fixes #2040 rename functions in OSConfigurator_bsd

src/pflib/OSConfigurator_bsd.h

@@ -63,38 +63,38 @@ protected:
                                        Configlet *configlet);
 
         // functions that generate interface address configuration
-        virtual void listAllInterfacesConfigLine(QStringList intf_names,
+        virtual void summaryConfigLineIP(QStringList intf_names,
                                                     bool ipv6);
 
-        virtual void updateAddressesOfInterface(
+        virtual void interfaceConfigLineIP(
             libfwbuilder::Interface *iface,
             std::list<std::pair<libfwbuilder::InetAddr,libfwbuilder::InetAddr> >
                 all_addresses);
 
         // functions that generate VLAN configuration
-        virtual void listAllVlansConfgLine(QStringList vlan_names);
+        virtual void summaryConfigLineVlan(QStringList vlan_names);
 
-        virtual void updateVlansOfInterface(
+        virtual void interfaceConfigLineVlan(
             libfwbuilder::Interface *iface, QStringList vlan_names);
 
         // functions that generate bridge configuration
-        virtual void listAllBridgeConfgLine(QStringList vlan_names);
+        virtual void summaryConfigLineBridge(QStringList vlan_names);
 
-        virtual void updateBridgeOfInterface(
+        virtual void interfaceConfigLineBridge(
             libfwbuilder::Interface *iface, QStringList vlan_names);
 
         // functions that generate CARP interface configuration
-        virtual void listAllCARPConfgLine(QStringList carp_names);
-        virtual void updateCARPInterface(libfwbuilder::Interface *iface,
+        virtual void summaryConfigLineCARP(QStringList carp_names);
+        virtual void interfaceConfigLineCARP(libfwbuilder::Interface *iface,
                                             libfwbuilder::FWObject *failover_group);
-        virtual void updateCARPInterfaceInternal(
+        virtual void interfaceConfigLineCARPInternal(
             libfwbuilder::Interface *iface,
             libfwbuilder::FWObject *failover_group,
             Configlet *configlet);
 
         // functions that generate pfsync interface configuration
-        virtual void listAllPfsyncConfgLine(bool have_pfsync);
-        virtual void updatePfsyncInterface(
+        virtual void summaryConfigLinePfsync(bool have_pfsync);
+        virtual void interfaceConfigLinePfsync(
             libfwbuilder::Interface *iface,
             libfwbuilder::StateSyncClusterGroup *sync_group);
 

src/pflib/OSConfigurator_bsd_interfaces.cpp

@@ -103,14 +103,14 @@ string OSConfigurator_bsd::configureInterfaces()
 
         // issue sync_vlan_interfaces command even if there are no vlans
         // since it deletes them on the firewall if they exist
-        listAllVlansConfgLine(vlan_interfaces);
+        summaryConfigLineVlan(vlan_interfaces);
 
         for (it=vlan_subinterfaces.begin(); it!=vlan_subinterfaces.end(); ++it)
         {
             Interface *iface = it.key();
             QStringList vlan_subinterfaces = it.value();
             if (vlan_subinterfaces.size() > 0)
-                updateVlansOfInterface(iface, vlan_subinterfaces);
+                interfaceConfigLineVlan(iface, vlan_subinterfaces);
         }
     }
 
@@ -145,7 +145,7 @@ string OSConfigurator_bsd::configureInterfaces()
 
         QMap<Interface*,QStringList>::iterator it;
         
-        listAllBridgeConfgLine(bridge_interfaces);
+        summaryConfigLineBridge(bridge_interfaces);
 
         for (it=bridge_subinterfaces.begin(); it!=bridge_subinterfaces.end(); ++it)
         {
@@ -153,7 +153,7 @@ string OSConfigurator_bsd::configureInterfaces()
             QStringList bridge_ports = it.value();
 
             if (bridge_ports.size() > 0)
-                updateBridgeOfInterface(iface, bridge_ports);
+                interfaceConfigLineBridge(iface, bridge_ports);
         }
     }
 
@@ -190,14 +190,14 @@ string OSConfigurator_bsd::configureInterfaces()
 
         // issue "sync_carp_interfaces" call even when we have none, it will
         // delete those that might exist on the firewall
-        listAllCARPConfgLine(carp_interfaces);
+        summaryConfigLineCARP(carp_interfaces);
 
         QMap<Interface*, FWObject*>::iterator it;
         for (it=failover_groups.begin(); it!=failover_groups.end(); ++it)
         {
             Interface *iface = it.key();
             FWObject* failover_group = it.value();
-            updateCARPInterface(iface, failover_group);
+            interfaceConfigLineCARP(iface, failover_group);
         }
     }
 
@@ -287,17 +287,17 @@ string OSConfigurator_bsd::configureInterfaces()
             }
         }
 
-        listAllInterfacesConfigLine(ipv6_names, true);
+        summaryConfigLineIP(ipv6_names, true);
 
-        listAllInterfacesConfigLine(intf_names, false);
+        summaryConfigLineIP(intf_names, false);
 
         QMap<Interface*, list<pair<InetAddr,InetAddr> > >::iterator it;
         for (it=all_addresses.begin(); it!=all_addresses.end(); ++it)
         {
-            // qDebug() << "updateAddressesOfInterface:"
+            // qDebug() << "interfaceConfigLineIP:"
             //          << it.key()
             //          << it.value().size();
-            updateAddressesOfInterface(it.key(), it.value());
+            interfaceConfigLineIP(it.key(), it.value());
         }
     }
 
