
see #2397: get rid of unnecessary chains and make sure a terminating action (e.g. Accept) is added after the targets generated for all non-terminating options (Tag, Classify and Route)

This commit is contained in:
Vadim Kurland 2011-05-12 18:43:31 -07:00
parent dd061e548f
commit bcd860d889
3 changed files with 102 additions and 100 deletions


@ -616,9 +616,7 @@ string PolicyCompiler_ipt::PrintRule::_printLogPrefix(PolicyRule *rule,
{
FWObject *ruleset = rule->getParent();
char action[64];
strncpy(action,rule->getStr("stored_action").c_str(),sizeof(action));
for (char *cptr=action; *cptr; cptr++) *cptr=toupper(*cptr);
QString action = QString(rule->getStr("stored_action").c_str()).toUpper();
RuleElementItf *itf_re = rule->getItf(); assert(itf_re!=NULL);
FWObject *rule_iface = FWObjectReference::getObject(itf_re->front());
@ -637,7 +635,7 @@ string PolicyCompiler_ipt::PrintRule::_printLogPrefix(PolicyRule *rule,
s1 << pos;
return _printLogPrefix(s1.str(),
action,
action.toStdString(),
rule_iface_name,
rule->getStr("ipt_chain"),
ruleset->getName(),
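Review bot: The upper-casing of `stored_action` now goes through Qt's Unicode-aware `QString::toUpper()` and `toStdString()`, whereas the removed code upper-cased byte by byte with `toupper()` into a fixed 64-byte buffer that `strncpy` could leave unterminated; for the ASCII action names this file stores the two are equivalent, but the byte encoding `toStdString()` produces depends on the Qt version, so the log-prefix path deserves a one-line note, e.g. `// stored_action is ASCII, so QString::toUpper()/toStdString() round-trip byte-for-byte`. `_printLogPrefix` starts before this hunk and continues after it, so whether the resulting prefix is later bounded to iptables' `--log-prefix` length limit cannot be confirmed from here.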


@ -298,9 +298,21 @@ string PolicyCompiler_ipt::getNewChainName(PolicyRule *rule,
string suffix = rule->getStr("subrule_suffix");
if (!suffix.empty()) str << "_" << suffix;
string chain_name = str.str();
int n = rule_chain_no[chain_name];
n++;
rule_chain_no[chain_name] = n;
// if (n > 1)
// {
// str << "_" << n;
// }
string full_chain_name = str.str();
chain_no++;
return str.str();
return full_chain_name;
}
void PolicyCompiler_ipt::_expand_interface(Rule *rule,
@ -508,6 +520,9 @@ bool PolicyCompiler_ipt::dropTerminatingTargets::processNext()
}
/*
* see #2367 #2397 TODO: this rule processor is not used anymore, remove.
*
*
* This rule processor converts non-terminating targets CLASSIFY and
* MARK to terminating targets (equivalent) by splitting the rule and
* adding one more rule with target ACCEPT.
@ -611,9 +626,63 @@ bool PolicyCompiler_ipt::splitIfTagClassifyOrRoute::processNext()
PolicyCompiler_ipt *ipt_comp = dynamic_cast<PolicyCompiler_ipt*>(compiler);
PolicyRule *r;
if (ipt_comp->my_table=="mangle" &&
(rule->getTagging() || rule->getClassification() || rule->getRouting()))
int number_of_options = 0;
if (rule->getTagging()) number_of_options++;
if (rule->getClassification()) number_of_options++;
if (rule->getRouting()) number_of_options++;
if (ipt_comp->my_table=="mangle" && number_of_options > 0)
{
RuleElementSrc *nsrc;
RuleElementDst *ndst;
RuleElementSrv *nsrv;
RuleElementItf *nitfre;
PolicyRule *r, *r2;
string this_chain = rule->getStr("ipt_chain");
string new_chain = this_chain;
nsrc = rule->getSrc();
ndst = rule->getDst();
nsrv = rule->getSrv();
nitfre = rule->getItf();
if (
(! nsrc->isAny() || ! ndst->isAny() || ! nsrv->isAny() || ! nitfre->isAny()) &&
(
number_of_options > 1 ||
(
! rule->getRouting() && rule->getAction() != PolicyRule::Continue
)
)
)
{
new_chain = ipt_comp->getNewTmpChainName(rule);
r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("subrule_suffix", "ntt");
r->setStr("ipt_target", new_chain);
r->setClassification(false);
r->setRouting(false);
r->setTagging(false);
r->setLogging(false);
r->setAction(PolicyRule::Continue);
tmp_queue.push_back(r);
nsrc = rule->getSrc(); nsrc->reset();
ndst = rule->getDst(); ndst->reset();
nsrv = rule->getSrv(); nsrv->reset();
nitfre = rule->getItf(); nitfre->reset();
ruleopt = rule->getOptionsObject();
ruleopt->setInt("limit_value",-1);
ruleopt->setInt("limit_value",-1);
ruleopt->setInt("connlimit_value",-1);
ruleopt->setInt("hashlimit_value",-1);
ruleopt->setBool("stateless",true);
rule->setLogging(false);
}
if (rule->getTagging())
{
r = compiler->dbcopy->createPolicyRule();
@ -622,6 +691,9 @@ bool PolicyCompiler_ipt::splitIfTagClassifyOrRoute::processNext()
r->setClassification(false);
r->setRouting(false);
rule->setTagging(false);
r->setStr("ipt_chain", new_chain);
r->setStr("upstream_rule_chain", this_chain);
r->setAction(PolicyRule::Continue);
tmp_queue.push_back(r);
}
@ -633,20 +705,28 @@ bool PolicyCompiler_ipt::splitIfTagClassifyOrRoute::processNext()
rule->setClassification(false);
r->setRouting(false);
r->setTagging(false);
r->setStr("ipt_chain", new_chain);
r->setStr("upstream_rule_chain", this_chain);
r->setAction(PolicyRule::Continue);
tmp_queue.push_back(r);
}
if (rule->getRouting())
/*
* Target ROUTE is terminating unless parameter "--continue"
* is present. We add "--continue" if action is Continue,
* otherwise the rule does not need to be split and we carry
* action Accept further.
*/
if (rule->getRouting() || rule->getAction() != PolicyRule::Continue)
{
r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setClassification(false);
rule->setRouting(false);
r->setTagging(false);
tmp_queue.push_back(r);
rule->setClassification(false);
rule->setTagging(false);
rule->setStr("ipt_chain", new_chain);
rule->setStr("upstream_rule_chain", this_chain);
tmp_queue.push_back(rule);
}
} else
tmp_queue.push_back(rule);
@ -1852,75 +1932,6 @@ bool PolicyCompiler_ipt::splitIfTagAndConnmark::processNext()
} else
tmp_queue.push_back(rule);
#if 0
RuleElementItf *itf_re = rule->getItf(); assert(itf_re!=NULL);
RuleElementSrc *nsrc;
RuleElementDst *ndst;
RuleElementSrv *nsrv;
RuleElementInterval *nint;
if (rule->getTagging() && ruleopt->getBool("ipt_mark_connections"))
{
PolicyRule *r, *r1;
string this_chain = rule->getStr("ipt_chain");
string new_chain = ipt_comp->getNewChainName(rule, NULL);
r = compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_target", new_chain);
r->setClassification(false);
r->setRouting(false);
r->setTagging(false);
r->setLogging(false);
r->setAction(PolicyRule::Continue);
r->setLogging(false);
ruleopt = r->getOptionsObject();
tmp_queue.push_back(r);
r= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r);
r->duplicate(rule);
r->setStr("ipt_chain",new_chain);
r->setStr("upstream_rule_chain",this_chain);
ipt_comp->registerChain(new_chain);
ipt_comp->insertUpstreamChain(this_chain, new_chain);
ruleopt =r->getOptionsObject();
ruleopt->setBool("stateless",true);
r->setBool("force_state_check",false);
ruleopt->setInt("limit_value",-1);
ruleopt->setInt("connlimit_value",-1);
ruleopt->setInt("hashlimit_value",-1);
nsrc=r->getSrc(); nsrc->reset();
ndst=r->getDst(); ndst->reset();
nsrv=r->getSrv(); nsrv->reset();
if ( (nint=r->getWhen())!=NULL ) nint->reset();
tmp_queue.push_back(r);
r1= compiler->dbcopy->createPolicyRule();
compiler->temp_ruleset->add(r1);
r1->duplicate(r);
r1->setStr("ipt_target", "CONNMARK");
r1->setAction(PolicyRule::Continue); // ###
r1->setClassification(false);
r1->setRouting(false);
r1->setTagging(false);
r1->setLogging(false);
ruleopt =r1->getOptionsObject();
ruleopt->setStr("CONNMARK_arg", "--save-mark");
tmp_queue.push_back(r1);
ipt_comp->have_connmark = true;
} else
tmp_queue.push_back(rule);
#endif
return true;
}
@ -4274,10 +4285,7 @@ void PolicyCompiler_ipt::compile()
add( new checkForUnsupportedCombinationsInMangle(
"Check for unsupported Tag+Route and Classify+Route combinations"));
add( new splitIfTagClassifyOrRoute(
"Split rule if it uses tagging, classification or routing options"));
add( new Route("process route rules"));
add( new storeAction("store original action of this rule"));
add( new Logging1("check global logging override option"));
@ -4347,6 +4355,13 @@ void PolicyCompiler_ipt::compile()
add( new Logging2("process logging"));
// #2367 #2397
add( new splitIfTagClassifyOrRoute(
"Split rule if it uses tagging, classification or routing options"));
add( new splitIfTagAndConnmark("Tag+CONNMARK combo"));
add( new Route("process route rules"));
/*
* this is just a patch for those who do not understand how does
* "assume firewall is part of any" work. It also eliminates redundant
@ -4366,14 +4381,8 @@ void PolicyCompiler_ipt::compile()
add( new swapMultiAddressObjectsInDst(
" swap MultiAddress -> MultiAddressRunTime in Dst"));
// #2367
add( new splitTagClassifyOrRouteIfAction(
"split rules with options Tag, Classify or Route when action "
"is not Continue" ) );
add( new splitIfTagAndConnmark("Tag+CONNMARK combo"));
add( new accounting("Accounting") );
add( new splitIfSrcAny("split rule if src is any") );
if (my_table == "mangle")
@ -4511,12 +4520,6 @@ void PolicyCompiler_ipt::compile()
add( new optimize2("optimization 2") );
// add( new splitTagClassifyOrRouteIfAction(
// "split rules with options Tag, Classify or Route when action "
// "is not Continue" ) );
// add( new splitIfTagAndConnmark("Tag+CONNMARK combo"));
// add( new accounting("Accounting") );
add( new prepareForMultiport("prepare for multiport") );
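Review bot: In the `splitIfTagClassifyOrRoute::processNext` hunk the two consecutive `ruleopt->setInt("limit_value",-1);` lines are a duplicate — drop one; the removed `#if 0` variant of this split also cleared `force_state_check` and reset the time interval (`getWhen()`) on the rule moved into the new chain, and neither happens here, so because the jump rule `r` is duplicated before `rule`'s src/dst/srv/itf are reset, any interval on the original is matched both on the jump and again inside the chain — redundant rather than wrong as far as can be seen, but worth a comment if intentional. `ruleopt` is rebound to `rule->getOptionsObject()` only inside the split branch, so code later in the function (which ends outside the hunk) sees a different options object depending on whether the split happened; confirm nothing after the hunk relies on the pre-hunk binding. In the final branch `rule` gets `upstream_rule_chain` set to `this_chain` even when no temporary chain was created (`new_chain == this_chain`); confirm downstream consumers tolerate a self-referencing upstream chain. The Logging2 processor now runs before this split and both the jump rule and the residual rule get `setLogging(false)`, so presumably the log rule has already been emitted; a comment stating that ordering dependency next to the `add( new splitIfTagClassifyOrRoute(` registration would protect it.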


@ -75,6 +75,7 @@ protected:
std::string my_table;
std::map<std::string, int> tmp_chain_no;
std::map<std::string, int> rule_chain_no;
std::map<std::string, int> chain_usage_counter;
std::map<std::string, std::string> ipset_tables;
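Review bot: `rule_chain_no` is only ever incremented (in `getNewChainName`, where the `_<n>` suffix that would consume it is commented out in this commit), so as added it is dead state; if the intent is to keep the de-duplication available for a later change, say so on the member, e.g. `// per-base-name counter for generated rule chains; suffixing is disabled (#2397), count kept for now`, otherwise drop it together with the commented-out block. With the suffix gone, two rules that produce the same base chain name would be handed the same name and their rules would land in one shared chain; presumably the base name is already unique per rule position, but that cannot be confirmed from the visible lines.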