fixes #2031 FreeBSD - firewall script command to delete existing routes fails

src/pflib/RoutingCompiler_freebsd_writers.cpp

@@ -69,6 +69,7 @@ bool RoutingCompiler_freebsd::PrintRule::processNext()
     FWOptions* options = compiler->fw->getOptionsObject();
     if (options->getBool("generate_rc_conf_file"))
     {
+
         slurp();
         if (tmp_queue.size()==0) return false;
 

src/pflib/RoutingCompiler_openbsd.h

@@ -77,7 +77,6 @@ namespace fwcompiler
         class PrintRule : public RoutingRuleProcessor
         {
     protected:
-            bool        print_once_on_top;
             std::string current_rule_label;
             
             virtual std::string _printAddr(libfwbuilder::Address  *o);

src/pflib/RoutingCompiler_openbsd_writers.cpp

@@ -116,7 +116,6 @@ string RoutingCompiler_openbsd::PrintRule::_printAddr(Address  *o)
 RoutingCompiler_openbsd::PrintRule::PrintRule(const std::string &name) :
     RoutingRuleProcessor(name) 
 { 
-    print_once_on_top = true;
 }
 
 
@@ -124,15 +123,16 @@ bool RoutingCompiler_openbsd::PrintRule::processNext()
 {
     RoutingCompiler_openbsd *bsd_comp = 
         dynamic_cast<RoutingCompiler_openbsd*>(compiler);
-    RoutingRule *rule = getNext(); 
-    if (rule==NULL) return false;
 
-    tmp_queue.push_back(rule);
+    slurp();
+    if (tmp_queue.size()==0) return false;
 
-    if (print_once_on_top && !compiler->inSingleRuleCompileMode())
+
+    if (!compiler->inSingleRuleCompileMode())
     {
         Configlet routing_functions(compiler->fw,
-                                    "bsd", "routing_functions");
+                                    compiler->fw->getStr("host_OS"),
+                                    "routing_functions");
 
         // we should delete default route if we have a new one to
         // install. IF user did not define any routes that look like
@@ -154,10 +154,12 @@ bool RoutingCompiler_openbsd::PrintRule::processNext()
         compiler->output << routing_functions.expand().toStdString();
 
         bsd_comp->defined_restore_script_output = true;
-        print_once_on_top = false;
     }
     
-    // TODO: convert this into virtual function RoutingCompiler::printComment()
+
+    for (deque<Rule*>::iterator k=tmp_queue.begin(); k!=tmp_queue.end(); ++k) 
+    {
+        RoutingRule *rule = RoutingRule::cast( *k );
 
         string rl = rule->getLabel();
     
@@ -197,6 +199,7 @@ bool RoutingCompiler_openbsd::PrintRule::processNext()
             compiler->output << command_line;
     
         }
+    }
     return true;
 }
 

src/res/configlets/freebsd/routing_functions

@@ -0,0 +1,59 @@
+## -*- mode: shell-script; -*- 
+##
+## To be able to make changes to the part of configuration created
+## from this configlet you need to copy this file to the directory
+## fwbuilder/configlets/bsd/ in your home directory and modify it.
+## Double "##" comments are removed during processing but single "#"
+## comments are be retained and appear in the generated script. Empty
+## lines are removed as well.  
+##
+## Configlets support simple macro language with these constructs:
+## {{$var}} is variable expansion
+## {{if var}} is conditional operator.
+##
+
+# ============== ROUTING RULES ============== 
+
+TMPDIRNAME=`mktemp -d /tmp/.fwbuilder.XXXXXXXXXX` || exit 1
+TMPFILENAME="$TMPDIRNAME/.fwbuilder.out"
+
+#
+# This function stops stdout redirection
+# and sends previously saved output to terminal
+restore_script_output()
+{
+  exec 1>&3 2>&1
+  cat $TMPFILENAME
+  rm -rf $TMPDIRNAME
+}
+
+# if any routing rule fails we do our best to prevent freezing the firewall
+route_command_error()
+{
+  echo "Error: Routing rule $1 couldn't be activated"
+  echo "Recovering previous routing configuration..."
+  # delete current routing rules
+  netstat -rn -f inet | awk '$3 ~ /S/ && $NF !~ /lo0/ { print $0;}' | \
+      while read route gw rest; do route delete $route $gw; done
+  # restore old routing rules
+  (IFS="
+"; for route_cmd in $oldRoutes; do (IFS=' '; $route_cmd); done)
+  echo "...done"
+  restore_script_output
+  epilog_commands
+  exit 1
+}
+
+# redirect output to prevent ssh session from stalling
+exec 3>&1
+exec 1> $TMPFILENAME
+exec 2>&1
+
+oldRoutes=$(netstat -rn -f inet |  awk '/^$|Destination|Routing tables|Internet:/ {next;} {printf "route add %s %s\n",$1,$2;}')
+
+echo "Deleting routing rules previously set by user space processes..."
+netstat -rn -f inet | awk '$3 ~ /S/ { print $0;}' | grep -Ev {{$route_filter}} | \
+    while read route gw rest; do route delete $route $gw; done
+    
+echo "Activating routing rules..."
+