@@ -327,24 +327,24 @@ string OSConfigurator_bsd::configureInterfaces()
 
             have_pfsync_interfaces = true;
 
-            listAllPfsyncConfgLine(have_pfsync_interfaces);
-            updatePfsyncInterface(iface, state_sync_group);
+            summaryConfigLinePfsync(have_pfsync_interfaces);
+            interfaceConfigLinePfsync(iface, state_sync_group);
 
             break;
         }
 
-        if (!have_pfsync_interfaces) listAllPfsyncConfgLine(false);
+        if (!have_pfsync_interfaces) summaryConfigLinePfsync(false);
     }
 
     
     return printAllInterfaceConfigurationLines().toStdString();
 }
 
-void OSConfigurator_bsd::listAllInterfacesConfigLine(QStringList , bool )
+void OSConfigurator_bsd::summaryConfigLineIP(QStringList , bool )
 {
 }
 
-void OSConfigurator_bsd::updateAddressesOfInterface(
+void OSConfigurator_bsd::interfaceConfigLineIP(
     Interface *iface, list<pair<InetAddr,InetAddr> > all_addresses)
 {
     QStringList arg1;
@@ -397,14 +397,14 @@ void OSConfigurator_bsd::updateAddressesOfInterface(
 
 
 
-void OSConfigurator_bsd::listAllVlansConfgLine(QStringList vlan_names)
+void OSConfigurator_bsd::summaryConfigLineVlan(QStringList vlan_names)
 {
     interface_configuration_lines <<
         QString("sync_vlan_interfaces %1").arg(vlan_names.join(" "));
 }
 
 
-void OSConfigurator_bsd::updateVlansOfInterface(Interface *iface,
+void OSConfigurator_bsd::interfaceConfigLineVlan(Interface *iface,
                                                 QStringList vlan_names)
 {
     interface_configuration_lines << 
@@ -413,14 +413,14 @@ void OSConfigurator_bsd::updateVlansOfInterface(Interface *iface,
         .arg(vlan_names.join(" "));
 }
 
-void OSConfigurator_bsd::listAllBridgeConfgLine(QStringList bridge_names)
+void OSConfigurator_bsd::summaryConfigLineBridge(QStringList bridge_names)
 {
     interface_configuration_lines <<
         QString("sync_bridge_interfaces %1").arg(bridge_names.join(" "));
 }
 
 
-void OSConfigurator_bsd::updateBridgeOfInterface(Interface *iface,
+void OSConfigurator_bsd::interfaceConfigLineBridge(Interface *iface,
                                                     QStringList bridge_port_names)
 {
     interface_configuration_lines <<
@@ -429,20 +429,20 @@ void OSConfigurator_bsd::updateBridgeOfInterface(Interface *iface,
         .arg(bridge_port_names.join(" "));
 }
 
-void OSConfigurator_bsd::listAllCARPConfgLine(QStringList carp_names)
+void OSConfigurator_bsd::summaryConfigLineCARP(QStringList carp_names)
 {
     interface_configuration_lines <<
         QString("sync_carp_interfaces %1").arg(carp_names.join(" "));
 }
 
-void OSConfigurator_bsd::updateCARPInterface(Interface *iface,
+void OSConfigurator_bsd::interfaceConfigLineCARP(Interface *iface,
                                              FWObject *failover_group)
 {
     Configlet configlet(fw, "bsd", "carp_interface");
-    updateCARPInterfaceInternal(iface, failover_group, &configlet);
+    interfaceConfigLineCARPInternal(iface, failover_group, &configlet);
 }
 
-void OSConfigurator_bsd::updateCARPInterfaceInternal(
+void OSConfigurator_bsd::interfaceConfigLineCARPInternal(
     Interface *iface, FWObject *failover_group, Configlet *configlet)
 {
     // failover_master and base_device are set in Compiler::processFailoverGroup
@@ -489,7 +489,7 @@ void OSConfigurator_bsd::updateCARPInterfaceInternal(
     interface_configuration_lines <<  configlet->expand();
 }
 
-void OSConfigurator_bsd::listAllPfsyncConfgLine(bool have_pfsync)
+void OSConfigurator_bsd::summaryConfigLinePfsync(bool have_pfsync)
 {
     interface_configuration_lines <<
         QString("sync_pfsync_interfaces %1").arg(have_pfsync?"pfsync0":"");
@@ -503,7 +503,7 @@ void OSConfigurator_bsd::listAllPfsyncConfgLine(bool have_pfsync)
  * ifconfig pfsyncN syncdev syncdev [syncpeer syncpeer]
  */
 
-void OSConfigurator_bsd::updatePfsyncInterface(
+void OSConfigurator_bsd::interfaceConfigLinePfsync(
     Interface *iface, StateSyncClusterGroup *state_sync_group)
 {
     Configlet configlet(fw, "bsd", "pfsync_interface");

src/pflib/OSConfigurator_freebsd.cpp

@@ -100,7 +100,7 @@ int OSConfigurator_freebsd::prolog()
     return 0;
 }
 
-void OSConfigurator_freebsd::listAllInterfacesConfigLine(QStringList names,
+void OSConfigurator_freebsd::summaryConfigLineIP(QStringList names,
                                                             bool ipv6)
 {
     FWOptions* options = fw->getOptionsObject();
@@ -118,7 +118,7 @@ void OSConfigurator_freebsd::listAllInterfacesConfigLine(QStringList names,
     }
 }
         
-void OSConfigurator_freebsd::updateAddressesOfInterface(
+void OSConfigurator_freebsd::interfaceConfigLineIP(
     Interface *iface, list<pair<InetAddr,InetAddr> > all_addresses)
 {
     FWOptions* options = fw->getOptionsObject();
@@ -195,10 +195,10 @@ void OSConfigurator_freebsd::updateAddressesOfInterface(
             }
         }
     } else
-        OSConfigurator_bsd::updateAddressesOfInterface(iface, all_addresses);
+        OSConfigurator_bsd::interfaceConfigLineIP(iface, all_addresses);
 }
 
-void OSConfigurator_freebsd::listAllVlansConfgLine(QStringList vlan_names)
+void OSConfigurator_freebsd::summaryConfigLineVlan(QStringList vlan_names)
 {
     FWOptions* options = fw->getOptionsObject();
     if (options->getBool("generate_rc_conf_file"))
@@ -233,7 +233,7 @@ void OSConfigurator_freebsd::listAllVlansConfgLine(QStringList vlan_names)
  create_args_myvlan="vlan 102"
 
  */
-void OSConfigurator_freebsd::updateVlansOfInterface(Interface *iface,
+void OSConfigurator_freebsd::interfaceConfigLineVlan(Interface *iface,
                                                     QStringList vlan_names)
 {
     FWOptions* options = fw->getOptionsObject();
@@ -264,14 +264,14 @@ void OSConfigurator_freebsd::updateVlansOfInterface(Interface *iface,
             .arg(vlan_names.join(" "));
 }
 
-void OSConfigurator_freebsd::listAllBridgeConfgLine(QStringList bridge_names)
+void OSConfigurator_freebsd::summaryConfigLineBridge(QStringList bridge_names)
 {
     FWOptions* options = fw->getOptionsObject();
     if (options->getBool("generate_rc_conf_file"))
     {
         cloned_interfaces += bridge_names;
     } else
-        OSConfigurator_bsd::listAllBridgeConfgLine(bridge_names);
+        OSConfigurator_bsd::summaryConfigLineBridge(bridge_names);
 }
 
 /*
@@ -310,7 +310,7 @@ http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-bridging.html
 TODO:  STP support should be optional
 
  */
-void OSConfigurator_freebsd::updateBridgeOfInterface(Interface *iface,
+void OSConfigurator_freebsd::interfaceConfigLineBridge(Interface *iface,
                                                      QStringList bridge_port_names)
 {
     FWOptions* options = fw->getOptionsObject();
@@ -334,40 +334,40 @@ void OSConfigurator_freebsd::updateBridgeOfInterface(Interface *iface,
 
         interface_configuration_lines <<  outp.join("\n");
     } else
-        OSConfigurator_bsd::updateBridgeOfInterface(iface, bridge_port_names);
+        OSConfigurator_bsd::interfaceConfigLineBridge(iface, bridge_port_names);
 }
 
 
-void OSConfigurator_freebsd::listAllCARPConfgLine(QStringList carp_names)
+void OSConfigurator_freebsd::summaryConfigLineCARP(QStringList carp_names)
 {
     FWOptions* options = fw->getOptionsObject();
     if (options->getBool("generate_rc_conf_file"))
     {
         cloned_interfaces += carp_names;
     } else
-        OSConfigurator_bsd::listAllCARPConfgLine(carp_names);
+        OSConfigurator_bsd::summaryConfigLineCARP(carp_names);
 }
 
-void OSConfigurator_freebsd::updateCARPInterface(Interface *iface,
+void OSConfigurator_freebsd::interfaceConfigLineCARP(Interface *iface,
                                                  FWObject *failover_group)
 {
     FWOptions* options = fw->getOptionsObject();
     if (options->getBool("generate_rc_conf_file"))
     {
         Configlet configlet(fw, "freebsd", "rc_conf_carp_interface");
-        updateCARPInterfaceInternal(iface, failover_group, &configlet);
+        interfaceConfigLineCARPInternal(iface, failover_group, &configlet);
     } else
-        OSConfigurator_bsd::updateCARPInterface(iface, failover_group);
+        OSConfigurator_bsd::interfaceConfigLineCARP(iface, failover_group);
 }
 
-void OSConfigurator_freebsd::listAllPfsyncConfgLine(bool have_pfsync)
+void OSConfigurator_freebsd::summaryConfigLinePfsync(bool have_pfsync)
 {
     FWOptions* options = fw->getOptionsObject();
     if (options->getBool("generate_rc_conf_file"))
     {
         interface_configuration_lines <<  "pfsync_enable=\"YES\"";
     } else
-        OSConfigurator_bsd::listAllPfsyncConfgLine(have_pfsync);
+        OSConfigurator_bsd::summaryConfigLinePfsync(have_pfsync);
 }
 
 /*
@@ -401,7 +401,7 @@ void OSConfigurator_freebsd::listAllPfsyncConfgLine(bool have_pfsync)
 		 up pfsync(4).
  */
 
-void OSConfigurator_freebsd::updatePfsyncInterface(
+void OSConfigurator_freebsd::interfaceConfigLinePfsync(
     Interface *iface, StateSyncClusterGroup *state_sync_group)
 {
     FWOptions* options = fw->getOptionsObject();
@@ -434,7 +434,7 @@ void OSConfigurator_freebsd::updatePfsyncInterface(
         interface_configuration_lines <<  configlet.expand();
 
     } else
-        OSConfigurator_bsd::updatePfsyncInterface(iface, state_sync_group);
+        OSConfigurator_bsd::interfaceConfigLinePfsync(iface, state_sync_group);
 }
 
 QString OSConfigurator_freebsd::printAllInterfaceConfigurationLines()

src/pflib/OSConfigurator_freebsd.h

@@ -56,33 +56,33 @@ namespace fwcompiler
                                        const std::string &var_name,
                                        Configlet *configlet);
 
-        virtual void listAllInterfacesConfigLine(QStringList intf_names,
+        virtual void summaryConfigLineIP(QStringList intf_names,
                                                  bool ipv6);
-        virtual void updateAddressesOfInterface(
+        virtual void interfaceConfigLineIP(
             libfwbuilder::Interface *iface,
             std::list<std::pair<libfwbuilder::InetAddr,libfwbuilder::InetAddr> >
             all_addresses);
 
 
-        virtual void listAllVlansConfgLine(QStringList vlan_names);
+        virtual void summaryConfigLineVlan(QStringList vlan_names);
 
-        virtual void updateVlansOfInterface(
+        virtual void interfaceConfigLineVlan(
             libfwbuilder::Interface *iface, QStringList vlan_names);
 
         // functions that generate bridge configuration
-        virtual void listAllBridgeConfgLine(QStringList vlan_names);
+        virtual void summaryConfigLineBridge(QStringList vlan_names);
 
-        virtual void updateBridgeOfInterface(
+        virtual void interfaceConfigLineBridge(
             libfwbuilder::Interface *iface, QStringList vlan_names);
 
         // functions that generate CARP interface configuration
-        virtual void listAllCARPConfgLine(QStringList carp_names);
-        virtual void updateCARPInterface(libfwbuilder::Interface *iface,
+        virtual void summaryConfigLineCARP(QStringList carp_names);
+        virtual void interfaceConfigLineCARP(libfwbuilder::Interface *iface,
                                          libfwbuilder::FWObject *failover_group);
 
         // functions that generate pfsync interface configuration
-        virtual void listAllPfsyncConfgLine(bool have_pfsync);
-        virtual void updatePfsyncInterface(
+        virtual void summaryConfigLinePfsync(bool have_pfsync);
+        virtual void interfaceConfigLinePfsync(
             libfwbuilder::Interface *iface,
             libfwbuilder::StateSyncClusterGroup *sync_group);
 

test/pf/firewall103.conf.orig

@@ -0,0 +1,25 @@
+
+set timeout udp.single 5
+
+#
+# Scrub rules
+#
+match all scrub (reassemble tcp no-df )
+match out all scrub (random-id min-ttl  1 max-mss  1460)
+
+
+# Tables: (1)
+table <tbl.r9998.d> { 10.1.1.81 , 10.3.14.81 , 192.168.1.1 } 
+
+# 
+# Rule  backup ssh access rule
+#    backup ssh access rule 
+pass in   quick inet proto tcp  from 10.3.14.30  to <tbl.r9998.d> port 22  label "RULE 9998 -- ACCEPT "  
+# 
+# Rule  0 (global)
+block  log  quick inet  from any  to any no state  label "RULE 0 -- DROP "  
+# 
+# Rule  fallback rule
+#    fallback rule 
+block  quick inet  from any  to any no state  label "RULE 10000 -- DROP "  
+

