From e82f7709568fa9b4aa6d1273cd94ef77e8205e74 Mon Sep 17 00:00:00 2001 From: Vadim Kurland Date: Fri, 23 Jul 2010 05:15:05 +0000 Subject: [PATCH] * PolicyCompiler_PrintRule.cpp: added support for iptables module "set" used to generate iptables command for rules with run-time AddressTable objects. This module is only available in iptables 1.4.1.1 and later, however some embedded platforms do not have it even though they ship later versions ofiptables (e.g. OpenWRT). Use of this module is controlled by a checkbox in the iptables "advanced" settings dialog which is off by default. This checkbox becomes disabled when iptables version is set to < 1.4.1.1. --- build_num | 2 +- doc/ChangeLog | 9 + src/gui/iptAdvancedDialog.cpp | 22 +- src/gui/iptadvanceddialog_q.ui | 59 +- src/gui/platforms.cpp | 1 + src/iptlib/OSConfigurator_linux24.cpp | 12 +- src/iptlib/OSConfigurator_linux24.h | 3 +- src/iptlib/PolicyCompiler_PrintRule.cpp | 28 +- src/iptlib/PolicyCompiler_ipt.cpp | 31 +- src/iptlib/PolicyCompiler_ipt.h | 2 + src/pflib/PolicyCompiler_pf.cpp | 6 +- src/res/help/en_US/release_notes_4.1.0.html | 48 ++ test/ipt/objects-for-regression-tests.fwb | 729 +++++++++++++++++++- 13 files changed, 875 insertions(+), 77 deletions(-) diff --git a/build_num b/build_num index bdaabae26..8fa16c2ec 100644 --- a/build_num +++ b/build_num @@ -1 +1 @@ -#define BUILD_NUM 3133 +#define BUILD_NUM 3134 diff --git a/doc/ChangeLog b/doc/ChangeLog index 61e0a8a85..8e0c3e901 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog 
@@ -1,5 +1,14 @@ 2010-07-22 Vadim Kurland + * PolicyCompiler_PrintRule.cpp: added support for iptables module + "set" used to generate iptables command for rules with run-time + AddressTable objects. This module is only available in iptables + 1.4.1.1 and later, however some embedded platforms do not have it + even though they ship later versions of iptables (e.g. OpenWRT). + Use of this module is controlled by a checkbox in the iptables + "advanced" settings dialog which is off by default. This checkbox + becomes disabled when iptables version is set to < 1.4.1.1. + * newClusterDialog_create.cpp (newClusterDialog::createNewCluster): fixed #1622 "Crash when configuring cluster". The GUI used to crash if user created a cluster copying rules of one of the cluster members diff --git a/src/gui/iptAdvancedDialog.cpp b/src/gui/iptAdvancedDialog.cpp index da6dc924e..a48f6fef5 100644 --- a/src/gui/iptAdvancedDialog.cpp +++ b/src/gui/iptAdvancedDialog.cpp @@ -81,13 +81,6 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o) qDebug("%s",Resources::getTargetOptionStr( obj->getStr("host_OS"),"user_can_change_install_dir").c_str()); - if (!Resources::getTargetOptionBool( - obj->getStr("host_OS"), "user_can_change_install_dir")) - { - m_dialog->ipt_fw_dir->setEnabled(false); - //fwoptions->setStr("firewall_dir", ""); - } - //QString s = fwoptions->getStr("ipv4_6_order") data.registerOption(m_dialog->ipv4before, fwoptions, "ipv4_6_order", QStringList() << "IPv4 before IPv6" <<"ipv4_first" << "IPv6 before IPv4" << "ipv6_first"); @@ -145,6 +138,8 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o) data.registerOption(m_dialog-> actionOnReject, fwoptions,"action_on_reject", slm); + data.registerOption(m_dialog->useModuleSet, fwoptions, "use_m_set"); + data.registerOption(m_dialog->mgmt_ssh, fwoptions, "mgmt_ssh"); data.registerOption(m_dialog->mgmt_addr, fwoptions, "mgmt_addr"); data.registerOption(m_dialog->add_mgmt_ssh_rule_when_stoped, 
@@ -210,6 +205,19 @@ iptAdvancedDialog::iptAdvancedDialog(QWidget *parent,FWObject *o) data.loadAll(); switchLOG_ULOG(); + if (!Resources::getTargetOptionBool( + obj->getStr("host_OS"), "user_can_change_install_dir")) + { + m_dialog->ipt_fw_dir->setEnabled(false); + //fwoptions->setStr("firewall_dir", ""); + } + + string version = obj->getStr("version"); + bool can_use_module_set = (XMLTools::version_compare(version, "1.4.1.1") >= 0); + if (!can_use_module_set) + m_dialog->useModuleSet->setChecked(false); + m_dialog->useModuleSet->setEnabled(can_use_module_set); + m_dialog->tabWidget->setCurrentIndex(0); } diff --git a/src/gui/iptadvanceddialog_q.ui b/src/gui/iptadvanceddialog_q.ui index 9e00144a8..5793074fc 100644 --- a/src/gui/iptadvanceddialog_q.ui +++ b/src/gui/iptadvanceddialog_q.ui @@ -100,11 +100,11 @@ Compiler - - + + - + @@ -220,7 +220,7 @@ - + If output file name is left blank, the file name is constructed of the firewall object name and extension ".fw" @@ -230,7 +230,7 @@ - + @@ -273,7 +273,7 @@ - + Generated script can be copied to the firewall machine under different name. If this field is left blank, the file name does not change. @@ -283,7 +283,7 @@ - + QFrame::HLine @@ -296,7 +296,7 @@ - + @@ -350,6 +350,19 @@ + + + + + 0 + 0 + + + + Accept ESTABLISHED and RELATED packets before the first rule + + + @@ -468,22 +481,16 @@ packets to IPv6 policies - - - - - 0 - 0 - - + + - Accept ESTABLISHED and RELATED packets before the first rule + Use module "set" for run-time Address Table objects (module is only available in iptables v 1.4.1.1 and later) - + QFrame::HLine @@ -496,7 +503,7 @@ packets to IPv6 policies - + @@ -536,14 +543,14 @@ packets to IPv6 policies - + Install the rule for ssh access from the management workstation when the firewall is stopped - + Qt::Vertical @@ -867,10 +874,10 @@ packets to IPv6 policies Prolog/Epilog - + 6 - + 6 @@ -1001,12 +1008,12 @@ packets to IPv6 policies Logging - - 6 - 20 + + 6 + 
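Review bot: The gate `XMLTools::version_compare(version, "1.4.1.1") >= 0` added here is the third copy of the same rule in this patch (the OSConfigurator_linux24 constructor and PolicyCompiler_ipt::prolog() spell it out again, AND-ed with `fwopt->getBool("use_m_set")`), so the minimum version for module "set" now lives in three places that can drift apart; one shared helper on the compiler side that the dialog also calls would keep them in step. `m_dialog->useModuleSet->setChecked(false)` only clears the widget; whether the stored `use_m_set` option is cleared as well depends on how `data` writes back on accept, which is outside the hunk — harmless either way because the compiler re-checks the version, but a comment such as `// unchecked so a stale use_m_set is not shown as active for an older iptables` would make the intent clear. The `user_can_change_install_dir` block was moved from before `data.registerOption(...)` to after `data.loadAll()`; if the move is deliberate (loadAll re-enabling the widget, presumably) a one-line comment would save the next reader the archaeology.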
diff --git a/src/gui/platforms.cpp b/src/gui/platforms.cpp index 02436f77d..34836dc5f 100644 --- a/src/gui/platforms.cpp +++ b/src/gui/platforms.cpp @@ -404,6 +404,7 @@ void getVersionsForPlatform(const QString &platform, std::list &res res.push_back(QStringPair("1.2.9", QObject::tr("1.2.9 to 1.2.11"))); res.push_back(QStringPair("1.3.0", QObject::tr("1.3.x"))); res.push_back(QStringPair("1.4.0", QObject::tr("1.4.0 or later"))); + res.push_back(QStringPair("1.4.1.1", QObject::tr("1.4.1.1 or later"))); res.push_back(QStringPair("1.4.3", QObject::tr("1.4.3 or later"))); } else { diff --git a/src/iptlib/OSConfigurator_linux24.cpp b/src/iptlib/OSConfigurator_linux24.cpp index 977ae73ab..03cec5ce1 100644 --- a/src/iptlib/OSConfigurator_linux24.cpp +++ b/src/iptlib/OSConfigurator_linux24.cpp @@ -76,6 +76,11 @@ OSConfigurator_linux24::OSConfigurator_linux24(FWObjectDatabase *_db, OSConfigurator(_db, fw, ipv6_policy) , os_data(fw->getStr("host_OS")) { command_wrappers = new Configlet(fw, "linux24", "run_time_wrappers"); + + FWOptions* fwopt = fw->getOptionsObject(); + string version = fw->getStr("version"); + can_use_module_set = (XMLTools::version_compare(version, "1.4.1.1") >= 0 && + fwopt->getBool("use_m_set")); } OSConfigurator_linux24::~OSConfigurator_linux24() @@ -468,7 +473,12 @@ string OSConfigurator_linux24::printRunTimeWrappers(FWObject *rule, */ bool wildcard_interface = false; - QString combined_command = addressTableWrapper(rule, command.c_str(), ipv6); + QString combined_command; + + if (can_use_module_set) + combined_command = command.c_str(); + else + combined_command = addressTableWrapper(rule, command.c_str(), ipv6); command_wrappers->clear(); command_wrappers->removeComments(); diff --git a/src/iptlib/OSConfigurator_linux24.h b/src/iptlib/OSConfigurator_linux24.h index 9c2e6739b..06bfc0015 100644 --- a/src/iptlib/OSConfigurator_linux24.h +++ b/src/iptlib/OSConfigurator_linux24.h 
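Review bot: In printRunTimeWrappers, when `can_use_module_set` is true the run-time address-table wrapper is bypassed and `command` is emitted verbatim, so the generated script now depends on an ipset named after the AddressTable object existing and being populated before that rule is loaded; nothing in this diff creates or fills such a set, so unless that is done elsewhere the `-m set` rule will fail to load at run time. A comment at the `if (can_use_module_set)` branch stating where the set is expected to come from would make that dependency explicit, e.g. `// module "set" path: the ipset must be created and populated by the script prolog before this rule`. The constructor's `can_use_module_set` expression duplicates PolicyCompiler_ipt::prolog() exactly (see the note on the dialog hunk). printRunTimeWrappers continues outside the hunk.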
@@ -48,7 +48,8 @@ namespace fwcompiler { OSData os_data; Configlet *command_wrappers; - + bool can_use_module_set; + std::map address_table_objects; // this vector is used to avoid duplication of virtual addresses for nat diff --git a/src/iptlib/PolicyCompiler_PrintRule.cpp b/src/iptlib/PolicyCompiler_PrintRule.cpp index 7d81777e3..cc0f4b739 100644 --- a/src/iptlib/PolicyCompiler_PrintRule.cpp +++ b/src/iptlib/PolicyCompiler_PrintRule.cpp @@ -96,13 +96,13 @@ string PolicyCompiler_ipt::PrintRule::_printSingleOptionWithNegation( ostringstream ostr; if (XMLTools::version_compare(version, "1.4.3")>=0) { - ostr << _printSingleObjectNegation(rel); + ostr << _printSingleObjectNegation(rel); ostr << option << " "; ostr << arg << " "; } else { ostr << option << " "; - ostr << _printSingleObjectNegation(rel); + ostr << _printSingleObjectNegation(rel); ostr << arg << " "; } return ostr.str(); @@ -1109,6 +1109,7 @@ string PolicyCompiler_ipt::PrintRule::_printDstService(RuleElementSrv *rel) string PolicyCompiler_ipt::PrintRule::_printSrcAddr(RuleElement *rel, Address *o) { + PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); string res; if (AddressRange::cast(o)!=NULL) { @@ -1126,11 +1127,23 @@ string PolicyCompiler_ipt::PrintRule::_printSrcAddr(RuleElement *rel, Address * return res; } + + MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); + if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME && + ipt_comp->can_use_module_set) + { + string set_match = "--set " + o->getName() + " src"; + ostringstream ostr; + ostr << "-m set " << _printSingleOptionWithNegation("", rel, set_match); + return ostr.str(); + } + return _printSingleOptionWithNegation(" -s", rel, _printAddr(o)); } string PolicyCompiler_ipt::PrintRule::_printDstAddr(RuleElement *rel, Address *o) { + PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); string res; if (AddressRange::cast(o)!=NULL) { 
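Review bot: In _printSrcAddr the set name is taken straight from `o->getName()` and spliced into the iptables command (`"--set " + o->getName() + " src"`) with no validation or quoting, so an AddressTable object whose name contains whitespace or shell metacharacters yields a broken — or, once the line is run by the generated shell script, a differently-parsed — command; ipset also imposes its own limits on set names (length in particular) that a plain object name need not satisfy, worth confirming against the ipset version targeted. Validate the name when the option is enabled, in the same place the compiler already validates object names, and record the requirement next to `set_match`, e.g. `// set name == AddressTable object name; must be a valid ipset name (no spaces/metacharacters)`. The whole block is repeated verbatim in _printDstAddr in the next hunk with only `src`/`dst` and ` -s`/` -d` differing; a private helper taking the direction string would remove the duplication. Passing `""` as the option to `_printSingleOptionWithNegation` also leaves a stray space before `--set` because that function always writes `option << " "`; harmless, but a dedicated helper would avoid it. Both functions continue outside their hunks.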
@@ -1147,6 +1160,17 @@ string PolicyCompiler_ipt::PrintRule::_printDstAddr(RuleElement *rel, Address * return res; } + + MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o); + if (atrt!=NULL && atrt->getSubstitutionTypeName()==AddressTable::TYPENAME && + ipt_comp->can_use_module_set) + { + string set_match = "--set " + o->getName() + " dst"; + ostringstream ostr; + ostr << "-m set " << _printSingleOptionWithNegation("", rel, set_match); + return ostr.str(); + } + return _printSingleOptionWithNegation(" -d", rel, _printAddr(o)); } diff --git a/src/iptlib/PolicyCompiler_ipt.cpp b/src/iptlib/PolicyCompiler_ipt.cpp index dda61675e..65dd5e2c5 100644 --- a/src/iptlib/PolicyCompiler_ipt.cpp +++ b/src/iptlib/PolicyCompiler_ipt.cpp @@ -515,6 +515,11 @@ int PolicyCompiler_ipt::prolog() n++; } + string version = fw->getStr("version"); + can_use_module_set = (XMLTools::version_compare(version, "1.4.1.1") >= 0 && + fwopt->getBool("use_m_set")); + actually_used_module_set = false; + return n; } @@ -1006,12 +1011,23 @@ bool PolicyCompiler_ipt::singleItfNegation::processNext() bool PolicyCompiler_ipt::singleSrcNegation::processNext() { + PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElementSrc *srcrel = rule->getSrc(); /* ! A B C ACTION */ if (srcrel->getNeg() && srcrel->size()==1) { + // We call singleSrcNegation before we replace AddressTable + // objects with MultiAddressRunTime objects + FWObject *o = FWReference::getObject(srcrel->front()); + if (AddressTable::cast(o) && AddressTable::cast(o)->isRunTime() && + ipt_comp->can_use_module_set) + { + srcrel->setNeg(false); + srcrel->setBool("single_object_negation", true); + } + Address *src = compiler->getFirstSrc(rule); // note: src can be NULL if object in this rule element is a group // or MultiAddress 
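Review bot: `actually_used_module_set` is reset to false in prolog() and declared in the header, but no hunk in this patch ever sets it to true — the natural place would be the `-m set` branches in PrintRule::_printSrcAddr/_printDstAddr — so unless it is assigned somewhere outside the diff the flag, and anything meant to key on it (emitting the module or ipset setup only when a rule actually used it), is dead. In singleSrcNegation::processNext() `AddressTable::cast(o)` is evaluated twice in one condition; binding it once, `AddressTable *at = AddressTable::cast(o);` followed by `if (at && at->isRunTime() && ipt_comp->can_use_module_set)`, reads better and matches the surrounding style. The `dynamic_cast` result `ipt_comp` is dereferenced without a null check, as elsewhere in the file. singleSrcNegation::processNext continues past the hunk, and whether `fwopt` is in scope in prolog() cannot be seen from here.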
@@ -1029,12 +1045,23 @@ bool PolicyCompiler_ipt::singleSrcNegation::processNext() bool PolicyCompiler_ipt::singleDstNegation::processNext() { + PolicyCompiler_ipt *ipt_comp=dynamic_cast(compiler); PolicyRule *rule = getNext(); if (rule==NULL) return false; RuleElementDst *dstrel = rule->getDst(); /* A ! B C ACTION */ if (dstrel->getNeg() && dstrel->size()==1) { + // We call singleSrcNegation before we replace AddressTable + // objects with MultiAddressRunTime objects + FWObject *o = FWReference::getObject(dstrel->front()); + if (AddressTable::cast(o) && AddressTable::cast(o)->isRunTime() && + ipt_comp->can_use_module_set) + { + dstrel->setNeg(false); + dstrel->setBool("single_object_negation", true); + } + Address *dst = compiler->getFirstDst(rule); if (dst!=NULL && dst->countInetAddresses(true)==1 && !compiler->complexMatch(dst, compiler->fw)) @@ -2558,7 +2585,6 @@ bool PolicyCompiler_ipt::specialCaseWithFW1::processNext() bool PolicyCompiler_ipt::specialCaseWithFWInDstAndOutbound::processNext() { - PolicyCompiler_ipt *ipt_comp = dynamic_cast(compiler); PolicyRule *rule=getNext(); if (rule==NULL) return false; Interface *itf = compiler->getFirstItf(rule); @@ -2922,7 +2948,6 @@ bool PolicyCompiler_ipt::decideOnChainIfSrcFW::processNext() * with an interface which is a bridge port. */ - RuleElementItf *itfre = rule->getItf(); Interface *rule_iface = compiler->getFirstItf(rule); if (rule_iface == NULL || rule_iface->isBridgePort()) { @@ -3022,7 +3047,6 @@ bool PolicyCompiler_ipt::decideOnChainIfDstFW::processNext() * with an interface which is a bridge port. */ - RuleElementItf *itfre = rule->getItf(); Interface *rule_iface = compiler->getFirstItf(rule); if (rule_iface == NULL || rule_iface->isBridgePort()) { @@ -3982,7 +4006,6 @@ bool PolicyCompiler_ipt::processMultiAddressObjectsInRE::processNext() return true; } - /* * iptables does not have target that would do nothing and would not * terminate processing of the packet (like NOP), so we create a new 
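Review bot: The comment added in singleDstNegation::processNext() reads `// We call singleSrcNegation before we replace AddressTable` — copied from the Src counterpart; it should say `// We call singleDstNegation before we replace AddressTable`, otherwise it points the reader at the wrong processor. The same double `AddressTable::cast(o)` evaluation as in singleSrcNegation applies here and can be folded into one local. The remaining hunks on this line only drop unused locals (`ipt_comp`, `itfre`) and a stray comment line; singleDstNegation::processNext continues outside the hunk.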
diff --git a/src/iptlib/PolicyCompiler_ipt.h b/src/iptlib/PolicyCompiler_ipt.h index cabcffa2c..1d9cb2e2b 100644 --- a/src/iptlib/PolicyCompiler_ipt.h +++ b/src/iptlib/PolicyCompiler_ipt.h @@ -66,6 +66,8 @@ protected: bool have_dynamic_interfaces; bool have_connmark; bool have_connmark_in_output; + bool can_use_module_set; + bool actually_used_module_set; std::string my_table; std::map tmp_chain_no; diff --git a/src/pflib/PolicyCompiler_pf.cpp b/src/pflib/PolicyCompiler_pf.cpp index eb2081cfb..e2d6ef45c 100644 --- a/src/pflib/PolicyCompiler_pf.cpp +++ b/src/pflib/PolicyCompiler_pf.cpp @@ -93,7 +93,11 @@ int PolicyCompiler_pf::prolog() return PolicyCompiler::prolog(); } - +/* + * this is very much like + * Compiler::swapMultiAddressObjectsInRE::processNext() except it also + * registers the table using registerTable() + */ bool PolicyCompiler_pf::swapAddressTableObjectsInRE::processNext() { PolicyCompiler_pf *pf_comp=dynamic_cast(compiler); diff --git a/src/res/help/en_US/release_notes_4.1.0.html b/src/res/help/en_US/release_notes_4.1.0.html index 41f5013f0..4579d222d 100644 --- a/src/res/help/en_US/release_notes_4.1.0.html +++ b/src/res/help/en_US/release_notes_4.1.0.html @@ -302,6 +302,40 @@
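Review bot: `can_use_module_set` and `actually_used_module_set` are added as plain `bool` members with no initialiser, so until prolog() runs they hold indeterminate values, and PrintRule and the negation processors read `ipt_comp->can_use_module_set` on every rule; any path that reaches them without prolog() — or a future caller — reads garbage. Initialise both in the constructor's initialiser list (not visible here) alongside the neighbouring `have_connmark` flags, assuming those are initialised there, e.g. `can_use_module_set(false), actually_used_module_set(false)`. A short comment on the members would also help, e.g. `// module "set" enabled for this firewall (version >= 1.4.1.1 and option use_m_set); computed in prolog()`. The pf.cpp hunk on this line is comment-only.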

+
  • +

    + Most dialogs were adjusted to make sure they fit on the screen 1024x768 +

    +
  • + +
  • +

    + fixed #1612 "File/Open should create + new project panel". If user has some unsaved changes in the + default project panel (the one with no associated file) and then + uses File/Open menu to open another data file, the file should + open in a new project panel. +

    +
  • + +
  • +

    + fixed #1611 "File/New should create new project panel". Like + #1612, open new data file in a new project panel if current + project panel has no data file associated with it but has + unsaved changes. +

    +
  • + +
  • +

    + fixed #1622 "Crash when configuring cluster". The GUI used to + crash if user created a cluster copying rules of one of the + cluster members while that rule set was opened in the rule set + view. +

    +
  • + @@ -473,6 +507,20 @@

    +
  • +

    + Added support for iptables module "set" used to generate + iptables command for rules with run-time AddressTable + objects. This module is only available in iptables 1.4.1.1 and + later, however some embedded platforms do not have it even + though they ship later versions of iptables (e.g. OpenWRT). Use + of this module is controlled by a checkbox in the iptables + "advanced" settings dialog which is off by default. This + checkbox becomes disabled when iptables version is set to < + 1.4.1.1. +

    +
  • + diff --git a/test/ipt/objects-for-regression-tests.fwb b/test/ipt/objects-for-regression-tests.fwb index 39002c003..6473222dc 100644 --- a/test/ipt/objects-for-regression-tests.fwb +++ b/test/ipt/objects-for-regression-tests.fwb @@ -1,6 +1,6 @@ - + @@ -6671,7 +6671,7 @@ - + @@ -7947,33 +7947,35 @@ - + + + + - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + @@ -7982,16 +7984,7 @@ - - - - - - - - - @@ -53360,6 +53353,674 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT% + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +