g"
*dbg << " "
<< importer->nat_addr1
@ -2918,7 +2940,7 @@ void IPTCfgParser::nat_spec() {
<< "-"
<< importer->nat_port_range_end;
#line 2922 "IPTCfgParser.cpp"
#line 2944 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -2936,7 +2958,7 @@ void IPTCfgParser::redirect_spec() {
try { // for error handling
nat_port_def_with_range();
if ( inputState->guessing==0 ) {
#line 659 "iptables.g"
#line 666 "iptables.g"
*dbg << " TO-PORTS "
<< importer->nat_addr1
@ -2947,7 +2969,7 @@ void IPTCfgParser::redirect_spec() {
<< "-"
<< importer->nat_port_range_end;
#line 2951 "IPTCfgParser.cpp"
#line 2973 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -2990,28 +3012,28 @@ void IPTCfgParser::nat_addr_range() {
a2 = LT(1);
match(IPV4);
if ( inputState->guessing==0 ) {
#line 640 "iptables.g"
#line 647 "iptables.g"
importer->nat_port_range_start = "";
importer->nat_port_range_end = "";
importer->nat_addr1 = a1->getText();
importer->nat_addr2 = a2->getText();
#line 3001 "IPTCfgParser.cpp"
#line 3023 "IPTCfgParser.cpp"
}
}
}
else if ((LA(1) == IPV4) && (_tokenSet_8.member(LA(2)))) {
match(IPV4);
if ( inputState->guessing==0 ) {
#line 649 "iptables.g"
#line 656 "iptables.g"
importer->nat_port_range_start = "";
importer->nat_port_range_end = "";
importer->nat_addr1 = LT(0)->getText();
importer->nat_addr2 = LT(0)->getText();
#line 3015 "IPTCfgParser.cpp"
#line 3037 "IPTCfgParser.cpp"
}
}
else {
@ -3087,13 +3109,13 @@ void IPTCfgParser::nat_port_def_with_range() {
}
}
if ( inputState->guessing==0 ) {
#line 1036 "iptables.g"
#line 1043 "iptables.g"
importer->nat_port_range_start = LT(0)->getText();
importer->nat_port_range_end = LT(0)->getText();
*dbg << " PORT=" << LT(0)->getText();
#line 3097 "IPTCfgParser.cpp"
#line 3119 "IPTCfgParser.cpp"
}
match(MINUS);
{
@ -3115,12 +3137,12 @@ void IPTCfgParser::nat_port_def_with_range() {
}
}
if ( inputState->guessing==0 ) {
#line 1042 "iptables.g"
#line 1049 "iptables.g"
importer->nat_port_range_end = LT(0)->getText();
*dbg << ":" << LT(0)->getText();
#line 3124 "IPTCfgParser.cpp"
#line 3146 "IPTCfgParser.cpp"
}
}
}
@ -3144,13 +3166,13 @@ void IPTCfgParser::nat_port_def_with_range() {
}
}
if ( inputState->guessing==0 ) {
#line 1049 "iptables.g"
#line 1056 "iptables.g"
importer->nat_port_range_start = LT(0)->getText();
importer->nat_port_range_end = LT(0)->getText();
*dbg << " PORT=" << LT(0)->getText();
#line 3154 "IPTCfgParser.cpp"
#line 3176 "IPTCfgParser.cpp"
}
}
else {
@ -3215,11 +3237,11 @@ void IPTCfgParser::m_mark() {
try { // for error handling
match(M_MARK);
if ( inputState->guessing==0 ) {
#line 716 "iptables.g"
#line 723 "iptables.g"
*dbg << " MARK";
#line 3223 "IPTCfgParser.cpp"
#line 3245 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3237,25 +3259,25 @@ void IPTCfgParser::limit_rate() {
try { // for error handling
match(INT_CONST);
if ( inputState->guessing==0 ) {
#line 747 "iptables.g"
#line 754 "iptables.g"
importer->limit_val = LT(0)->getText();
#line 3243 "IPTCfgParser.cpp"
#line 3265 "IPTCfgParser.cpp"
}
match(SLASH);
match(WORD);
if ( inputState->guessing==0 ) {
#line 749 "iptables.g"
#line 756 "iptables.g"
importer->limit_suffix = LT(0)->getText();
#line 3250 "IPTCfgParser.cpp"
#line 3272 "IPTCfgParser.cpp"
}
if ( inputState->guessing==0 ) {
#line 750 "iptables.g"
#line 757 "iptables.g"
*dbg << " MATCH LIMIT "
<< importer->limit_val << "/"
<< importer->limit_suffix;
#line 3259 "IPTCfgParser.cpp"
#line 3281 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3273,11 +3295,11 @@ void IPTCfgParser::m_recent() {
try { // for error handling
match(M_RECENT);
if ( inputState->guessing==0 ) {
#line 767 "iptables.g"
#line 774 "iptables.g"
*dbg << " RECENT";
#line 3281 "IPTCfgParser.cpp"
#line 3303 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3375,9 +3397,9 @@ void IPTCfgParser::recent_args_no_param() {
}
}
if ( inputState->guessing==0 ) {
#line 819 "iptables.g"
#line 826 "iptables.g"
importer->recent_match += LT(0)->getText() + " ";
#line 3381 "IPTCfgParser.cpp"
#line 3403 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3417,9 +3439,9 @@ void IPTCfgParser::recent_args_param() {
}
}
if ( inputState->guessing==0 ) {
#line 823 "iptables.g"
#line 830 "iptables.g"
importer->recent_match += LT(0)->getText() + " ";
#line 3423 "IPTCfgParser.cpp"
#line 3445 "IPTCfgParser.cpp"
}
{
switch ( LA(1)) {
@ -3440,9 +3462,9 @@ void IPTCfgParser::recent_args_param() {
}
}
if ( inputState->guessing==0 ) {
#line 825 "iptables.g"
#line 832 "iptables.g"
importer->recent_match += LT(0)->getText() + " ";
#line 3446 "IPTCfgParser.cpp"
#line 3468 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3460,24 +3482,24 @@ void IPTCfgParser::length_spec() {
try { // for error handling
match(INT_CONST);
if ( inputState->guessing==0 ) {
#line 842 "iptables.g"
#line 849 "iptables.g"
importer->length_spec = LT(0)->getText();
#line 3466 "IPTCfgParser.cpp"
#line 3488 "IPTCfgParser.cpp"
}
match(COLON);
match(INT_CONST);
if ( inputState->guessing==0 ) {
#line 844 "iptables.g"
#line 851 "iptables.g"
importer->length_spec += ":";
importer->length_spec += LT(0)->getText();
#line 3474 "IPTCfgParser.cpp"
#line 3496 "IPTCfgParser.cpp"
}
if ( inputState->guessing==0 ) {
#line 846 "iptables.g"
#line 853 "iptables.g"
*dbg << " MATCH LENGTH " << importer->length_spec;
#line 3481 "IPTCfgParser.cpp"
#line 3503 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3517,12 +3539,12 @@ void IPTCfgParser::pkt_type_spec() {
}
}
if ( inputState->guessing==0 ) {
#line 857 "iptables.g"
#line 864 "iptables.g"
importer->pkt_type_spec = LT(0)->getText();
*dbg << " PKT_TYPE " << importer->pkt_type_spec;
#line 3526 "IPTCfgParser.cpp"
#line 3548 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3566,13 +3588,13 @@ void IPTCfgParser::port_def_with_range() {
}
}
if ( inputState->guessing==0 ) {
#line 1007 "iptables.g"
#line 1014 "iptables.g"
importer->tmp_port_range_start = LT(0)->getText();
importer->tmp_port_range_end = LT(0)->getText();
*dbg << " PORT=" << LT(0)->getText();
#line 3576 "IPTCfgParser.cpp"
#line 3598 "IPTCfgParser.cpp"
}
{
switch ( LA(1)) {
@ -3630,12 +3652,12 @@ void IPTCfgParser::port_def_with_range() {
}
}
if ( inputState->guessing==0 ) {
#line 1014 "iptables.g"
#line 1021 "iptables.g"
importer->tmp_port_range_end = LT(0)->getText();
*dbg << ":" << LT(0)->getText();
#line 3639 "IPTCfgParser.cpp"
#line 3661 "IPTCfgParser.cpp"
}
break;
}
@ -3710,13 +3732,13 @@ void IPTCfgParser::port_def_no_range() {
}
}
if ( inputState->guessing==0 ) {
#line 989 "iptables.g"
#line 996 "iptables.g"
importer->tmp_port_range_start = LT(0)->getText();
importer->tmp_port_range_end = LT(0)->getText();
*dbg << " PORT=" << LT(0)->getText();
#line 3720 "IPTCfgParser.cpp"
#line 3742 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3752,13 +3774,13 @@ void IPTCfgParser::port_def_with_incomplete_range() {
}
}
if ( inputState->guessing==0 ) {
#line 1023 "iptables.g"
#line 1030 "iptables.g"
importer->tmp_port_range_start = "0";
importer->tmp_port_range_end = LT(0)->getText();
*dbg << "PORT 0:" << LT(0)->getText();
#line 3762 "IPTCfgParser.cpp"
#line 3784 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3776,7 +3798,7 @@ void IPTCfgParser::syn() {
try { // for error handling
match(MATCH_SYN);
if ( inputState->guessing==0 ) {
#line 1111 "iptables.g"
#line 1118 "iptables.g"
importer->tcp_flags_mask.clear();
importer->tcp_flags_mask.push_back(libfwbuilder::TCPService::SYN);
@ -3786,7 +3808,7 @@ void IPTCfgParser::syn() {
importer->tcp_flags_comp.clear();
importer->tcp_flags_comp.push_back(libfwbuilder::TCPService::SYN);
#line 3790 "IPTCfgParser.cpp"
#line 3812 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3805,16 +3827,16 @@ void IPTCfgParser::tcp_flags() {
match(MATCH_TCP_FLAGS);
tcp_flags_list();
if ( inputState->guessing==0 ) {
#line 1162 "iptables.g"
#line 1169 "iptables.g"
importer->tcp_flags_mask = importer->tmp_tcp_flags_list;
importer->tmp_tcp_flags_list.clear();
#line 3814 "IPTCfgParser.cpp"
#line 3836 "IPTCfgParser.cpp"
}
tcp_flags_list();
if ( inputState->guessing==0 ) {
#line 1167 "iptables.g"
#line 1174 "iptables.g"
importer->tcp_flags_comp = importer->tmp_tcp_flags_list;
importer->tmp_tcp_flags_list.clear();
@ -3825,7 +3847,7 @@ void IPTCfgParser::tcp_flags() {
foreach(int x, importer->tcp_flags_comp)
*dbg << x << "|";
#line 3829 "IPTCfgParser.cpp"
#line 3851 "IPTCfgParser.cpp"
}
}
catch (ANTLR_USE_NAMESPACE(antlr)RecognitionException& ex) {
@ -3863,9 +3885,9 @@ void IPTCfgParser::tcp_flag_word() {
{
match(SYN);
if ( inputState->guessing==0 ) {
#line 1124 "iptables.g"
#line 1131 "iptables.g"
importer->tmp_tcp_flag_code = libfwbuilder::TCPService::SYN;
#line 3869 "IPTCfgParser.cpp"
#line 3891 "IPTCfgParser.cpp"
}
break;
}
@ -3873,9 +3895,9 @@ void IPTCfgParser::tcp_flag_word() {
{
match(ACK);
if ( inputState->guessing==0 ) {
#line 1126 "iptables.g"
#line 1133 "iptables.g"
importer->tmp_tcp_flag_code = libfwbuilder::TCPService::ACK;
#line 3879 "IPTCfgParser.cpp"
#line 3901 "IPTCfgParser.cpp"
}
break;
}
@ -3883,9 +3905,9 @@ void IPTCfgParser::tcp_flag_word() {
{
match(FIN);
if ( inputState->guessing==0 ) {
#line 1128 "iptables.g"
#line 1135 "iptables.g"
importer->tmp_tcp_flag_code = libfwbuilder::TCPService::FIN;
#line 3889 "IPTCfgParser.cpp"
#line 3911 "IPTCfgParser.cpp"
}
break;
}
@ -3893,9 +3915,9 @@ void IPTCfgParser::tcp_flag_word() {
{
match(RST);
if ( inputState->guessing==0 ) {
#line 1130 "iptables.g"
#line 1137 "iptables.g"
importer->tmp_tcp_flag_code = libfwbuilder::TCPService::RST;
#line 3899 "IPTCfgParser.cpp"
#line 3921 "IPTCfgParser.cpp"
}
break;
}
@ -3903,9 +3925,9 @@ void IPTCfgParser::tcp_flag_word() {
{
match(URG);
if ( inputState->guessing==0 ) {
#line 1132 "iptables.g"
#line 1139 "iptables.g"
importer->tmp_tcp_flag_code = libfwbuilder::TCPService::URG;
#line 3909 "IPTCfgParser.cpp"
#line 3931 "IPTCfgParser.cpp"
}
break;
}
@ -3913,9 +3935,9 @@ void IPTCfgParser::tcp_flag_word() {
{
match(PSH);
if ( inputState->guessing==0 ) {
#line 1134 "iptables.g"
#line 1141 "iptables.g"
importer->tmp_tcp_flag_code = libfwbuilder::TCPService::PSH;
#line 3919 "IPTCfgParser.cpp"
#line 3941 "IPTCfgParser.cpp"
}
break;
}
@ -3923,9 +3945,9 @@ void IPTCfgParser::tcp_flag_word() {
{
match(ALL);
if ( inputState->guessing==0 ) {
#line 1136 "iptables.g"
#line 1143 "iptables.g"
importer->tmp_tcp_flag_code = 99;
#line 3929 "IPTCfgParser.cpp"
#line 3951 "IPTCfgParser.cpp"
}
break;
}
@ -3933,9 +3955,9 @@ void IPTCfgParser::tcp_flag_word() {
{
match(NONE);
if ( inputState->guessing==0 ) {
#line 1138 "iptables.g"
#line 1145 "iptables.g"
importer->tmp_tcp_flag_code = 98;
#line 3939 "IPTCfgParser.cpp"
#line 3961 "IPTCfgParser.cpp"
}
break;
}
@ -3960,20 +3982,20 @@ void IPTCfgParser::tcp_flags_list() {
try { // for error handling
if ( inputState->guessing==0 ) {
#line 1143 "iptables.g"
#line 1150 "iptables.g"
importer->tmp_tcp_flags_list.clear();
importer->tmp_tcp_flag_code = 0;
#line 3969 "IPTCfgParser.cpp"
#line 3991 "IPTCfgParser.cpp"
}
tcp_flag_word();
if ( inputState->guessing==0 ) {
#line 1148 "iptables.g"
#line 1155 "iptables.g"
importer->tmp_tcp_flags_list.push_back(importer->tmp_tcp_flag_code);
#line 3977 "IPTCfgParser.cpp"
#line 3999 "IPTCfgParser.cpp"
}
{ // ( ... )*
for (;;) {
@ -3981,12 +4003,12 @@ void IPTCfgParser::tcp_flags_list() {
match(COMMA);
tcp_flag_word();
if ( inputState->guessing==0 ) {
#line 1153 "iptables.g"
#line 1160 "iptables.g"
importer->tmp_tcp_flags_list.push_back(
importer->tmp_tcp_flag_code);
#line 3990 "IPTCfgParser.cpp"
#line 4012 "IPTCfgParser.cpp"
}
}
else {
@ -4056,6 +4078,7 @@ const char* IPTCfgParser::tokenNames[] = {
"LOG_IP_OPT",
"ULOG_PREFIX",
"LOG_LEVEL",
"SET_CLASS",
"SET_MARK",
"HEX_CONST",
"SET_TOS",
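Review bot: inserting "SET_CLASS" between "LOG_LEVEL" and "SET_MARK" in tokenNames is consistent with the renumbered enum in IPTCfgParserTokenTypes.hpp (SET_CLASS = 45, SET_MARK = 46) and with NUM_TOKENS going from 145 to 146, but because every token id from 45 upward shifts by one, every other generated artifact of this grammar (in particular the lexer that emits these ids) must be regenerated from the same iptables.g in the same commit; a stale lexer would silently feed the parser ids that are off by one for all targets and matches above LOG_LEVEL.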
@ -4165,7 +4188,7 @@ const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_0(_tokenSet_0_dat
const unsigned long IPTCfgParser::_tokenSet_1_data_[] = { 4326962UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// EOF NEWLINE NUMBER_SIGN "COMMIT" STAR COLON ADD_RULE
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_1(_tokenSet_1_data_,6);
const unsigned long IPTCfgParser::_tokenSet_2_data_[] = { 4186177536UL, 268435480UL, 16783744UL, 787454UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_2_data_[] = { 4186177536UL, 536870936UL, 33567488UL, 1574908UL, 0UL, 0UL, 0UL, 0UL };
// MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST OPT_IN_INTF
// OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM MATCH_LIMIT MATCH_LIMIT_BURST
// MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT
@ -4173,7 +4196,7 @@ const unsigned long IPTCfgParser::_tokenSet_2_data_[] = { 4186177536UL, 26843548
// MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN MATCH_TCP_FLAGS
// MATCH_TCP_OPTION
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_2(_tokenSet_2_data_,8);
const unsigned long IPTCfgParser::_tokenSet_3_data_[] = { 4186179584UL, 268435480UL, 16783744UL, 787454UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_3_data_[] = { 4186179584UL, 536870936UL, 33567488UL, 1574908UL, 0UL, 0UL, 0UL, 0UL };
// WORD MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST
// OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM MATCH_LIMIT
// MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT
@ -4181,11 +4204,11 @@ const unsigned long IPTCfgParser::_tokenSet_3_data_[] = { 4186179584UL, 26843548
// MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN MATCH_TCP_FLAGS
// MATCH_TCP_OPTION
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_3(_tokenSet_3_data_,8);
const unsigned long IPTCfgParser::_tokenSet_4_data_[] = { 2048UL, 7UL, 3263169602UL, 0UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_4_data_[] = { 2048UL, 7UL, 2231371908UL, 1UL, 0UL, 0UL, 0UL, 0UL };
// WORD "tcp" "udp" "icmp" "state" "limit" "iprange" "length" "pkttype"
// "multiport" "comment"
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_4(_tokenSet_4_data_,8);
const unsigned long IPTCfgParser::_tokenSet_5_data_[] = { 4186177552UL, 268435480UL, 16783744UL, 787454UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_5_data_[] = { 4186177552UL, 536870936UL, 33567488UL, 1574908UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST
// OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM MATCH_LIMIT
// MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT
@ -4193,35 +4216,35 @@ const unsigned long IPTCfgParser::_tokenSet_5_data_[] = { 4186177552UL, 26843548
// MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN MATCH_TCP_FLAGS
// MATCH_TCP_OPTION
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_5(_tokenSet_5_data_,8);
const unsigned long IPTCfgParser::_tokenSet_6_data_[] = { 0UL, 268418912UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_6_data_[] = { 0UL, 536837984UL, 0UL, 0UL, 0UL, 0UL };
// REJECT_WITH LOG_PREFIX LOG_TCP_SEQ LOG_TCP_OPT LOG_IP_OPT ULOG_PREFIX
// LOG_LEVEL SET_MARK SET_TOS SAVE_MARK RESTORE_MARK CONTINUE ROUTE_IIF
// ROUTE_OIF ROUTE_GW ROUTE_TEE TO_SOURCE TO_DESTINATION TO_PORTS TO_NETMAP
// CLAMP_MSS
// LOG_LEVEL SET_CLASS SET_MARK SET_TOS SAVE_MARK RESTORE_MARK CONTINUE
// ROUTE_IIF ROUTE_OIF ROUTE_GW ROUTE_TEE TO_SOURCE TO_DESTINATION TO_PORTS
// TO_NETMAP CLAMP_MSS
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_6(_tokenSet_6_data_,6);
const unsigned long IPTCfgParser::_tokenSet_7_data_[] = { 4186177552UL, 536854392UL, 16783744UL, 787454UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_7_data_[] = { 4186177552UL, 1073708920UL, 33567488UL, 1574908UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST
// OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET REJECT_WITH LOG_PREFIX
// LOG_TCP_SEQ LOG_TCP_OPT LOG_IP_OPT ULOG_PREFIX LOG_LEVEL SET_MARK SET_TOS
// SAVE_MARK RESTORE_MARK CONTINUE ROUTE_IIF ROUTE_OIF ROUTE_GW ROUTE_TEE
// TO_SOURCE TO_DESTINATION TO_PORTS TO_NETMAP CLAMP_MSS OPT_FRAGM MATCH_LIMIT
// MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT
// MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE MATCH_SRC_PORT
// MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN MATCH_TCP_FLAGS
// MATCH_TCP_OPTION
// LOG_TCP_SEQ LOG_TCP_OPT LOG_IP_OPT ULOG_PREFIX LOG_LEVEL SET_CLASS SET_MARK
// SET_TOS SAVE_MARK RESTORE_MARK CONTINUE ROUTE_IIF ROUTE_OIF ROUTE_GW
// ROUTE_TEE TO_SOURCE TO_DESTINATION TO_PORTS TO_NETMAP CLAMP_MSS OPT_FRAGM
// MATCH_LIMIT MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH
// MATCH_SRC_MULTIPORT MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE
// MATCH_SRC_PORT MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT
// MATCH_SYN MATCH_TCP_FLAGS MATCH_TCP_OPTION
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_7(_tokenSet_7_data_,8);
const unsigned long IPTCfgParser::_tokenSet_8_data_[] = { 4186308624UL, 536854392UL, 16783744UL, 787454UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_8_data_[] = { 4186308624UL, 1073708920UL, 33567488UL, 1574908UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE COLON MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC
// OPT_DST OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET REJECT_WITH LOG_PREFIX
// LOG_TCP_SEQ LOG_TCP_OPT LOG_IP_OPT ULOG_PREFIX LOG_LEVEL SET_MARK SET_TOS
// SAVE_MARK RESTORE_MARK CONTINUE ROUTE_IIF ROUTE_OIF ROUTE_GW ROUTE_TEE
// TO_SOURCE TO_DESTINATION TO_PORTS TO_NETMAP CLAMP_MSS OPT_FRAGM MATCH_LIMIT
// MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT
// MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE MATCH_SRC_PORT
// MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN MATCH_TCP_FLAGS
// MATCH_TCP_OPTION
// LOG_TCP_SEQ LOG_TCP_OPT LOG_IP_OPT ULOG_PREFIX LOG_LEVEL SET_CLASS SET_MARK
// SET_TOS SAVE_MARK RESTORE_MARK CONTINUE ROUTE_IIF ROUTE_OIF ROUTE_GW
// ROUTE_TEE TO_SOURCE TO_DESTINATION TO_PORTS TO_NETMAP CLAMP_MSS OPT_FRAGM
// MATCH_LIMIT MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH
// MATCH_SRC_MULTIPORT MATCH_DST_MULTIPORT MATCH_BOTH_MULTIPORT MATCH_ICMP_TYPE
// MATCH_SRC_PORT MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT
// MATCH_SYN MATCH_TCP_FLAGS MATCH_TCP_OPTION
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_8(_tokenSet_8_data_,8);
const unsigned long IPTCfgParser::_tokenSet_9_data_[] = { 4186177552UL, 268435480UL, 16783752UL, 787454UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_9_data_[] = { 4186177552UL, 536870936UL, 33567504UL, 1574908UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST
// OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM COMMA MATCH_LIMIT
// MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT
@ -4229,15 +4252,15 @@ const unsigned long IPTCfgParser::_tokenSet_9_data_[] = { 4186177552UL, 26843548
// MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN MATCH_TCP_FLAGS
// MATCH_TCP_OPTION
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_9(_tokenSet_9_data_,8);
const unsigned long IPTCfgParser::_tokenSet_10_data_[] = { 8388608UL, 0UL, 32UL, 0UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_10_data_[] = { 8388608UL, 0UL, 64UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// EXCLAMATION MATCH_MARK
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_10(_tokenSet_10_data_,8);
const unsigned long IPTCfgParser::_tokenSet_11_data_[] = { 0UL, 0UL, 8380416UL, 0UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_11_data_[] = { 0UL, 0UL, 16760832UL, 0UL, 0UL, 0UL, 0UL, 0UL };
// MATCH_RECENT_SET MATCH_RECENT_RCHECK MATCH_RECENT_UPDATE MATCH_RECENT_REMOVE
// MATCH_RECENT_RTTL RSOURCE MATCH_RECENT_RDEST MATCH_RECENT_NAME MATCH_RECENT_SECONDS
// MATCH_RECENT_HITCOUNT
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_11(_tokenSet_11_data_,8);
const unsigned long IPTCfgParser::_tokenSet_12_data_[] = { 4186177552UL, 268435480UL, 25164160UL, 787454UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_12_data_[] = { 4186177552UL, 536870936UL, 50328320UL, 1574908UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST
// OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM MATCH_LIMIT
// MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_RECENT_SET
@ -4247,7 +4270,7 @@ const unsigned long IPTCfgParser::_tokenSet_12_data_[] = { 4186177552UL, 2684354
// MATCH_ICMP_TYPE MATCH_SRC_PORT MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT
// MATCH_SYN MATCH_TCP_FLAGS MATCH_TCP_OPTION
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_12(_tokenSet_12_data_,8);
const unsigned long IPTCfgParser::_tokenSet_13_data_[] = { 4186177552UL, 268435480UL, 16783752UL, 1048574UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_13_data_[] = { 4186177552UL, 536870936UL, 33567504UL, 2097148UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST
// OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM COMMA MATCH_LIMIT
// MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT
@ -4255,7 +4278,7 @@ const unsigned long IPTCfgParser::_tokenSet_13_data_[] = { 4186177552UL, 2684354
// MATCH_SRC_PORT_SHORT MATCH_DST_PORT MATCH_DST_PORT_SHORT MATCH_SYN "SYN"
// "ACK" "FIN" "RST" "URG" "PSH" "ALL" "NONE" MATCH_TCP_FLAGS MATCH_TCP_OPTION
const ANTLR_USE_NAMESPACE(antlr)BitSet IPTCfgParser::_tokenSet_13(_tokenSet_13_data_,8);
const unsigned long IPTCfgParser::_tokenSet_14_data_[] = { 4186177552UL, 268435480UL, 16783744UL, 1048574UL, 0UL, 0UL, 0UL, 0UL };
const unsigned long IPTCfgParser::_tokenSet_14_data_[] = { 4186177552UL, 536870936UL, 33567488UL, 2097148UL, 0UL, 0UL, 0UL, 0UL };
// NEWLINE MINUS EXCLAMATION UNSUPPORTED_OPTION OPT_MODULE OPT_SRC OPT_DST
// OPT_IN_INTF OPT_OUT_INTF OPT_PROTO OPT_TARGET OPT_FRAGM MATCH_LIMIT
// MATCH_LIMIT_BURST MATCH_IPRANGE_SRC MATCH_IPRANGE_DST MATCH_LENGTH MATCH_SRC_MULTIPORT

View File

@ -163,10 +163,10 @@ protected:
private:
static const char* tokenNames[];
#ifndef NO_STATIC_CONSTS
static const int NUM_TOKENS = 145;
static const int NUM_TOKENS = 146;
#else
enum {
NUM_TOKENS = 145
NUM_TOKENS = 146
};
#endif

View File

@ -53,106 +53,107 @@ struct CUSTOM_API IPTCfgParserTokenTypes {
LOG_IP_OPT = 42,
ULOG_PREFIX = 43,
LOG_LEVEL = 44,
SET_MARK = 45,
HEX_CONST = 46,
SET_TOS = 47,
SAVE_MARK = 48,
RESTORE_MARK = 49,
CONTINUE = 50,
ROUTE_IIF = 51,
ROUTE_OIF = 52,
ROUTE_GW = 53,
ROUTE_TEE = 54,
TO_SOURCE = 55,
TO_DESTINATION = 56,
TO_PORTS = 57,
TO_NETMAP = 58,
CLAMP_MSS = 59,
OPT_FRAGM = 60,
INVALID = 61,
NEW = 62,
ESTABLISHED = 63,
RELATED = 64,
M_STATE = 65,
MATCH_STATE = 66,
COMMA = 67,
M_MARK = 68,
MATCH_MARK = 69,
M_LIMIT = 70,
MATCH_LIMIT = 71,
MATCH_LIMIT_BURST = 72,
M_RECENT = 73,
M_IPRANGE = 74,
MATCH_IPRANGE_SRC = 75,
MATCH_IPRANGE_DST = 76,
MATCH_RECENT_SET = 77,
MATCH_RECENT_RCHECK = 78,
MATCH_RECENT_UPDATE = 79,
MATCH_RECENT_REMOVE = 80,
MATCH_RECENT_RTTL = 81,
RSOURCE = 82,
MATCH_RECENT_RDEST = 83,
MATCH_RECENT_NAME = 84,
MATCH_RECENT_SECONDS = 85,
MATCH_RECENT_HITCOUNT = 86,
M_LENGTH = 87,
MATCH_LENGTH = 88,
M_PKTTYPE = 89,
MATCH_PKT_TYPE = 90,
WORD_BROADCAST = 91,
WORD_MULTICAST = 92,
WORD_UNICAST = 93,
M_MPORT = 94,
M_COMMENT = 95,
MATCH_COMMENT = 96,
MATCH_SRC_MULTIPORT = 97,
MATCH_DST_MULTIPORT = 98,
MATCH_BOTH_MULTIPORT = 99,
MATCH_ICMP_TYPE = 100,
MATCH_SRC_PORT = 101,
MATCH_SRC_PORT_SHORT = 102,
MATCH_DST_PORT = 103,
MATCH_DST_PORT_SHORT = 104,
MATCH_SYN = 105,
SYN = 106,
ACK = 107,
FIN = 108,
RST = 109,
URG = 110,
PSH = 111,
ALL = 112,
NONE = 113,
MATCH_TCP_FLAGS = 114,
MATCH_TCP_OPTION = 115,
Whitespace = 116,
IPV6 = 117,
MAC_ADDRESS = 118,
NEG_INT_CONST = 119,
HEXDIGIT = 120,
NUM_3DIGIT = 121,
NUM_HEX_4DIGIT = 122,
NUMBER = 123,
ULOG_QTHR = 124,
ULOG_NLG = 125,
ULOG_CPR = 126,
PERCENT = 127,
AMPERSAND = 128,
APOSTROPHE = 129,
OPENING_PAREN = 130,
CLOSING_PAREN = 131,
PLUS = 132,
DOT = 133,
SEMICOLON = 134,
LESS_THAN = 135,
EQUALS = 136,
GREATER_THAN = 137,
QUESTION = 138,
COMMERCIAL_AT = 139,
CARET = 140,
UNDERLINE = 141,
OPENING_BRACE = 142,
CLOSING_BRACE = 143,
TILDE = 144,
SET_CLASS = 45,
SET_MARK = 46,
HEX_CONST = 47,
SET_TOS = 48,
SAVE_MARK = 49,
RESTORE_MARK = 50,
CONTINUE = 51,
ROUTE_IIF = 52,
ROUTE_OIF = 53,
ROUTE_GW = 54,
ROUTE_TEE = 55,
TO_SOURCE = 56,
TO_DESTINATION = 57,
TO_PORTS = 58,
TO_NETMAP = 59,
CLAMP_MSS = 60,
OPT_FRAGM = 61,
INVALID = 62,
NEW = 63,
ESTABLISHED = 64,
RELATED = 65,
M_STATE = 66,
MATCH_STATE = 67,
COMMA = 68,
M_MARK = 69,
MATCH_MARK = 70,
M_LIMIT = 71,
MATCH_LIMIT = 72,
MATCH_LIMIT_BURST = 73,
M_RECENT = 74,
M_IPRANGE = 75,
MATCH_IPRANGE_SRC = 76,
MATCH_IPRANGE_DST = 77,
MATCH_RECENT_SET = 78,
MATCH_RECENT_RCHECK = 79,
MATCH_RECENT_UPDATE = 80,
MATCH_RECENT_REMOVE = 81,
MATCH_RECENT_RTTL = 82,
RSOURCE = 83,
MATCH_RECENT_RDEST = 84,
MATCH_RECENT_NAME = 85,
MATCH_RECENT_SECONDS = 86,
MATCH_RECENT_HITCOUNT = 87,
M_LENGTH = 88,
MATCH_LENGTH = 89,
M_PKTTYPE = 90,
MATCH_PKT_TYPE = 91,
WORD_BROADCAST = 92,
WORD_MULTICAST = 93,
WORD_UNICAST = 94,
M_MPORT = 95,
M_COMMENT = 96,
MATCH_COMMENT = 97,
MATCH_SRC_MULTIPORT = 98,
MATCH_DST_MULTIPORT = 99,
MATCH_BOTH_MULTIPORT = 100,
MATCH_ICMP_TYPE = 101,
MATCH_SRC_PORT = 102,
MATCH_SRC_PORT_SHORT = 103,
MATCH_DST_PORT = 104,
MATCH_DST_PORT_SHORT = 105,
MATCH_SYN = 106,
SYN = 107,
ACK = 108,
FIN = 109,
RST = 110,
URG = 111,
PSH = 112,
ALL = 113,
NONE = 114,
MATCH_TCP_FLAGS = 115,
MATCH_TCP_OPTION = 116,
Whitespace = 117,
IPV6 = 118,
MAC_ADDRESS = 119,
NEG_INT_CONST = 120,
HEXDIGIT = 121,
NUM_3DIGIT = 122,
NUM_HEX_4DIGIT = 123,
NUMBER = 124,
ULOG_QTHR = 125,
ULOG_NLG = 126,
ULOG_CPR = 127,
PERCENT = 128,
AMPERSAND = 129,
APOSTROPHE = 130,
OPENING_PAREN = 131,
CLOSING_PAREN = 132,
PLUS = 133,
DOT = 134,
SEMICOLON = 135,
LESS_THAN = 136,
EQUALS = 137,
GREATER_THAN = 138,
QUESTION = 139,
COMMERCIAL_AT = 140,
CARET = 141,
UNDERLINE = 142,
OPENING_BRACE = 143,
CLOSING_BRACE = 144,
TILDE = 145,
NULL_TREE_LOOKAHEAD = 3
};
#ifdef __cplusplus

View File

@ -41,103 +41,104 @@ LOG_TCP_OPT=41
LOG_IP_OPT=42
ULOG_PREFIX=43
LOG_LEVEL=44
SET_MARK=45
HEX_CONST=46
SET_TOS=47
SAVE_MARK=48
RESTORE_MARK=49
CONTINUE=50
ROUTE_IIF=51
ROUTE_OIF=52
ROUTE_GW=53
ROUTE_TEE=54
TO_SOURCE=55
TO_DESTINATION=56
TO_PORTS=57
TO_NETMAP=58
CLAMP_MSS=59
OPT_FRAGM=60
INVALID="INVALID"=61
NEW="NEW"=62
ESTABLISHED="ESTABLISHED"=63
RELATED="RELATED"=64
M_STATE="state"=65
MATCH_STATE=66
COMMA=67
M_MARK="mark"=68
MATCH_MARK=69
M_LIMIT="limit"=70
MATCH_LIMIT=71
MATCH_LIMIT_BURST=72
M_RECENT="recent"=73
M_IPRANGE="iprange"=74
MATCH_IPRANGE_SRC=75
MATCH_IPRANGE_DST=76
MATCH_RECENT_SET=77
MATCH_RECENT_RCHECK=78
MATCH_RECENT_UPDATE=79
MATCH_RECENT_REMOVE=80
MATCH_RECENT_RTTL=81
RSOURCE=82
MATCH_RECENT_RDEST=83
MATCH_RECENT_NAME=84
MATCH_RECENT_SECONDS=85
MATCH_RECENT_HITCOUNT=86
M_LENGTH="length"=87
MATCH_LENGTH=88
M_PKTTYPE="pkttype"=89
MATCH_PKT_TYPE=90
WORD_BROADCAST="broadcast"=91
WORD_MULTICAST="multicast"=92
WORD_UNICAST="unicast"=93
M_MPORT="multiport"=94
M_COMMENT="comment"=95
MATCH_COMMENT=96
MATCH_SRC_MULTIPORT=97
MATCH_DST_MULTIPORT=98
MATCH_BOTH_MULTIPORT=99
MATCH_ICMP_TYPE=100
MATCH_SRC_PORT=101
MATCH_SRC_PORT_SHORT=102
MATCH_DST_PORT=103
MATCH_DST_PORT_SHORT=104
MATCH_SYN=105
SYN="SYN"=106
ACK="ACK"=107
FIN="FIN"=108
RST="RST"=109
URG="URG"=110
PSH="PSH"=111
ALL="ALL"=112
NONE="NONE"=113
MATCH_TCP_FLAGS=114
MATCH_TCP_OPTION=115
Whitespace=116
IPV6=117
MAC_ADDRESS=118
NEG_INT_CONST=119
HEXDIGIT=120
NUM_3DIGIT=121
NUM_HEX_4DIGIT=122
NUMBER=123
ULOG_QTHR=124
ULOG_NLG=125
ULOG_CPR=126
PERCENT=127
AMPERSAND=128
APOSTROPHE=129
OPENING_PAREN=130
CLOSING_PAREN=131
PLUS=132
DOT=133
SEMICOLON=134
LESS_THAN=135
EQUALS=136
GREATER_THAN=137
QUESTION=138
COMMERCIAL_AT=139
CARET=140
UNDERLINE=141
OPENING_BRACE=142
CLOSING_BRACE=143
TILDE=144
SET_CLASS=45
SET_MARK=46
HEX_CONST=47
SET_TOS=48
SAVE_MARK=49
RESTORE_MARK=50
CONTINUE=51
ROUTE_IIF=52
ROUTE_OIF=53
ROUTE_GW=54
ROUTE_TEE=55
TO_SOURCE=56
TO_DESTINATION=57
TO_PORTS=58
TO_NETMAP=59
CLAMP_MSS=60
OPT_FRAGM=61
INVALID="INVALID"=62
NEW="NEW"=63
ESTABLISHED="ESTABLISHED"=64
RELATED="RELATED"=65
M_STATE="state"=66
MATCH_STATE=67
COMMA=68
M_MARK="mark"=69
MATCH_MARK=70
M_LIMIT="limit"=71
MATCH_LIMIT=72
MATCH_LIMIT_BURST=73
M_RECENT="recent"=74
M_IPRANGE="iprange"=75
MATCH_IPRANGE_SRC=76
MATCH_IPRANGE_DST=77
MATCH_RECENT_SET=78
MATCH_RECENT_RCHECK=79
MATCH_RECENT_UPDATE=80
MATCH_RECENT_REMOVE=81
MATCH_RECENT_RTTL=82
RSOURCE=83
MATCH_RECENT_RDEST=84
MATCH_RECENT_NAME=85
MATCH_RECENT_SECONDS=86
MATCH_RECENT_HITCOUNT=87
M_LENGTH="length"=88
MATCH_LENGTH=89
M_PKTTYPE="pkttype"=90
MATCH_PKT_TYPE=91
WORD_BROADCAST="broadcast"=92
WORD_MULTICAST="multicast"=93
WORD_UNICAST="unicast"=94
M_MPORT="multiport"=95
M_COMMENT="comment"=96
MATCH_COMMENT=97
MATCH_SRC_MULTIPORT=98
MATCH_DST_MULTIPORT=99
MATCH_BOTH_MULTIPORT=100
MATCH_ICMP_TYPE=101
MATCH_SRC_PORT=102
MATCH_SRC_PORT_SHORT=103
MATCH_DST_PORT=104
MATCH_DST_PORT_SHORT=105
MATCH_SYN=106
SYN="SYN"=107
ACK="ACK"=108
FIN="FIN"=109
RST="RST"=110
URG="URG"=111
PSH="PSH"=112
ALL="ALL"=113
NONE="NONE"=114
MATCH_TCP_FLAGS=115
MATCH_TCP_OPTION=116
Whitespace=117
IPV6=118
MAC_ADDRESS=119
NEG_INT_CONST=120
HEXDIGIT=121
NUM_3DIGIT=122
NUM_HEX_4DIGIT=123
NUMBER=124
ULOG_QTHR=125
ULOG_NLG=126
ULOG_CPR=127
PERCENT=128
AMPERSAND=129
APOSTROPHE=130
OPENING_PAREN=131
CLOSING_PAREN=132
PLUS=133
DOT=134
SEMICOLON=135
LESS_THAN=136
EQUALS=137
GREATER_THAN=138
QUESTION=139
COMMERCIAL_AT=140
CARET=141
UNDERLINE=142
OPENING_BRACE=143
CLOSING_BRACE=144
TILDE=145
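Review bot: inserting SET_CLASS=45 ahead of SET_MARK renumbers every token from SET_MARK=46 through TILDE=145, the same shift the header enum above shows (MATCH_IPRANGE_SRC 75 to 76, and so on). Both files are generated from the grammar and must be regenerated together in one commit; any code that compares against a numeric token value rather than the symbolic name will silently break after this shift, so it is worth grepping for hard-coded token numbers before merging.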

View File

@ -516,6 +516,13 @@ target_options :
importer->action_params["log_level"] = LT(0)->getText();
*dbg << " LOG LEVEL=" << LT(0)->getText();
}
|
SET_CLASS major:INT_CONST COLON minor:INT_CONST
{
importer->action_params["set_class"] =
major->getText() + ":" + minor->getText();
*dbg << " SET CLASS=" << major->getText() + ":" + minor->getText();
}
|
SET_MARK (INT_CONST | HEX_CONST)
{
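Review bot: the new SET_CLASS alternative only accepts `INT_CONST` for both `major` and `minor`, while the SET_MARK alternative directly below it accepts `(INT_CONST | HEX_CONST)`. iptables documents the CLASSIFY `--set-class MAJOR:MINOR` values as hexadecimal (with or without a `0x` prefix), so a rule written as `--set-class 0x1:0x10` would fail to parse here; consider `(INT_CONST | HEX_CONST) COLON (INT_CONST | HEX_CONST)` and make sure the consumer of `action_params["set_class"]` treats an unprefixed `1:10` as hex, not decimal.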
@ -1393,6 +1400,7 @@ MATCH_PKT_TYPE : "--pkt-type" ;
// ----------------------------------------------------------------
// target options
REJECT_WITH : "--reject-with" ;
SET_CLASS : "--set-class" ;
SET_MARK : "--set-mark" ;
SAVE_MARK : "--save-mark" ;
RESTORE_MARK : "--restore-mark" ;

View File

@ -15,30 +15,13 @@ win32:CONFIG += console
INCLUDEPATH += ../pflib ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../pflib ../compiler_lib ../libfwbuilder/src
win32:LIBS += ../common/release/common.lib \
../pflib/release/fwbpf.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \
../pflib/$$BINARY_SUBDIR/libfwbpf.a \
../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \
!win32:LIBS = ../common/libcommon.a \
../pflib/libfwbpf.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a \
$$LIBS
win32:PRE_TARGETDEPS = ../common/release/common.lib \
../pflib/release/fwbpf.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
!win32:PRE_TARGETDEPS = ../common/libcommon.a \
../pflib/libfwbpf.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a
LIBS += $$PRE_TARGETDEPS $$LIBS
TARGET = fwb_pf
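Review bot: the last PRE_TARGETDEPS entry, `../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \`, ends with a line continuation that has nothing to continue; it only works because a blank line follows, and deleting that blank line would fold `LIBS += $$PRE_TARGETDEPS $$LIBS` into the dependency list. Drop the trailing backslash. Separately, `LIBS += $$PRE_TARGETDEPS $$LIBS` appends the existing LIBS to itself (the old `!win32:LIBS = ... $$LIBS` used plain assignment), so every previously added library now appears twice on the link line; `LIBS = $$PRE_TARGETDEPS $$LIBS` or `LIBS += $$PRE_TARGETDEPS` is what was intended.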

View File

@ -4,9 +4,7 @@
Copyright (C) 2002 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
@ -45,6 +43,7 @@
#include "fwbuilder/DNSName.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/XMLTools.h"
#include "fwbuilder/AttachedNetworks.h"
#include <iostream>
#include <iomanip>
@ -774,6 +773,12 @@ void PolicyCompiler_pf::PrintRule::_printAddr(Address *o,bool )
compiler->output << "<" << o->getName() << "> ";
return;
}
if (atrt->getSubstitutionTypeName()==AttachedNetworks::TYPENAME)
{
compiler->output << atrt->getSourceName() << ":network";
return ;
}
assert(atrt==NULL);
}
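Review bot: the new AttachedNetworks branch writes `atrt->getSourceName() << ":network"` with no trailing space, whereas the table branch just above it emits `"<" << o->getName() << "> "` with one; whatever `_printAddr` callers print next will be glued to `:network` in the generated pf.conf. Emit `":network "` to match. Also `return ;` has a stray space before the semicolon, unlike the `return;` above it.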

View File

@ -4,9 +4,7 @@
Copyright (C) 2006 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
@ -27,6 +25,8 @@
#include "Preprocessor_pf.h"
#include "fwbuilder/AddressTable.h"
#include "fwbuilder/AttachedNetworks.h"
using namespace libfwbuilder;
using namespace fwcompiler;
@ -35,6 +35,11 @@ using namespace std;
void Preprocessor_pf::convertObject(FWObject *obj)
{
Preprocessor::convertObject(obj);
// do not convert attachedNetworks object, compiler for PF always
// treats it as run-time object
if ( AttachedNetworks::isA(obj))
AttachedNetworks::cast(obj)->setRunTime(true);
else
Preprocessor::convertObject(obj);
}
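Review bot: `Preprocessor::convertObject(obj)` is now skipped entirely for AttachedNetworks objects, not just supplemented; if the base implementation does any per-object bookkeeping besides the conversion this branch replaces, that is lost for this type. If skipping it is intentional, say so in the comment, which should also use the class name (`AttachedNetworks`, not `attachedNetworks`) so it can be grepped.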

View File

@ -4,9 +4,7 @@
Copyright (C) 2002 NetCitadel, LLC
Author: Vadim Kurland vadim@vk.crocodile.org
$Id$
Author: Vadim Kurland vadim@fwbuilder.org
This program is free software which we release under the GNU General Public
License. You may redistribute and/or modify this program under the terms
@ -35,6 +33,7 @@
#include "fwbuilder/Library.h"
#include "fwbuilder/Rule.h"
#include "fwbuilder/RuleElement.h"
#include "fwbuilder/AttachedNetworks.h"
#include <algorithm>
#include <functional>
@ -203,6 +202,10 @@ string TableFactory::PrintTables()
{
output << atrt->getSourceName() << " ";
}
if (atrt->getSubstitutionTypeName()==AttachedNetworks::TYPENAME)
{
output << atrt->getSourceName() << ":network";
}
} else
{
if (Interface::cast(o))
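Review bot: same spacing issue as in PrintRule: the preceding branch prints `atrt->getSourceName() << " "` with a separating space, but the new AttachedNetworks branch prints `":network"` without one, so inside a `{ ... }` table definition the next member runs into it. Use `":network "` here, or append the space once after the if/else chain for every branch.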

View File

@ -66,7 +66,7 @@ macx:LIBS += $$LIBS_FWCOMPILER
INCLUDEPATH += ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../compiler_lib ../libfwbuilder/src
win32:PRE_TARGETDEPS = ../compiler_lib/release/compilerdriver.lib
win32:PRE_TARGETDEPS = ../compiler_lib/release/libcompilerdriver.a
!win32:PRE_TARGETDEPS = ../compiler_lib/libcompilerdriver.a
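Review bot: the win32 path still hard-codes `../compiler_lib/release/libcompilerdriver.a` while the pf, pix and procurve_acl project files in this same commit switch to `../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a` for all platforms; a debug build on win32 would look for the archive in the wrong directory. Consider collapsing the two lines into a single `PRE_TARGETDEPS = ../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a` as done elsewhere.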

View File

@ -15,30 +15,13 @@ win32:CONFIG += console
INCLUDEPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src
win32:LIBS += ../common/release/common.lib \
../cisco_lib/release/fwbcisco.lib\
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \
../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \
../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \
!win32:LIBS = ../common/libcommon.a \
../cisco_lib/libfwbcisco.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a \
$$LIBS
win32:PRE_TARGETDEPS = ../common/release/common.lib \
../cisco_lib/release/fwbcisco.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
!win32:PRE_TARGETDEPS = ../common/libcommon.a \
../cisco_lib/libfwbcisco.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a
LIBS += $$PRE_TARGETDEPS $$LIBS
TARGET = fwb_pix
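Review bot: as in pf.pro, the final PRE_TARGETDEPS line `../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \` carries a dangling continuation backslash, and `LIBS += $$PRE_TARGETDEPS $$LIBS` duplicates the pre-existing LIBS entries. Remove the backslash and use either `=` or drop the trailing `$$LIBS`.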

View File

@ -21,31 +21,13 @@ win32:CONFIG += console
INCLUDEPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src
DEPENDPATH += ../cisco_lib ../compiler_lib ../libfwbuilder/src
win32:LIBS += ../common/release/common.lib \
../cisco_lib/release/fwbcisco.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
!win32:LIBS = ../common/libcommon.a \
../cisco_lib/libfwbcisco.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a \
$$LIBS
win32:PRE_TARGETDEPS = ../common/release/common.lib \
../cisco_lib/release/fwbcisco.lib \
../compiler_lib/release/compilerdriver.lib \
../libfwbuilder/src/fwbuilder/release/fwbuilder.lib \
../libfwbuilder/src/fwcompiler/release/fwcompiler.lib
!win32:PRE_TARGETDEPS = ../common/libcommon.a \
../cisco_lib/libfwbcisco.a \
../compiler_lib/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/libfwbuilder.a
PRE_TARGETDEPS = ../common/$$BINARY_SUBDIR/libcommon.a \
../cisco_lib/$$BINARY_SUBDIR/libfwbcisco.a \
../compiler_lib/$$BINARY_SUBDIR/libcompilerdriver.a \
../libfwbuilder/src/fwcompiler/$$BINARY_SUBDIR/libfwcompiler.a \
../libfwbuilder/src/fwbuilder/$$BINARY_SUBDIR/libfwbuilder.a \
LIBS += $$PRE_TARGETDEPS $$LIBS
TARGET = fwb_procurve_acl
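Review bot: same two points as the other compiler .pro files in this commit: the last PRE_TARGETDEPS entry ends in a stray `\`, and `LIBS += $$PRE_TARGETDEPS $$LIBS` doubles the existing LIBS contents. Fix them consistently across pf.pro, pix.pro and this file so a later cleanup does not miss one.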

View File

@ -0,0 +1,25 @@
## -*- mode: shell-script; -*-
##
## To be able to make changes to the part of configuration created
## from this configlet you need to copy this file to the directory
## fwbuilder/configlets/linux24/ in your home directory and modify it.
## Double "##" comments are removed during processing but single "#"
## comments are be retained and appear in the generated script. Empty
## lines are removed as well.
##
## Configlets support simple macro language with these constructs:
## {{$var}} is variable expansion
## {{if var}} is conditional operator.
##
## this template is used for single rule compile, both
## iptables-restore and regular, as well as for the regular
## (not iptables-restore) script
{{if auto}}{{$filter_auto_script}}
{{$mangle_auto_script}}{{endif}}
{{if nat}}{{$nat_script}}{{endif}}
{{if mangle}}{{$mangle_script}}{{endif}}
{{if filter}}{{$filter_script}}{{endif}}
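Review bot: the `##` header comment has a typo, "single "#" comments are be retained", which should read "are retained". Since this is a new configlet that users are invited to copy into their home directory, also consider stating in that header which tables the `auto`, `nat`, `mangle` and `filter` flags correspond to, as the three one-line conditionals at the bottom are the only documentation of the expected variables.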

View File

@ -14,12 +14,19 @@
## this template is used for single rule compile, both
## iptables-restore and regular, as well as for the regular
## (not iptables-restore) script
{{if auto}}{{$filter_auto_script}}
{{$mangle_auto_script}}{{endif}}
{{if nat}}{{$nat_script}}{{endif}}
{{if filter}}
{{if iptables_restore_format}}echo '*filter' {{endif}}
{{$filter_script}}
{{endif}}
{{if mangle}}{{$mangle_script}}{{endif}}
{{if mangle}}
{{if iptables_restore_format}}echo '*mangle' {{endif}}
{{$mangle_script}}
{{endif}}
{{if filter}}{{$filter_script}}{{endif}}
{{if nat}}
{{if iptables_restore_format}}echo '*nat' {{endif}}
{{$nat_script}}
{{endif}}
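Review bot: in iptables-restore format each `*filter`, `*mangle` and `*nat` section must be terminated by a `COMMIT` line, and nothing in this hunk emits one after `{{$filter_script}}`, `{{$mangle_script}}` or `{{$nat_script}}`. Confirm that the three script variables already end with `COMMIT` when `iptables_restore_format` is set; otherwise the reordered output produced by a single-rule compile is rejected by iptables-restore. Also note the order here is now filter, mangle, nat, while the new configlet above keeps nat, mangle, filter; pick one order for both.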

View File

@ -37,6 +37,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
##
## This function reads all ipv4 addresses of interface (arg 1) and
## assignes the list to the variable which name is given as arg 2.
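Review bot: in `getnet_internal` the third argument is stored in `af=$3` but never used: the command is `$IP route list proto kernel`, not `$IP $af route list proto kernel`, so the address family passed by the callers is ignored. Also `grep $dev` is an unanchored substring match, so `eth1` also matches routes on `eth10` and `eth11`; `grep -w "dev $dev"` or filtering on the `dev` field is safer. Finally, the empty-result branch does `eval "$name=''"` while the success branch does `eval "${name}_list=\"$L\""`, so the two branches set differently named variables and a caller reading `${name}_list` after an empty result gets an unset variable rather than an empty string.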
@ -53,6 +66,24 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
##
## This function reads all ipv4 addresses of interface (arg 1) and
## assignes list of addresses of attached networks with their netmasks
## to the variable which name is given as arg 2.
##
getnet() {
getnet_internal $1 $2 "-4"
}
##
## This function reads all ipv6 addresses of interface (arg 1) and
## assignes list of addresses of attached networks with their netmasks
## to the variable which name is given as arg 2.
##
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
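Review bot: the comment above `getnet` still says it "reads all ipv4 addresses of interface", copied from `getaddr`, while the function collects attached networks, and "assignes" should be "assigns" in both new comments. More importantly, `getnet6` passes `"-6"` as the third argument, but `getnet_internal` as added above assigns it to `af` and never uses it, so `getnet6` returns exactly the same list as `getnet` instead of IPv6 networks.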

File diff suppressed because it is too large

View File

@ -17,6 +17,10 @@
<description>Host</description>
</Host>
<AttachedNetworks>
<description>Attached Networks</description>
</AttachedNetworks>
<Network>
<description>Network</description>
</Network>

View File

@ -18,17 +18,17 @@ SUBDIRS = libfwbuilder \
compiler_lib \
fwtransfer \
iptlib \
pflib \
cisco_lib \
libgui \
gui \
ipt \
pflib \
pf \
ipf \
ipfw \
cisco_lib \
iosacl \
pix \
procurve_acl \
transfer_agents \
fwbedit
libgui \
fwbedit \
gui \
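Review bot: the new last SUBDIRS entry `gui \` ends with a continuation backslash with no further entry after it; if nothing follows, drop the backslash so the list is terminated cleanly, and if something does follow it is hidden from this hunk. The reorder itself is sensible: pflib now precedes pf, cisco_lib precedes iosacl/pix/procurve_acl, and libgui precedes gui and fwbedit, which is the build order the link dependencies require.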

View File

@ -26,9 +26,9 @@ contains( HAVE_QTDBUS, 1 ):unix {
win32 {
CONFIG += console
LIBS += ../../fwtransfer/release/fwtransfer.lib \ # -lQtDBus
../../libfwbuilder/src/fwcompiler/release/fwcompiler.lib \
../../libfwbuilder/src/fwbuilder/release/fwbuilder.lib
LIBS += ../../fwtransfer/release/libfwtransfer.a \ # -lQtDBus
../../libfwbuilder/src/fwcompiler/release/libfwcompiler.a \
../../libfwbuilder/src/fwbuilder/release/libfwbuilder.a
}
TARGET = transfer_secuwall
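Review bot: switching the win32 link inputs from `.lib` to `lib*.a` archives matches the other project files in this commit, but this one still hard-codes `release/` in all three paths (`../../fwtransfer/release/libfwtransfer.a` and the two libfwbuilder entries), whereas the compiler .pro files now use `$$BINARY_SUBDIR`; a debug build will not find these archives. Use `$$BINARY_SUBDIR` here as well.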

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658161" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658161" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
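Review bot: the data file format version is bumped from 20 to 21 but `lastModified="1304658161"` is left unchanged, unlike the two test files below, which update lastModified together with the version. Bumping the version also implies a 20-to-21 migration path for existing user files; that change is not visible in this diff, so confirm it is part of the same commit.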

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658161" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1305436556" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -487,7 +487,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id95</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id43" disabled="False" group="" log="False" position="1" action="Branch" direction="Both" comment="Chain FORWARD. &#10;Created during import of line 8">
@ -509,7 +508,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id95</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id55" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="Default iptables policy in filter/FORWARD">

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658161" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1305524743" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -439,16 +439,16 @@
<IPv4 id="id7" name="h-192.168.16.125" comment="Created during import of line 109" ro="False" address="192.168.16.125" netmask="255.255.255.255"/>
<IPv4 id="id8" name="h-192.0.34.166" comment="Created during import of line 112" ro="False" address="192.0.34.166" netmask="255.255.255.255"/>
<IPv4 id="id9" name="h-127.0.0.1" comment="Created during import of line 130" ro="False" address="127.0.0.1" netmask="255.255.255.255"/>
<IPv4 id="id10" name="h-222.222.222.222" comment="Created during import of line 284" ro="False" address="222.222.222.222" netmask="255.255.255.255"/>
<IPv4 id="id11" name="h-192.168.1.20" comment="Created during import of line 287" ro="False" address="192.168.1.20" netmask="255.255.255.255"/>
<IPv4 id="id12" name="h-192.168.1.10" comment="Created during import of line 289" ro="False" address="192.168.1.10" netmask="255.255.255.255"/>
<IPv4 id="id13" name="h-222.222.222.13" comment="Created during import of line 302" ro="False" address="222.222.222.13" netmask="255.255.255.255"/>
<IPv4 id="id14" name="h-192.168.1.212" comment="Created during import of line 302" ro="False" address="192.168.1.212" netmask="255.255.255.255"/>
<IPv4 id="id15" name="h-192.168.3.145" comment="Created during import of line 305" ro="False" address="192.168.3.145" netmask="255.255.255.255"/>
<IPv4 id="id16" name="h-1.1.1.1" comment="Created during import of line 305" ro="False" address="1.1.1.1" netmask="255.255.255.255"/>
<IPv4 id="id17" name="h-192.168.1.22" comment="Created during import of line 314" ro="False" address="192.168.1.22" netmask="255.255.255.255"/>
<IPv4 id="id18" name="h-192.168.2.10" comment="Created during import of line 314" ro="False" address="192.168.2.10" netmask="255.255.255.255"/>
<IPv4 id="id19" name="h-22.22.22.23" comment="Created during import of line 315" ro="False" address="22.22.22.23" netmask="255.255.255.255"/>
<IPv4 id="id10" name="h-222.222.222.222" comment="Created during import of line 287" ro="False" address="222.222.222.222" netmask="255.255.255.255"/>
<IPv4 id="id11" name="h-192.168.1.20" comment="Created during import of line 290" ro="False" address="192.168.1.20" netmask="255.255.255.255"/>
<IPv4 id="id12" name="h-192.168.1.10" comment="Created during import of line 292" ro="False" address="192.168.1.10" netmask="255.255.255.255"/>
<IPv4 id="id13" name="h-222.222.222.13" comment="Created during import of line 305" ro="False" address="222.222.222.13" netmask="255.255.255.255"/>
<IPv4 id="id14" name="h-192.168.1.212" comment="Created during import of line 305" ro="False" address="192.168.1.212" netmask="255.255.255.255"/>
<IPv4 id="id15" name="h-192.168.3.145" comment="Created during import of line 308" ro="False" address="192.168.3.145" netmask="255.255.255.255"/>
<IPv4 id="id16" name="h-1.1.1.1" comment="Created during import of line 308" ro="False" address="1.1.1.1" netmask="255.255.255.255"/>
<IPv4 id="id17" name="h-192.168.1.22" comment="Created during import of line 317" ro="False" address="192.168.1.22" netmask="255.255.255.255"/>
<IPv4 id="id18" name="h-192.168.2.10" comment="Created during import of line 317" ro="False" address="192.168.2.10" netmask="255.255.255.255"/>
<IPv4 id="id19" name="h-22.22.22.23" comment="Created during import of line 318" ro="False" address="22.22.22.23" netmask="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="id20" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id21" name="Address Tables" comment="" ro="False"/>
@ -462,15 +462,15 @@
<Network id="id29" name="net-128.143.0.0/255.255.0.0" comment="Created during import of line 95" ro="False" address="128.143.0.0" netmask="255.255.0.0"/>
<Network id="id30" name="net-1.1.0.0/255.255.0.0" comment="Created during import of line 101" ro="False" address="1.1.0.0" netmask="255.255.0.0"/>
<Network id="id31" name="net-192.168.19.0/255.255.255.0" comment="Created during import of line 108" ro="False" address="192.168.19.0" netmask="255.255.255.0"/>
<Network id="id32" name="net-192.168.1.0/255.255.255.0" comment="Created during import of line 284" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id33" name="net-192.168.1.32/255.255.255.224" comment="Created during import of line 286" ro="False" address="192.168.1.32" netmask="255.255.255.224"/>
<Network id="id34" name="net-222.222.222.0/255.255.255.0" comment="Created during import of line 293" ro="False" address="222.222.222.0" netmask="255.255.255.0"/>
<Network id="id32" name="net-192.168.1.0/255.255.255.0" comment="Created during import of line 277" ro="False" address="192.168.1.0" netmask="255.255.255.0"/>
<Network id="id33" name="net-192.168.1.32/255.255.255.224" comment="Created during import of line 289" ro="False" address="192.168.1.32" netmask="255.255.255.224"/>
<Network id="id34" name="net-222.222.222.0/255.255.255.0" comment="Created during import of line 296" ro="False" address="222.222.222.0" netmask="255.255.255.0"/>
</ObjectGroup>
<ObjectGroup id="id35" name="Address Ranges" comment="" ro="False">
<AddressRange id="id36" name="range-10.212.66.2-10.212.66.3" comment="Created during import of line 83" ro="False" start_address="10.212.66.2" end_address="10.212.66.3"/>
<AddressRange id="id37" name="range-192.11.1.11-192.11.1.63" comment="Created during import of line 83" ro="False" start_address="192.11.1.11" end_address="192.11.1.63"/>
<AddressRange id="id38" name="range-222.222.222.10-222.222.222.100" comment="Created during import of line 286" ro="False" start_address="222.222.222.10" end_address="222.222.222.100"/>
<AddressRange id="id39" name="range-192.168.1.1-192.168.1.10" comment="Created during import of line 288" ro="False" start_address="192.168.1.1" end_address="192.168.1.10"/>
<AddressRange id="id38" name="range-222.222.222.10-222.222.222.100" comment="Created during import of line 289" ro="False" start_address="222.222.222.10" end_address="222.222.222.100"/>
<AddressRange id="id39" name="range-192.168.1.1-192.168.1.10" comment="Created during import of line 291" ro="False" start_address="192.168.1.1" end_address="192.168.1.10"/>
</ObjectGroup>
</ObjectGroup>
<ServiceGroup id="id40" name="Services" comment="" ro="False">
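Review bot: the "Created during import of line N" comments in this hunk shift by +3 (286 to 289, 293 to 296), consistent with three lines added to the test input, except `net-192.168.1.0/255.255.255.0` (id32), which moves from line 284 to 277, a shift of -7 and earlier than before. Either the test input was reordered as well, or the importer now creates this object from a different rule; worth confirming this is the expected result rather than a side effect of the CLASSIFY import change.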
@ -525,7 +525,7 @@
<ServiceRef ref="id153"/>
<ServiceRef ref="id142"/>
</ServiceGroup>
<ServiceGroup id="id82" name="tcp group 10" comment="Created during import of line 300" ro="False">
<ServiceGroup id="id82" name="tcp group 10" comment="Created during import of line 303" ro="False">
<ServiceRef ref="id162"/>
<ServiceRef ref="id163"/>
<ServiceRef ref="id164"/>
@ -542,7 +542,7 @@
<ServiceRef ref="id171"/>
<ServiceRef ref="id123"/>
</ServiceGroup>
<ServiceGroup id="id98" name="tcp group 11" comment="Created during import of line 302" ro="False">
<ServiceGroup id="id98" name="tcp group 11" comment="Created during import of line 305" ro="False">
<ServiceRef ref="id172"/>
<ServiceRef ref="id173"/>
</ServiceGroup>
@ -551,8 +551,8 @@
<ICMPService id="id102" code="-1" type="-1" name="icmp -1/-1" comment="Created during import of line 95" ro="False"/>
<ICMPService id="id103" code="-1" type="3" name="icmp 3/-1" comment="Created during import of line 209" ro="False"/>
<ICMPService id="id104" code="6" type="3" name="icmp 3/6" comment="Created during import of line 210" ro="False"/>
<ICMPService id="id105" code="0" type="8" name="icmp 8/0" comment="Created during import of line 297" ro="False"/>
<ICMPService id="id106" code="0" type="11" name="icmp 11/0" comment="Created during import of line 315" ro="False"/>
<ICMPService id="id105" code="0" type="8" name="icmp 8/0" comment="Created during import of line 300" ro="False"/>
<ICMPService id="id106" code="0" type="11" name="icmp 11/0" comment="Created during import of line 318" ro="False"/>
</ServiceGroup>
<ServiceGroup id="id107" name="IP" comment="" ro="False">
<IPService id="id108" any_opt="False" dscp="" fragm="False" lsrr="False" protocol_num="47" rr="False" rtralt="False" rtralt_value="False" short_fragm="False" ssrr="False" tos="" ts="False" name="ip-47" comment="Created during import of line 98" ro="False"/>
@ -607,21 +607,21 @@
<TCPService id="id156" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 53:53 / 0:0" comment="Created during import of line 233" ro="False" src_range_start="53" src_range_end="53" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id157" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 25:25" comment="Created during import of line 252" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="25"/>
<TCPService id="id158" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 25:25 / 0:0" comment="Created during import of line 265" ro="False" src_range_start="25" src_range_end="25" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id159" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 1000:1010 / 0:0" comment="Created during import of line 289" ro="False" src_range_start="1000" src_range_end="1010" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id160" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 25:50" comment="Created during import of line 296" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="50"/>
<TCPService id="id161" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 4000:4010" comment="Created during import of line 299" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4000" dst_range_end="4010"/>
<TCPService id="id162" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 6667:6667" comment="Created during import of line 300" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
<TCPService id="id163" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 3128:3128" comment="Created during import of line 300" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
<TCPService id="id164" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 113:113" comment="Created during import of line 300" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
<TCPService id="id165" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 53:53" comment="Created during import of line 300" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<TCPService id="id166" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 21:21" comment="Created during import of line 300" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
<TCPService id="id167" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 119:119" comment="Created during import of line 300" ro="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
<TCPService id="id168" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 540:540" comment="Created during import of line 300" ro="False" src_range_start="0" src_range_end="0" dst_range_start="540" dst_range_end="540"/>
<TCPService id="id169" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 70:70" comment="Created during import of line 300" ro="False" src_range_start="0" src_range_end="0" dst_range_start="70" dst_range_end="70"/>
<TCPService id="id170" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 13:13" comment="Created during import of line 300" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
<TCPService id="id171" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 2105:2105" comment="Created during import of line 300" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2105" dst_range_end="2105"/>
<TCPService id="id172" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 1720:1720" comment="Created during import of line 302" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1720" dst_range_end="1720"/>
<TCPService id="id173" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 3230:3243" comment="Created during import of line 302" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3230" dst_range_end="3243"/>
<TCPService id="id159" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 1000:1010 / 0:0" comment="Created during import of line 292" ro="False" src_range_start="1000" src_range_end="1010" dst_range_start="0" dst_range_end="0"/>
<TCPService id="id160" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 25:50" comment="Created during import of line 299" ro="False" src_range_start="0" src_range_end="0" dst_range_start="25" dst_range_end="50"/>
<TCPService id="id161" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 4000:4010" comment="Created during import of line 302" ro="False" src_range_start="0" src_range_end="0" dst_range_start="4000" dst_range_end="4010"/>
<TCPService id="id162" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 6667:6667" comment="Created during import of line 303" ro="False" src_range_start="0" src_range_end="0" dst_range_start="6667" dst_range_end="6667"/>
<TCPService id="id163" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 3128:3128" comment="Created during import of line 303" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3128" dst_range_end="3128"/>
<TCPService id="id164" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 113:113" comment="Created during import of line 303" ro="False" src_range_start="0" src_range_end="0" dst_range_start="113" dst_range_end="113"/>
<TCPService id="id165" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 53:53" comment="Created during import of line 303" ro="False" src_range_start="0" src_range_end="0" dst_range_start="53" dst_range_end="53"/>
<TCPService id="id166" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 21:21" comment="Created during import of line 303" ro="False" src_range_start="0" src_range_end="0" dst_range_start="21" dst_range_end="21"/>
<TCPService id="id167" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 119:119" comment="Created during import of line 303" ro="False" src_range_start="0" src_range_end="0" dst_range_start="119" dst_range_end="119"/>
<TCPService id="id168" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 540:540" comment="Created during import of line 303" ro="False" src_range_start="0" src_range_end="0" dst_range_start="540" dst_range_end="540"/>
<TCPService id="id169" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 70:70" comment="Created during import of line 303" ro="False" src_range_start="0" src_range_end="0" dst_range_start="70" dst_range_end="70"/>
<TCPService id="id170" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 13:13" comment="Created during import of line 303" ro="False" src_range_start="0" src_range_end="0" dst_range_start="13" dst_range_end="13"/>
<TCPService id="id171" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 2105:2105" comment="Created during import of line 303" ro="False" src_range_start="0" src_range_end="0" dst_range_start="2105" dst_range_end="2105"/>
<TCPService id="id172" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 1720:1720" comment="Created during import of line 305" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1720" dst_range_end="1720"/>
<TCPService id="id173" ack_flag="False" ack_flag_mask="False" established="False" fin_flag="False" fin_flag_mask="False" psh_flag="False" psh_flag_mask="False" rst_flag="False" rst_flag_mask="False" syn_flag="False" syn_flag_mask="False" urg_flag="False" urg_flag_mask="False" name="tcp 0:0 / 3230:3243" comment="Created during import of line 305" ro="False" src_range_start="0" src_range_end="0" dst_range_start="3230" dst_range_end="3243"/>
</ServiceGroup>
<ServiceGroup id="id174" name="UDP" comment="" ro="False">
<UDPService id="id175" name="udp 0:0 / 1604:1604" comment="Created during import of line 45" ro="False" src_range_start="0" src_range_end="0" dst_range_start="1604" dst_range_end="1604"/>
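Review bot: the only change in this hunk is the line number inside the `comment` attribute (id168 to id171 go from `import of line 300` to `303`, id172 and id173 from `302` to `305`), so this expected-output fixture now depends on the exact line layout of the iptables input file; the corresponding edit to that input (three lines inserted ahead of line 300) has to land in the same commit, otherwise the import test fails on comment text alone. Consider comparing objects with the `Created during import of line N` suffix stripped, or at least noting the coupling in the test, since any blank line added to the input will churn every `TCPService`, `NATRule` and `PolicyRule` comment in this file.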
@ -668,7 +668,7 @@
<ObjectGroup id="id198" name="Firewalls" comment="" ro="False">
<Firewall id="id199" host_OS="linux24" lastCompiled="0" lastInstalled="0" lastModified="0" platform="iptables" version="ge_1.2.6" name="test_fw" comment="Created during import of line 3" ro="False">
<NAT id="id635" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id637" disabled="False" group="" position="0" action="Translate" comment="Created during import of line 284">
<NATRule id="id637" disabled="False" group="" position="0" action="Translate" comment="Created during import of line 287">
<OSrc neg="False">
<ObjectRef ref="id32"/>
</OSrc>
@ -695,7 +695,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id655" disabled="False" group="" position="1" action="Translate" comment="Created during import of line 285">
<NATRule id="id655" disabled="False" group="" position="1" action="Translate" comment="Created during import of line 288">
<OSrc neg="False">
<ObjectRef ref="id32"/>
</OSrc>
@ -722,7 +722,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id673" disabled="False" group="" position="2" action="Translate" comment="Created during import of line 286">
<NATRule id="id673" disabled="False" group="" position="2" action="Translate" comment="Created during import of line 289">
<OSrc neg="False">
<ObjectRef ref="id33"/>
</OSrc>
@ -745,11 +745,11 @@
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id2339"/>
<ObjectRef ref="id2363"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id691" disabled="False" group="" position="3" action="Translate" comment="Created during import of line 287">
<NATRule id="id691" disabled="False" group="" position="3" action="Translate" comment="Created during import of line 290">
<OSrc neg="False">
<ObjectRef ref="id32"/>
</OSrc>
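Review bot: the `ItfOutb` reference changes from `id2339` to `id2363` here (and `TSrc` from `id2338` to `id2362` further down), a shift of exactly 24 that comes from object ids being allocated sequentially during import: the two new `PolicyRule` objects in the Mangle policy (`id2278` and `id2290`) each occupy a 12-id span, so every object created after them moved. Pinning raw ids in the expected output makes the fixture break on any unrelated change to the number of imported objects; if the harness can compare references by object name or path instead of id, these hunks would not be needed.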
@ -772,11 +772,11 @@
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id2339"/>
<ObjectRef ref="id2363"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id709" disabled="False" group="" position="4" action="Translate" comment="Created during import of line 288">
<NATRule id="id709" disabled="False" group="" position="4" action="Translate" comment="Created during import of line 291">
<OSrc neg="False">
<ObjectRef ref="id32"/>
</OSrc>
@ -799,11 +799,11 @@
<ObjectRef ref="sysid0"/>
</ItfInb>
<ItfOutb neg="False">
<ObjectRef ref="id2339"/>
<ObjectRef ref="id2363"/>
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id727" disabled="False" group="" position="5" action="Translate" comment="Created during import of line 289">
<NATRule id="id727" disabled="False" group="" position="5" action="Translate" comment="Created during import of line 292">
<OSrc neg="False">
<ObjectRef ref="id12"/>
</OSrc>
@ -830,7 +830,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id745" disabled="False" group="" position="6" action="Translate" comment="Created during import of line 291">
<NATRule id="id745" disabled="False" group="" position="6" action="Translate" comment="Created during import of line 294">
<OSrc neg="False">
<ObjectRef ref="id32"/>
</OSrc>
@ -841,7 +841,7 @@
<ServiceRef ref="sysid1"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="id2338"/>
<ObjectRef ref="id2362"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="sysid0"/>
@ -857,7 +857,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id763" disabled="False" group="" position="7" action="Translate" comment="Created during import of line 293">
<NATRule id="id763" disabled="False" group="" position="7" action="Translate" comment="Created during import of line 296">
<OSrc neg="False">
<ObjectRef ref="id32"/>
</OSrc>
@ -884,7 +884,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id781" disabled="False" group="" position="8" action="Translate" comment="Created during import of line 295">
<NATRule id="id781" disabled="False" group="" position="8" action="Translate" comment="Created during import of line 298">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -911,7 +911,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id799" disabled="False" group="" position="9" action="Translate" comment="Created during import of line 296">
<NATRule id="id799" disabled="False" group="" position="9" action="Translate" comment="Created during import of line 299">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -938,7 +938,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id817" disabled="False" group="" position="10" action="Translate" comment="Created during import of line 297">
<NATRule id="id817" disabled="False" group="" position="10" action="Translate" comment="Created during import of line 300">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -965,7 +965,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id835" disabled="False" group="" position="11" action="Translate" comment="Created during import of line 298">
<NATRule id="id835" disabled="False" group="" position="11" action="Translate" comment="Created during import of line 301">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -992,7 +992,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id853" disabled="False" group="" position="12" action="Translate" comment="Created during import of line 299">
<NATRule id="id853" disabled="False" group="" position="12" action="Translate" comment="Created during import of line 302">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -1019,7 +1019,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id871" disabled="False" group="" position="13" action="Translate" comment="Created during import of line 300">
<NATRule id="id871" disabled="False" group="" position="13" action="Translate" comment="Created during import of line 303">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -1046,7 +1046,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id889" disabled="False" group="" position="14" action="Translate" comment="Created during import of line 302">
<NATRule id="id889" disabled="False" group="" position="14" action="Translate" comment="Created during import of line 305">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -1073,7 +1073,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id907" disabled="False" group="" position="15" action="Translate" comment="Created during import of line 305">
<NATRule id="id907" disabled="False" group="" position="15" action="Translate" comment="Created during import of line 308">
<OSrc neg="False">
<ObjectRef ref="sysid0"/>
</OSrc>
@ -1100,7 +1100,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id925" disabled="False" group="" position="16" action="Translate" comment="Created during import of line 308">
<NATRule id="id925" disabled="False" group="" position="16" action="Translate" comment="Created during import of line 311">
<OSrc neg="False">
<ObjectRef ref="id32"/>
</OSrc>
@ -1127,7 +1127,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id943" disabled="False" group="" position="17" action="Translate" comment="Created during import of line 311">
<NATRule id="id943" disabled="False" group="" position="17" action="Translate" comment="Created during import of line 314">
<OSrc neg="False">
<ObjectRef ref="id32"/>
</OSrc>
@ -1154,7 +1154,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id961" disabled="False" group="" position="18" action="Translate" comment="Created during import of line 314">
<NATRule id="id961" disabled="False" group="" position="18" action="Translate" comment="Created during import of line 317">
<OSrc neg="False">
<ObjectRef ref="id199"/>
</OSrc>
@ -1181,7 +1181,7 @@
</ItfOutb>
<NATRuleOptions/>
</NATRule>
<NATRule id="id979" disabled="False" group="" position="19" action="Translate" comment="Created during import of line 315">
<NATRule id="id979" disabled="False" group="" position="19" action="Translate" comment="Created during import of line 318">
<OSrc neg="False">
<ObjectRef ref="id199"/>
</OSrc>
@ -1310,7 +1310,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id1787</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id263" disabled="False" group="" log="False" position="5" action="Branch" direction="Both" comment="Chain OUTPUT. &#10;Created during import of line 23">
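Review bot: removing the empty `<Option name="tagobject_id"></Option>` from the Branch rules only changes the serialized form, but it needs a compatibility check: files written by the previous importer (and by users) still carry the empty option, so the loader must keep accepting it, and every reader of `tagobject_id` must treat a missing option and an empty string the same way, otherwise a stale empty value could be mistaken for a tag reference. A small loader test that reads a rule with the empty option and asserts that `tagging` is false would pin that down.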
@ -1332,7 +1331,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id1801</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id275" disabled="False" group="" log="False" position="6" action="Branch" direction="Both" comment="Chain OUTPUT. &#10;Created during import of line 28">
@ -1354,7 +1352,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id1815</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id287" disabled="False" group="" log="False" position="7" action="Branch" direction="Both" comment="Chain FORWARD. &#10;Created during import of line 31">
@ -1376,7 +1373,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id1829</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id299" disabled="False" group="" log="False" position="8" action="Accept" direction="Inbound" comment="Chain INPUT. &#10;Created during import of line 40">
@ -1418,7 +1414,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id999</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id323" disabled="False" group="" log="False" position="10" action="Branch" direction="Both" comment="Chain INPUT. &#10;Created during import of line 42">
@ -1440,7 +1435,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id1846</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id335" disabled="False" group="" log="False" position="11" action="Branch" direction="Inbound" comment="Chain FORWARD. Both inbound and outbound interfaces in original iptables command: -i eth0 -o eth1&#10;Created during import of line 45">
@ -1462,7 +1456,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id2040</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id347" disabled="False" group="" log="False" position="12" action="Reject" direction="Both" comment="Chain INPUT. &#10;Created during import of line 48">
@ -1841,7 +1834,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id999</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id563" disabled="False" group="" log="False" position="30" action="Accept" direction="Both" comment="Chain FORWARD. &#10;Created during import of line 83">
@ -3104,7 +3096,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id2056</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1679" disabled="False" group="" log="False" position="56" action="Branch" direction="Both" comment="Chain user_chain. &#10;Created during import of line 222">
@ -3126,7 +3117,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id2070</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1691" disabled="False" group="" log="False" position="57" action="Branch" direction="Both" comment="Chain user_chain. &#10;Created during import of line 223">
@ -3148,7 +3138,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id2084</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1703" disabled="False" group="" log="False" position="58" action="Branch" direction="Both" comment="Chain user_chain. &#10;Created during import of line 224">
@ -3170,7 +3159,6 @@
<PolicyRuleOptions>
<Option name="branch_id">id2098</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1715" disabled="False" group="" log="False" position="59" action="Branch" direction="Both" comment="Chain user_chain. &#10;Created during import of line 227">
@ -3192,7 +3180,8 @@
<PolicyRuleOptions>
<Option name="branch_id">id2112</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
<Option name="tagging">True</Option>
<Option name="tagobject_id">id191</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1727" disabled="False" group="" log="False" position="60" action="Branch" direction="Both" comment="Chain user_chain. &#10;Created during import of line 230">
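Review bot: the Branch rule `id1715` keeps `branch_id=id2112` and additionally gets `tagging=True` with `tagobject_id=id191`, while the rule set it branches to (`user_chain_59_mod_match`, later in this diff) has its only rule changed from action `Tag` to `Continue` with the same `id191` tag. The tag is therefore recorded twice, once on the caller and once on the callee: if the compiler emits a MARK for both, the generated script sets the same mark twice for every packet entering the branch (harmless but noisy), and if the copy on the Branch rule is only meant to force the branch into the mangle table, a dedicated option would express that intent more clearly than reusing `tagging`. Please record in the test or the importer which of the two is authoritative.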
@ -3214,7 +3203,8 @@
<PolicyRuleOptions>
<Option name="branch_id">id2126</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
<Option name="tagging">True</Option>
<Option name="tagobject_id">id191</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1739" disabled="False" group="" log="False" position="61" action="Branch" direction="Both" comment="Chain user_chain. &#10;Created during import of line 233&#10;Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.">
@ -3237,7 +3227,6 @@
<Option name="branch_id">id2140</Option>
<Option name="color">#C86E6E</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1751" disabled="False" group="" log="False" position="62" action="Branch" direction="Both" comment="Chain user_chain. &#10;Created during import of line 234&#10;Error: Original rule combines match of tcp/udp/icmp protocols with two or more module matches, such as module 'mark', 'recent' or 'length'. Use additional branches to implement this complex match.">
@ -3260,7 +3249,6 @@
<Option name="branch_id">id2154</Option>
<Option name="color">#C86E6E</Option>
<Option name="stateless">True</Option>
<Option name="tagobject_id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1763" disabled="False" group="" log="False" position="63" action="Deny" direction="Both" comment="Chain user_chain. &#10;Created during import of line 237">
@ -3888,7 +3876,7 @@
<RuleSetOptions/>
</Policy>
<Policy id="id2112" name="user_chain_59_mod_match" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id2114" disabled="False" group="" log="False" position="0" action="Tag" direction="Both" comment="Called from ruleset user_chain, rule 59">
<PolicyRule id="id2114" disabled="False" group="" log="False" position="0" action="Continue" direction="Both" comment="Called from ruleset user_chain, rule 59">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -3905,15 +3893,15 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_id"></Option>
<Option name="stateless">True</Option>
<Option name="tagging">True</Option>
<Option name="tagobject_id">id191</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id2126" name="user_chain_60_mod_match" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id2128" disabled="False" group="" log="False" position="0" action="Tag" direction="Both" comment="Called from ruleset user_chain, rule 60">
<PolicyRule id="id2128" disabled="False" group="" log="False" position="0" action="Continue" direction="Both" comment="Called from ruleset user_chain, rule 60">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
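Review bot: this hunk changes the rule action from `Tag` to `Continue` and moves the tagging intent into the options (`tagging=True`, `tagobject_id=id191`), dropping the empty `branch_id` option; the same pattern is applied to the Route rules (`routing=True`) and the new CLASSIFY rules (`classification=True`) further down. With the action no longer encoding the effect, a rule with `action="Continue"` and none of `tagging`, `routing` or `classification` set is a silent no-op; the compiler or the GUI should warn on that combination, and a loader test for each of the three flags would protect the migration path for existing files that still use the `Tag` and `Route` action values.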
@ -3930,8 +3918,8 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_id"></Option>
<Option name="stateless">True</Option>
<Option name="tagging">True</Option>
<Option name="tagobject_id">id191</Option>
</PolicyRuleOptions>
</PolicyRule>
@ -3984,7 +3972,7 @@
<RuleSetOptions/>
</Policy>
<Policy id="id2168" name="Mangle" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id2170" disabled="False" group="" log="False" position="0" action="Tag" direction="Inbound" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD&#10;Chain FORWARD. &#10;Created during import of line 252&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD">
<PolicyRule id="id2170" disabled="False" group="" log="False" position="0" action="Continue" direction="Inbound" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD&#10;Chain FORWARD. &#10;Created during import of line 252&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
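Review bot: the `comment` on `id2170` carries the text `Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD` twice, once before and once after the `Chain FORWARD. Created during import of line 252` part, and the same doubling appears on `id2182`, `id2194`, `id2218`, `id2230` and `id2242` below. The importer seems to append the error once when the rule is created and again when it is finalized; this hunk only changes the action, so the duplicate is pre-existing, but since the expected output is being regenerated anyway this is a good moment to make the importer add the message once.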
@ -4001,13 +3989,13 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_id"></Option>
<Option name="color">#C86E6E</Option>
<Option name="stateless">True</Option>
<Option name="tagging">True</Option>
<Option name="tagobject_id">id193</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2182" disabled="False" group="" log="False" position="1" action="Tag" direction="Inbound" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD&#10;Chain FORWARD. &#10;Created during import of line 255&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD">
<PolicyRule id="id2182" disabled="False" group="" log="False" position="1" action="Continue" direction="Inbound" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD&#10;Chain FORWARD. &#10;Created during import of line 255&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4024,13 +4012,13 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_id"></Option>
<Option name="color">#C86E6E</Option>
<Option name="stateless">True</Option>
<Option name="tagging">True</Option>
<Option name="tagobject_id">id194</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2194" disabled="False" group="" log="False" position="2" action="Tag" direction="Inbound" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD&#10;Chain FORWARD. &#10;Created during import of line 256&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD">
<PolicyRule id="id2194" disabled="False" group="" log="False" position="2" action="Continue" direction="Inbound" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD&#10;Chain FORWARD. &#10;Created during import of line 256&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain FORWARD">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4047,13 +4035,13 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_id"></Option>
<Option name="color">#C86E6E</Option>
<Option name="stateless">True</Option>
<Option name="tagging">True</Option>
<Option name="tagobject_id">id195</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2206" disabled="False" group="" log="False" position="3" action="Tag" direction="Inbound" comment="Chain PREROUTING. &#10;Created during import of line 259">
<PolicyRule id="id2206" disabled="False" group="" log="False" position="3" action="Continue" direction="Inbound" comment="Chain PREROUTING. &#10;Created during import of line 259">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4070,12 +4058,12 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_id"></Option>
<Option name="stateless">True</Option>
<Option name="tagging">True</Option>
<Option name="tagobject_id">id193</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2218" disabled="False" group="" log="False" position="4" action="Tag" direction="Outbound" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING&#10;Chain POSTROUTING. &#10;Created during import of line 265&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING">
<PolicyRule id="id2218" disabled="False" group="" log="False" position="4" action="Continue" direction="Outbound" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING&#10;Chain POSTROUTING. &#10;Created during import of line 265&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4092,14 +4080,14 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="branch_id"></Option>
<Option name="color">#C86E6E</Option>
<Option name="ipt_mark_connections">True</Option>
<Option name="stateless">True</Option>
<Option name="tagging">True</Option>
<Option name="tagobject_id">id193</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2230" disabled="False" group="" log="False" position="5" action="Route" direction="Both" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING&#10;Chain POSTROUTING. &#10;Created during import of line 269&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING">
<PolicyRule id="id2230" disabled="False" group="" log="False" position="5" action="Continue" direction="Both" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING&#10;Chain POSTROUTING. &#10;Created during import of line 269&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4122,10 +4110,11 @@
<Option name="ipt_iif"></Option>
<Option name="ipt_oif">eth0</Option>
<Option name="ipt_tee">False</Option>
<Option name="routing">True</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2242" disabled="False" group="" log="False" position="6" action="Route" direction="Both" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING&#10;Chain POSTROUTING. &#10;Created during import of line 270&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING">
<PolicyRule id="id2242" disabled="False" group="" log="False" position="6" action="Continue" direction="Both" comment="Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING&#10;Chain POSTROUTING. &#10;Created during import of line 270&#10;Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4148,6 +4137,7 @@
<Option name="ipt_iif"></Option>
<Option name="ipt_oif">eth2</Option>
<Option name="ipt_tee">False</Option>
<Option name="routing">True</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
@ -4195,7 +4185,51 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2278" disabled="False" group="" log="False" position="9" action="Accept" direction="Both" comment="Warning: Line 247: Can not reproduce default action in table 'mangle' chain 'FORWARD'. (Generated rule may not generate equivalent iptables command when compiled)">
<PolicyRule id="id2278" disabled="False" group="" log="False" position="9" action="Continue" direction="Both" comment="Chain POSTROUTING. &#10;Created during import of line 277">
<Src neg="False">
<ObjectRef ref="id32"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="classification">True</Option>
<Option name="classify_str">0001:0010</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2290" disabled="False" group="" log="False" position="10" action="Continue" direction="Both" comment="Chain POSTROUTING. &#10;Created during import of line 278">
<Src neg="False">
<ObjectRef ref="id25"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="classification">True</Option>
<Option name="classify_str">1:10</Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2302" disabled="False" group="" log="False" position="11" action="Accept" direction="Both" comment="Warning: Line 247: Can not reproduce default action in table 'mangle' chain 'FORWARD'. (Generated rule may not generate equivalent iptables command when compiled)">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
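Review bot: the two imported CLASSIFY rules keep classify_str exactly as written in the iptables file ("0001:0010" and "1:10"), although both strings name the same major:minor class. If the importer is meant to round-trip the text verbatim that is fine, but then the compiled output should be checked so that the compiler does not re-emit "0001:0010" in a form iptables parses differently; otherwise consider normalising to one representation on import. Second point: both rules come from mangle/POSTROUTING but are stored with direction="Both" and an empty interface (sysid0), whereas the default-policy rule for the same chain further down (id2338) is direction="Outbound". With direction Both the compiler may place the CLASSIFY rule into PREROUTING or INPUT, where the target is not valid; storing them as Outbound, or setting the mangle chain explicitly, would avoid that.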
@ -4216,7 +4250,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2290" disabled="False" group="" log="False" position="10" action="Accept" direction="Inbound" comment="Warning: Line 246: Can not reproduce default action in table 'mangle' chain 'INPUT'. (Generated rule may not generate equivalent iptables command when compiled)">
<PolicyRule id="id2314" disabled="False" group="" log="False" position="12" action="Accept" direction="Inbound" comment="Warning: Line 246: Can not reproduce default action in table 'mangle' chain 'INPUT'. (Generated rule may not generate equivalent iptables command when compiled)">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4237,7 +4271,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2302" disabled="False" group="" log="False" position="11" action="Accept" direction="Outbound" comment="Default iptables policy in mangle/OUTPUT">
<PolicyRule id="id2326" disabled="False" group="" log="False" position="13" action="Accept" direction="Outbound" comment="Default iptables policy in mangle/OUTPUT">
<Src neg="False">
<ObjectRef ref="id199"/>
</Src>
@ -4257,7 +4291,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2314" disabled="False" group="" log="False" position="12" action="Accept" direction="Outbound" comment="Default iptables policy in mangle/POSTROUTING">
<PolicyRule id="id2338" disabled="False" group="" log="False" position="14" action="Accept" direction="Outbound" comment="Default iptables policy in mangle/POSTROUTING">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4277,7 +4311,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2326" disabled="False" group="" log="False" position="13" action="Accept" direction="Inbound" comment="Default iptables policy in mangle/PREROUTING">
<PolicyRule id="id2350" disabled="False" group="" log="False" position="15" action="Accept" direction="Inbound" comment="Default iptables policy in mangle/PREROUTING">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4307,8 +4341,8 @@
<Interface id="id1845" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="lo" comment="Created during import of line 40" ro="False"/>
<Interface id="id2054" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="eth1" comment="Created during import of line 45" ro="False"/>
<Interface id="id2055" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="eth0" comment="Created during import of line 45" ro="False"/>
<Interface id="id2338" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="eth2" comment="Created during import of line 270" ro="False"/>
<Interface id="id2339" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="eth+" comment="Created during import of line 286" ro="False"/>
<Interface id="id2362" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="eth2" comment="Created during import of line 270" ro="False"/>
<Interface id="id2363" dedicated_failover="False" dyn="False" security_level="0" unnum="True" unprotected="False" name="eth+" comment="Created during import of line 289" ro="False"/>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
@ -4335,7 +4369,7 @@
</FirewallOptions>
</Firewall>
</ObjectGroup>
<ObjectGroup id="id2340" name="Clusters" comment="" ro="False"/>
<IntervalGroup id="id2341" name="Time" comment="" ro="False"/>
<ObjectGroup id="id2364" name="Clusters" comment="" ro="False"/>
<IntervalGroup id="id2365" name="Time" comment="" ro="False"/>
</Library>
</FWObjectDatabase>

View File

@ -68,18 +68,18 @@
274: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
275: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
275: Error: Error: Fwbuilder can not reproduce iptables rule in the table 'mangle', chain POSTROUTING
280: New ruleset: nat / PREROUTING
280: Default action: Accept
281: New ruleset: nat / POSTROUTING
281: Default action: Accept
282: New ruleset: nat / OUTPUT
282: Default action: Accept
286: New interface: eth+
315: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT
315: Warning: Line 247: Can not reproduce default action in table 'mangle' chain 'FORWARD'. (Generated rule may not generate equivalent iptables command when compiled)
315: Warning: Line 247: Added rule to reproduce default policy ACCEPT in mangle/FORWARD
315: Warning: Line 246: Can not reproduce default action in table 'mangle' chain 'INPUT'. (Generated rule may not generate equivalent iptables command when compiled)
315: Warning: Line 246: Added rule to reproduce default policy ACCEPT in mangle/INPUT
315: Warning: Line 248: Added rule to reproduce default policy ACCEPT in mangle/OUTPUT
315: Warning: Line 249: Added rule to reproduce default policy ACCEPT in mangle/POSTROUTING
315: Warning: Line 245: Added rule to reproduce default policy ACCEPT in mangle/PREROUTING
283: New ruleset: nat / PREROUTING
283: Default action: Accept
284: New ruleset: nat / POSTROUTING
284: Default action: Accept
285: New ruleset: nat / OUTPUT
285: Default action: Accept
289: New interface: eth+
318: Warning: Line 5: Added rule to reproduce default policy ACCEPT in filter/OUTPUT
318: Warning: Line 247: Can not reproduce default action in table 'mangle' chain 'FORWARD'. (Generated rule may not generate equivalent iptables command when compiled)
318: Warning: Line 247: Added rule to reproduce default policy ACCEPT in mangle/FORWARD
318: Warning: Line 246: Can not reproduce default action in table 'mangle' chain 'INPUT'. (Generated rule may not generate equivalent iptables command when compiled)
318: Warning: Line 246: Added rule to reproduce default policy ACCEPT in mangle/INPUT
318: Warning: Line 248: Added rule to reproduce default policy ACCEPT in mangle/OUTPUT
318: Warning: Line 249: Added rule to reproduce default policy ACCEPT in mangle/POSTROUTING
318: Warning: Line 245: Added rule to reproduce default policy ACCEPT in mangle/PREROUTING
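Review bot: the expected log still carries the doubled prefix "274: Error: Error: Fwbuilder can not reproduce ..." and "275: Error: Error: ..." next to the single-prefix variant of the same message, so each unreproducible rule is logged twice, once with "Error:" prepended to a message that already starts with "Error:". This is in the unchanged context, but the golden file locks it in; the importer should emit the diagnostic once and not prepend the level when the message already carries it. The renumbering from 280/315 to 283/318 matches the three lines added to the input file.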

View File

@ -274,6 +274,9 @@ COMMIT
-A POSTROUTING -d 192.168.1.1 -j TOS --set-tos Minimize-Delay
-A POSTROUTING -d 192.168.1.1 -j TOS --set-tos 0x10
-A POSTROUTING -s 192.168.1.0/24 -j CLASSIFY --set-class 0001:0010
-A POSTROUTING -s 192.168.2.0/24 -j CLASSIFY --set-class 1:10
COMMIT
*nat
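Review bot: the two new CLASSIFY rules only exercise the happy path, a plain "-s network -j CLASSIFY --set-class". To cover the code that was just added to the importer, consider also adding one rule with an interface match (for example "-o eth2") so the ipt_oif option is populated, and one with a malformed --set-class value so the error path is reproduced in the expected log. The two rules as written differ only in the spelling of the same class ("0001:0010" versus "1:10"), which is useful for the round-trip check but does not test anything else.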

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1268754223" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1268754223" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="False">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
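Review bot: only the version attribute moves from 20 to 21 here while lastModified is unchanged, so either the fixture was edited by hand or the serializer does not touch lastModified on re-save. Either way, the question for this merge is whether the 20 to 21 migration stylesheet that converts action="Tag"/"Classify"/"Route" into Continue plus tagging/classification/routing options (as seen in the new_cluster_test fixture) is included, since every data file with version 21 will now be expected to have gone through it.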

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1265584375" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1265584375" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<IPv4 id="id9040X76354" name="pc:eth0:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
</Library>
@ -28,9 +28,9 @@
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>
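Review bot: the rewrite of <Option name="snmp_contact"/> into <Option name="snmp_contact"></Option> (and the same for snmp_description and snmp_location) is semantically identical XML and only reflects how the serializer now writes empty elements. It is harmless, but it will keep showing up as noise in every fixture that gets re-saved; if the goal of this hunk was only the version bump, the empty-element change could be dropped or the comparison done with an XML-aware diff.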
@ -46,9 +46,9 @@
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<HostOptions>
<Option name="snmp_contact"/>
<Option name="snmp_description"/>
<Option name="snmp_location"/>
<Option name="snmp_contact"></Option>
<Option name="snmp_description"></Option>
<Option name="snmp_location"></Option>
<Option name="use_mac_addr">false</Option>
<Option name="use_mac_addr_filter">False</Option>
</HostOptions>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658047" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658047" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658046" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658046" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658046" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658046" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658046" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658046" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658046" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658046" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658046" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658046" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658047" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658047" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658046" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658046" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658046" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658046" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1304658046" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1304658046" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" id="root">
<Library id="id40CCB499" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id40CCB49A_clusters" name="Clusters" comment="" ro="False"/>
<ObjectGroup id="id40CCB49A" name="Objects" comment="" ro="False">

View File

@ -243,7 +243,7 @@ void RuleSetViewContextMenuTest::verifyMenu(int column)
<< "Disable Rule"
<< "Compile rule";
}
if (column > 0 && column < 5 || column == 7)
if (column > 0 && (column < 5 || column == 7))
{
names << "Edit" << "Copy" << "Cut" << "Paste"
<< "Delete"<< "Where used"
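Review bot: the parenthesisation "column > 0 && (column < 5 || column == 7)" is behaviour-preserving, because column == 7 already implies column > 0, so the old expression evaluated the same way; the change is still worth keeping as it states the intent and silences the usual compiler warning about mixing && and || without parentheses. The remaining point is that the column indices 5 and 7 are bare literals; naming them after the rule-set view columns would make it obvious why column 5 and 6 are excluded.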
@ -264,11 +264,8 @@ void RuleSetViewContextMenuTest::verifyMenu(int column)
possibleItems["Reject"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Reject));
possibleItems["Accounting"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Accounting));
possibleItems["Pipe"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Pipe));
possibleItems["Tag"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Tag));
possibleItems["Classify"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Classify));
possibleItems["Custom"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Custom));
possibleItems["Branch"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Branch));
possibleItems["Route"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Route));
possibleItems["Continue"] = getActionNameForPlatform(firewall, PolicyRule::getActionAsString(PolicyRule::Continue));
string currentPlatform = firewall->getStr("platform");
foreach(QString item, order)
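Review bot: dropping Tag, Classify and Route from possibleItems follows the model change where those actions became options on a Continue rule, but it also shrinks what the context-menu test asserts. If the menu now exposes those capabilities some other way (for example as option toggles on the rule), the test should list those entries so the coverage lost here is not silently gone; if they are simply no longer in the menu, a short comment saying so next to the remaining entries would save the next reader from wondering.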

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1280235390" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1280235390" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1275952357" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1275952357" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1284658651" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1284658651" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1284658651" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1284658651" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1296619808" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1296619808" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1296774909" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1296774909" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1269017995" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1269017995" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1263678434" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1263678434" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1263678434" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1263678434" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1263678434" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1263678434" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1263678434" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1263678434" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1263678434" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1263678434" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>

View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="20" lastModified="1261881957" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="21" lastModified="1261881957" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False"/>
<Library id="id6821X7237" color="#FFFFFF" name="new_cluster_test" comment="" ro="False">
<ObjectGroup id="id6822X7237" name="Objects" comment="" ro="False">
@ -410,7 +410,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id7037X7237" disabled="False" group="" log="True" position="7" action="Tag" direction="Both" comment="">
<PolicyRule id="id7037X7237" disabled="False" group="" log="True" position="7" action="Continue" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -427,8 +427,11 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="classification">False</Option>
<Option name="pf_classify_str"></Option>
<Option name="routing">False</Option>
<Option name="stateless">False</Option>
<Option name="tagging">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
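Review bot: the migrated rule writes the classify string under the option name pf_classify_str, while the iptables import fixture earlier in this change stores it as classify_str. If the option name is platform-specific (pf versus iptables) that should be documented, because a rule copied between firewalls of different platforms will otherwise carry a classify string under a name the other compiler does not read; if the two names are not intentional, one of them is a typo and the migration should be fixed before more files are converted. The rest of the hunk (tagging True, classification False, routing False) matches the Tag to Continue conversion.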

View File

@ -3,14 +3,11 @@ DOLLAR = $
libgui.target = ../libgui/libgui.a
libgui.commands = cd ../libgui && qmake -spec $$QMAKESPEC && make && cd -
build_tests.commands = echo "Building tests..."; \
./unit_tests.sh make build_tests
build_tests.commands = ./unit_tests.sh make build_tests
run_tests.commands = echo "Running tests..."; \
./unit_tests.sh make run_tests
run_tests.commands = ./unit_tests.sh make run_tests
clean_tests.commands = echo "Cleaning tests..."; \
./unit_tests.sh make clean
clean_tests.commands = ./unit_tests.sh make clean
build_tests.depends = libgui
run_tests.depends = libgui

View File

@ -1,24 +1,27 @@
#!/bin/bash
#!/bin/sh
set +x
QMAKE="${QMAKE:-qmake}"
QMAKEPARAMS="${QMAKESPEC:+ -spec $QMAKESPEC}"
commands=$@
set -e
build() {
directory=$1
shift
commands=$@
cd $directory
[ ! -e Makefile ] && qmake -spec $QMAKESPEC
$commands || exit 1
cd -
local _d="$1"
shift
(
cd "$_d" &&
([ -f Makefile ] || $QMAKE $QMAKEPARAMS) &&
"$@"
)
}
build main $commands
build main "$@"
for directory in `find . -maxdepth 1 -type d -regex '\./[A-Za-z0-9\-\_]*'`
find . -maxdepth 1 -type d |
egrep -- '^\./[A-Za-z0-9_-]*$' |
while read _d
do
echo "======================= $directory"
build $directory $commands
echo "======================= $_d"
build "$_d" "$@"
done
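Review bot: the shebang was changed to #!/bin/sh for portability, but the script still relies on non-POSIX features: "find -maxdepth 1" is a GNU/BSD extension, "egrep" is deprecated in favour of "grep -E", and "local" inside build() is not in POSIX sh (dash, bash and busybox accept it, so this one is probably fine in practice). Second, "./main" matches the regular expression '^\./[A-Za-z0-9_-]*$', so after the explicit build main "$@" the loop builds main a second time; this was already the case with the old regex but is cheap to fix by excluding main in the grep. Third, "set +x" on line 2 is a no-op, since tracing is off by default; if it is meant to allow "sh -x unit_tests.sh" to be quieted it deserves a comment, otherwise it can go. The move from "cd $directory; ...; cd -" to a subshell and from "$commands || exit 1" to set -e is an improvement: a failing build now aborts the run and the caller's working directory is never changed.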

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:53 2011 PDT by vadim
# Generated Sat May 14 15:42:18 2011 PDT by vadim
#
# files: * cluster1_secuwall-1.fw /etc/cluster1_secuwall-1.fw
#
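Review bot: these generated fixtures embed the compiler build number (v4.3.0.3542) and the generation timestamp in the header and again in the start-up log line, so every regeneration produces a diff even when the emitted rules are unchanged. If these files are compared by the test suite, the comparison should mask the "Firewall Builder fwb_ipt v..." and "Generated ..." lines (or the generator should accept a fixed build string and timestamp for tests); otherwise the real changes in this file, the new getnet helpers, are hard to spot among the churn.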
@ -58,6 +58,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
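Review bot: getnet_internal assigns af=$3 but never uses it; the command is "$IP route list proto kernel" regardless of address family, so the getnet6 wrapper that passes "-6" returns the same IPv4 routes as getnet. It should be "$IP $af route list proto kernel" to match what getaddr_internal does with its family argument. Two smaller issues in the same function: "grep $dev" is unanchored, so dev=eth1 also matches eth10 and eth11; "$IP $af route list dev $dev proto kernel" lets ip do the filtering and removes the grep entirely. And the empty case sets "$name" while the non-empty case sets "${name}_list", so ${name}_list is never cleared when there are no routes; both branches should assign the same variable. Since this is a generated file, the fix belongs in the template in the fwb_ipt compiler that emits this function, with these fixtures regenerated afterwards.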
@ -66,6 +79,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -588,7 +609,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:53 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:42:18 2011 by vadim"
log "Database was cluster-tests.fwb"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:07 2011 PDT by vadim
# Generated Sat May 14 15:41:25 2011 PDT by vadim
#
# files: * firewall-base-rulesets.fw /etc/fw/firewall-base-rulesets.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
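Review bot: same generated getnet_internal as in the other .fw fixtures in this change: af=$3 is assigned but "$IP route list proto kernel" never uses it, so getnet6 returns IPv4 routes, and "grep $dev" matches eth10 when looking for eth1. The fix is in the compiler template that emits this function, not in this file.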
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -445,7 +466,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:07 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:41:25 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:16 2011 PDT by vadim
# Generated Sat May 14 15:41:38 2011 PDT by vadim
#
# files: * firewall-ipv6-1.fw /etc/firewall-ipv6-1.fw
#
@ -89,6 +89,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
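Review bot: same generated getnet_internal as in the other .fw fixtures in this change: af=$3 is assigned but "$IP route list proto kernel" never uses it, so getnet6 returns IPv4 routes. This fixture is for an IPv6 firewall (firewall-ipv6-1), so it is exactly the case where the missing "$af" would show up if a rule used getnet6; worth adding such a rule to the test database once the template is fixed.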
@ -97,6 +110,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -702,7 +723,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:16 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:41:38 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:16 2011 PDT by vadim
# Generated Sat May 14 15:41:38 2011 PDT by vadim
#
# files: * firewall-ipv6-2.fw /etc/firewall-ipv6-2.fw
#
@ -117,6 +117,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
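Review bot: same generated getnet_internal as in the other .fw fixtures in this change: af=$3 is unused, so getnet6 is equivalent to getnet, and "grep $dev" is unanchored. Fix in the template that emits this function and regenerate.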
@ -125,6 +138,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -966,7 +987,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:16 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:41:38 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:27 2011 PDT by vadim
# Generated Sat May 14 15:41:49 2011 PDT by vadim
#
# files: * firewall-ipv6-3.fw /etc/firewall-ipv6-3.fw
#
@ -66,6 +66,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -74,6 +87,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -596,7 +617,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:27 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:41:49 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:38 2011 PDT by vadim
# Generated Sat May 14 15:42:00 2011 PDT by vadim
#
# files: * firewall-ipv6-4-1.fw /etc/firewall-ipv6-4-1.fw
#
@ -68,6 +68,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -76,6 +89,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -305,6 +326,8 @@ configure_interfaces() {
update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" ""
getaddr eth1 i_eth1
getaddr6 eth1 i_eth1_v6
getnet eth1 i_eth1_network
getnet6 eth1 i_eth1_v6_network
}
script_body() {
@ -545,7 +568,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:38 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:42:00 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:27 2011 PDT by vadim
# Generated Sat May 14 15:41:49 2011 PDT by vadim
#
# files: * firewall-ipv6-4.fw /etc/firewall-ipv6-4.fw
#
@ -66,6 +66,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -74,6 +87,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -303,6 +324,8 @@ configure_interfaces() {
update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" ""
getaddr eth1 i_eth1
getaddr6 eth1 i_eth1_v6
getnet eth1 i_eth1_network
getnet6 eth1 i_eth1_v6_network
}
script_body() {
@ -581,7 +604,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:27 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:41:49 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:29 2011 PDT by vadim
# Generated Sat May 14 15:41:51 2011 PDT by vadim
#
# files: * firewall-ipv6-5.fw /etc/firewall-ipv6-5.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -412,7 +433,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:29 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:41:51 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:31 2011 PDT by vadim
# Generated Sat May 14 15:41:53 2011 PDT by vadim
#
# files: * firewall-ipv6-6.fw /etc/firewall-ipv6-6.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -292,6 +313,8 @@ configure_interfaces() {
update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" ""
getaddr eth1 i_eth1
getaddr6 eth1 i_eth1_v6
getnet eth1 i_eth1_network
getnet6 eth1 i_eth1_v6_network
}
script_body() {
@ -399,7 +422,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:31 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:41:53 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:32 2011 PDT by vadim
# Generated Sat May 14 15:41:55 2011 PDT by vadim
#
# files: * firewall-ipv6-7.fw /etc/firewall-ipv6-7.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -294,6 +315,8 @@ configure_interfaces() {
update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" ""
getaddr eth1 i_eth1
getaddr6 eth1 i_eth1_v6
getnet eth1 i_eth1_network
getnet6 eth1 i_eth1_v6_network
}
script_body() {
@ -443,7 +466,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:32 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:41:55 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:34 2011 PDT by vadim
# Generated Sun May 15 12:01:42 2011 PDT by vadim
#
# files: * firewall-ipv6-8.fw /etc/firewall-ipv6-8.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -294,9 +315,36 @@ configure_interfaces() {
update_addresses_of_interface "eth0 fe80::21d:9ff:fe8b:8e94/64 1.1.1.1/24" ""
getaddr eth1 i_eth1
getaddr6 eth1 i_eth1_v6
getnet eth1 i_eth1_network
getnet6 eth1 i_eth1_v6_network
}
script_body() {
# ================ IPv4
(
echo '*filter'
# ================ Table 'filter', rule set Policy_OSPF
#
# Rule Policy_OSPF 2 (global)
echo ":Policy_OSPF - [0:0]"
echo "-A Policy_OSPF -j DROP "
#
echo COMMIT
) | $IPTABLES_RESTORE; IPTABLES_RESTORE_RES=$?
test $IPTABLES_RESTORE_RES != 0 && run_epilog_and_exit $IPTABLES_RESTORE_RES
# ================ IPv6
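Review bot: the new IPv4 `*filter` block declares `:Policy_OSPF - [0:0]` and fills it with a single unconditional `-j DROP`, but nothing in this hunk jumps into `Policy_OSPF` from INPUT, FORWARD or OUTPUT, and no built-in chain policies are declared for IPv4; if no later rule references the chain it loads as dead code, and if one does, the IPv4 side of what was an IPv6-only firewall now drops everything reaching that branch. Either way, a comment in the generated script (or in the fixture) stating why rule 2 of `Policy_OSPF` is emitted for IPv4 would make the intent reviewable. Reusing `IPTABLES_RESTORE_RES` for both the IPv4 and the IPv6 restore is fine since it is checked immediately after each pipeline.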
@ -340,6 +388,9 @@ script_body() {
# Rule Policy_OSPF 1 (global)
echo "-A Policy_OSPF -s fe80::/10 -d ff00::/8 -j ACCEPT "
echo "-A Policy_OSPF -s fe80::/10 -d fe80::/10 -j ACCEPT "
#
# Rule Policy_OSPF 2 (global)
echo "-A Policy_OSPF -j DROP "
#
# ================ Table 'filter', rule set Policy_v6
#
@ -438,7 +489,8 @@ echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
reset_all() {
:
reset_iptables_v6
reset_iptables_v4
reset_iptables_v6
}
block_action() {
@ -447,6 +499,9 @@ block_action() {
stop_action() {
reset_all
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IP6TABLES -P OUTPUT ACCEPT
$IP6TABLES -P INPUT ACCEPT
$IP6TABLES -P FORWARD ACCEPT
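Review bot: `stop_action` now resets the three IPv4 built-in chain policies to ACCEPT in addition to the existing IPv6 lines, and `reset_all` in the hunk above flushes IPv4 before IPv6, so `stop` leaves this host fully open for both address families (fail-open). That is consistent with the IPv6 behaviour already in the file and with `block_action` being the separate closed state, but the generated script should say so in a comment next to `stop_action`, since an operator reading the script could otherwise assume `stop` means "no traffic" rather than "no filtering".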
@ -484,7 +539,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:34 2011 by vadim"
log "Activating firewall script generated Sun May 15 12:01:42 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:35 2011 PDT by vadim
# Generated Sat May 14 15:41:58 2011 PDT by vadim
#
# files: * firewall-ipv6-ipt-reset-prolog-after-flush.fw /etc/firewall-ipv6-ipt-reset-prolog-after-flush.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -378,14 +399,6 @@ script_body() {
echo '*nat'
# ================ Table 'nat', rule set NAT
echo :PREROUTING ACCEPT [0:0]
echo :POSTROUTING ACCEPT [0:0]
echo :OUTPUT ACCEPT [0:0]
#
echo COMMIT
) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$?
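Review bot: dropping the `*nat` table from the `ip6tables-restore` input is the right change, since `ip6tables-restore` aborts on a `*nat` section where the kernel has no IPv6 nat table and the whole script would then bail out before the filter rules load; but the visible removed lines end with the closing `) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$?` of that subshell while the opening `(` is not shown in the hunk. Please confirm the opening parenthesis (and the `echo COMMIT` pairing) is removed in the unshown context, otherwise `script_body` is left with an unbalanced subshell. The same hunk repeats in the `-after-interfaces` and `-top` variants of this fixture.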
@ -450,7 +463,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:35 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:41:58 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:37 2011 PDT by vadim
# Generated Sat May 14 15:42:00 2011 PDT by vadim
#
# files: * firewall-ipv6-ipt-reset-prolog-after-interfaces.fw /etc/firewall-ipv6-ipt-reset-prolog-after-interfaces.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -378,14 +399,6 @@ script_body() {
echo '*nat'
# ================ Table 'nat', rule set NAT
echo :PREROUTING ACCEPT [0:0]
echo :POSTROUTING ACCEPT [0:0]
echo :OUTPUT ACCEPT [0:0]
#
echo COMMIT
) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$?
@ -450,7 +463,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:37 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:42:00 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:39 2011 PDT by vadim
# Generated Sat May 14 15:42:02 2011 PDT by vadim
#
# files: * firewall-ipv6-ipt-reset-prolog-top.fw /etc/firewall-ipv6-ipt-reset-prolog-top.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -378,14 +399,6 @@ script_body() {
echo '*nat'
# ================ Table 'nat', rule set NAT
echo :PREROUTING ACCEPT [0:0]
echo :POSTROUTING ACCEPT [0:0]
echo :OUTPUT ACCEPT [0:0]
#
echo COMMIT
) | $IP6TABLES_RESTORE; IPTABLES_RESTORE_RES=$?
@ -450,7 +463,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:39 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:42:02 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:40 2011 PDT by vadim
# Generated Sat May 14 15:42:02 2011 PDT by vadim
#
# files: * firewall-ipv6-nd-ns-1.fw /etc/firewall-ipv6-nd-ns-1.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -442,7 +463,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:40 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:42:02 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:41 2011 PDT by vadim
# Generated Sat May 14 15:42:04 2011 PDT by vadim
#
# files: * firewall-ipv6-nd-ns-2.fw /etc/firewall-ipv6-nd-ns-2.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -446,7 +467,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:41 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:42:04 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:42 2011 PDT by vadim
# Generated Sat May 14 15:42:05 2011 PDT by vadim
#
# files: * firewall-ipv6-prolog-after-flush.fw /etc/firewall-ipv6-prolog-after-flush.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -420,7 +441,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:42 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:42:05 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:43 2011 PDT by vadim
# Generated Sat May 14 15:42:06 2011 PDT by vadim
#
# files: * firewall-ipv6-prolog-after-interfaces.fw /etc/firewall-ipv6-prolog-after-interfaces.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -420,7 +441,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:43 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:42:06 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:44 2011 PDT by vadim
# Generated Sat May 14 15:42:07 2011 PDT by vadim
#
# files: * firewall-ipv6-prolog-top.fw /etc/firewall-ipv6-prolog-top.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -420,7 +441,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:44 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:42:07 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:30:45 2011 PDT by vadim
# Generated Sat May 14 15:42:08 2011 PDT by vadim
#
# files: * firewall-server-1-s.fw /etc/fw/firewall-server-1-s.fw
#
@ -60,6 +60,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -68,6 +81,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -393,7 +414,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:30:45 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:42:08 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:22 2011 PDT by vadim
# Generated Sat May 14 15:39:37 2011 PDT by vadim
#
# files: * firewall.fw /etc/fw/firewall.fw
#
@ -87,6 +87,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -95,6 +108,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -1376,7 +1397,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:22 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:37 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.ma_1
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Tue May 3 19:32:00 2011 PDT by vadim
# Generated Sat May 14 15:39:39 2011 PDT by vadim
#
# files: * firewall1.fw /etc/fw/firewall1.fw
#
@ -58,6 +58,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -66,6 +79,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -1248,7 +1269,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue May 3 19:32:00 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:39 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:24 2011 PDT by vadim
# Generated Sat May 14 15:39:39 2011 PDT by vadim
#
# files: * firewall10.fw /etc/fw/firewall10.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -473,7 +494,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:24 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:39 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:26 2011 PDT by vadim
# Generated Sat May 14 15:39:42 2011 PDT by vadim
#
# files: * firewall11.fw /etc/fw/firewall11.fw
#
@ -62,6 +62,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -70,6 +83,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -279,8 +300,12 @@ configure_interfaces() {
update_addresses_of_interface "eth3 10.1.1.1/32" ""
getaddr eth2 i_eth2
getaddr6 eth2 i_eth2_v6
getnet eth2 i_eth2_network
getnet6 eth2 i_eth2_v6_network
getaddr br0 i_br0
getaddr6 br0 i_br0_v6
getnet br0 i_br0_network
getnet6 br0 i_br0_v6_network
}
script_body() {
@ -589,7 +614,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:26 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:42 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:26 2011 PDT by vadim
# Generated Sat May 14 15:39:42 2011 PDT by vadim
#
# files: * firewall12.fw /etc/fw/firewall12.fw
#
@ -71,6 +71,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -79,6 +92,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -511,7 +532,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:26 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:42 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:29 2011 PDT by vadim
# Generated Sat May 14 15:39:44 2011 PDT by vadim
#
# files: * firewall13.fw /etc/fw/firewall13.fw
#
@ -69,6 +69,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -77,6 +90,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -385,7 +406,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:29 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:44 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:29 2011 PDT by vadim
# Generated Sat May 14 15:39:44 2011 PDT by vadim
#
# files: * firewall14.fw /etc/fw/firewall14.fw
#
@ -58,6 +58,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -66,6 +79,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -404,7 +425,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:29 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:44 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:31 2011 PDT by vadim
# Generated Sat May 14 15:39:47 2011 PDT by vadim
#
# files: * firewall15.fw /etc/fw/firewall15.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -388,7 +409,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:31 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:47 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:31 2011 PDT by vadim
# Generated Sat May 14 15:39:47 2011 PDT by vadim
#
# files: * firewall16.fw /etc/fw/firewall16.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -492,7 +513,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:31 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:47 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:33 2011 PDT by vadim
# Generated Sat May 14 15:39:49 2011 PDT by vadim
#
# files: * firewall17.fw /etc/fw/firewall17.fw
#
@ -68,6 +68,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -76,6 +89,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -471,7 +492,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:33 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:49 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:33 2011 PDT by vadim
# Generated Sat May 14 15:39:50 2011 PDT by vadim
#
# files: * firewall18.fw /etc/fw/firewall18.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -295,6 +316,8 @@ configure_interfaces() {
update_addresses_of_interface "lo 127.0.0.1/8" ""
getaddr ppp0 i_ppp0
getaddr6 ppp0 i_ppp0_v6
getnet ppp0 i_ppp0_network
getnet6 ppp0 i_ppp0_v6_network
}
script_body() {
@ -504,7 +527,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:33 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:50 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:35 2011 PDT by vadim
# Generated Sat May 14 15:39:52 2011 PDT by vadim
#
# files: * firewall19.fw /etc/fw/firewall19.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -295,6 +316,8 @@ configure_interfaces() {
update_addresses_of_interface "lo 127.0.0.1/8" ""
getaddr ppp0 i_ppp0
getaddr6 ppp0 i_ppp0_v6
getnet ppp0 i_ppp0_network
getnet6 ppp0 i_ppp0_v6_network
}
script_body() {
@ -508,7 +531,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:35 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:52 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:43 2011 PDT by vadim
# Generated Sat May 14 15:40:00 2011 PDT by vadim
#
# files: * firewall2-1.fw /etc/fw/firewall2-1.fw
#
@ -80,6 +80,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -88,6 +101,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -1430,7 +1451,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:43 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:00 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:46 2011 PDT by vadim
# Generated Sat May 14 15:40:04 2011 PDT by vadim
#
# files: * firewall2-2.fw /etc/fw/firewall2-2.fw
#
@ -80,6 +80,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -88,6 +101,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -1259,7 +1280,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:46 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:04 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:48 2011 PDT by vadim
# Generated Sat May 14 15:40:05 2011 PDT by vadim
#
# files: * firewall2-3.fw /etc/fw/firewall2-3.fw
#
@ -64,6 +64,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -72,6 +85,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -1118,7 +1139,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:48 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:05 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:50 2011 PDT by vadim
# Generated Sat May 14 15:40:08 2011 PDT by vadim
#
# files: * firewall2-4.fw /etc/fw/firewall2-4.fw
#
@ -71,6 +71,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -79,6 +92,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -424,7 +445,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:50 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:08 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:52 2011 PDT by vadim
# Generated Sat May 14 15:40:10 2011 PDT by vadim
#
# files: * firewall2-5.fw /etc/fw/firewall2-5.fw
#
@ -61,6 +61,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -69,6 +82,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -455,7 +476,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:52 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:10 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.ma_1
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Tue May 3 19:32:31 2011 PDT by vadim
# Generated Sat May 14 15:40:12 2011 PDT by vadim
#
# files: * firewall2-6.fw /etc/fw/firewall2-6.fw
#
@ -71,6 +71,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -79,6 +92,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -482,7 +503,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue May 3 19:32:31 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:12 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:57 2011 PDT by vadim
# Generated Sat May 14 15:40:14 2011 PDT by vadim
#
# files: * firewall2-7.fw /etc/fw/firewall2-7.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -424,7 +445,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:57 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:14 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:37 2011 PDT by vadim
# Generated Sat May 14 15:39:54 2011 PDT by vadim
#
# files: * firewall2.fw /etc/fw/firewall2.fw
#
@ -89,6 +89,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -97,6 +110,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -1482,7 +1503,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:37 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:54 2011 by vadim"
check_tools
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:39 2011 PDT by vadim
# Generated Sat May 14 15:39:56 2011 PDT by vadim
#
# files: * firewall20-ipv6.fw /etc/fw/firewall20-ipv6.fw
#
@ -60,6 +60,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -68,6 +81,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -456,7 +477,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:39 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:56 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:37 2011 PDT by vadim
# Generated Sat May 14 15:39:54 2011 PDT by vadim
#
# files: * firewall20.fw /etc/fw/firewall20.fw
#
@ -67,6 +67,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -75,6 +88,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -674,7 +695,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:37 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:54 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:42 2011 PDT by vadim
# Generated Sat May 14 15:39:58 2011 PDT by vadim
#
# files: * firewall21-1.fw /etc/fw/firewall21-1.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -276,8 +297,12 @@ configure_interfaces() {
update_addresses_of_interface "eth2 192.168.1.100/24" ""
getaddr eth0 i_eth0
getaddr6 eth0 i_eth0_v6
getnet eth0 i_eth0_network
getnet6 eth0 i_eth0_v6_network
getaddr eth1 i_eth1
getaddr6 eth1 i_eth1_v6
getnet eth1 i_eth1_network
getnet6 eth1 i_eth1_v6_network
}
script_body() {
@ -470,7 +495,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:42 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:58 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:39 2011 PDT by vadim
# Generated Sat May 14 15:39:56 2011 PDT by vadim
#
# files: * firewall21.fw /etc/fw/firewall21.fw
#
@ -58,6 +58,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -66,6 +79,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -275,8 +296,12 @@ configure_interfaces() {
update_addresses_of_interface "eth2 192.168.1.100/24" ""
getaddr eth0 i_eth0
getaddr6 eth0 i_eth0_v6
getnet eth0 i_eth0_network
getnet6 eth0 i_eth0_v6_network
getaddr eth1 i_eth1
getaddr6 eth1 i_eth1_v6
getnet eth1 i_eth1_network
getnet6 eth1 i_eth1_v6_network
}
script_body() {
@ -469,7 +494,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:39 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:39:56 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:43 2011 PDT by vadim
# Generated Sat May 14 15:40:00 2011 PDT by vadim
#
# files: * firewall22.fw /etc/fw/firewall22.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -390,7 +411,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:43 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:00 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:48 2011 PDT by vadim
# Generated Sat May 14 15:40:06 2011 PDT by vadim
#
# files: * firewall23-1.fw /etc/fw/firewall23-1.fw
#
@ -58,6 +58,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -66,6 +79,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -299,22 +320,19 @@ script_body() {
#
echo "Rule 13 (eth2)"
#
$IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 1:12
$IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 1:12
#
# Rule 14 (eth3)
#
echo "Rule 14 (eth3)"
#
$IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-out eth3 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 2:12
$IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-out eth3 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 2:12
#
# Rule 15 (eth2)
#
echo "Rule 15 (eth2)"
#
$IPTABLES -N Out_RULE_15 -t mangle
$IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j Out_RULE_15
$IPTABLES -t mangle -A Out_RULE_15 -j LOG --log-level debug
$IPTABLES -t mangle -A Out_RULE_15 -j CLASSIFY --set-class 1:12
$IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 1:12
# ================ Table 'filter', rule set Policy
#
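Review bot: dropping the Out_RULE_15 chain splits one rule across two tables: the CLASSIFY half stays in mangle POSTROUTING here, while the LOG half is re-emitted as `$IPTABLES -A FORWARD -m physdev --physdev-out eth2 ... -j LOG` in the filter table (next hunk). The two halves are no longer evaluated on the same match, so any matching traffic that reaches POSTROUTING without traversing FORWARD (locally generated packets) is classified but never logged. If that is the intended semantics for a CLASSIFY+LOG rule, the generated output should say so: the "Rule 15 (eth2)" header in the mangle section now gives no hint that the log action for this rule lives in filter FORWARD.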
@ -425,6 +443,12 @@ script_body() {
#
$IPTABLES -A FORWARD -m physdev --physdev-out eth3 -s 192.168.1.10 -d 224.0.0.0/4 -m state --state NEW -j ACCEPT
#
# Rule 15 (eth2)
#
echo "Rule 15 (eth2)"
#
$IPTABLES -A FORWARD -m physdev --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j LOG --log-level debug
#
# Rule 16 (global)
#
echo "Rule 16 (global)"
@ -561,7 +585,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:48 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:06 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:46 2011 PDT by vadim
# Generated Sat May 14 15:40:03 2011 PDT by vadim
#
# files: * firewall23.fw /etc/fw/firewall23.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -476,7 +497,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:46 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:03 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:50 2011 PDT by vadim
# Generated Sat May 14 15:40:07 2011 PDT by vadim
#
# files: * firewall24.fw /etc/fw/firewall24.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -493,7 +514,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:50 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:07 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:52 2011 PDT by vadim
# Generated Sat May 14 15:40:10 2011 PDT by vadim
#
# files: * firewall25.fw /etc/fw/firewall25.fw
#
@ -65,6 +65,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -73,6 +86,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -506,6 +527,15 @@ script_body() {
echo "-A Cid417C6878.1 -s 192.168.1.0/24 -j ACCEPT "
echo "-A Cid417C6878.1 -s 192.168.2.0/24 -j ACCEPT "
#
# Rule 17 (global)
# this rule should go to mangle table,
# since we also have default rule that goes to mangle (TCPMSS)
# and pure mangle ruleset, making sure all rules for
# mangle table end up with one COMMIT
echo "-A OUTPUT -m state --state NEW -j LOG "
echo "-A INPUT -m state --state NEW -j LOG "
echo "-A FORWARD -m state --state NEW -j LOG "
#
# Rule 18 (global)
echo "-A OUTPUT -j policy_2 "
echo "-A INPUT -j policy_2 "
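Review bot: the four-line comment added above rule 17 ("this rule should go to mangle table, since we also have default rule that goes to mangle (TCPMSS) ...") is a copy of the comment from the mangle section, but here it annotates the LOG rules emitted into the filter table (`-A OUTPUT/INPUT/FORWARD -m state --state NEW -j LOG`), so it contradicts the lines it sits next to. Either drop it in the filter section or reword it to say that the MARK action of rule 17 went to mangle and only the logging action is emitted into filter.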
@ -530,18 +560,6 @@ script_body() {
echo '*mangle'
# ================ Table 'mangle', automatic rules
echo "-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
# ================ Table 'mangle', rule set policy_2
#
# Rule policy_2 0 (eth2)
echo ":policy_2 - [0:0]"
echo "-A policy_2 -o eth2 -m state --state NEW -j ACCEPT "
#
# Rule policy_2 1 (global)
echo ":policy_2_1 - [0:0]"
echo "-A policy_2 -j policy_2_1 "
echo "-A policy_2_1 -j LOG "
echo "-A policy_2_1 -j DROP "
#
# ================ Table 'mangle', rule set policy_2_mangle
#
# Rule policy_2_mangle 0 (eth2)
@ -570,13 +588,11 @@ script_body() {
# since we also have default rule that goes to mangle (TCPMSS)
# and pure mangle ruleset, making sure all rules for
# mangle table end up with one COMMIT
echo ":RULE_17 - [0:0]"
echo "-A OUTPUT -m state --state NEW -j RULE_17 "
echo "-A PREROUTING -m state --state NEW -j RULE_17 "
echo "-A RULE_17 -j LOG "
echo "-A RULE_17 -j MARK --set-mark 10"
echo "-A OUTPUT -m state --state NEW -j MARK --set-mark 10"
echo "-A PREROUTING -m state --state NEW -j MARK --set-mark 10"
#
# Rule 18 (global)
echo ":policy_2 - [0:0]"
echo "-A PREROUTING -j policy_2 "
echo "-A POSTROUTING -j policy_2 "
echo "-A FORWARD -j policy_2 "
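Review bot: this hunk keeps the `-A PREROUTING/POSTROUTING/FORWARD -j policy_2` jumps in the mangle table and adds the `:policy_2 - [0:0]` declaration next to them, but the previous hunk removed the whole "rule set policy_2" block (the ACCEPT, policy_2_1, LOG and DROP rules) from the mangle table. As far as this diff shows, policy_2 in mangle is now an empty chain reached from three built-in chains, so the jumps are dead and could go too; if the branch is meant to carry only the Tag/Classify rules of policy_2 (the #2405 behaviour), those rules should be visible in the mangle section of the expected output. Please confirm against the full generated file, and the matching rule-17 change (LOG removed from the RULE_17 chain, MARK applied directly in OUTPUT and PREROUTING) could use a one-line comment stating that the log action now lives in the filter table.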
@ -689,7 +705,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:52 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:10 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:55 2011 PDT by vadim
# Generated Sat May 14 15:40:12 2011 PDT by vadim
#
# files: * firewall26.fw /etc/fw/firewall26.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -283,6 +304,8 @@ configure_interfaces() {
update_addresses_of_interface "eth2 192.168.2.1/24" ""
getaddr ppp i_ppp
getaddr6 ppp i_ppp_v6
getnet ppp i_ppp_network
getnet6 ppp i_ppp_v6_network
}
script_body() {
@ -562,7 +585,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:55 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:12 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:28:57 2011 PDT by vadim
# Generated Sat May 14 15:40:14 2011 PDT by vadim
#
# files: * firewall27.fw /etc/fw/firewall27.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -546,7 +567,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:28:57 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:14 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:00 2011 PDT by vadim
# Generated Sat May 14 15:40:17 2011 PDT by vadim
#
# files: * firewall28.fw /etc/fw/firewall28.fw
#
@ -56,6 +56,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -64,6 +77,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -409,7 +430,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:00 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:17 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:00 2011 PDT by vadim
# Generated Sat May 14 15:40:17 2011 PDT by vadim
#
# files: * firewall29.fw /etc/fw/firewall29.fw
#
@ -58,6 +58,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -66,6 +79,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -275,8 +296,12 @@ configure_interfaces() {
update_addresses_of_interface "eth1 192.168.1.100/24" ""
getaddr eth0.200 i_eth0_200
getaddr6 eth0.200 i_eth0_200_v6
getnet eth0.200 i_eth0_200_network
getnet6 eth0.200 i_eth0_200_v6_network
getaddr eth0.100 i_eth0_100
getaddr6 eth0.100 i_eth0_100_v6
getnet eth0.100 i_eth0_100_network
getnet6 eth0.100 i_eth0_100_v6_network
}
script_body() {
@ -440,7 +465,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:00 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:17 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:02 2011 PDT by vadim
# Generated Sat May 14 15:40:19 2011 PDT by vadim
#
# files: * firewall3.fw /etc/fw/firewall3.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -578,7 +599,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:02 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:19 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:02 2011 PDT by vadim
# Generated Sat May 14 15:40:19 2011 PDT by vadim
#
# files: * firewall30.fw /etc/fw/firewall30.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -375,7 +396,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:02 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:19 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:05 2011 PDT by vadim
# Generated Sat May 14 15:40:22 2011 PDT by vadim
#
# files: * firewall31.fw /etc/fw/firewall31.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -287,6 +308,8 @@ configure_interfaces() {
update_addresses_of_interface "eth1 192.168.1.1/24" ""
getaddr ppp0 i_ppp0
getaddr6 ppp0 i_ppp0_v6
getnet ppp0 i_ppp0_network
getnet6 ppp0 i_ppp0_v6_network
}
script_body() {
@ -445,7 +468,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:05 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:22 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:05 2011 PDT by vadim
# Generated Sat May 14 15:40:22 2011 PDT by vadim
#
# files: * firewall32.fw /etc/fw/firewall32.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -274,6 +295,8 @@ configure_interfaces() {
update_addresses_of_interface "eth1 192.168.1.100/24" ""
getaddr eth0.100 i_eth0_100
getaddr6 eth0.100 i_eth0_100_v6
getnet eth0.100 i_eth0_100_network
getnet6 eth0.100 i_eth0_100_v6_network
}
script_body() {
@ -416,7 +439,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:05 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:22 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:13 2011 PDT by vadim
# Generated Sat May 14 15:40:29 2011 PDT by vadim
#
# files: * firewall33-1.fw /etc/fw/firewall33-1.fw
#
@ -61,6 +61,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -69,6 +82,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -395,11 +416,12 @@ script_body() {
#
$IPTABLES -N Cid438728A918346.0
$IPTABLES -A Policy -m state --state NEW -j Cid438728A918346.0
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.48 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.49 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.50 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.51 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.52 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.99 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.103 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.104 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.105 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.106 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.147 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.224.25 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.224.26 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.226.25 -j RETURN
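Review bot: the only change in this hunk is the set of destination addresses in chain `Cid438728A918346.0` (the `74.125.224.48`-`74.125.224.52` block becomes `74.125.153.99`, `74.125.153.103`-`74.125.153.106` and `74.125.153.147`), which looks like a hostname that was resolved at generation time rather than a deliberate test change. An expected-output fixture that depends on what a public DNS name resolves to on the day it is regenerated will keep churning and cannot be reproduced offline; suggest giving the test object a fixed address, or, if run-time resolution is what this rule is meant to exercise, moving it to a run-time address table so the compiled script does not bake the addresses in. The identical list change appears again in the `firewall33.fw` hunk further down.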
@ -525,7 +547,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:13 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:29 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:13 2011 PDT by vadim
# Generated Sat May 14 15:40:29 2011 PDT by vadim
#
# files: * firewall33.fw /etc/fw/firewall33.fw
#
@ -61,6 +61,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -69,6 +82,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -278,6 +299,8 @@ configure_interfaces() {
update_addresses_of_interface "eth1 192.168.1.100/24" ""
getaddr eth0.100 i_eth0_100
getaddr6 eth0.100 i_eth0_100_v6
getnet eth0.100 i_eth0_100_network
getnet6 eth0.100 i_eth0_100_v6_network
}
script_body() {
@ -443,11 +466,12 @@ script_body() {
$IPTABLES -A OUTPUT -m state --state NEW -j Cid438728A918346.0
$IPTABLES -A INPUT -m state --state NEW -j Cid438728A918346.0
$IPTABLES -A FORWARD -m state --state NEW -j Cid438728A918346.0
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.48 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.49 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.50 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.51 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.224.52 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.99 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.103 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.104 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.105 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.106 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 74.125.153.147 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.224.25 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.224.26 -j RETURN
$IPTABLES -A Cid438728A918346.0 -d 157.166.226.25 -j RETURN
@ -572,7 +596,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:13 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:29 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:15 2011 PDT by vadim
# Generated Sat May 14 15:40:31 2011 PDT by vadim
#
# files: * firewall34.fw /etc/fw/firewall34.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -277,6 +298,8 @@ configure_interfaces() {
update_addresses_of_interface "eth1 192.168.1.100/24" ""
getaddr eth0.100 i_eth0_100
getaddr6 eth0.100 i_eth0_100_v6
getnet eth0.100 i_eth0_100_network
getnet6 eth0.100 i_eth0_100_v6_network
}
script_body() {
@ -648,7 +671,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:15 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:31 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:15 2011 PDT by vadim
# Generated Sat May 14 15:40:31 2011 PDT by vadim
#
# files: * firewall35.fw /etc/fw/firewall35.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -277,6 +298,8 @@ configure_interfaces() {
update_addresses_of_interface "eth1 192.168.1.100/24" ""
getaddr eth0.100 i_eth0_100
getaddr6 eth0.100 i_eth0_100_v6
getnet eth0.100 i_eth0_100_network
getnet6 eth0.100 i_eth0_100_v6_network
}
script_body() {
@ -540,7 +563,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:15 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:31 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:17 2011 PDT by vadim
# Generated Sat May 14 15:40:34 2011 PDT by vadim
#
# files: * firewall36-1.fw /etc/firewall36-1.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -433,7 +454,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:17 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:34 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:20 2011 PDT by vadim
# Generated Sat May 14 15:40:36 2011 PDT by vadim
#
# files: * firewall36-2.fw /etc/firewall36-2.fw
#
@ -57,6 +57,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -65,6 +78,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -433,7 +454,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:20 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:36 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,18 +2,19 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.3538
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Thu May 5 20:29:17 2011 PDT by vadim
# Generated Sat May 14 15:40:33 2011 PDT by vadim
#
# files: * firewall36.fw /etc/firewall36.fw
#
# Compiled for iptables (any version)
#
# testing routing rules - both actually routing and ROUTE target
# testing routing rules
# routing ruleset installs ECMP default
# ROUTE target is deprecated in 4.3.0
# firewall36:Routing:4: warning: Rule has been suppressed because it contains IPv6 objects and Firewall Builder does not support IPv6 routing rules at this time
@ -59,6 +60,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +81,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -310,61 +332,9 @@ script_body() {
# ================ Table 'mangle', rule set Policy
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
$IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type any -j ROUTE --oif eth1
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
$IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp --dport 80 -j ROUTE --oif eth1 --continue
#
# Rule 3 (global)
#
echo "Rule 3 (global)"
#
$IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp --dport 22 -j ROUTE --gw 1.2.3.4 --continue
#
# Rule 4 (global)
#
echo "Rule 4 (global)"
#
$IPTABLES -t mangle -A PREROUTING -p icmp -m icmp --icmp-type any -j ROUTE --iif eth1
#
# Rule 5 (global)
#
echo "Rule 5 (global)"
#
$IPTABLES -t mangle -A POSTROUTING -p tcp -m tcp --dport 13 -j ROUTE --gw 1.2.3.4 --tee
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --dport 13 -j ROUTE --gw 1.2.3.4 --tee
# ================ Table 'filter', rule set Policy
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
# This permits access from internal net
# to the Internet and DMZ
$IPTABLES -A INPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
# Rule 6 (global)
#
echo "Rule 6 (global)"
#
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -j RULE_6
$IPTABLES -A INPUT -j RULE_6
$IPTABLES -A FORWARD -j RULE_6
$IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- DENY "
$IPTABLES -A RULE_6 -j DROP
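Review bot: Rules 1 to 5 of the mangle Policy (the `ROUTE --oif`, `ROUTE --gw` and `ROUTE --tee` lines, both POSTROUTING and PREROUTING) disappear from the generated script with no replacement, and the only trace is the `# ROUTE target is deprecated in 4.3.0` line added to the file header in the first hunk of this file. Unlike the IPv6 routing rule, which gets an explicit `warning: Rule has been suppressed` line in that same header, nothing tells the user that five policy rules produced no iptables commands; the filter table now jumps from `Rule 0 (global)` straight to `Rule 6 (global)` with no explanation in the output. Suggest the compiler emit a per-rule suppression warning for ROUTE rules in the same form as the IPv6 one, so a silently dropped routing rule is visible in the script and in the compiler log.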
@ -548,7 +518,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Thu May 5 20:29:17 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:33 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.ma_1
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Tue May 3 20:22:31 2011 PDT by vadim
# Generated Sat May 14 15:40:38 2011 PDT by vadim
#
# files: * firewall37-1.fw /etc/fw/firewall37-1.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -327,19 +348,7 @@ script_body() {
echo "Rule rule27_branch 0 (global)"
#
$IPTABLES -N rule27_branch -t mangle
$IPTABLES -N Cid45AB5C2E25451.0 -t mangle
$IPTABLES -t mangle -A rule27_branch -p tcp -m tcp --tcp-flags ALL ACK -j Cid45AB5C2E25451.0
$IPTABLES -t mangle -A Cid45AB5C2E25451.0 -j CLASSIFY --set-class 1:16
$IPTABLES -t mangle -A Cid45AB5C2E25451.0 -j ACCEPT
#
# Rule rule27_branch 1 (global)
#
echo "Rule rule27_branch 1 (global)"
#
$IPTABLES -N rule27_branch_1 -t mangle
$IPTABLES -t mangle -A rule27_branch -p tcp -m tcp --dport 80 -m state --state NEW -j rule27_branch_1
$IPTABLES -t mangle -A rule27_branch_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -t mangle -A rule27_branch_1 -j ACCEPT
$IPTABLES -t mangle -A rule27_branch -p tcp -m tcp --tcp-flags ALL ACK -j CLASSIFY --set-class 1:16
# ================ Table 'mangle', rule set Policy
#
# Rule 0 (global)
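Review bot: besides inlining the CLASSIFY, this hunk drops the entire `Rule rule27_branch 1` block from the mangle table: the `--dport 80 -m state --state NEW -j rule27_branch_1` jump, its `LOG --log-prefix "RULE 1 -- ACCEPT "` and its ACCEPT. If the intent is that only rules carrying Tag or Classify actions are emitted in the mangle copy of a branch, that should be stated in the commit message or the fixture, because the remaining `--tcp-flags ALL ACK -j CLASSIFY --set-class 1:16` line also no longer accepts the packet the way the old `Cid45AB5C2E25451.0` chain did, so a matching packet now continues through the rest of `rule27_branch` and back into the calling chain. Both changes alter what a user with this ruleset gets, so please confirm both are intended.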
@ -347,27 +356,20 @@ script_body() {
echo "Rule 0 (global)"
#
# terminating target
$IPTABLES -N Cid45AB5AAD25451.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j Cid45AB5AAD25451.0
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j Cid45AB5AAD25451.0
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j Cid45AB5AAD25451.0
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid45AB5AAD25451.0
$IPTABLES -t mangle -A Cid45AB5AAD25451.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid45AB5AAD25451.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
# terminating target
$IPTABLES -N RULE_1 -t mangle
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j RULE_1
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j RULE_1
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j RULE_1
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j RULE_1
$IPTABLES -t mangle -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -t mangle -A RULE_1 -j MARK --set-mark 16
$IPTABLES -t mangle -A RULE_1 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 2 (global)
#
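Review bot: Rule 1 loses its logging in this hunk: the removed `RULE_1` chain emitted `LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "` before `MARK --set-mark 16` and ACCEPT, while the new inline form keeps only the four MARK lines, so a rule the policy configured to log no longer logs. Two further points: the `# terminating target` comments now sit above rules that no longer terminate (there is no ACCEPT any more), and because MARK is non-terminating, a packet matching `-p 50 -m state --state NEW` in PREROUTING now falls through to every later matching rule in the chain instead of stopping at Rule 0; with Rules 5 and 6 in the next hunk setting mark 10 on the same match, the final mark for such a packet changes from 16 to 10. Please confirm the behaviour change for overlapping rules is intended and restore the LOG where the rule still has logging enabled.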
@ -381,64 +383,53 @@ script_body() {
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid45AB5AC525451.0
$IPTABLES -t mangle -A Cid45AB5AC525451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid45AB5AC525451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_2_3 -t mangle
$IPTABLES -t mangle -A Cid45AB5AC525451.0 -j RULE_2_3
$IPTABLES -t mangle -A RULE_2_3 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -t mangle -A RULE_2_3 -j MARK --set-mark 16
$IPTABLES -t mangle -A RULE_2_3 -j ACCEPT
$IPTABLES -t mangle -A Cid45AB5AC525451.0 -j MARK --set-mark 16
#
# Rule 3 (eth1)
#
echo "Rule 3 (eth1)"
#
# terminating target
$IPTABLES -N Cid45AB5AD225451.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j Cid45AB5AD225451.0
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j Cid45AB5AD225451.0
$IPTABLES -t mangle -A Cid45AB5AD225451.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid45AB5AD225451.0 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 4 (eth1)
#
echo "Rule 4 (eth1)"
#
# temrinating target
$IPTABLES -N Cid45AB5ADE25451.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j Cid45AB5ADE25451.0
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j Cid45AB5ADE25451.0
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j Cid45AB5ADE25451.0
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j Cid45AB5ADE25451.0
$IPTABLES -t mangle -A Cid45AB5ADE25451.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid45AB5ADE25451.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 5 (global)
#
echo "Rule 5 (global)"
#
# terminating and CONNMARK
$IPTABLES -N Cid45AB5AEA25451.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j Cid45AB5AEA25451.0
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j Cid45AB5AEA25451.0
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j Cid45AB5AEA25451.0
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid45AB5AEA25451.0
$IPTABLES -t mangle -A Cid45AB5AEA25451.0 -j MARK --set-mark 10
$IPTABLES -t mangle -A Cid45AB5AEA25451.0 -j CONNMARK --save-mark
$IPTABLES -t mangle -A Cid45AB5AEA25451.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j CONNMARK --save-mark
#
# Rule 6 (global)
#
echo "Rule 6 (global)"
#
# terminating and CONNMARK
$IPTABLES -N RULE_6 -t mangle
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j RULE_6
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j RULE_6
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j RULE_6
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j RULE_6
$IPTABLES -t mangle -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- ACCEPT "
$IPTABLES -t mangle -A RULE_6 -j MARK --set-mark 10
$IPTABLES -t mangle -A RULE_6 -j CONNMARK --save-mark
$IPTABLES -t mangle -A RULE_6 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j CONNMARK --save-mark
#
# Rule 7 (global)
#
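Review bot: the LOG lines for Rule 2 (`RULE_2_3`) and Rule 6 (`RULE_6`) are removed together with their chains and nothing replaces them, so two more logging rules are now emitted without any LOG target; the same check as for Rule 1 applies. The `# terminating target` and `# terminating and CONNMARK` comments (and the `temrinating` typo above Rule 4, carried over as context) now describe output that has no terminating target, so the fixture comments should be updated with the change. Style point: splitting `MARK --set-mark` and `CONNMARK --save-mark` into separate rules repeats the full match for every chain and protocol (Rule 5 and Rule 6 each go from one jump per chain to eight rules), where a single user chain per rule would keep the match in one place.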
@ -452,38 +443,32 @@ script_body() {
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid45AB5B0225451.0
$IPTABLES -t mangle -A Cid45AB5B0225451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid45AB5B0225451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_7_3 -t mangle
$IPTABLES -t mangle -A Cid45AB5B0225451.0 -j RULE_7_3
$IPTABLES -t mangle -A RULE_7_3 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT "
$IPTABLES -t mangle -A RULE_7_3 -j MARK --set-mark 10
$IPTABLES -t mangle -A RULE_7_3 -j CONNMARK --save-mark
$IPTABLES -t mangle -A RULE_7_3 -j ACCEPT
$IPTABLES -t mangle -A Cid45AB5B0225451.0 -j MARK --set-mark 10
$IPTABLES -t mangle -A Cid45AB5B0225451.0 -j CONNMARK --save-mark
#
# Rule 8 (eth1)
#
echo "Rule 8 (eth1)"
#
# terminating and CONNMARK
$IPTABLES -N Cid45AB5B0F25451.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j Cid45AB5B0F25451.0
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j Cid45AB5B0F25451.0
$IPTABLES -t mangle -A Cid45AB5B0F25451.0 -j MARK --set-mark 8
$IPTABLES -t mangle -A Cid45AB5B0F25451.0 -j CONNMARK --save-mark
$IPTABLES -t mangle -A Cid45AB5B0F25451.0 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 8
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 8
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j CONNMARK --save-mark
#
# Rule 9 (eth1)
#
echo "Rule 9 (eth1)"
#
# terminating and CONNMARK
$IPTABLES -N Cid45AB5B1B25451.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j Cid45AB5B1B25451.0
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j Cid45AB5B1B25451.0
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j Cid45AB5B1B25451.0
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j Cid45AB5B1B25451.0
$IPTABLES -t mangle -A Cid45AB5B1B25451.0 -j MARK --set-mark 9
$IPTABLES -t mangle -A Cid45AB5B1B25451.0 -j CONNMARK --save-mark
$IPTABLES -t mangle -A Cid45AB5B1B25451.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 9
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 9
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 9
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j MARK --set-mark 9
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j CONNMARK --save-mark
#
# Rule 11 (global)
#
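Review bot: Rule 7's `RULE_7_3` chain and its `LOG --log-prefix "RULE 7 -- ACCEPT "` line are removed here with no LOG in the replacement, the same regression as in the preceding hunks, and the `# terminating and CONNMARK` comments above Rules 8 and 9 no longer match output that contains no ACCEPT. For Rule 7 the negation chain `Cid45AB5B0225451.0` now RETURNs for the two excluded networks and otherwise sets the mark and saves it, which is the right shape; it would be worth a comment in the fixture stating that the MARK in a negation chain is deliberately non-terminating now.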
@ -493,20 +478,14 @@ script_body() {
# this rule, and the next one, should place
# CLASSIFY rule in a separate chain
# and pass control to it using -g
$IPTABLES -N Cid45AB5B9525451.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j Cid45AB5B9525451.0
$IPTABLES -t mangle -A Cid45AB5B9525451.0 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A Cid45AB5B9525451.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j CLASSIFY --set-class 1:10
#
# Rule 12 (eth0)
#
echo "Rule 12 (eth0)"
#
# second rule for bug #1618381
$IPTABLES -N Cid45AB5BA125451.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o eth0 -j Cid45AB5BA125451.0
$IPTABLES -t mangle -A Cid45AB5BA125451.0 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A Cid45AB5BA125451.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o eth0 -j CLASSIFY --set-class 1:11
#
# Rule 13 (global)
#
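Review bot: the fixture comment directly above the changed lines, "should place CLASSIFY rule in a separate chain and pass control to it using -g", now contradicts the output below it, which puts `-j CLASSIFY --set-class 1:10` inline in POSTROUTING with neither a chain nor `-g`. Either the comment (which comes from the rule's own comment in the test data) should be rewritten to describe the new expectation, or the expected output for Rule 11 should not have changed; the same text appears above Rule 16 in a later hunk. The `# second rule for bug #1618381` note above Rule 12 raises the same question of whether the original bug's expectation is still met by the inline form.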
@ -518,7 +497,6 @@ script_body() {
$IPTABLES -t mangle -A Cid45AB5BAD25451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid45AB5BAD25451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid45AB5BAD25451.0 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A Cid45AB5BAD25451.0 -j ACCEPT
#
# Rule 14 (global)
#
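Review bot: removing the trailing `-j ACCEPT` from chain `Cid45AB5BAD25451.0` means the `CLASSIFY --set-class 1:10` is no longer final for Rule 13: CLASSIFY is non-terminating, so after the chain returns a packet continues down POSTROUTING and any later rule that also matches it (for example the `-o eth0 ... -j CLASSIFY --set-class 1:11` lines of Rule 15) overrides the class. If last-match-wins is the intended semantics for Classify rules from now on, say so in the commit message, since it inverts the previous first-match behaviour; the same one-line removal is repeated for Rules 14, 19 and 20 below.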
@ -531,7 +509,6 @@ script_body() {
$IPTABLES -t mangle -A Cid45AB5BBA25451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid45AB5BBA25451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid45AB5BBA25451.0 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A Cid45AB5BBA25451.0 -j ACCEPT
#
# Rule 15 (eth0)
#
@ -541,12 +518,9 @@ script_body() {
# this rule uses multiport
# and has to be split because
# of that
$IPTABLES -N Cid45AB5BC825451.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 10000:11000 -j Cid45AB5BC825451.0
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j Cid45AB5BC825451.0
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p udp -m udp -m multiport --dports 53,161 -j Cid45AB5BC825451.0
$IPTABLES -t mangle -A Cid45AB5BC825451.0 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A Cid45AB5BC825451.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 10000:11000 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p udp -m udp -m multiport --dports 53,161 -j CLASSIFY --set-class 1:11
#
# Rule 16 (global)
#
@ -556,30 +530,20 @@ script_body() {
# this rule, and the next one, should place
# CLASSIFY rule in a separate chain
# and pass control to it using -g
$IPTABLES -N Cid45AB5BD525451.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j Cid45AB5BD525451.0
$IPTABLES -t mangle -A Cid45AB5BD525451.0 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A Cid45AB5BD525451.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j CLASSIFY --set-class 1:10
#
# Rule 17 (eth0)
#
echo "Rule 17 (eth0)"
#
# second rule for bug #1618381
$IPTABLES -N Cid45AB5BE125451.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o eth0 -j Cid45AB5BE125451.0
$IPTABLES -t mangle -A Cid45AB5BE125451.0 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A Cid45AB5BE125451.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o eth0 -j CLASSIFY --set-class 1:11
#
# Rule 18 (eth0)
#
echo "Rule 18 (eth0)"
#
$IPTABLES -N Out_RULE_18 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j Out_RULE_18
$IPTABLES -t mangle -A Out_RULE_18 -j LOG --log-level info --log-prefix "RULE 18 -- ACCEPT "
$IPTABLES -t mangle -A Out_RULE_18 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A Out_RULE_18 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:11
#
# Rule 19 (global)
#
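Review bot: the new inline form makes Rule 16 and Rule 17 conflict. Rule 16 now emits `$IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j CLASSIFY --set-class 1:10` with no ACCEPT behind it, and Rule 17 immediately follows with `$IPTABLES -t mangle -A POSTROUTING -o eth0 -j CLASSIFY --set-class 1:11`, so ICMP type 3 leaving eth0 ends up in class 1:11 rather than 1:10; the old Cid45AB5BD525451.0 chain ended in `-j ACCEPT`, which prevented exactly that. Two smaller points in the same hunk: Rule 18 loses its LOG line in the mangle table (the old Out_RULE_18 chain logged before classifying, the new single rule does not), and the retained comment "should place CLASSIFY rule in a separate chain and pass control to it using -g" no longer describes the output, which uses neither a separate chain nor -g.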
@ -591,7 +555,6 @@ script_body() {
$IPTABLES -t mangle -A Cid45AB5BF925451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid45AB5BF925451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid45AB5BF925451.0 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A Cid45AB5BF925451.0 -j ACCEPT
#
# Rule 20 (global)
#
@ -604,7 +567,6 @@ script_body() {
$IPTABLES -t mangle -A Cid45AB5C0625451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid45AB5C0625451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid45AB5C0625451.0 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A Cid45AB5C0625451.0 -j ACCEPT
#
# Rule 21 (eth0)
#
@ -614,12 +576,9 @@ script_body() {
# this rule uses multiport
# and has to be split because
# of that
$IPTABLES -N Cid45AB5C1425451.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 10000:11000 -j Cid45AB5C1425451.0
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j Cid45AB5C1425451.0
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p udp -m udp -m multiport --dports 53,161 -j Cid45AB5C1425451.0
$IPTABLES -t mangle -A Cid45AB5C1425451.0 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A Cid45AB5C1425451.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 10000:11000 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p udp -m udp -m multiport --dports 53,161 -j CLASSIFY --set-class 1:11
#
# Rule 22 (global)
#
@ -634,17 +593,155 @@ script_body() {
# ================ Table 'filter', rule set rule27_branch
#
# Rule rule27_branch 0 (global)
#
echo "Rule rule27_branch 0 (global)"
#
$IPTABLES -N rule27_branch
$IPTABLES -A rule27_branch -p tcp -m tcp --tcp-flags ALL ACK -j ACCEPT
#
# Rule rule27_branch 1 (global)
#
echo "Rule rule27_branch 1 (global)"
#
$IPTABLES -N rule27_branch
$IPTABLES -N rule27_branch_1
$IPTABLES -A rule27_branch -p tcp -m tcp --dport 80 -m state --state NEW -j rule27_branch_1
$IPTABLES -A rule27_branch_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A rule27_branch_1 -j ACCEPT
# ================ Table 'filter', rule set Policy
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
# terminating target
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p ah -m state --state NEW -j ACCEPT
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
# terminating target
$IPTABLES -N RULE_1
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p 50 -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p ah -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p ah -m state --state NEW -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A RULE_1 -j ACCEPT
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
# terminating target
$IPTABLES -N Cid45AB5AC525451.0
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j Cid45AB5AC525451.0
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j Cid45AB5AC525451.0
$IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid45AB5AC525451.0
$IPTABLES -A INPUT -p ah -m state --state NEW -j Cid45AB5AC525451.0
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j Cid45AB5AC525451.0
$IPTABLES -A FORWARD -p ah -m state --state NEW -j Cid45AB5AC525451.0
$IPTABLES -A Cid45AB5AC525451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid45AB5AC525451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_2_3
$IPTABLES -A Cid45AB5AC525451.0 -j RULE_2_3
$IPTABLES -A RULE_2_3 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A RULE_2_3 -j ACCEPT
#
# Rule 3 (eth1)
#
echo "Rule 3 (eth1)"
#
# terminating target
$IPTABLES -A INPUT -i eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 4 (eth1)
#
echo "Rule 4 (eth1)"
#
# temrinating target
$IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 5 (global)
#
echo "Rule 5 (global)"
#
# terminating and CONNMARK
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p ah -m state --state NEW -j ACCEPT
#
# Rule 6 (global)
#
echo "Rule 6 (global)"
#
# terminating and CONNMARK
$IPTABLES -N RULE_6
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j RULE_6
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j RULE_6
$IPTABLES -A INPUT -p 50 -m state --state NEW -j RULE_6
$IPTABLES -A INPUT -p ah -m state --state NEW -j RULE_6
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j RULE_6
$IPTABLES -A FORWARD -p ah -m state --state NEW -j RULE_6
$IPTABLES -A RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- ACCEPT "
$IPTABLES -A RULE_6 -j ACCEPT
#
# Rule 7 (global)
#
echo "Rule 7 (global)"
#
# terminating and CONNMARK
$IPTABLES -N Cid45AB5B0225451.0
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j Cid45AB5B0225451.0
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j Cid45AB5B0225451.0
$IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid45AB5B0225451.0
$IPTABLES -A INPUT -p ah -m state --state NEW -j Cid45AB5B0225451.0
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j Cid45AB5B0225451.0
$IPTABLES -A FORWARD -p ah -m state --state NEW -j Cid45AB5B0225451.0
$IPTABLES -A Cid45AB5B0225451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid45AB5B0225451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_7_3
$IPTABLES -A Cid45AB5B0225451.0 -j RULE_7_3
$IPTABLES -A RULE_7_3 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT "
$IPTABLES -A RULE_7_3 -j ACCEPT
#
# Rule 8 (eth1)
#
echo "Rule 8 (eth1)"
#
# terminating and CONNMARK
$IPTABLES -A INPUT -i eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 9 (eth1)
#
echo "Rule 9 (eth1)"
#
# terminating and CONNMARK
$IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 10 (global)
#
echo "Rule 10 (global)"
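Review bot: `$IPTABLES -N rule27_branch` appears twice in this section, once under "Rule rule27_branch 0 (global)" and again under "Rule rule27_branch 1 (global)"; since this script runs in normal mode (not iptables-restore), the second -N fails with "Chain already exists". The chain should be created once, before its first use in rule 0. Minor: the generated comment under Rule 4 reads "temrinating target" (typo for "terminating"), which comes from the rule comment in the test data file.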
@ -652,6 +749,160 @@ script_body() {
$IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.2.10 --dport 80 -j QUEUE
$IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 80 -j QUEUE
#
# Rule 11 (global)
#
echo "Rule 11 (global)"
#
# testing for bug #1618381
# this rule, and the next one, should place
# CLASSIFY rule in a separate chain
# and pass control to it using -g
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT
#
# Rule 12 (eth0)
#
echo "Rule 12 (eth0)"
#
# second rule for bug #1618381
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -j ACCEPT
#
# Rule 13 (global)
#
echo "Rule 13 (global)"
#
# testing for bug #1618381
$IPTABLES -N Cid45AB5BAD25451.0
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BAD25451.0
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BAD25451.0
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid45AB5BAD25451.0
$IPTABLES -A Cid45AB5BAD25451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid45AB5BAD25451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid45AB5BAD25451.0 -j ACCEPT
#
# Rule 14 (global)
#
echo "Rule 14 (global)"
#
# testing for bug #1618381
$IPTABLES -N Cid45AB5BBA25451.0
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BBA25451.0
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -j Cid45AB5BBA25451.0
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BBA25451.0
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j Cid45AB5BBA25451.0
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid45AB5BBA25451.0
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j Cid45AB5BBA25451.0
$IPTABLES -A Cid45AB5BBA25451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid45AB5BBA25451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid45AB5BBA25451.0 -j ACCEPT
#
# Rule 15 (eth0)
#
echo "Rule 15 (eth0)"
#
# bug #1618381
# this rule uses multiport
# and has to be split because
# of that
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
#
# Rule 16 (global)
#
echo "Rule 16 (global)"
#
# testing for bug #1618381
# this rule, and the next one, should place
# CLASSIFY rule in a separate chain
# and pass control to it using -g
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT
#
# Rule 17 (eth0)
#
echo "Rule 17 (eth0)"
#
# second rule for bug #1618381
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -j ACCEPT
#
# Rule 18 (eth0)
#
echo "Rule 18 (eth0)"
#
$IPTABLES -N Out_RULE_18
$IPTABLES -A OUTPUT -o eth0 -s 192.168.1.0/24 -j Out_RULE_18
$IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -j Out_RULE_18
$IPTABLES -A Out_RULE_18 -j LOG --log-level info --log-prefix "RULE 18 -- ACCEPT "
$IPTABLES -A Out_RULE_18 -j ACCEPT
#
# Rule 19 (global)
#
echo "Rule 19 (global)"
#
# testing for bug #1618381
$IPTABLES -N Cid45AB5BF925451.0
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BF925451.0
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5BF925451.0
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid45AB5BF925451.0
$IPTABLES -A Cid45AB5BF925451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid45AB5BF925451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid45AB5BF925451.0 -j ACCEPT
#
# Rule 20 (global)
#
echo "Rule 20 (global)"
#
# testing for bug #1618381
$IPTABLES -N Cid45AB5C0625451.0
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5C0625451.0
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -j Cid45AB5C0625451.0
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid45AB5C0625451.0
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j Cid45AB5C0625451.0
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid45AB5C0625451.0
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j Cid45AB5C0625451.0
$IPTABLES -A Cid45AB5C0625451.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid45AB5C0625451.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid45AB5C0625451.0 -j ACCEPT
#
# Rule 21 (eth0)
#
echo "Rule 21 (eth0)"
#
# bug #1618381
# this rule uses multiport
# and has to be split because
# of that
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
#
# Rule 22 (global)
#
echo "Rule 22 (global)"
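Review bot: this hunk introduces filter-table rules for the Classify rules that previously lived only in the mangle table (the old file went straight from rule27_branch to Rule 10), and two of them are unconditional interface-wide accepts: Rule 12 and Rule 17 both emit `$IPTABLES -A INPUT -i eth0 -j ACCEPT`, `$IPTABLES -A FORWARD -i eth0 -j ACCEPT`, `$IPTABLES -A OUTPUT -o eth0 -j ACCEPT` and `$IPTABLES -A FORWARD -o eth0 -j ACCEPT`. Because ACCEPT terminates filter traversal, every later eth0 rule in this section is shadowed: Rule 15's multiport INPUT/FORWARD rules never match after Rule 12, and Rule 18's `-A OUTPUT -o eth0 -s 192.168.1.0/24 -j Out_RULE_18` (with its LOG) never fires after Rule 17. If a Classify rule with action Accept is meant to produce a filter ACCEPT as well, that is a policy-widening change that deserves a line in the changelog and a test that asserts on it; otherwise these rules should stay mangle-only. The comment "pass control to it using -g" carried over from the test data also does not match the generated output.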
@ -736,7 +987,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue May 3 20:22:31 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:38 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files
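Review bot: the only change in this hunk is the embedded date in `log "Activating firewall script generated ... by vadim"`. Committing regenerated expected-output files with timestamps in them means every rerun produces a diff unrelated to compiler behaviour; consider normalizing or stripping the "Generated ..." and "Activating firewall script generated ..." lines before comparing test output.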
test/ipt/firewall37-2.fw.orig Executable file
@ -0,0 +1,701 @@
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Sat May 14 15:40:39 2011 PDT by vadim
#
# files: * firewall37-2.fw /etc/fw/firewall37-2.fw
#
# Compiled for iptables (any version)
#
# testing TAG and CLASSIFY rules and combinations
# normal script mode (not using iptables-restore)
FWBDEBUG=""
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
export PATH
LSMOD="/sbin/lsmod"
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP6TABLES="/sbin/ip6tables"
IPTABLES_RESTORE="/sbin/iptables-restore"
IP6TABLES_RESTORE="/sbin/ip6tables-restore"
IP="/sbin/ip"
IFCONFIG="/sbin/ifconfig"
VCONFIG="/sbin/vconfig"
BRCTL="/sbin/brctl"
IFENSLAVE="/sbin/ifenslave"
IPSET="/usr/sbin/ipset"
LOGGER="/usr/bin/logger"
log() {
echo "$1"
command -v "$LOGGER" >/dev/null 2>&1 && $LOGGER -p info "$1"
}
getInterfaceVarName() {
echo $1 | sed 's/\./_/'
}
getaddr_internal() {
dev=$1
name=$2
af=$3
L=$($IP $af addr show dev $dev | sed -n '/inet/{s!.*inet6* !!;s!/.*!!p}' | sed 's/peer.*//')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
$IP link show | grep ": $NAME" | while read L; do
OIFS=$IFS
IFS=" :"
set $L
IFS=$OIFS
echo $2
done
}
diff_intf() {
func=$1
list1=$2
list2=$3
cmd=$4
for intf in $list1
do
echo $list2 | grep -q $intf || {
# $vlan is absent in list 2
$func $intf $cmd
}
done
}
find_program() {
PGM=$1
command -v $PGM >/dev/null 2>&1 || {
echo "$PGM not found"
exit 1
}
}
check_tools() {
find_program $IPTABLES
find_program $MODPROBE
find_program $IP
}
reset_iptables_v4() {
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
$IPTABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done
}
reset_iptables_v6() {
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P INPUT DROP
$IP6TABLES -P FORWARD DROP
cat /proc/net/ip6_tables_names | while read table; do
$IP6TABLES -t $table -L -n | while read c chain rest; do
if test "X$c" = "XChain" ; then
$IP6TABLES -t $table -F $chain
fi
done
$IP6TABLES -t $table -X
done
}
P2P_INTERFACE_WARNING=""
missing_address() {
address=$1
cmd=$2
oldIFS=$IFS
IFS="@"
set $address
addr=$1
interface=$2
IFS=$oldIFS
$IP addr show dev $interface | grep -q POINTOPOINT && {
test -z "$P2P_INTERFACE_WARNING" && echo "Warning: Can not update address of interface $interface. fwbuilder can not manage addresses of point-to-point interfaces yet"
P2P_INTERFACE_WARNING="yes"
return
}
test "$cmd" = "add" && {
echo "# Adding ip address: $interface $addr"
echo $addr | grep -q ':' && {
$FWBDEBUG $IP addr $cmd $addr dev $interface
} || {
$FWBDEBUG $IP addr $cmd $addr broadcast + dev $interface
}
}
test "$cmd" = "del" && {
echo "# Removing ip address: $interface $addr"
$FWBDEBUG $IP addr $cmd $addr dev $interface || exit 1
}
$FWBDEBUG $IP link set $interface up
}
list_addresses_by_scope() {
interface=$1
scope=$2
ignore_list=$3
$IP addr ls dev $interface | \
awk -v IGNORED="$ignore_list" -v SCOPE="$scope" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/inet |inet6 / && $0 ~ SCOPE && !($2 in ignored_dict)) {print $2;}' | \
while read addr; do
echo "${addr}@$interface"
done | sort
}
update_addresses_of_interface() {
ignore_list=$2
set $1
interface=$1
shift
FWB_ADDRS=$(
for addr in $*; do
echo "${addr}@$interface"
done | sort
)
CURRENT_ADDRS_ALL_SCOPES=""
CURRENT_ADDRS_GLOBAL_SCOPE=""
$IP link show dev $interface >/dev/null 2>&1 && {
CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface 'scope .*' "$ignore_list")
CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scope global' "$ignore_list")
} || {
echo "# Interface $interface does not exist"
# Stop the script if we are not in test mode
test -z "$FWBDEBUG" && exit 1
}
diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
}
clear_addresses_except_known_interfaces() {
$IP link show | sed 's/://g' | awk -v IGNORED="$*" \
'BEGIN {
split(IGNORED,ignored_arr);
for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
}
(/state/ && !($2 in ignored_dict)) {print $2;}' | \
while read intf; do
echo "# Removing addresses not configured in fwbuilder from interface $intf"
$FWBDEBUG $IP addr flush dev $intf scope global
$FWBDEBUG $IP link set $intf down
done
}
check_file() {
test -r "$2" || {
echo "Can not find file $2 referenced by address table object $1"
exit 1
}
}
check_run_time_address_table_files() {
:
}
load_modules() {
:
OPTS=$1
MODULES_DIR="/lib/modules/`uname -r`/kernel/net/"
MODULES=$(find $MODULES_DIR -name '*conntrack*' \! -name '*ipv6*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')
echo $OPTS | grep -q nat && {
MODULES="$MODULES $(find $MODULES_DIR -name '*nat*'|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
}
echo $OPTS | grep -q ipv6 && {
MODULES="$MODULES $(find $MODULES_DIR -name nf_conntrack_ipv6|sed -e 's/^.*\///' -e 's/\([^\.]\)\..*/\1/')"
}
for module in $MODULES; do
if $LSMOD | grep ${module} >/dev/null; then continue; fi
$MODPROBE ${module} || exit 1
done
}
verify_interfaces() {
:
}
prolog_commands() {
echo "Running prolog script"
}
epilog_commands() {
echo "Running epilog script"
}
run_epilog_and_exit() {
epilog_commands
exit $1
}
configure_interfaces() {
:
# Configure interfaces
update_addresses_of_interface "eth0 192.168.1.22/24" ""
update_addresses_of_interface "eth1 22.22.23.22/24" ""
update_addresses_of_interface "eth2 192.168.2.1/24" ""
}
script_body() {
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# ================ IPv4
# ================ Table 'filter', automatic rules
# accept established sessions
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# ================ Table 'mangle', rule set Policy
#
# Rule 0 (eth0)
#
echo "Rule 0 (eth0)"
#
$IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -j MARK --set-mark 2
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2
#
# Rule 1 (eth0)
#
echo "Rule 1 (eth0)"
#
$IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j MARK --set-mark 2
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j CLASSIFY --set-class 1:2
#
# Rule 2 (eth0)
#
echo "Rule 2 (eth0)"
#
$IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j MARK --set-mark 2
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j CLASSIFY --set-class 1:2
#
# Rule 3 (eth0)
#
echo "Rule 3 (eth0)"
#
$IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -j MARK --set-mark 2
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2
#
# Rule 4 (eth0)
#
echo "Rule 4 (eth0)"
#
$IPTABLES -t mangle -A PREROUTING -i eth0 -s ! 192.168.1.0/24 -j MARK --set-mark 2
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s ! 192.168.1.0/24 -j CLASSIFY --set-class 1:2
#
# Rule 5 (eth0)
#
echo "Rule 5 (eth0)"
#
$IPTABLES -t mangle -A PREROUTING -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j MARK --set-mark 2
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j CLASSIFY --set-class 1:2
#
# Rule 6 (eth0)
#
echo "Rule 6 (eth0)"
#
$IPTABLES -t mangle -A PREROUTING -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j MARK --set-mark 2
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j CLASSIFY --set-class 1:2
#
# Rule 7 (eth0)
#
echo "Rule 7 (eth0)"
#
$IPTABLES -t mangle -A PREROUTING -i eth0 -s ! 192.168.1.0/24 -j MARK --set-mark 2
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s ! 192.168.1.0/24 -j CLASSIFY --set-class 1:2
#
# Rule 8 (eth0)
#
echo "Rule 8 (eth0)"
#
$IPTABLES -N Cid591898X26049.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth0 -j Cid591898X26049.0
$IPTABLES -t mangle -A Cid591898X26049.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591898X26049.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591898X26049.0 -j MARK --set-mark 2
$IPTABLES -N Cid591898X26049.1 -t mangle
$IPTABLES -t mangle -A POSTROUTING -i eth0 -j Cid591898X26049.1
$IPTABLES -t mangle -A Cid591898X26049.1 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591898X26049.1 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591898X26049.1 -j CLASSIFY --set-class 1:2
#
# Rule 9 (eth0)
#
echo "Rule 9 (eth0)"
#
$IPTABLES -N Cid591842X26049.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth0 -m state --state NEW -j Cid591842X26049.0
$IPTABLES -t mangle -A Cid591842X26049.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591842X26049.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591842X26049.0 -j MARK --set-mark 2
$IPTABLES -N Cid591842X26049.1 -t mangle
$IPTABLES -t mangle -A POSTROUTING -i eth0 -m state --state NEW -j Cid591842X26049.1
$IPTABLES -t mangle -A Cid591842X26049.1 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591842X26049.1 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591842X26049.1 -j CLASSIFY --set-class 1:2
#
# Rule 10 (eth0)
#
echo "Rule 10 (eth0)"
#
$IPTABLES -N Cid591786X26049.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth0 -m state --state NEW -j Cid591786X26049.0
$IPTABLES -t mangle -A Cid591786X26049.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591786X26049.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591786X26049.0 -j MARK --set-mark 2
$IPTABLES -N Cid591786X26049.1 -t mangle
$IPTABLES -t mangle -A POSTROUTING -i eth0 -m state --state NEW -j Cid591786X26049.1
$IPTABLES -t mangle -A Cid591786X26049.1 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591786X26049.1 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591786X26049.1 -j CLASSIFY --set-class 1:2
#
# Rule 11 (eth0)
#
echo "Rule 11 (eth0)"
#
$IPTABLES -N Cid591730X26049.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth0 -j Cid591730X26049.0
$IPTABLES -t mangle -A Cid591730X26049.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591730X26049.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591730X26049.0 -j MARK --set-mark 2
$IPTABLES -N Cid591730X26049.1 -t mangle
$IPTABLES -t mangle -A POSTROUTING -i eth0 -j Cid591730X26049.1
$IPTABLES -t mangle -A Cid591730X26049.1 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591730X26049.1 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid591730X26049.1 -j CLASSIFY --set-class 1:2
#
# Rule 12 (eth0)
#
echo "Rule 12 (eth0)"
#
$IPTABLES -N Cid994929X26049.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -j Cid994929X26049.0
$IPTABLES -t mangle -A Cid994929X26049.0 -p icmp -m icmp --icmp-type 8/0 -j MARK --set-mark 2
$IPTABLES -t mangle -A Cid994929X26049.0 -p tcp -m tcp --dport 80 -j MARK --set-mark 2
$IPTABLES -N Cid994929X26049.1 -t mangle
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -j Cid994929X26049.1
$IPTABLES -t mangle -A Cid994929X26049.1 -p icmp -m icmp --icmp-type 8/0 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A Cid994929X26049.1 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:2
#
# Rule 13 (eth0)
#
echo "Rule 13 (eth0)"
#
$IPTABLES -N Cid994873X26049.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994873X26049.0
$IPTABLES -t mangle -A Cid994873X26049.0 -p icmp -m icmp --icmp-type 8/0 -j MARK --set-mark 2
$IPTABLES -t mangle -A Cid994873X26049.0 -p tcp -m tcp --dport 80 -j MARK --set-mark 2
$IPTABLES -N Cid994873X26049.1 -t mangle
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994873X26049.1
$IPTABLES -t mangle -A Cid994873X26049.1 -p icmp -m icmp --icmp-type 8/0 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A Cid994873X26049.1 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:2
#
# Rule 14 (eth0)
#
echo "Rule 14 (eth0)"
#
$IPTABLES -N Cid994817X26049.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994817X26049.0
$IPTABLES -t mangle -A Cid994817X26049.0 -p icmp -m icmp --icmp-type 8/0 -j MARK --set-mark 2
$IPTABLES -t mangle -A Cid994817X26049.0 -p tcp -m tcp --dport 80 -j MARK --set-mark 2
$IPTABLES -N Cid994817X26049.1 -t mangle
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994817X26049.1
$IPTABLES -t mangle -A Cid994817X26049.1 -p icmp -m icmp --icmp-type 8/0 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A Cid994817X26049.1 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:2
#
# Rule 15 (eth0)
#
echo "Rule 15 (eth0)"
#
$IPTABLES -N Cid994761X26049.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth0 -s 192.168.1.0/24 -j Cid994761X26049.0
$IPTABLES -t mangle -A Cid994761X26049.0 -p icmp -m icmp --icmp-type 8/0 -j MARK --set-mark 2
$IPTABLES -t mangle -A Cid994761X26049.0 -p tcp -m tcp --dport 80 -j MARK --set-mark 2
$IPTABLES -N Cid994761X26049.1 -t mangle
$IPTABLES -t mangle -A POSTROUTING -i eth0 -s 192.168.1.0/24 -j Cid994761X26049.1
$IPTABLES -t mangle -A Cid994761X26049.1 -p icmp -m icmp --icmp-type 8/0 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A Cid994761X26049.1 -p tcp -m tcp --dport 80 -j CLASSIFY --set-class 1:2
# ================ Table 'filter', rule set Policy
#
# Rule 1 (eth0)
#
echo "Rule 1 (eth0)"
#
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
# Rule 3 (eth0)
#
echo "Rule 3 (eth0)"
#
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
#
# Rule 5 (eth0)
#
echo "Rule 5 (eth0)"
#
$IPTABLES -A INPUT -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s ! 192.168.1.0/24 -m state --state NEW -j ACCEPT
#
# Rule 7 (eth0)
#
echo "Rule 7 (eth0)"
#
$IPTABLES -A INPUT -i eth0 -s ! 192.168.1.0/24 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -s ! 192.168.1.0/24 -j ACCEPT
#
# Rule 9 (eth0)
#
echo "Rule 9 (eth0)"
#
$IPTABLES -N Cid591842X26049.0
$IPTABLES -A INPUT -i eth0 -m state --state NEW -j Cid591842X26049.0
$IPTABLES -A FORWARD -i eth0 -m state --state NEW -j Cid591842X26049.0
$IPTABLES -A Cid591842X26049.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid591842X26049.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid591842X26049.0 -j ACCEPT
#
# Rule 11 (eth0)
#
echo "Rule 11 (eth0)"
#
$IPTABLES -N Cid591730X26049.0
$IPTABLES -A INPUT -i eth0 -j Cid591730X26049.0
$IPTABLES -A FORWARD -i eth0 -j Cid591730X26049.0
$IPTABLES -A Cid591730X26049.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid591730X26049.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid591730X26049.0 -j ACCEPT
#
# Rule 13 (eth0)
#
echo "Rule 13 (eth0)"
#
$IPTABLES -N Cid994873X26049.0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994873X26049.0
$IPTABLES -A Cid994873X26049.0 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
$IPTABLES -A Cid994873X26049.0 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -N Cid994873X26049.1
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -m state --state NEW -j Cid994873X26049.1
$IPTABLES -A Cid994873X26049.1 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
$IPTABLES -A Cid994873X26049.1 -p tcp -m tcp --dport 80 -j ACCEPT
#
# Rule 15 (eth0)
#
echo "Rule 15 (eth0)"
#
$IPTABLES -N Cid994761X26049.0
$IPTABLES -A INPUT -i eth0 -s 192.168.1.0/24 -j Cid994761X26049.0
$IPTABLES -A Cid994761X26049.0 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
$IPTABLES -A Cid994761X26049.0 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -N Cid994761X26049.1
$IPTABLES -A FORWARD -i eth0 -s 192.168.1.0/24 -j Cid994761X26049.1
$IPTABLES -A Cid994761X26049.1 -p icmp -m icmp --icmp-type 8/0 -j ACCEPT
$IPTABLES -A Cid994761X26049.1 -p tcp -m tcp --dport 80 -j ACCEPT
#
# Rule 16 (global)
#
echo "Rule 16 (global)"
#
$IPTABLES -N RULE_16
$IPTABLES -A OUTPUT -j RULE_16
$IPTABLES -A INPUT -j RULE_16
$IPTABLES -A FORWARD -j RULE_16
$IPTABLES -A RULE_16 -j LOG --log-level info --log-prefix "RULE 16 -- DENY "
$IPTABLES -A RULE_16 -j DROP
}
ip_forward() {
:
}
reset_all() {
:
reset_iptables_v4
}
block_action() {
reset_all
}
stop_action() {
reset_all
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
}
check_iptables() {
IP_TABLES="$1"
[ ! -e $IP_TABLES ] && return 151
NF_TABLES=$(cat $IP_TABLES 2>/dev/null)
[ -z "$NF_TABLES" ] && return 152
return 0
}
status_action() {
check_iptables "/proc/net/ip_tables_names"
ret_ipv4=$?
check_iptables "/proc/net/ip6_tables_names"
ret_ipv6=$?
[ $ret_ipv4 -eq 0 -o $ret_ipv6 -eq 0 ] && return 0
[ $ret_ipv4 -eq 151 -o $ret_ipv6 -eq 151 ] && {
echo "iptables modules are not loaded"
}
[ $ret_ipv4 -eq 152 -o $ret_ipv6 -eq 152 ] && {
echo "Firewall is not configured"
}
exit 3
}
# See how we were called.
# For backwards compatibility missing argument is equivalent to 'start'
cmd=$1
test -z "$cmd" && {
cmd="start"
}
case "$cmd" in
start)
log "Activating firewall script generated Sat May 14 15:40:39 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files
load_modules " "
configure_interfaces
verify_interfaces
reset_all
script_body
ip_forward
epilog_commands
RETVAL=$?
;;
stop)
stop_action
RETVAL=$?
;;
status)
status_action
RETVAL=$?
;;
block)
block_action
RETVAL=$?
;;
reload)
$0 stop
$0 start
RETVAL=$?
;;
interfaces)
configure_interfaces
RETVAL=$?
;;
test_interfaces)
FWBDEBUG="echo"
configure_interfaces
RETVAL=$?
;;
*)
echo "Usage $0 [start|stop|status|block|reload|interfaces|test_interfaces]"
;;
esac
exit $RETVAL
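Review bot: `reset_all` only resets IPv4 (`reset_iptables_v4`), but `status_action` also reads `/proc/net/ip6_tables_names`, so on a host that has ip6tables rules loaded `stop` and `block` leave those rules in place while `status` keeps returning 0 for them. Either reset both families in `reset_all` or limit `status_action` to IPv4 in a v4-only script. Minor: `check_iptables` tests `[ ! -e $IP_TABLES ]` with the path unquoted; `"$IP_TABLES"` is the safe form.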

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.ma_1
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Tue May 3 20:28:13 2011 PDT by vadim
# Generated Sat May 14 15:40:41 2011 PDT by vadim
#
# files: * firewall37.fw /etc/fw/firewall37.fw
#
@ -14,11 +14,11 @@
# normal script mode (not using iptables-restore)
# firewall37:mangle_rules:4: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
# firewall37:mangle_rules:4: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
# firewall37:mangle_rules:7: warning: Empty group or address table object 'empty Ogroup'
# firewall37:mangle_rules:7: warning: After removal of all empty groups and address table objects rule element Src becomes 'any' in the rule mangle_rules 7 (global)
# Dropping rule mangle_rules 7 (global) because option 'Ignore rules with empty groups' is in effect
# firewall37:mangle_rules:4: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
# firewall37:mangle_rules:4: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
# firewall37:mangle_rules:13: error: DNSName object "6bone.net (ct)" (compile time) can not resolve dns name "6bone.net" (AF_INET): Host or network '6bone.net' not found; last error: Unknown error Using dummy address in test mode
@ -64,6 +64,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
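Review bot: `getnet_internal` stores its third argument in `af` but never uses it, so `getnet6` (which passes "-6") runs exactly the same `$IP route list proto kernel` as `getnet` and returns IPv4 kernel routes; the family has to reach the command, e.g. `$IP $af route list proto kernel`. Two smaller points in the same function: `grep $dev` is a substring match (`eth1` also matches `eth10` and any address containing that text), so match the device field instead, e.g. `grep -w "dev $dev"`; and on the empty result the function sets `$name` while on success it sets `${name}_list`, so a caller checking one variable never sees the other.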
@ -72,6 +85,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -332,142 +353,103 @@ script_body() {
echo "Rule mymark 0 (global)"
#
$IPTABLES -N mymark -t mangle
$IPTABLES -N Cid29866X28575.0 -t mangle
$IPTABLES -t mangle -A mymark -d 192.168.2.0/24 -m state --state NEW -j Cid29866X28575.0
$IPTABLES -t mangle -A Cid29866X28575.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid29866X28575.0 -j ACCEPT
$IPTABLES -t mangle -A mymark -d 192.168.2.0/24 -m state --state NEW -j MARK --set-mark 16
#
# Rule mymark 1 (global)
#
echo "Rule mymark 1 (global)"
#
$IPTABLES -t mangle -A mymark -j MARK --set-mark 2
$IPTABLES -t mangle -A mymark -j ACCEPT
$IPTABLES -t mangle -A mymark -m state --state NEW -j MARK --set-mark 2
# ================ Table 'mangle', rule set Policy
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
$IPTABLES -N Cid43BBA6A09745.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j Cid43BBA6A09745.0
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j Cid43BBA6A09745.0
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j Cid43BBA6A09745.0
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid43BBA6A09745.0
$IPTABLES -t mangle -A Cid43BBA6A09745.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43BBA6A09745.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
$IPTABLES -N RULE_1 -t mangle
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j RULE_1
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j RULE_1
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j RULE_1
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j RULE_1
$IPTABLES -t mangle -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -t mangle -A RULE_1 -j MARK --set-mark 16
$IPTABLES -t mangle -A RULE_1 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
$IPTABLES -N Cid483502D710047.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j Cid483502D710047.0
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j Cid483502D710047.0
$IPTABLES -t mangle -A Cid483502D710047.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid483502D710047.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 3 (eth1)
#
echo "Rule 3 (eth1)"
#
$IPTABLES -N Cid30009X2275.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j Cid30009X2275.0
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j Cid30009X2275.0
$IPTABLES -t mangle -A Cid30009X2275.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid30009X2275.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 4 (global)
#
echo "Rule 4 (global)"
#
$IPTABLES -N RULE_4 -t mangle
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j RULE_4
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j RULE_4
$IPTABLES -t mangle -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT "
$IPTABLES -t mangle -A RULE_4 -j MARK --set-mark 16
$IPTABLES -t mangle -A RULE_4 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 5 (eth1)
#
echo "Rule 5 (eth1)"
#
$IPTABLES -N Cid43501X5007.1 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -m state --state NEW -j Cid43501X5007.1
$IPTABLES -N Cid43501X5007.0 -t mangle
$IPTABLES -t mangle -A Cid43501X5007.1 -p 50 -j Cid43501X5007.0
$IPTABLES -t mangle -A Cid43501X5007.1 -p ah -j Cid43501X5007.0
$IPTABLES -t mangle -A Cid43501X5007.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43501X5007.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -m state --state NEW -j Cid43501X5007.0
$IPTABLES -t mangle -A Cid43501X5007.0 -p 50 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43501X5007.0 -p ah -j MARK --set-mark 16
#
# Rule 6 (eth1)
#
echo "Rule 6 (eth1)"
#
$IPTABLES -N Cid43518X5007.1 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -m state --state NEW -j Cid43518X5007.1
$IPTABLES -N Cid43518X5007.0 -t mangle
$IPTABLES -t mangle -A Cid43518X5007.1 -p 50 -j Cid43518X5007.0
$IPTABLES -t mangle -A Cid43518X5007.1 -p ah -j Cid43518X5007.0
$IPTABLES -t mangle -A Cid43518X5007.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43518X5007.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -m state --state NEW -j Cid43518X5007.0
$IPTABLES -t mangle -A Cid43518X5007.0 -p 50 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43518X5007.0 -p ah -j MARK --set-mark 16
#
# Rule 7 (eth1)
#
echo "Rule 7 (eth1)"
#
$IPTABLES -N Cid43535X5007.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j Cid43535X5007.0
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j Cid43535X5007.0
$IPTABLES -t mangle -A Cid43535X5007.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43535X5007.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 8 (eth1)
#
echo "Rule 8 (eth1)"
#
$IPTABLES -N Cid43554X5007.1 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -j Cid43554X5007.1
$IPTABLES -N Cid43554X5007.0 -t mangle
$IPTABLES -t mangle -A Cid43554X5007.1 -p 50 -j Cid43554X5007.0
$IPTABLES -t mangle -A Cid43554X5007.1 -p ah -j Cid43554X5007.0
$IPTABLES -t mangle -A Cid43554X5007.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43554X5007.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -j Cid43554X5007.0
$IPTABLES -t mangle -A Cid43554X5007.0 -p 50 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43554X5007.0 -p ah -j MARK --set-mark 16
#
# Rule 9 (eth1)
#
echo "Rule 9 (eth1)"
#
$IPTABLES -N Cid43571X5007.1 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -j Cid43571X5007.1
$IPTABLES -N Cid43571X5007.0 -t mangle
$IPTABLES -t mangle -A Cid43571X5007.1 -p 50 -j Cid43571X5007.0
$IPTABLES -t mangle -A Cid43571X5007.1 -p ah -j Cid43571X5007.0
$IPTABLES -t mangle -A Cid43571X5007.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43571X5007.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -s 22.22.23.22 -j Cid43571X5007.0
$IPTABLES -t mangle -A Cid43571X5007.0 -p 50 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43571X5007.0 -p ah -j MARK --set-mark 16
#
# Rule 10 (eth1)
#
echo "Rule 10 (eth1)"
#
$IPTABLES -N Cid43588X5007.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -j Cid43588X5007.0
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -j Cid43588X5007.0
$IPTABLES -t mangle -A Cid43588X5007.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43588X5007.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -j MARK --set-mark 16
#
# Rule 11 (global)
#
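Review bot: with the trailing `-j ACCEPT` removed the `mymark` chain no longer stops after its first rule: a NEW packet to 192.168.2.0/24 now gets `MARK --set-mark 16` from `mymark 0` and is immediately overwritten by the unconditional `-m state --state NEW -j MARK --set-mark 2` of `mymark 1`, which makes the specific rule dead. If Tag is meant to be non-terminating in the mangle table, the expected output needs a `RETURN` after the first mark (or the generator has to stop at the first matching Tag rule); if the overwrite is intended, the changelog should say so explicitly. Rules 1 and 4 also lose their `LOG` targets in this hunk, so logging for these rules now depends entirely on the filter-table copy of the same rule.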
@ -480,79 +462,62 @@ script_body() {
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid43BBCC139745.0
$IPTABLES -t mangle -A Cid43BBCC139745.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid43BBCC139745.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_11_3 -t mangle
$IPTABLES -t mangle -A Cid43BBCC139745.0 -j RULE_11_3
$IPTABLES -t mangle -A RULE_11_3 -j LOG --log-level info --log-prefix "RULE 11 -- ACCEPT "
$IPTABLES -t mangle -A RULE_11_3 -j MARK --set-mark 16
$IPTABLES -t mangle -A RULE_11_3 -j ACCEPT
$IPTABLES -t mangle -A Cid43BBCC139745.0 -j MARK --set-mark 16
#
# Rule 12 (eth1)
#
echo "Rule 12 (eth1)"
#
$IPTABLES -N Cid4665E24F7765.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j Cid4665E24F7765.0
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j Cid4665E24F7765.0
$IPTABLES -t mangle -A Cid4665E24F7765.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid4665E24F7765.0 -j ACCEPT
$IPTABLES -N Cid4665E24F7765.1 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j Cid4665E24F7765.1
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j Cid4665E24F7765.1
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j Cid4665E24F7765.1
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j Cid4665E24F7765.1
$IPTABLES -t mangle -A Cid4665E24F7765.1 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid4665E24F7765.1 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 13 (eth1)
#
echo "Rule 13 (eth1)"
#
$IPTABLES -N Cid43BBCC3D9745.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j Cid43BBCC3D9745.0
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j Cid43BBCC3D9745.0
$IPTABLES -t mangle -A Cid43BBCC3D9745.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid43BBCC3D9745.0 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 14 (eth1)
#
echo "Rule 14 (eth1)"
#
$IPTABLES -N Cid459E471C10946.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j Cid459E471C10946.0
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j Cid459E471C10946.0
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j Cid459E471C10946.0
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j Cid459E471C10946.0
$IPTABLES -t mangle -A Cid459E471C10946.0 -j MARK --set-mark 16
$IPTABLES -t mangle -A Cid459E471C10946.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 16
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j MARK --set-mark 16
#
# Rule 15 (global)
#
echo "Rule 15 (global)"
#
# using CONNMARK
$IPTABLES -N Cid4483A4BD1810.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j Cid4483A4BD1810.0
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j Cid4483A4BD1810.0
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j Cid4483A4BD1810.0
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid4483A4BD1810.0
$IPTABLES -t mangle -A Cid4483A4BD1810.0 -j MARK --set-mark 10
$IPTABLES -t mangle -A Cid4483A4BD1810.0 -j CONNMARK --save-mark
$IPTABLES -t mangle -A Cid4483A4BD1810.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j CONNMARK --save-mark
#
# Rule 16 (global)
#
echo "Rule 16 (global)"
#
# using CONNMARK
$IPTABLES -N RULE_16 -t mangle
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j RULE_16
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j RULE_16
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j RULE_16
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j RULE_16
$IPTABLES -t mangle -A RULE_16 -j LOG --log-level info --log-prefix "RULE 16 -- ACCEPT "
$IPTABLES -t mangle -A RULE_16 -j MARK --set-mark 10
$IPTABLES -t mangle -A RULE_16 -j CONNMARK --save-mark
$IPTABLES -t mangle -A RULE_16 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A OUTPUT -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A OUTPUT -p ah -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j CONNMARK --save-mark
#
# Rule 17 (global)
#
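Review bot: rules 15 and 16 now emit the same `-p 50`/`-p ah ... --state NEW` match twice per chain, once for `MARK --set-mark 10` and once for `CONNMARK --save-mark`. This is only correct because MARK is non-terminating and every `--save-mark` rule is appended after the corresponding `MARK` rule; any later re-sorting of rules breaks it silently, and the match is evaluated twice. A single `MARK` rule followed by a chain-local `CONNMARK --save-mark` (the old `Cid4483A4BD1810.0` layout minus the `ACCEPT`) keeps the ordering explicit and halves the rule count. Rule 16's `LOG` is also gone from the mangle table and its filter-table counterpart is not in this diff view, so please confirm that logging is still produced for it.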
@ -566,57 +531,44 @@ script_body() {
$IPTABLES -t mangle -A PREROUTING -p ah -m state --state NEW -j Cid4483A4DF1810.0
$IPTABLES -t mangle -A Cid4483A4DF1810.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid4483A4DF1810.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_17_3 -t mangle
$IPTABLES -t mangle -A Cid4483A4DF1810.0 -j RULE_17_3
$IPTABLES -t mangle -A RULE_17_3 -j LOG --log-level info --log-prefix "RULE 17 -- ACCEPT "
$IPTABLES -t mangle -A RULE_17_3 -j MARK --set-mark 10
$IPTABLES -t mangle -A RULE_17_3 -j CONNMARK --save-mark
$IPTABLES -t mangle -A RULE_17_3 -j ACCEPT
$IPTABLES -t mangle -A Cid4483A4DF1810.0 -j MARK --set-mark 10
$IPTABLES -t mangle -A Cid4483A4DF1810.0 -j CONNMARK --save-mark
#
# Rule 18 (eth1)
#
echo "Rule 18 (eth1)"
#
# using CONNMARK
$IPTABLES -N Cid4483A4F01810.0 -t mangle
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j Cid4483A4F01810.0
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j Cid4483A4F01810.0
$IPTABLES -t mangle -A Cid4483A4F01810.0 -j MARK --set-mark 10
$IPTABLES -t mangle -A Cid4483A4F01810.0 -j CONNMARK --save-mark
$IPTABLES -t mangle -A Cid4483A4F01810.0 -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -i eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -i eth1 -p ah -m state --state NEW -j CONNMARK --save-mark
#
# Rule 19 (eth1)
#
echo "Rule 19 (eth1)"
#
# using CONNMARK
$IPTABLES -N Cid459E472D10946.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j Cid459E472D10946.0
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j Cid459E472D10946.0
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j Cid459E472D10946.0
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j Cid459E472D10946.0
$IPTABLES -t mangle -A Cid459E472D10946.0 -j MARK --set-mark 10
$IPTABLES -t mangle -A Cid459E472D10946.0 -j CONNMARK --save-mark
$IPTABLES -t mangle -A Cid459E472D10946.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j MARK --set-mark 10
$IPTABLES -t mangle -A OUTPUT -o eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A OUTPUT -o eth1 -p ah -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p 50 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A POSTROUTING -o eth1 -p ah -m state --state NEW -j CONNMARK --save-mark
#
# Rule 22 (global)
#
echo "Rule 22 (global)"
#
$IPTABLES -N Cid43BB81879745.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -s 192.168.1.0/24 -j Cid43BB81879745.0
$IPTABLES -t mangle -A Cid43BB81879745.0 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A Cid43BB81879745.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2
#
# Rule 23 (global)
#
echo "Rule 23 (global)"
#
$IPTABLES -N RULE_23 -t mangle
$IPTABLES -t mangle -A POSTROUTING -s 192.168.1.0/24 -j RULE_23
$IPTABLES -t mangle -A RULE_23 -j LOG --log-level info --log-prefix "RULE 23 -- ACCEPT "
$IPTABLES -t mangle -A RULE_23 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A RULE_23 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2
#
# Rule 24 (global)
#
@ -627,7 +579,6 @@ script_body() {
$IPTABLES -t mangle -A Cid451E56936383.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid451E56936383.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid451E56936383.0 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A Cid451E56936383.0 -j ACCEPT
#
# Rule 25 (global)
#
@ -637,49 +588,31 @@ script_body() {
$IPTABLES -t mangle -A POSTROUTING -j Cid451E56A46383.0
$IPTABLES -t mangle -A Cid451E56A46383.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid451E56A46383.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_25_3 -t mangle
$IPTABLES -t mangle -A Cid451E56A46383.0 -j RULE_25_3
$IPTABLES -t mangle -A RULE_25_3 -j LOG --log-level info --log-prefix "RULE 25 -- ACCEPT "
$IPTABLES -t mangle -A RULE_25_3 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A RULE_25_3 -j ACCEPT
$IPTABLES -t mangle -A Cid451E56A46383.0 -j CLASSIFY --set-class 1:2
#
# Rule 26 (eth1)
#
echo "Rule 26 (eth1)"
#
$IPTABLES -N Cid451EAD596383.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j Cid451EAD596383.0
$IPTABLES -t mangle -A Cid451EAD596383.0 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A Cid451EAD596383.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2
#
# Rule 27 (eth1)
#
echo "Rule 27 (eth1)"
#
$IPTABLES -N Out_RULE_27 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j Out_RULE_27
$IPTABLES -t mangle -A Out_RULE_27 -j LOG --log-level info --log-prefix "RULE 27 -- ACCEPT "
$IPTABLES -t mangle -A Out_RULE_27 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A Out_RULE_27 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2
#
# Rule 28 (eth1)
#
echo "Rule 28 (eth1)"
#
$IPTABLES -N Cid451ED8E76383.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o ! eth1 -s 192.168.1.0/24 -j Cid451ED8E76383.0
$IPTABLES -t mangle -A Cid451ED8E76383.0 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A Cid451ED8E76383.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o ! eth1 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2
#
# Rule 29 (eth1)
#
echo "Rule 29 (eth1)"
#
$IPTABLES -N Out_RULE_29 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o ! eth1 -s 192.168.1.0/24 -j Out_RULE_29
$IPTABLES -t mangle -A Out_RULE_29 -j LOG --log-level info --log-prefix "RULE 29 -- ACCEPT "
$IPTABLES -t mangle -A Out_RULE_29 -j CLASSIFY --set-class 1:2
$IPTABLES -t mangle -A Out_RULE_29 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o ! eth1 -s 192.168.1.0/24 -j CLASSIFY --set-class 1:2
#
# Rule 30 (global)
#
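Review bot: rules 28 and 29 use the intrapositioned negation `-o ! eth1` (present on both the old and new side of the hunk). Recent iptables releases accept it only with a deprecation warning; the supported form is `! -o eth1`. Since the expected output for this fixture is being regenerated anyway, switching the generator to the extrapositioned syntax here avoids carrying the warning into every deployment.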
@ -688,20 +621,14 @@ script_body() {
# testing for bug #1618381
# classify action is non-terminating
# in this firewall object
$IPTABLES -N Cid4599A9DC19324.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j Cid4599A9DC19324.0
$IPTABLES -t mangle -A Cid4599A9DC19324.0 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A Cid4599A9DC19324.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -p icmp -m icmp --icmp-type 3 -j CLASSIFY --set-class 1:10
#
# Rule 31 (eth0)
#
echo "Rule 31 (eth0)"
#
# second rule for bug #1618381
$IPTABLES -N Cid4599A9E919324.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o eth0 -j Cid4599A9E919324.0
$IPTABLES -t mangle -A Cid4599A9E919324.0 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A Cid4599A9E919324.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o eth0 -j CLASSIFY --set-class 1:11
#
# Rule 32 (global)
#
@ -713,7 +640,6 @@ script_body() {
$IPTABLES -t mangle -A Cid459A026219324.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid459A026219324.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid459A026219324.0 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A Cid459A026219324.0 -j ACCEPT
#
# Rule 33 (global)
#
@ -726,7 +652,6 @@ script_body() {
$IPTABLES -t mangle -A Cid459A5AFB19324.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -t mangle -A Cid459A5AFB19324.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -t mangle -A Cid459A5AFB19324.0 -j CLASSIFY --set-class 1:10
$IPTABLES -t mangle -A Cid459A5AFB19324.0 -j ACCEPT
#
# Rule 34 (eth0)
#
@ -736,23 +661,17 @@ script_body() {
# this rule uses multiport
# and has to be split because
# of that
$IPTABLES -N Cid459A875F19324.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 10000:11000 -j Cid459A875F19324.0
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j Cid459A875F19324.0
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p udp -m udp -m multiport --dports 53,161 -j Cid459A875F19324.0
$IPTABLES -t mangle -A Cid459A875F19324.0 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A Cid459A875F19324.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp --dport 10000:11000 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j CLASSIFY --set-class 1:11
$IPTABLES -t mangle -A POSTROUTING -o eth0 -p udp -m udp -m multiport --dports 53,161 -j CLASSIFY --set-class 1:11
#
# Rule 36 (global)
#
echo "Rule 36 (global)"
#
$IPTABLES -N RULE_36 -t mangle
$IPTABLES -t mangle -A PREROUTING -j RULE_36
$IPTABLES -t mangle -A RULE_36 -j LOG --log-level info --log-prefix "RULE 36 -- BRANCH "
$IPTABLES -t mangle -A RULE_36 -j mymark
$IPTABLES -t mangle -A POSTROUTING -j RULE_36
$IPTABLES -t mangle -A FORWARD -j RULE_36
$IPTABLES -t mangle -A PREROUTING -j mymark
$IPTABLES -t mangle -A POSTROUTING -j mymark
$IPTABLES -t mangle -A FORWARD -j mymark
# ================ Table 'mangle', rule set mangle_rules
#
# Rule mangle_rules 0 (global)
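Review bot: rule 36 loses its `LOG` target: the old `RULE_36` chain logged with prefix "RULE 36 -- BRANCH " before jumping to `mymark`, while the new lines jump straight to `mymark` from PREROUTING, POSTROUTING and FORWARD, so logging on branch rules in the mangle table has stopped unless it is emitted elsewhere. Separately, the branch is not installed in mangle OUTPUT: locally generated packets reach `mymark` only in POSTROUTING, after the routing decision, so marks set there cannot drive policy routing for the firewall's own traffic.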
@ -767,21 +686,16 @@ script_body() {
#
echo "Rule mangle_rules 1 (global)"
#
$IPTABLES -N Cid56804X29169.0 -t mangle
$IPTABLES -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j Cid56804X29169.0
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -j Cid56804X29169.0
$IPTABLES -t mangle -A Cid56804X29169.0 -j MARK --set-mark 1
$IPTABLES -t mangle -A Cid56804X29169.0 -j CONNMARK --save-mark
$IPTABLES -t mangle -A Cid56804X29169.0 -j ACCEPT
$IPTABLES -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -j MARK --set-mark 1
$IPTABLES -t mangle -A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j CONNMARK --save-mark
$IPTABLES -t mangle -A PREROUTING -p tcp -m tcp --dport 80 -m state --state NEW -j CONNMARK --save-mark
#
# Rule mangle_rules 2 (global)
#
echo "Rule mangle_rules 2 (global)"
#
$IPTABLES -N Cid56817X29169.0 -t mangle
$IPTABLES -t mangle -A POSTROUTING -m mark --mark 1 -j Cid56817X29169.0
$IPTABLES -t mangle -A Cid56817X29169.0 -j CLASSIFY --set-class 1:12
$IPTABLES -t mangle -A Cid56817X29169.0 -j ACCEPT
$IPTABLES -t mangle -A POSTROUTING -m mark --mark 1 -j CLASSIFY --set-class 1:12
#
# Rule mangle_rules 4 (global)
#
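Review bot: in `mangle_rules 1`/`2` only the first packet of a connection is classified: the `MARK --set-mark 1` and `CONNMARK --save-mark` rules match `--state NEW`, and the POSTROUTING `-m mark --mark 1 -j CLASSIFY --set-class 1:12` only sees a mark set earlier in the same traversal. For the rest of the flow to land in class 1:12, a `CONNMARK --restore-mark` rule has to run before it in PREROUTING and OUTPUT; none is visible in this hunk, so please check that `mangle_rules 0` provides one. As in the other hunks, mark and save are now two rules with an identical match instead of one chain, which relies on their relative order.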
@ -884,8 +798,248 @@ script_body() {
$IPTABLES -t mangle -A Cid43052X80179.0 -s 6bone.net -j ACCEPT
$IPTABLES -t mangle -A Cid43052X80179.0 -s ny6ix.net -j ACCEPT
# ================ Table 'filter', rule set mymark
#
# Rule mymark 0 (global)
#
echo "Rule mymark 0 (global)"
#
$IPTABLES -N mymark
$IPTABLES -A mymark -d 192.168.2.0/24 -m state --state NEW -j ACCEPT
#
# Rule mymark 1 (global)
#
echo "Rule mymark 1 (global)"
#
$IPTABLES -A mymark -m state --state NEW -j ACCEPT
# ================ Table 'filter', rule set Policy
#
# Rule 0 (global)
#
echo "Rule 0 (global)"
#
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p ah -m state --state NEW -j ACCEPT
#
# Rule 1 (global)
#
echo "Rule 1 (global)"
#
$IPTABLES -N RULE_1
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j RULE_1
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p 50 -m state --state NEW -j RULE_1
$IPTABLES -A INPUT -p ah -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j RULE_1
$IPTABLES -A FORWARD -p ah -m state --state NEW -j RULE_1
$IPTABLES -A RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A RULE_1 -j ACCEPT
#
# Rule 2 (global)
#
echo "Rule 2 (global)"
#
$IPTABLES -N Cid483502D710047.0
$IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid483502D710047.0
$IPTABLES -A INPUT -p ah -m state --state NEW -j Cid483502D710047.0
$IPTABLES -A Cid483502D710047.0 -s 22.22.23.22 -j ACCEPT
$IPTABLES -A Cid483502D710047.0 -s 192.168.1.22 -j ACCEPT
$IPTABLES -A Cid483502D710047.0 -s 192.168.2.1 -j ACCEPT
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j ACCEPT
#
# Rule 3 (eth1)
#
echo "Rule 3 (eth1)"
#
$IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 4 (global)
#
echo "Rule 4 (global)"
#
$IPTABLES -N Cid483502E810047.0
$IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid483502E810047.0
$IPTABLES -A INPUT -p ah -m state --state NEW -j Cid483502E810047.0
$IPTABLES -N RULE_4
$IPTABLES -A Cid483502E810047.0 -s 22.22.23.22 -j RULE_4
$IPTABLES -A Cid483502E810047.0 -s 192.168.1.22 -j RULE_4
$IPTABLES -A Cid483502E810047.0 -s 192.168.2.1 -j RULE_4
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j RULE_4
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j RULE_4
$IPTABLES -A RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT "
$IPTABLES -A RULE_4 -j ACCEPT
#
# Rule 5 (eth1)
#
echo "Rule 5 (eth1)"
#
$IPTABLES -N Cid43501X5007.0
$IPTABLES -A OUTPUT -o eth1 -s 22.22.23.22 -m state --state NEW -j Cid43501X5007.0
$IPTABLES -A Cid43501X5007.0 -p 50 -j ACCEPT
$IPTABLES -A Cid43501X5007.0 -p ah -j ACCEPT
#
# Rule 6 (eth1)
#
echo "Rule 6 (eth1)"
#
$IPTABLES -N Cid43518X5007.0
$IPTABLES -A OUTPUT -o eth1 -s 22.22.23.22 -m state --state NEW -j Cid43518X5007.0
$IPTABLES -A Cid43518X5007.0 -p 50 -j ACCEPT
$IPTABLES -A Cid43518X5007.0 -p ah -j ACCEPT
#
# Rule 7 (eth1)
#
echo "Rule 7 (eth1)"
#
$IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 8 (eth1)
#
echo "Rule 8 (eth1)"
#
$IPTABLES -N Cid43554X5007.0
$IPTABLES -A OUTPUT -o eth1 -s 22.22.23.22 -j Cid43554X5007.0
$IPTABLES -A Cid43554X5007.0 -p 50 -j ACCEPT
$IPTABLES -A Cid43554X5007.0 -p ah -j ACCEPT
#
# Rule 9 (eth1)
#
echo "Rule 9 (eth1)"
#
$IPTABLES -N Cid43571X5007.0
$IPTABLES -A OUTPUT -o eth1 -s 22.22.23.22 -j Cid43571X5007.0
$IPTABLES -A Cid43571X5007.0 -p 50 -j ACCEPT
$IPTABLES -A Cid43571X5007.0 -p ah -j ACCEPT
#
# Rule 10 (eth1)
#
echo "Rule 10 (eth1)"
#
$IPTABLES -A OUTPUT -o eth1 -p 50 -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p ah -j ACCEPT
#
# Rule 11 (global)
#
echo "Rule 11 (global)"
#
$IPTABLES -N Cid43BBCC139745.0
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j Cid43BBCC139745.0
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j Cid43BBCC139745.0
$IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid43BBCC139745.0
$IPTABLES -A INPUT -p ah -m state --state NEW -j Cid43BBCC139745.0
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j Cid43BBCC139745.0
$IPTABLES -A FORWARD -p ah -m state --state NEW -j Cid43BBCC139745.0
$IPTABLES -A Cid43BBCC139745.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid43BBCC139745.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_11_3
$IPTABLES -A Cid43BBCC139745.0 -j RULE_11_3
$IPTABLES -A RULE_11_3 -j LOG --log-level info --log-prefix "RULE 11 -- ACCEPT "
$IPTABLES -A RULE_11_3 -j ACCEPT
#
# Rule 12 (eth1)
#
echo "Rule 12 (eth1)"
#
$IPTABLES -A INPUT -i eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 13 (eth1)
#
echo "Rule 13 (eth1)"
#
$IPTABLES -A INPUT -i eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 14 (eth1)
#
echo "Rule 14 (eth1)"
#
$IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 15 (global)
#
echo "Rule 15 (global)"
#
# using CONNMARK
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p ah -m state --state NEW -j ACCEPT
#
# Rule 16 (global)
#
echo "Rule 16 (global)"
#
# using CONNMARK
$IPTABLES -N RULE_16
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j RULE_16
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j RULE_16
$IPTABLES -A INPUT -p 50 -m state --state NEW -j RULE_16
$IPTABLES -A INPUT -p ah -m state --state NEW -j RULE_16
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j RULE_16
$IPTABLES -A FORWARD -p ah -m state --state NEW -j RULE_16
$IPTABLES -A RULE_16 -j LOG --log-level info --log-prefix "RULE 16 -- ACCEPT "
$IPTABLES -A RULE_16 -j ACCEPT
#
# Rule 17 (global)
#
echo "Rule 17 (global)"
#
# using CONNMARK
$IPTABLES -N Cid4483A4DF1810.0
$IPTABLES -A OUTPUT -p 50 -m state --state NEW -j Cid4483A4DF1810.0
$IPTABLES -A OUTPUT -p ah -m state --state NEW -j Cid4483A4DF1810.0
$IPTABLES -A INPUT -p 50 -m state --state NEW -j Cid4483A4DF1810.0
$IPTABLES -A INPUT -p ah -m state --state NEW -j Cid4483A4DF1810.0
$IPTABLES -A FORWARD -p 50 -m state --state NEW -j Cid4483A4DF1810.0
$IPTABLES -A FORWARD -p ah -m state --state NEW -j Cid4483A4DF1810.0
$IPTABLES -A Cid4483A4DF1810.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid4483A4DF1810.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_17_3
$IPTABLES -A Cid4483A4DF1810.0 -j RULE_17_3
$IPTABLES -A RULE_17_3 -j LOG --log-level info --log-prefix "RULE 17 -- ACCEPT "
$IPTABLES -A RULE_17_3 -j ACCEPT
#
# Rule 18 (eth1)
#
echo "Rule 18 (eth1)"
#
# using CONNMARK
$IPTABLES -A INPUT -i eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 19 (eth1)
#
echo "Rule 19 (eth1)"
#
# using CONNMARK
$IPTABLES -A OUTPUT -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -p ah -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p 50 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -p ah -m state --state NEW -j ACCEPT
#
# Rule 20 (global)
#
echo "Rule 20 (global)"
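Review bot: the `# using CONNMARK` comment emitted for rules 15 through 19 is not matched by any `-m connmark` or `-j CONNMARK` in the rules that follow it; every rule in those blocks is a plain `-j ACCEPT` or a jump to a LOG/ACCEPT chain. If the intent is that ACCEPT-only rules need no CONNMARK handling, the generated comment is misleading and should be suppressed (or the fixture should state that the absence is expected); otherwise the generator is dropping the CONNMARK rules the comment announces.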
@ -902,6 +1056,171 @@ script_body() {
$IPTABLES -A OUTPUT -p tcp -m tcp -d 192.168.2.10 --dport 80 -j QUEUE
$IPTABLES -A FORWARD -p tcp -m tcp -d 192.168.2.10 --dport 80 -j QUEUE
#
# Rule 22 (global)
#
echo "Rule 22 (global)"
#
$IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A FORWARD -s 192.168.1.0/24 -j ACCEPT
#
# Rule 23 (global)
#
echo "Rule 23 (global)"
#
$IPTABLES -N RULE_23
$IPTABLES -A INPUT -s 192.168.1.0/24 -j RULE_23
$IPTABLES -A OUTPUT -s 192.168.1.0/24 -j RULE_23
$IPTABLES -A FORWARD -s 192.168.1.0/24 -j RULE_23
$IPTABLES -A RULE_23 -j LOG --log-level info --log-prefix "RULE 23 -- ACCEPT "
$IPTABLES -A RULE_23 -j ACCEPT
#
# Rule 24 (global)
#
echo "Rule 24 (global)"
#
$IPTABLES -N Cid451E56936383.0
$IPTABLES -A OUTPUT -j Cid451E56936383.0
$IPTABLES -A INPUT -j Cid451E56936383.0
$IPTABLES -A FORWARD -j Cid451E56936383.0
$IPTABLES -A Cid451E56936383.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid451E56936383.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid451E56936383.0 -j ACCEPT
#
# Rule 25 (global)
#
echo "Rule 25 (global)"
#
$IPTABLES -N Cid451E56A46383.0
$IPTABLES -A OUTPUT -j Cid451E56A46383.0
$IPTABLES -A INPUT -j Cid451E56A46383.0
$IPTABLES -A FORWARD -j Cid451E56A46383.0
$IPTABLES -A Cid451E56A46383.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid451E56A46383.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -N RULE_25_3
$IPTABLES -A Cid451E56A46383.0 -j RULE_25_3
$IPTABLES -A RULE_25_3 -j LOG --log-level info --log-prefix "RULE 25 -- ACCEPT "
$IPTABLES -A RULE_25_3 -j ACCEPT
#
# Rule 26 (eth1)
#
echo "Rule 26 (eth1)"
#
$IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -o eth1 -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -s 192.168.1.0/24 -j ACCEPT
#
# Rule 27 (eth1)
#
echo "Rule 27 (eth1)"
#
$IPTABLES -N In_RULE_27
$IPTABLES -A INPUT -i eth1 -s 192.168.1.0/24 -j In_RULE_27
$IPTABLES -A FORWARD -i eth1 -s 192.168.1.0/24 -j In_RULE_27
$IPTABLES -A In_RULE_27 -j LOG --log-level info --log-prefix "RULE 27 -- ACCEPT "
$IPTABLES -A In_RULE_27 -j ACCEPT
$IPTABLES -N Out_RULE_27
$IPTABLES -A OUTPUT -o eth1 -s 192.168.1.0/24 -j Out_RULE_27
$IPTABLES -A FORWARD -o eth1 -s 192.168.1.0/24 -j Out_RULE_27
$IPTABLES -A Out_RULE_27 -j LOG --log-level info --log-prefix "RULE 27 -- ACCEPT "
$IPTABLES -A Out_RULE_27 -j ACCEPT
#
# Rule 28 (eth1)
#
echo "Rule 28 (eth1)"
#
$IPTABLES -A INPUT -i ! eth1 -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A FORWARD -i ! eth1 -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A OUTPUT -o ! eth1 -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A FORWARD -o ! eth1 -s 192.168.1.0/24 -j ACCEPT
#
# Rule 29 (eth1)
#
echo "Rule 29 (eth1)"
#
$IPTABLES -N In_RULE_29
$IPTABLES -A INPUT -i ! eth1 -s 192.168.1.0/24 -j In_RULE_29
$IPTABLES -A FORWARD -i ! eth1 -s 192.168.1.0/24 -j In_RULE_29
$IPTABLES -A In_RULE_29 -j LOG --log-level info --log-prefix "RULE 29 -- ACCEPT "
$IPTABLES -A In_RULE_29 -j ACCEPT
$IPTABLES -N Out_RULE_29
$IPTABLES -A OUTPUT -o ! eth1 -s 192.168.1.0/24 -j Out_RULE_29
$IPTABLES -A FORWARD -o ! eth1 -s 192.168.1.0/24 -j Out_RULE_29
$IPTABLES -A Out_RULE_29 -j LOG --log-level info --log-prefix "RULE 29 -- ACCEPT "
$IPTABLES -A Out_RULE_29 -j ACCEPT
#
# Rule 30 (global)
#
echo "Rule 30 (global)"
#
# testing for bug #1618381
# classify action is non-terminating
# in this firewall object
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT
#
# Rule 31 (eth0)
#
echo "Rule 31 (eth0)"
#
# second rule for bug #1618381
$IPTABLES -A INPUT -i eth0 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -j ACCEPT
#
# Rule 32 (global)
#
echo "Rule 32 (global)"
#
# testing for bug #1618381
$IPTABLES -N Cid459A026219324.0
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid459A026219324.0
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid459A026219324.0
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid459A026219324.0
$IPTABLES -A Cid459A026219324.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid459A026219324.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid459A026219324.0 -j ACCEPT
#
# Rule 33 (global)
#
echo "Rule 33 (global)"
#
# testing for bug #1618381
$IPTABLES -N Cid459A5AFB19324.0
$IPTABLES -A OUTPUT -p icmp -m icmp --icmp-type 3 -j Cid459A5AFB19324.0
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 80 -j Cid459A5AFB19324.0
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type 3 -j Cid459A5AFB19324.0
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 -j Cid459A5AFB19324.0
$IPTABLES -A FORWARD -p icmp -m icmp --icmp-type 3 -j Cid459A5AFB19324.0
$IPTABLES -A FORWARD -p tcp -m tcp --dport 80 -j Cid459A5AFB19324.0
$IPTABLES -A Cid459A5AFB19324.0 -s 192.168.1.0/24 -j RETURN
$IPTABLES -A Cid459A5AFB19324.0 -s 192.168.2.0/24 -j RETURN
$IPTABLES -A Cid459A5AFB19324.0 -j ACCEPT
#
# Rule 34 (eth0)
#
echo "Rule 34 (eth0)"
#
# bug #1618381
# this rule uses multiport
# and has to be split because
# of that
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p tcp -m tcp --dport 10000:11000 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p tcp -m tcp -m multiport --dports 113,13,53,2105,21,70,80,443,6667,119,25,3128,22,23,540 -j ACCEPT
$IPTABLES -A FORWARD -o eth0 -p udp -m udp -m multiport --dports 53,161 -j ACCEPT
#
# Rule 35 (global)
#
echo "Rule 35 (global)"
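Review bot: rules 28 and 29 emit the intrapositioned negation form `-i ! eth1` / `-o ! eth1` (for example `$IPTABLES -A INPUT -i ! eth1 -s 192.168.1.0/24 -j ACCEPT` and the matching `-o ! eth1` lines). iptables has deprecated that form since 1.4.3 in favour of `! -i eth1` and prints a warning for every such rule at load time, so a fixture regenerated in 2011 should prefer the extrapositioned form unless the target platform is pinned to an old iptables; the same applies to the `-s ! 192.168.1.0/24` matches elsewhere in this change.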
@ -919,7 +1238,6 @@ script_body() {
$IPTABLES -A INPUT -j RULE_36
$IPTABLES -A FORWARD -j RULE_36
$IPTABLES -A RULE_36 -j LOG --log-level info --log-prefix "RULE 36 -- BRANCH "
$IPTABLES -N mymark
$IPTABLES -A RULE_36 -j mymark
#
# Rule 37 (global)
@ -987,7 +1305,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue May 3 20:28:13 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:41 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

View File

@ -2,9 +2,9 @@
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v4.2.1.ma_1
# Firewall Builder fwb_ipt v4.3.0.3542
#
# Generated Tue May 3 19:32:56 2011 PDT by vadim
# Generated Sat May 14 15:40:41 2011 PDT by vadim
#
# files: * firewall38.fw /etc/fw/firewall38.fw
#
@ -59,6 +59,19 @@ getaddr_internal() {
eval "${name}_list=\"$L\""
}
getnet_internal() {
dev=$1
name=$2
af=$3
L=$($IP route list proto kernel | grep $dev | grep -v default | sed 's! .*$!!')
test -z "$L" && {
eval "$name=''"
return
}
eval "${name}_list=\"$L\""
}
getaddr() {
getaddr_internal $1 $2 "-4"
}
@ -67,6 +80,14 @@ getaddr6() {
getaddr_internal $1 $2 "-6"
}
getnet() {
getnet_internal $1 $2 "-4"
}
getnet6() {
getnet_internal $1 $2 "-6"
}
# function getinterfaces is used to process wildcard interfaces
getinterfaces() {
NAME=$1
@ -313,6 +334,36 @@ script_body() {
echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT "
# ================ Table 'filter', rule set Policy
#
# Rule 1 (global)
echo "-A OUTPUT -p 50 -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \""
echo "-A OUTPUT -p ah -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \""
echo "-A INPUT -p 50 -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \""
echo "-A INPUT -p ah -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \""
echo "-A FORWARD -p 50 -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \""
echo "-A FORWARD -p ah -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \""
#
# Rule 2 (global)
echo ":Cid43BBF1AD9745.0 - [0:0]"
echo "-A OUTPUT -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.0 "
echo "-A Cid43BBF1AD9745.0 -p 50 -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \""
echo "-A Cid43BBF1AD9745.0 -p ah -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \""
echo ":Cid43BBF1AD9745.1 - [0:0]"
echo "-A INPUT -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.1 "
echo "-A Cid43BBF1AD9745.1 -p 50 -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \""
echo "-A Cid43BBF1AD9745.1 -p ah -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \""
echo ":Cid43BBF1AD9745.2 - [0:0]"
echo "-A OUTPUT -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.2 "
echo "-A Cid43BBF1AD9745.2 -p 50 -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \""
echo "-A Cid43BBF1AD9745.2 -p ah -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \""
echo ":Cid43BBF1AD9745.3 - [0:0]"
echo "-A FORWARD -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.3 "
echo "-A Cid43BBF1AD9745.3 -p 50 -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \""
echo "-A Cid43BBF1AD9745.3 -p ah -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \""
#
# Rule 5 (global)
echo "-A INPUT -p tcp -m tcp -s 22.22.23.22 --dport 80 -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 5 -- CONTINUE \""
echo "-A OUTPUT -p tcp -m tcp -s 22.22.23.22 --dport 80 -m state --state NEW -j LOG --log-level info --log-prefix \"RULE 5 -- CONTINUE \""
#
# Rule 9 (global)
echo "-A OUTPUT -m mark --mark 16 -m state --state NEW -j ACCEPT "
echo "-A INPUT -m mark --mark 16 -m state --state NEW -j ACCEPT "
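Review bot: in the Rule 2 block the OUTPUT chain receives two identical branch rules, `-A OUTPUT -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.0` and the same match again jumping to `Cid43BBF1AD9745.2`, and both target chains carry the same LOG-only rules. Because LOG is non-terminating, every matching locally generated packet is logged twice with the `RULE 2 -- CONTINUE` prefix. The `.2` chain looks like an artefact of compiling the rule once per direction; the expected output should contain a single OUTPUT branch, with `.1` for INPUT and `.3` for FORWARD.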
@ -372,26 +423,20 @@ script_body() {
echo "-A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16"
#
# Rule 1 (global)
echo ":RULE_1 - [0:0]"
echo "-A OUTPUT -p 50 -m state --state NEW -j RULE_1 "
echo "-A OUTPUT -p ah -m state --state NEW -j RULE_1 "
echo "-A PREROUTING -p 50 -m state --state NEW -j RULE_1 "
echo "-A PREROUTING -p ah -m state --state NEW -j RULE_1 "
echo "-A RULE_1 -j LOG --log-level info --log-prefix \"RULE 1 -- CONTINUE \""
echo "-A RULE_1 -j MARK --set-mark 16"
echo "-A OUTPUT -p 50 -m state --state NEW -j MARK --set-mark 16"
echo "-A OUTPUT -p ah -m state --state NEW -j MARK --set-mark 16"
echo "-A PREROUTING -p 50 -m state --state NEW -j MARK --set-mark 16"
echo "-A PREROUTING -p ah -m state --state NEW -j MARK --set-mark 16"
#
# Rule 2 (global)
echo ":Cid43BBF1AD9745.0 - [0:0]"
echo "-A OUTPUT -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.0 "
echo ":RULE_2 - [0:0]"
echo "-A Cid43BBF1AD9745.0 -p 50 -j RULE_2 "
echo "-A Cid43BBF1AD9745.0 -p ah -j RULE_2 "
echo "-A Cid43BBF1AD9745.0 -p 50 -j MARK --set-mark 16"
echo "-A Cid43BBF1AD9745.0 -p ah -j MARK --set-mark 16"
echo ":Cid43BBF1AD9745.1 - [0:0]"
echo "-A PREROUTING -s ! 192.168.1.0/24 -m state --state NEW -j Cid43BBF1AD9745.1 "
echo "-A Cid43BBF1AD9745.1 -p 50 -j RULE_2 "
echo "-A Cid43BBF1AD9745.1 -p ah -j RULE_2 "
echo "-A RULE_2 -j LOG --log-level info --log-prefix \"RULE 2 -- CONTINUE \""
echo "-A RULE_2 -j MARK --set-mark 16"
echo "-A Cid43BBF1AD9745.1 -p 50 -j MARK --set-mark 16"
echo "-A Cid43BBF1AD9745.1 -p ah -j MARK --set-mark 16"
#
# Rule 3 (eth1)
echo "-A PREROUTING -i eth1 -p 50 -m state --state NEW -j MARK --set-mark 16"
@ -402,10 +447,7 @@ script_body() {
echo "-A OUTPUT -p tcp -m tcp --dport 80 -m state --state NEW -j MARK --set-mark 2"
#
# Rule 5 (global)
echo ":RULE_5 - [0:0]"
echo "-A OUTPUT -p tcp -m tcp -s 22.22.23.22 --dport 80 -m state --state NEW -j RULE_5 "
echo "-A RULE_5 -j LOG --log-level info --log-prefix \"RULE 5 -- CONTINUE \""
echo "-A RULE_5 -j MARK --set-mark 2"
echo "-A OUTPUT -p tcp -m tcp -s 22.22.23.22 --dport 80 -m state --state NEW -j MARK --set-mark 2"
#
# Rule 6 (eth1)
echo "-A OUTPUT -o eth1 -p tcp -m tcp -s 22.22.23.22 --dport 80 -m state --state NEW -j MARK --set-mark 2"
@ -498,7 +540,7 @@ test -z "$cmd" && {
case "$cmd" in
start)
log "Activating firewall script generated Tue May 3 19:32:56 2011 by vadim"
log "Activating firewall script generated Sat May 14 15:40:41 2011 by vadim"
check_tools
prolog_commands
check_run_time_address_table_files

Some files were not shown because too many files have changed in this diff.