test/pf/firewall103.fw.orig

@@ -0,0 +1,308 @@
+#!/bin/sh
+#
+#  This is automatically generated file. DO NOT MODIFY !
+#
+#  Firewall Builder  fwb_pf v4.2.0.3460
+#
+#  Generated Sun Feb  6 14:51:48 2011 PST by vadim
+#
+# files: * firewall103.fw /etc/fw/pf.fw
+# files:   firewall103.conf /etc/fw/path\ with\ space/pf.conf
+#
+# Compiled for pf 4.7
+#
+# bridge interface, static address, shell script format
+
+
+
+
+
+FWDIR=`dirname $0`
+
+IFCONFIG="/sbin/ifconfig"
+PFCTL="/sbin/pfctl"
+IPFW="/sbin/ipfw"
+IPF="/sbin/ipf"
+IPNAT="/sbin/ipnat"
+SYSCTL="/sbin/sysctl"
+LOGGER="/usr/bin/logger"
+
+log() {
+    echo "$1"
+    test -x "$LOGGER" && $LOGGER -p info "$1"
+}
+
+diff_intf() {
+    func=$1
+    list1=$2
+    list2=$3
+    cmd=$4
+    for intf in $list1
+    do
+        echo $list2 | grep -q $intf || {
+        # $vlan is absent in list 2
+            $func $intf $cmd
+        }
+    done
+}
+
+
+missing_address() {
+    address=$1
+    cmd=$2
+
+    oldIFS=$IFS
+    IFS="@"
+    set $address
+    addr=$1
+    interface=$2
+    IFS=$oldIFS
+
+    if echo "$addr" | grep -q ':'
+    then
+        inet="inet6"
+        addr=$(echo "$addr" | sed 's!/! prefixlen !')
+    else
+        inet="inet"
+        addr=$(echo "$addr" | sed 's!/! netmask !')
+    fi
+
+    parameter=""
+    test "$cmd" = "add" && {
+      echo "# Adding ip address: $interface $addr"
+      parameter="alias"
+    }
+    test "$cmd" = "del" && {
+      echo "# Removing ip address: $interface $addr"
+      parameter="delete"
+    }
+
+    $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter
+    $FWBDEBUG $IFCONFIG $interface up
+}
+
+list_addresses_by_scope() {
+    interface=$1
+    scope=$2
+    ignore_list=$3
+
+    scope_regex="1"
+    if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi
+
+    $IFCONFIG $interface | sed "s/%$interface//" | \
+      awk -v IGNORED="$ignore_list" \
+        "BEGIN {  
+           split(IGNORED,ignored_arr);
+           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
+         }
+         (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \
+        while read addr; do
+          echo "${addr}@$interface"
+        done | sort
+   
+}
+
+update_addresses_of_interface() {
+    ignore_list=$2
+    set $1 
+    interface=$1 
+    shift
+
+    FWB_ADDRS=$(
+      for addr in $*; do
+        echo "${addr}@$interface"
+      done | sort
+    )
+
+    CURRENT_ADDRS_ALL_SCOPES=""
+    CURRENT_ADDRS_GLOBAL_SCOPE=""
+
+    $IFCONFIG $interface >/dev/null 2>&1 && {
+      CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list")
+      CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list")
+    } || {
+      echo "# Interface $interface does not exist"
+      # Stop the script if we are not in test mode
+      test -z "$FWBDEBUG" && exit 1
+    }
+
+    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
+    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
+}
+
+missing_vlan() {
+    vlan=$1
+    cmd=$2
+
+    oldIFS=$IFS
+    IFS="@"
+    set $vlan
+    subint=$1
+    parent=$2
+    IFS=$oldIFS
+
+    vlan_id=$(echo $subint | sed 's/vlan//')
+    test "$cmd" = "add" && {
+        echo "# Adding VLAN interface $subint (parent: $parent)"
+        $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent
+        $FWBDEBUG $IFCONFIG $subint up
+    }
+    test "$cmd" = "rem" && {
+        echo "# Removing VLAN interface $subint (parent: $parent)"
+        $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev
+        $FWBDEBUG $IFCONFIG $subint destroy
+    }
+}
+
+parse_fwb_vlans() {
+    set $1 
+    vlan_parent_interface=$1 
+    shift
+
+    FWB_VLANS=$(
+      for subint in $*; do
+        echo "${subint}@$vlan_parent_interface"
+      done | sort
+    )
+    echo $FWB_VLANS
+}
+
+parse_current_vlans() {
+    vlan_parent_interface=$1
+    $IFCONFIG -A | grep 'vlan: ' | sed 's/priority:.*parent interface://' | \
+    while read x vlan_id parent
+    do
+       test "$parent" = "$vlan_parent_interface" && echo "vlan$vlan_id@$parent"
+    done | sort
+}
+
+update_vlans_of_interface() {
+    args="$1"
+    set $1 
+    vlan_parent_interface=$1 
+
+    FWB_VLANS=$(parse_fwb_vlans "$args")
+    CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface)
+
+    $IFCONFIG $vlan_parent_interface up
+    diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
+    diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
+}
+
+sync_vlan_interfaces() {
+    $IFCONFIG -A | awk -v IGNORED="$*" \
+        'BEGIN {
+           split(IGNORED,ignored_arr);
+           for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
+         }
+         ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
+         while read intf; do
+            echo "# Deleting vlan interface $intf"
+             $FWBDEBUG $IFCONFIG $intf destroy
+         done
+
+    for intf in $*; do
+        $IFCONFIG $intf >/dev/null 2>&1 || {
+            echo "# Creating vlan interface $intf"
+            $FWBDEBUG $IFCONFIG $intf create
+        }
+    done
+}
+
+
+sync_carp_interfaces() {
+    $IFCONFIG -A | awk -v IGNORED="$*" \
+        'BEGIN {
+           split(IGNORED,ignored_arr);
+           for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
+         }
+         ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
+         while read intf; do
+            echo "# Deleting carp interface $intf"
+             $FWBDEBUG $IFCONFIG $intf destroy
+         done
+
+    for intf in $*; do
+        $IFCONFIG $intf >/dev/null 2>&1 || {
+            echo "# Creating carp interface $intf"
+            $SYSCTL -w net.inet.carp.allow=1
+            $FWBDEBUG $IFCONFIG $intf create
+        }
+    done
+}
+
+
+sync_pfsync_interfaces() {
+    $IFCONFIG -A | awk -v IGNORED="$*" \
+        'BEGIN {
+           split(IGNORED,ignored_arr);
+           for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
+         }
+         ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
+         while read intf; do
+            echo "# Deleting pfsync interface $intf"
+             $FWBDEBUG $IFCONFIG $intf destroy
+         done
+
+    for intf in $*; do
+        $IFCONFIG $intf >/dev/null 2>&1 || {
+            echo "# Creating pfsync interface $intf"
+            $FWBDEBUG $IFCONFIG $intf create
+        }
+    done
+}
+
+verify_interfaces() {
+    :
+    
+}
+
+set_kernel_vars() {
+    :
+    $SYSCTL -w net.inet.ip.forwarding=1
+}
+
+prolog_commands() {
+    :
+    
+}
+
+epilog_commands() {
+    :
+    
+}
+
+run_epilog_and_exit() {
+    epilog_commands
+    exit $1
+}
+
+configure_interfaces() {
+    :
+    sync_vlan_interfaces 
+    sync_bridge_interfaces bridge0
+    update_bridge_interface "bridge0 em2 em3"
+    sync_carp_interfaces 
+    sync_pfsync_interfaces 
+    update_addresses_of_interface "bridge0 192.168.1.1/0xffffff00" ""
+    update_addresses_of_interface "em0 10.3.14.81/0xffffff00" ""
+    update_addresses_of_interface "em1 10.1.1.81/0xffffff00" ""
+}
+
+log "Activating firewall script generated Sun Feb  6 14:51:48 2011 by vadim"
+
+set_kernel_vars
+configure_interfaces
+prolog_commands
+
+$PFCTL   \
+     -f \
+    /etc/fw/path\ with\ space/pf.conf || exit 1
+
+
+
+
+
+
+
+epilog_commands