src/res/configlets/openbsd/routing_functions

@@ -14,9 +14,8 @@
 
 # ============== ROUTING RULES ============== 
 
-TMPDIRNAME="/tmp/.fwbuilder.tempdir.$$"
+TMPDIRNAME=`mktemp -d /tmp/.fwbuilder.XXXXXXXXXX` || exit 1
 TMPFILENAME="$TMPDIRNAME/.fwbuilder.out"
-(umask 077 && mkdir $TMPDIRNAME) || exit 1
 
 #
 # This function stops stdout redirection
@@ -34,7 +33,7 @@ route_command_error()
   echo "Error: Routing rule $1 couldn't be activated"
   echo "Recovering previous routing configuration..."
   # delete current routing rules
-  route -n show -inet | grep S | grep -Ev 'lo0' | \
+  route -n show -inet | awk '$3 ~ /S/ && $NF !~ /lo0/ { print $0;}' | \
       while read route gw rest; do route delete $route $gw; done
   # restore old routing rules
   (IFS="
@@ -53,7 +52,7 @@ exec 2>&1
 oldRoutes=$(route -n show -inet |  awk '{printf "route add %s %s\n",$1,$2;}')
 
 echo "Deleting routing rules previously set by user space processes..."
-route -n show -inet | grep S | grep -Ev {{route_filter}} | \
+route -n show -inet | grep S | grep -Ev {{$route_filter}} | \
     while read route gw rest; do route delete $route $gw; done
     
 echo "Activating routing rules..."

