onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2026-03-23 11:47:24 +01:00
Code Issues Releases Wiki Activity

* NATCompiler_ipt.cpp (VerifyRules2::processNext): fixed #1685

Browse Source 
"iptables redirecting NAT rules in the OUTPUT chain". NAT rules
should be allowed to translate from CustomService to TCP or UDP
service, provided CustomService object is configured with matching
protocol. See also change in libfwbuilder NATCompiler::classifyNATRule::processNext.
This commit is contained in:
Vadim Kurland 2010-08-19 19:21:16 +00:00
parent 4c60f2a610
commit d438b220a0
4 changed files with 361 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
build_num
View File

@ -1 +1 @@
#define BUILD_NUM 3237
#define BUILD_NUM 3238

6
doc/ChangeLog
View File

@ -8,6 +8,12 @@
will use PREROUTING and POSTROUTING in single compile mode but issue
a warning.
* NATCompiler_ipt.cpp (VerifyRules2::processNext): fixed #1685
"iptables redirecting NAT rules in the OUTPUT chain". NAT rules
should be allowed to translate from CustomService to TCP or UDP
service, provided CustomService object is configured with matching
protocol. See also change in libfwbuilder NATCompiler::classifyNATRule::processNext.
* NATCompiler_ipt.cpp (localNATRule::processNext): see #1685
"iptables redirecting NAT rules in the OUTPUT chain". This fix
makes it possible to create iptables NAT rule with target REDIRECT

2
src/iptlib/NATCompiler_ipt.cpp
View File

@ -669,7 +669,7 @@ bool NATCompiler_ipt::VerifyRules2::processNext()
return true;
}
if (!tsrv->isAny() && s1->getProtocolNumber()!=s2->getProtocolNumber())
if (!tsrv->isAny() && s1->getProtocolName()!=s2->getProtocolName())
{
compiler->abort(
rule,

355
test/ipt/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1282242248" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1282244747" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -4725,6 +4725,39 @@
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id57956X8289" name="owner_anonymous tcp" comment="" ro="False" protocol="tcp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m owner --uid-owner anonymous</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id248805X9517" name="owner_anonymous udp" comment="" ro="False" protocol="udp" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m owner --uid-owner anonymous</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
<CustomService id="id631131X9517" name="owner_anonymous" comment="" ro="False" protocol="any" address_family="ipv4">
<CustomServiceCommand platform="fwsm"></CustomServiceCommand>
<CustomServiceCommand platform="iosacl"></CustomServiceCommand>
<CustomServiceCommand platform="ipf"></CustomServiceCommand>
<CustomServiceCommand platform="ipfw"></CustomServiceCommand>
<CustomServiceCommand platform="iptables">-m owner --uid-owner anonymous</CustomServiceCommand>
<CustomServiceCommand platform="pf"></CustomServiceCommand>
<CustomServiceCommand platform="pix"></CustomServiceCommand>
<CustomServiceCommand platform="procurve_acl"></CustomServiceCommand>
<CustomServiceCommand platform="unknown"></CustomServiceCommand>
</CustomService>
</ServiceGroup>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False">
@ -8139,7 +8172,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3AFB66C6" host_OS="linux24" inactive="False" lastCompiled="1273779773" lastInstalled="1142003872" lastModified="1282242276" platform="iptables" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
<Firewall id="id3AFB66C6" host_OS="linux24" inactive="False" lastCompiled="1273779773" lastInstalled="1142003872" lastModified="1282244482" platform="iptables" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False">
<NAT id="id3AFB66C7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3AFB66C8" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -9257,6 +9290,69 @@
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id58000X8289" disabled="False" group="" position="50" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3AFB66C6"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id57956X8289"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id1195021X6573"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id248774X9517" disabled="False" group="" position="51" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3AFB66C6"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id248805X9517"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id1195021X6573"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id439713X9517" disabled="False" group="" position="52" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id3AFB66C6"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id248805X9517"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id3AFB66C6"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="udp-DNS"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id3AFB66E4" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
@ -54975,6 +55071,261 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id630768X9517" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1282244903" platform="iptables" version="" name="firewall92" comment="rules for the TOR transparent proxy per&#10;https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy&#10;See ticket 1685&#10;" ro="False">
<NAT id="id630772X9517" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id630812X9517" disabled="False" group="" position="0" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id630768X9517"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id248805X9517"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id630768X9517"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="udp-DNS"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id630920X9517" disabled="False" group="" position="1" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id630768X9517"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id57956X8289"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id630768X9517"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id1195021X6573"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<NATRule id="id630866X9517" disabled="False" group="" position="2" action="Translate" comment="">
<OSrc neg="False">
<ObjectRef ref="id630768X9517"/>
</OSrc>
<ODst neg="False">
<ObjectRef ref="sysid0"/>
</ODst>
<OSrv neg="False">
<ServiceRef ref="id248805X9517"/>
</OSrv>
<TSrc neg="False">
<ObjectRef ref="sysid0"/>
</TSrc>
<TDst neg="False">
<ObjectRef ref="id630768X9517"/>
</TDst>
<TSrv neg="False">
<ServiceRef ref="id1195021X6573"/>
</TSrv>
<NATRuleOptions/>
</NATRule>
<RuleSetOptions/>
</NAT>
<Policy id="id630770X9517" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id631046X9517" disabled="False" log="False" position="0" action="Accept" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id630768X9517"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id57956X8289"/>
<ServiceRef ref="id248805X9517"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id1009773X9517" disabled="False" group="" log="False" position="1" action="Branch" direction="Outbound" comment="matching module owner here&#10;and tcp and udp ports in the branch">
<Src neg="False">
<ObjectRef ref="id630768X9517"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id631131X9517"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id1009662X9517</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_branch_in_mangle">False</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">none</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id631140X9517" disabled="False" group="" log="True" position="2" action="Deny" direction="Outbound" comment="this only matches module owner">
<Src neg="False">
<ObjectRef ref="id630768X9517"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="id631131X9517"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Policy id="id1009662X9517" name="Policy_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False">
<PolicyRule id="id1009688X9517" disabled="False" log="True" position="0" action="Deny" direction="Outbound" comment="">
<Src neg="False">
<ObjectRef ref="id630768X9517"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="udp-DNS"/>
<ServiceRef ref="id1195021X6573"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id630774X9517" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</Routing>
<Interface id="id630776X9517" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id630777X9517" name="firewall92:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Interface id="id630778X9517" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id630779X9517" name="firewall92:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
<FWBDManagement enabled="False" identity="" port="-1"/>
<PolicyInstallScript arguments="" command="" enabled="False"/>
</Management>
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="add_mgmt_ssh_rule_when_stoped">False</Option>
<Option name="add_rules_for_ipv6_neighbor_discovery">False</Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="clear_unknown_interfaces">False</Option>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_bonding_interfaces">False</Option>
<Option name="configure_bridge_interfaces">False</Option>
<Option name="configure_interfaces">True</Option>
<Option name="configure_vlan_interfaces">False</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="epilog_script"></Option>
<Option name="firewall_dir"></Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="flush_and_set_default_policy">True</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="ipv4_6_order">ipv4_first</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
<Option name="local_nat">True</Option>
<Option name="log_all">False</Option>
<Option name="log_invalid">False</Option>
<Option name="log_ip_opt">False</Option>
<Option name="log_level">info</Option>
<Option name="log_prefix">RULE %N -- %A </Option>
<Option name="log_tcp_opt">False</Option>
<Option name="log_tcp_seq">False</Option>
<Option name="loopback_interface">lo</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option>
<Option name="output_file"></Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"></Option>
<Option name="scpArgs"></Option>
<Option name="script_name_on_firewall"></Option>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>
<Option name="use_ULOG">False</Option>
<Option name="use_iptables_restore">False</Option>
<Option name="use_m_set">False</Option>
<Option name="use_numeric_log_levels">False</Option>
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
</ObjectGroup>
<IntervalGroup id="stdid11_1" name="Time" comment="" ro="False">
<Interval id="id3D6864D0" days_of_week="0,1" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1" name="test time 1" comment="" ro="False"/>