test/pf/firewall104.conf.orig

@@ -0,0 +1,25 @@
+
+set timeout udp.single 5
+
+#
+# Scrub rules
+#
+match all scrub (reassemble tcp no-df )
+match out all scrub (random-id min-ttl  1 max-mss  1460)
+
+
+# Tables: (1)
+table <tbl.r9998.d> { bridge0 , 10.1.1.81 , 10.3.14.81 } 
+
+# 
+# Rule  backup ssh access rule
+#    backup ssh access rule 
+pass in   quick inet proto tcp  from 10.3.14.30  to <tbl.r9998.d> port 22  label "RULE 9998 -- ACCEPT "  
+# 
+# Rule  0 (global)
+block  log  quick inet  from any  to any no state  label "RULE 0 -- DROP "  
+# 
+# Rule  fallback rule
+#    fallback rule 
+block  quick inet  from any  to any no state  label "RULE 10000 -- DROP "  
+

test/pf/firewall104.fw.orig

@@ -0,0 +1,307 @@
+#!/bin/sh
+#
+#  This is automatically generated file. DO NOT MODIFY !
+#
+#  Firewall Builder  fwb_pf v4.2.0.3460
+#
+#  Generated Sun Feb  6 14:51:49 2011 PST by vadim
+#
+# files: * firewall104.fw /etc/fw/pf.fw
+# files:   firewall104.conf /etc/fw/path\ with\ space/pf.conf
+#
+# Compiled for pf 4.7
+#
+# bridge interface, dynamic  address, shell script format
+
+
+
+
+
+FWDIR=`dirname $0`
+
+IFCONFIG="/sbin/ifconfig"
+PFCTL="/sbin/pfctl"
+IPFW="/sbin/ipfw"
+IPF="/sbin/ipf"
+IPNAT="/sbin/ipnat"
+SYSCTL="/sbin/sysctl"
+LOGGER="/usr/bin/logger"
+
+log() {
+    echo "$1"
+    test -x "$LOGGER" && $LOGGER -p info "$1"
+}
+
+diff_intf() {
+    func=$1
+    list1=$2
+    list2=$3
+    cmd=$4
+    for intf in $list1
+    do
+        echo $list2 | grep -q $intf || {
+        # $vlan is absent in list 2
+            $func $intf $cmd
+        }
+    done
+}
+
+
+missing_address() {
+    address=$1
+    cmd=$2
+
+    oldIFS=$IFS
+    IFS="@"
+    set $address
+    addr=$1
+    interface=$2
+    IFS=$oldIFS
+
+    if echo "$addr" | grep -q ':'
+    then
+        inet="inet6"
+        addr=$(echo "$addr" | sed 's!/! prefixlen !')
+    else
+        inet="inet"
+        addr=$(echo "$addr" | sed 's!/! netmask !')
+    fi
+
+    parameter=""
+    test "$cmd" = "add" && {
+      echo "# Adding ip address: $interface $addr"
+      parameter="alias"
+    }
+    test "$cmd" = "del" && {
+      echo "# Removing ip address: $interface $addr"
+      parameter="delete"
+    }
+
+    $FWBDEBUG $IFCONFIG $interface $inet $addr $parameter
+    $FWBDEBUG $IFCONFIG $interface up
+}
+
+list_addresses_by_scope() {
+    interface=$1
+    scope=$2
+    ignore_list=$3
+
+    scope_regex="1"
+    if test -n "$scope"; then scope_regex=" \$0 !~ \"$scope\" "; fi
+
+    $IFCONFIG $interface | sed "s/%$interface//" | \
+      awk -v IGNORED="$ignore_list" \
+        "BEGIN {  
+           split(IGNORED,ignored_arr);
+           for (a in ignored_arr) {ignored_dict[ignored_arr[a]]=1;}
+         }
+         (/inet |inet6 / && $scope_regex && !(\$2 in ignored_dict)) {printf \"%s/%s\n\",\$2,\$4;}" | \
+        while read addr; do
+          echo "${addr}@$interface"
+        done | sort
+   
+}
+
+update_addresses_of_interface() {
+    ignore_list=$2
+    set $1 
+    interface=$1 
+    shift
+
+    FWB_ADDRS=$(
+      for addr in $*; do
+        echo "${addr}@$interface"
+      done | sort
+    )
+
+    CURRENT_ADDRS_ALL_SCOPES=""
+    CURRENT_ADDRS_GLOBAL_SCOPE=""
+
+    $IFCONFIG $interface >/dev/null 2>&1 && {
+      CURRENT_ADDRS_ALL_SCOPES=$(list_addresses_by_scope $interface '' "$ignore_list")
+      CURRENT_ADDRS_GLOBAL_SCOPE=$(list_addresses_by_scope $interface 'scopeid .*' "$ignore_list")
+    } || {
+      echo "# Interface $interface does not exist"
+      # Stop the script if we are not in test mode
+      test -z "$FWBDEBUG" && exit 1
+    }
+
+    diff_intf missing_address "$FWB_ADDRS" "$CURRENT_ADDRS_ALL_SCOPES" add
+    diff_intf missing_address "$CURRENT_ADDRS_GLOBAL_SCOPE" "$FWB_ADDRS" del
+}
+
+missing_vlan() {
+    vlan=$1
+    cmd=$2
+
+    oldIFS=$IFS
+    IFS="@"
+    set $vlan
+    subint=$1
+    parent=$2
+    IFS=$oldIFS
+
+    vlan_id=$(echo $subint | sed 's/vlan//')
+    test "$cmd" = "add" && {
+        echo "# Adding VLAN interface $subint (parent: $parent)"