test/pf/objects-for-regression-tests.fwb

@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1296779791" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1296863964" id="root">
   <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
     <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
     <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -20194,7 +20194,7 @@
           <Option name="verify_interfaces">True</Option>
         </FirewallOptions>
       </Firewall>
-      <Firewall id="id33080X19696" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1296779806" platform="pf" version="4.7" name="firewall101" comment="routing rules, rc.conf format" ro="False">
+      <Firewall id="id33080X19696" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1296863983" platform="pf" version="4.7" name="firewall101" comment="routing rules, shell script format" ro="False">
         <NAT id="id33129X19696" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
           <RuleSetOptions/>
         </NAT>
@@ -20298,6 +20298,209 @@
           <FWBDManagement enabled="False" identity="" port="-1"/>
           <PolicyInstallScript arguments="" command="" enabled="False"/>
         </Management>
+        <FirewallOptions>
+          <Option name="accept_new_tcp_with_no_syn">False</Option>
+          <Option name="activationCmd"></Option>
+          <Option name="admUser">root</Option>
+          <Option name="altAddress"></Option>
+          <Option name="check_shading">True</Option>
+          <Option name="cmdline">-xt</Option>
+          <Option name="compiler"></Option>
+          <Option name="conf1_file"></Option>
+          <Option name="conf_file_name_on_firewall">/etc/fw/path with space/pf.conf</Option>
+          <Option name="configure_carp_interfaces">False</Option>
+          <Option name="configure_interfaces">True</Option>
+          <Option name="configure_pfsync_interfaces">False</Option>
+          <Option name="configure_vlan_interfaces">False</Option>
+          <Option name="debug">False</Option>
+          <Option name="epilog_script"></Option>
+          <Option name="fallback_log">False</Option>
+          <Option name="firewall_dir">/etc</Option>
+          <Option name="freebsd_ip_forward">1</Option>
+          <Option name="generate_rc_conf_file">False</Option>
+          <Option name="generate_shell_script">True</Option>
+          <Option name="ignore_empty_groups">False</Option>
+          <Option name="in_out_code">true</Option>
+          <Option name="ipv4_6_order">ipv4_first</Option>
+          <Option name="log_prefix">RULE %N -- %A </Option>
+          <Option name="loopback_interface">lo0</Option>
+          <Option name="manage_virtual_addr">True</Option>
+          <Option name="mgmt_addr">10.3.14.30</Option>
+          <Option name="mgmt_ssh">True</Option>
+          <Option name="openbsd_ip_forward">1</Option>
+          <Option name="output_file"></Option>
+          <Option name="pass_all_out">false</Option>
+          <Option name="pf_adaptive_end">0</Option>
+          <Option name="pf_adaptive_start">0</Option>
+          <Option name="pf_do_limit_frags">False</Option>
+          <Option name="pf_do_limit_src_nodes">False</Option>
+          <Option name="pf_do_limit_states">False</Option>
+          <Option name="pf_do_limit_table_entries">False</Option>
+          <Option name="pf_do_limit_tables">False</Option>
+          <Option name="pf_do_scrub">True</Option>
+          <Option name="pf_do_timeout_frag">False</Option>
+          <Option name="pf_do_timeout_interval">False</Option>
+          <Option name="pf_flush_states">False</Option>
+          <Option name="pf_icmp_error">0</Option>
+          <Option name="pf_icmp_first">0</Option>
+          <Option name="pf_limit_frags">5000</Option>
+          <Option name="pf_limit_src_nodes">0</Option>
+          <Option name="pf_limit_states">10000</Option>
+          <Option name="pf_limit_table_entries">0</Option>
+          <Option name="pf_limit_tables">0</Option>
+          <Option name="pf_modulate_state">False</Option>
+          <Option name="pf_optimization"></Option>
+          <Option name="pf_other_first">0</Option>
+          <Option name="pf_other_multiple">0</Option>
+          <Option name="pf_other_single">0</Option>
+          <Option name="pf_scrub_fragm_crop">False</Option>
+          <Option name="pf_scrub_fragm_drop_ovl">False</Option>
+          <Option name="pf_scrub_maxmss">1460</Option>
+          <Option name="pf_scrub_minttl">1</Option>
+          <Option name="pf_scrub_no_df">True</Option>
+          <Option name="pf_scrub_random_id">True</Option>
+          <Option name="pf_scrub_reassemble">False</Option>
+          <Option name="pf_scrub_reassemble_tcp">True</Option>
+          <Option name="pf_scrub_use_maxmss">True</Option>
+          <Option name="pf_scrub_use_minttl">True</Option>
+          <Option name="pf_set_adaptive">False</Option>
+          <Option name="pf_set_icmp_error">False</Option>
+          <Option name="pf_set_icmp_first">False</Option>
+          <Option name="pf_set_other_first">False</Option>
+          <Option name="pf_set_other_multiple">False</Option>
+          <Option name="pf_set_other_single">False</Option>
+          <Option name="pf_set_tcp_closed">False</Option>
+          <Option name="pf_set_tcp_closing">False</Option>
+          <Option name="pf_set_tcp_established">False</Option>
+          <Option name="pf_set_tcp_finwait">False</Option>
+          <Option name="pf_set_tcp_first">False</Option>
+          <Option name="pf_set_tcp_opening">False</Option>
+          <Option name="pf_set_udp_first">False</Option>
+          <Option name="pf_set_udp_multiple">False</Option>
