
fixed #1374 Rule with group of interfaces in the "Interface" column is not compiled the same as when the same interfaces are placed there without group

This commit is contained in:
Vadim Kurland 2010-03-29 19:44:02 +00:00
parent e30c29ebd5
commit e7cf79af49
4 changed files with 174 additions and 29 deletions


@ -1 +1 @@
#define BUILD_NUM 2780
#define BUILD_NUM 2781


@ -3570,19 +3570,6 @@ bool PolicyCompiler_ipt::fillActionOnReject::processNext()
return true;
}
bool PolicyCompiler_ipt::expandGroupsInSrv::processNext()
{
PolicyRule *rule=getNext(); if (rule==NULL) return false;
RuleElementSrv *srv= rule->getSrv();
compiler->expandGroupsInRuleElement(srv);
tmp_queue.push_back(rule);
return true;
}
bool PolicyCompiler_ipt::splitRuleIfSrvAnyActionReject::processNext()
{
PolicyCompiler_ipt *ipt_comp=dynamic_cast<PolicyCompiler_ipt*>(compiler);
@ -4259,6 +4246,7 @@ void PolicyCompiler_ipt::compile()
add( new Logging1("check global logging override option"));
add( new expandGroupsInItf("expand groups in Interface" ));
add( new replaceClusterInterfaceInItf(
"replace cluster interfaces with member interfaces in the Interface rule element"));
add( new singleItfNegation("negation in Itf if it holds single object"));
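Review bot: The new `add( new expandGroupsInItf("expand groups in Interface" ));` line carries an ordering dependency that nothing in the code records: it has to run before `replaceClusterInterfaceInItf` and `singleItfNegation`, because a group that still holds cluster interfaces or a single interface would otherwise reach those processors unexpanded, and the compiled rule could end up with different interface restrictions than the same interfaces listed directly, which is the discrepancy #1374 describes. A one-line comment above the new line would pin that, e.g. `// expand interface groups first: the Itf processors below assume plain Interface objects`. The first hunk of this file removes `PolicyCompiler_ipt::expandGroupsInSrv::processNext` and the header drops its declaration, so the `expandGroupsInSrv` stage of this pipeline presumably now resolves to an inherited implementation; that is worth confirming explicitly, since a service-group expansion that silently behaves differently would change what the generated policy matches. `compile()` starts and ends outside the hunk.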


@ -699,12 +699,6 @@ protected:
*/
DECLARE_POLICY_RULE_PROCESSOR(checkUserServiceInWrongChains);
/**
* expand groups in Srv
*/
DECLARE_POLICY_RULE_PROCESSOR(expandGroupsInSrv);
/**
* split a rule if action Reject is used in a rule with
* Service 'any' and rule options do not specify what should


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1269723394" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1269889906" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@ -1234,7 +1234,7 @@
</Library>
<Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
<ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
<Cluster id="id2366X75741" host_OS="secuwall" inactive="True" lastCompiled="1248670597" lastInstalled="0" lastModified="1269721449" platform="iptables" name="cluster1" comment="" ro="False">
<Cluster id="id2366X75741" host_OS="secuwall" inactive="True" lastCompiled="1248670597" lastInstalled="0" lastModified="1269891680" platform="iptables" name="cluster1" comment="" ro="False">
<NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
<OSrc neg="False">
@ -1405,7 +1405,165 @@
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<PolicyRule id="id8117X67022" disabled="False" group="interface group test" log="False" position="5" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2366X75741"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id2374X75741"/>
<ObjectRef ref="id2379X75741"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id39519X67022" disabled="False" group="interface group test" log="False" position="6" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2366X75741"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id39477X67022"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#C0BA44</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks"></Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id103230X67022" disabled="False" group="interface group test" log="False" position="7" action="Accept" direction="Both" comment="&quot;firewall is part of any&quot; OFF">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2366X75741"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id2374X75741"/>
<ObjectRef ref="id2379X75741"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id103183X67022" disabled="False" group="interface group test" log="False" position="8" action="Accept" direction="Both" comment="&quot;firewall is part of any&quot; OFF">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="id2366X75741"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="tcp-SSH"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="id39477X67022"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="color">#8BC065</Option>
<Option name="connlimit_above_not">False</Option>
<Option name="connlimit_masklen">0</Option>
<Option name="connlimit_value">0</Option>
<Option name="firewall_is_part_of_any_and_networks">0</Option>
<Option name="hashlimit_burst">0</Option>
<Option name="hashlimit_dstlimit">False</Option>
<Option name="hashlimit_expire">0</Option>
<Option name="hashlimit_gcinterval">0</Option>
<Option name="hashlimit_max">0</Option>
<Option name="hashlimit_mode_dstip">False</Option>
<Option name="hashlimit_mode_dstport">False</Option>
<Option name="hashlimit_mode_srcip">False</Option>
<Option name="hashlimit_mode_srcport">False</Option>
<Option name="hashlimit_name"></Option>
<Option name="hashlimit_size">0</Option>
<Option name="hashlimit_suffix"></Option>
<Option name="hashlimit_value">0</Option>
<Option name="limit_burst">0</Option>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="limit_value_not">False</Option>
<Option name="log_level"></Option>
<Option name="log_prefix"></Option>
<Option name="stateless">False</Option>
<Option name="ulog_nlgroup">1</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id2879X78273" disabled="False" log="False" position="9" action="Accept" direction="Both" comment="SSH Access to firewall is permitted&#10;only from internal network">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1423,7 +1581,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2862X78273" disabled="False" log="True" position="6" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<PolicyRule id="id2862X78273" disabled="False" log="True" position="10" action="Accept" direction="Both" comment="Firewall uses one of the machines&#10;on internal network for DNS">
<Src neg="False">
<ObjectRef ref="id2366X75741"/>
</Src>
@ -1441,7 +1599,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2845X78273" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<PolicyRule id="id2845X78273" disabled="False" log="True" position="11" action="Deny" direction="Both" comment="All other attempts to connect to&#10;the firewall are denied and logged">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1459,7 +1617,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2828X78273" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
<PolicyRule id="id2828X78273" disabled="False" log="False" position="12" action="Accept" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="id3DC75CE7-1"/>
</Src>
@ -1477,7 +1635,7 @@
</When>
<PolicyRuleOptions/>
</PolicyRule>
<PolicyRule id="id2811X78273" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
<PolicyRule id="id2811X78273" disabled="False" log="True" position="13" action="Deny" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -1515,7 +1673,7 @@
</ClusterGroupOptions>
</FailoverClusterGroup>
</Interface>
<Interface id="id2379X75741" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<Interface id="id2379X75741" dedicated_failover="False" dyn="False" label="cluster1 eth1" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
<IPv4 id="id2380X75741" name="cluster1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
<InterfaceOptions>
<Option name="iface_mtu">1500</Option>
@ -5010,7 +5168,12 @@
</ObjectGroup>
<ObjectGroup id="id1498X69605" name="DNS Names" comment="" ro="False"/>
<ObjectGroup id="id1499X69605" name="Address Tables" comment="" ro="False"/>
<ObjectGroup id="id1500X69605" name="Groups" comment="" ro="False"/>
<ObjectGroup id="id1500X69605" name="Groups" comment="" ro="False">
<ObjectGroup id="id39477X67022" name="cl1 intf 0,1" comment="" ro="False">
<ObjectRef ref="id2374X75741"/>
<ObjectRef ref="id2379X75741"/>
</ObjectGroup>
</ObjectGroup>
<ObjectGroup id="id1501X69605" name="Hosts" comment="" ro="False"/>
<ObjectGroup id="id1503X69605" name="Networks" comment="" ro="False">
<Network id="id95767X57559" name="net-172.24.1" comment="" ro="False" address="172.24.1.0" netmask="255.255.255.0"/>
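Review bot: The first explicit-vs-group pair this fixture adds is not symmetric in its options: the explicit-interface rule at position 5 (`id8117X67022`) carries only `color` and `stateless`, while its group counterpart at position 6 (`id39519X67022`) carries the full option block including an empty `firewall_is_part_of_any_and_networks`, so a difference in compiled output for this pair could stem from option defaults rather than from group expansion in the Interface column. Giving rule 5 the same `<PolicyRuleOptions>` block as rule 6, as the 7/8 pair (`id103230X67022` / `id103183X67022`) already does, would make the fixture isolate the group-vs-explicit difference. I cannot see from this page whether the compiled output for these rules is compared against an expected result anywhere; if it is not, the fixture exercises the code path but does not assert the equivalence the commit title claims. The `label` change on `eth1` and the `lastModified` bumps look unrelated to the fix.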