+        $FWBDEBUG $IFCONFIG $subint vlan $vlan_id vlandev $parent
+        $FWBDEBUG $IFCONFIG $subint up
+    }
+    test "$cmd" = "rem" && {
+        echo "# Removing VLAN interface $subint (parent: $parent)"
+        $FWBDEBUG $IFCONFIG $subint vlan $vlan_id -vlandev
+        $FWBDEBUG $IFCONFIG $subint destroy
+    }
+}
+
+parse_fwb_vlans() {
+    set $1 
+    vlan_parent_interface=$1 
+    shift
+
+    FWB_VLANS=$(
+      for subint in $*; do
+        echo "${subint}@$vlan_parent_interface"
+      done | sort
+    )
+    echo $FWB_VLANS
+}
+
+parse_current_vlans() {
+    vlan_parent_interface=$1
+    $IFCONFIG -A | grep 'vlan: ' | sed 's/priority:.*parent interface://' | \
+    while read x vlan_id parent
+    do
+       test "$parent" = "$vlan_parent_interface" && echo "vlan$vlan_id@$parent"
+    done | sort
+}
+
+update_vlans_of_interface() {
+    args="$1"
+    set $1 
+    vlan_parent_interface=$1 
+
+    FWB_VLANS=$(parse_fwb_vlans "$args")
+    CURRENT_VLANS=$(parse_current_vlans $vlan_parent_interface)
+
+    $IFCONFIG $vlan_parent_interface up
+    diff_intf missing_vlan "$FWB_VLANS" "$CURRENT_VLANS" add
+    diff_intf missing_vlan "$CURRENT_VLANS" "$FWB_VLANS" rem
+}
+
+sync_vlan_interfaces() {
+    $IFCONFIG -A | awk -v IGNORED="$*" \
+        'BEGIN {
+           split(IGNORED,ignored_arr);
+           for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
+         }
+         ($1 ~ /^vlan[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
+         while read intf; do
+            echo "# Deleting vlan interface $intf"
+             $FWBDEBUG $IFCONFIG $intf destroy
+         done
+
+    for intf in $*; do
+        $IFCONFIG $intf >/dev/null 2>&1 || {
+            echo "# Creating vlan interface $intf"
+            $FWBDEBUG $IFCONFIG $intf create
+        }
+    done
+}
+
+
+sync_carp_interfaces() {
+    $IFCONFIG -A | awk -v IGNORED="$*" \
+        'BEGIN {
+           split(IGNORED,ignored_arr);
+           for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
+         }
+         ($1 ~ /^carp[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
+         while read intf; do
+            echo "# Deleting carp interface $intf"
+             $FWBDEBUG $IFCONFIG $intf destroy
+         done
+
+    for intf in $*; do
+        $IFCONFIG $intf >/dev/null 2>&1 || {
+            echo "# Creating carp interface $intf"
+            $SYSCTL -w net.inet.carp.allow=1
+            $FWBDEBUG $IFCONFIG $intf create
+        }
+    done
+}
+
+
+sync_pfsync_interfaces() {
+    $IFCONFIG -A | awk -v IGNORED="$*" \
+        'BEGIN {
+           split(IGNORED,ignored_arr);
+           for (a in ignored_arr) {ii=ignored_arr[a]":"; ignored_dict[ii]=1;}
+         }
+         ($1 ~ /^pfsync[0-9]/ && !($1 in ignored_dict)) {print $1;}' | sed 's/://' |\
+         while read intf; do
+            echo "# Deleting pfsync interface $intf"
+             $FWBDEBUG $IFCONFIG $intf destroy
+         done
+
+    for intf in $*; do
+        $IFCONFIG $intf >/dev/null 2>&1 || {
+            echo "# Creating pfsync interface $intf"
+            $FWBDEBUG $IFCONFIG $intf create
+        }
+    done
+}
+
+verify_interfaces() {
+    :
+    
+}
+
+set_kernel_vars() {
+    :
+    $SYSCTL -w net.inet.ip.forwarding=1
+}
+
+prolog_commands() {
+    :
+    
+}
+
+epilog_commands() {
+    :
+    
+}
+
+run_epilog_and_exit() {
+    epilog_commands
+    exit $1
+}
+
+configure_interfaces() {
+    :
+    sync_vlan_interfaces 
+    sync_bridge_interfaces bridge0
+    update_bridge_interface "bridge0 em2 em3"
+    sync_carp_interfaces 
+    sync_pfsync_interfaces 
+    update_addresses_of_interface "em0 10.3.14.81/0xffffff00" ""
+    update_addresses_of_interface "em1 10.1.1.81/0xffffff00" ""
+}
+
+log "Activating firewall script generated Sun Feb  6 14:51:49 2011 by vadim"
+
+set_kernel_vars
+configure_interfaces
+prolog_commands
+
+$PFCTL   \
+     -f \
+    /etc/fw/path\ with\ space/pf.conf || exit 1
+
+
+
+
+
+
+
+epilog_commands