+          <Option name="pf_set_udp_single">True</Option>
+          <Option name="pf_state_policy"></Option>
+          <Option name="pf_tcp_closed">0</Option>
+          <Option name="pf_tcp_closing">0</Option>
+          <Option name="pf_tcp_established">0</Option>
+          <Option name="pf_tcp_finwait">0</Option>
+          <Option name="pf_tcp_first">0</Option>
+          <Option name="pf_tcp_opening">0</Option>
+          <Option name="pf_timeout_frag">30</Option>
+          <Option name="pf_timeout_interval">10</Option>
+          <Option name="pf_udp_first">0</Option>
+          <Option name="pf_udp_multiple">0</Option>
+          <Option name="pf_udp_single">5</Option>
+          <Option name="prolog_place">fw_file</Option>
+          <Option name="prolog_script"></Option>
+          <Option name="scpArgs"></Option>
+          <Option name="script_name_on_firewall">/etc/fw/pf.fw</Option>
+          <Option name="sshArgs"></Option>
+        </FirewallOptions>
+      </Firewall>
+      <Firewall id="id33316X5965" host_OS="freebsd" inactive="False" lastCompiled="1296525125" lastInstalled="1271995582" lastModified="1296863968" platform="pf" version="4.7" name="firewall102" comment="routing rules, rc.conf format" ro="False">
+        <NAT id="id33365X5965" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RuleSetOptions/>
+        </NAT>
+        <Policy id="id33334X5965" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <PolicyRule id="id33336X5965" disabled="False" group="" log="True" position="0" action="Deny" direction="Both" comment="">
+            <Src neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Src>
+            <Dst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Dst>
+            <Srv neg="False">
+              <ServiceRef ref="sysid1"/>
+            </Srv>
+            <Itf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </Itf>
+            <When neg="False">
+              <IntervalRef ref="sysid2"/>
+            </When>
+            <PolicyRuleOptions>
+              <Option name="stateless">True</Option>
+            </PolicyRuleOptions>
+          </PolicyRule>
+          <RuleSetOptions/>
+        </Policy>
+        <Routing id="id33368X5965" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
+          <RoutingRule id="id33370X5965" disabled="False" group="" metric="0" position="0" comment="setting default via gateway&#10;line 2 comment&#10;">
+            <RDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </RDst>
+            <RGtw neg="False">
+              <ObjectRef ref="id33008X21143"/>
+            </RGtw>
+            <RItf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </RItf>
+            <RoutingRuleOptions/>
+          </RoutingRule>
+          <RoutingRule id="id33388X5965" disabled="False" group="" metric="0" position="1" comment="empty rule&#10;">
+            <RDst neg="False">
+              <ObjectRef ref="sysid0"/>
+            </RDst>
+            <RGtw neg="False">
+              <ObjectRef ref="sysid0"/>
+            </RGtw>
+            <RItf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </RItf>
+            <RoutingRuleOptions/>
+          </RoutingRule>
+          <RoutingRule id="id33406X5965" disabled="False" group="" metric="0" position="2" comment="">
+            <RDst neg="False">
+              <ObjectRef ref="id79492X23273"/>
+            </RDst>
+            <RGtw neg="False">
+              <ObjectRef ref="id33008X21143"/>
+            </RGtw>
+            <RItf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </RItf>
+            <RoutingRuleOptions/>
+          </RoutingRule>
+          <RoutingRule id="id33424X5965" disabled="False" group="" metric="3" position="3" comment="">
+            <RDst neg="False">
+              <ObjectRef ref="id3B665641"/>
+            </RDst>
+            <RGtw neg="False">
+              <ObjectRef ref="id33008X21143"/>
+            </RGtw>
+            <RItf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </RItf>
+            <RoutingRuleOptions/>
+          </RoutingRule>
+          <RoutingRule id="id33442X5965" disabled="False" group="" metric="0" position="4" comment="">
+            <RDst neg="False">
+              <ObjectRef ref="id3B665641"/>
+              <ObjectRef ref="id3B665643"/>
+            </RDst>
+            <RGtw neg="False">
+              <ObjectRef ref="id33008X21143"/>
+            </RGtw>
+            <RItf neg="False">
+              <ObjectRef ref="sysid0"/>
+            </RItf>
+            <RoutingRuleOptions/>
+          </RoutingRule>
+          <RuleSetOptions/>
+        </Routing>
+        <Interface id="id33324X5965" dedicated_failover="False" dyn="False" label="" mgmt="True" security_level="100" unnum="False" unprotected="False" name="em0" comment="" ro="False">
+          <IPv4 id="id33327X5965" name="firewall102:em0:ip" comment="" ro="False" address="10.3.14.81" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Interface id="id33329X5965" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="em1" comment="" ro="False">
+          <IPv4 id="id33332X5965" name="firewall102:em1:ip" comment="" ro="False" address="10.1.1.81" netmask="255.255.255.0"/>
+          <InterfaceOptions/>
+        </Interface>
+        <Management address="0.0.0.0">
+          <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
+          <FWBDManagement enabled="False" identity="" port="-1"/>
+          <PolicyInstallScript arguments="" command="" enabled="False"/>
+        </Management>
         <FirewallOptions>
           <Option name="accept_new_tcp_with_no_syn">False</Option>
           <Option name="activationCmd"></Option>