test/pf/firewall105.conf.orig

@@ -0,0 +1,25 @@
+
+set timeout udp.single 5
+
+#
+# Scrub rules
+#
+match all scrub (reassemble tcp no-df )
+match out all scrub (random-id min-ttl  1 max-mss  1460)
+
+
+# Tables: (1)
+table <tbl.r9998.d> { 10.1.1.81 , 10.3.14.81 , 192.168.1.1 } 
+
+# 
+# Rule  backup ssh access rule
+#    backup ssh access rule 
+pass in   quick inet proto tcp  from 10.3.14.30  to <tbl.r9998.d> port 22  label "RULE 9998 -- ACCEPT "  
+# 
+# Rule  0 (global)
+block  log  quick inet  from any  to any no state  label "RULE 0 -- DROP "  
+# 
+# Rule  fallback rule
+#    fallback rule 
+block  quick inet  from any  to any no state  label "RULE 10000 -- DROP "  
+

test/pf/firewall105.fw.orig

@@ -0,0 +1,36 @@
+#
+#  This is automatically generated file. DO NOT MODIFY !
+#
+#  Firewall Builder  fwb_pf v4.2.0.3460
+#
+#  Generated Sun Feb  6 14:51:51 2011 PST by vadim
+#
+# files: * firewall105.fw /etc/fw/pf.fw
+# files:   firewall105.conf /etc/fw/path\ with\ space/pf.conf
+#
+# Compiled for pf 4.7
+#
+# bridge interface, static address, rc.conf format
+
+
+
+gateway_enable="YES"
+
+
+
+cloned_interfaces="bridge0"
+
+ipv6_network_interfaces="bridge0 em0 em1"
+network_interfaces="bridge0 em0 em1"
+pfsync_enable="YES"
+ifconfig_bridge0="addm em2 stp em2 addm em3 stp em3 up 192.168.1.1 netmask 0xffffff00"
+ifconfig_em0="10.3.14.81 netmask 0xffffff00"
+ifconfig_em1="10.1.1.81 netmask 0xffffff00"
+ifconfig_em2="up"
+ifconfig_em3="up"
+
+pf_enable="YES"
+pf_rules="/etc/fw/path\ with\ space/pf.conf"
+
+
+

test/pf/firewall106.conf.orig

@@ -0,0 +1,25 @@
+
+set timeout udp.single 5
+
+#
+# Scrub rules
+#
+match all scrub (reassemble tcp no-df )
+match out all scrub (random-id min-ttl  1 max-mss  1460)
+
+
+# Tables: (1)
+table <tbl.r9998.d> { bridge0 , 10.1.1.81 , 10.3.14.81 } 
+
+# 
+# Rule  backup ssh access rule
+#    backup ssh access rule 
+pass in   quick inet proto tcp  from 10.3.14.30  to <tbl.r9998.d> port 22  label "RULE 9998 -- ACCEPT "  
+# 
+# Rule  0 (global)
+block  log  quick inet  from any  to any no state  label "RULE 0 -- DROP "  
+# 
+# Rule  fallback rule
+#    fallback rule 
+block  quick inet  from any  to any no state  label "RULE 10000 -- DROP "  
+

test/pf/firewall106.fw.orig

@@ -0,0 +1,43 @@
+#
+#  This is automatically generated file. DO NOT MODIFY !
+#
+#  Firewall Builder  fwb_pf v4.2.0.3460
+#
+#  Generated Sun Feb  6 14:51:52 2011 PST by vadim
+#
+# files: * firewall106.fw /etc/fw/pf.fw
+# files:   firewall106.conf /etc/fw/path\ with\ space/pf.conf
+#
+# Compiled for pf 4.7
+#
+# bridge interface, dynamic  address, rc.conf format
+
+# firewall106:Routing:1: error: Gateway and interface are both empty in the rule
+# firewall106:Routing:1: error: Rules 0 (main) and 1 (main) define routes to the same destination 0.0.0.0/0.0.0.0 via different gateways. This configuration is not supported for freebsd
+
+gateway_enable="YES"
+
+
+
+cloned_interfaces="bridge0"
+
+ipv6_network_interfaces="bridge0 em0 em1"
+network_interfaces="bridge0 em0 em1"
+pfsync_enable="YES"
+ifconfig_bridge0="addm em2 stp em2 addm em3 stp em3 up DHCP"
+ifconfig_em0="10.3.14.81 netmask 0xffffff00"
+ifconfig_em1="10.1.1.81 netmask 0xffffff00"
+ifconfig_em2="up"
+ifconfig_em3="up"
+
+pf_enable="YES"
+pf_rules="/etc/fw/path\ with\ space/pf.conf"
+
+static_routes="id160577X13467 id160599X13467 id160621X13467 id160643X13467 id160668X13467 id160687X13467"
+route_id160577X13467="default  10.1.1.1 "
+route_id160599X13467="default  "
+route_id160621X13467="192.168.171.2  10.1.1.1 "
+route_id160643X13467="22.22.22.0/24  10.1.1.1 "
+route_id160668X13467="22.22.22.0/24  10.1.1.1 "
+route_id160687X13467="33.33.33.0/24  10.1.1.1 "
+

test/pf/pf_cluster_4_rc.conf.local

@@ -3,7 +3,7 @@
 #
 #  Firewall Builder  fwb_pf v4.2.0.3460
 #
-#  Generated Sun Feb  6 14:52:15 2011 PST by vadim
+#  Generated Sun Feb  6 15:05:40 2011 PST by vadim
 #
 # files: * pf_cluster_4_rc.conf.local /etc/pf_cluster_4_rc.conf.local
 # files:   pf_cluster_4_pf.conf /etc/pf_cluster_4_pf.conf