
SF bug #3439613. physdev module does not allow --physdev-out for
non-bridged traffic anymore. We should add --physdev-is-bridged to
make sure this matches only bridged packets.
This commit is contained in:
Vadim Kurland 2011-11-21 12:16:59 -08:00
parent 28dba00586
commit f5759fa905
5 changed files with 94 additions and 16 deletions


@ -1,3 +1,11 @@
2011-11-21 Vadim Kurland <vadim@netcitadel.com>
* PolicyCompiler_PrintRule.cpp (_printDirectionAndInterface): SF
bug #3439613. physdev module does not allow --physdev-out for
non-bridged traffic anymore. We should add --physdev-is-bridged to
make sure this matches only bridged packets.
2011-11-16 Vadim Kurland <vadim@netcitadel.com> 2011-11-16 Vadim Kurland <vadim@netcitadel.com>
* InetAddrMask.cpp (InetAddrMask::setNetworkAndBroadcastAddress): * InetAddrMask.cpp (InetAddrMask::setNetworkAndBroadcastAddress):


@ -474,11 +474,21 @@ string PolicyCompiler_ipt::PrintRule::_printDirectionAndInterface(PolicyRule *ru
(version.empty() || (version.empty() ||
XMLTools::version_compare(version, "1.3.0")>=0)) XMLTools::version_compare(version, "1.3.0")>=0))
{ {
// http://www.netfilter.org/projects/iptables/files/changes-iptables-1.2.9.txt
// See SF bug #3439613
// https://sourceforge.net/tracker/index.php?func=detail&aid=3439613&group_id=5314&atid=1129518#
//
// physdev module does not allow --physdev-out for
// non-bridged traffic anymore. We should add
// --physdev-is-bridged to make sure this matches only
// bridged packets.
if (rule->getDirection()==PolicyRule::Inbound) if (rule->getDirection()==PolicyRule::Inbound)
res << "-m physdev --physdev-in" << iface_name; res << "-m physdev --physdev-in" << iface_name;
if (rule->getDirection()==PolicyRule::Outbound) if (rule->getDirection()==PolicyRule::Outbound)
res << "-m physdev --physdev-out" << iface_name; res << "-m physdev --physdev-is-bridged --physdev-out" << iface_name;
} else } else
{ {
if (rule->getDirection()==PolicyRule::Inbound) if (rule->getDirection()==PolicyRule::Inbound)
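Review bot: The new comment block explains why `--physdev-is-bridged` is needed but not why only the Outbound branch gets it, so a later reader may "fix" the Inbound branch to match; a one-line comment above the Outbound `res <<` line would pin the asymmetry, e.g. `// --physdev-in is still accepted for non-bridged traffic; only --physdev-out needs the bridged qualifier.` Note also that adding `--physdev-is-bridged` narrows every Outbound physdev rule to bridged packets: for the ACCEPT/CLASSIFY/LOG rules in the updated test expectations that is fail-closed, but a DROP or REJECT rule on the same path would now let routed packets through, which is presumably intended given the module change but is worth stating in the comment. The version gate on this branch (`version_compare(version, "1.3.0")>=0`, with an empty version treated as new) is unchanged by the commit, so the older-version else-branch keeps emitting the unqualified form. `_printDirectionAndInterface` begins and ends outside this hunk.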


@ -346,6 +346,14 @@
</p> </p>
</li> </li>
<ul>
<li>
SF bug #3439613. physdev module does not allow --physdev-out
for non-bridged traffic anymore. We should add
--physdev-is-bridged to make sure this matches only bridged
packets.
</li>
</ul>
</ul> </ul>


@ -2,9 +2,9 @@
# #
# This is automatically generated file. DO NOT MODIFY ! # This is automatically generated file. DO NOT MODIFY !
# #
# Firewall Builder fwb_ipt v5.0.1.3585 # Firewall Builder fwb_ipt v5.0.1.3588
# #
# Generated Thu Nov 10 11:57:29 2011 PST by vadim # Generated Mon Nov 21 11:50:27 2011 PST by vadim
# #
# files: * firewall23-1.fw /etc/fw/firewall23-1.fw # files: * firewall23-1.fw /etc/fw/firewall23-1.fw
# #
@ -321,19 +321,19 @@ script_body() {
# #
echo "Rule 13 (eth2)" echo "Rule 13 (eth2)"
# #
$IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 1:12 $IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-is-bridged --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 1:12
# #
# Rule 14 (eth3) # Rule 14 (eth3)
# #
echo "Rule 14 (eth3)" echo "Rule 14 (eth3)"
# #
$IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-out eth3 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 2:12 $IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-is-bridged --physdev-out eth3 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 2:12
# #
# Rule 15 (eth2) # Rule 15 (eth2)
# #
echo "Rule 15 (eth2)" echo "Rule 15 (eth2)"
# #
$IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 1:12 $IPTABLES -t mangle -A POSTROUTING -m physdev --physdev-is-bridged --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j CLASSIFY --set-class 1:12
# ================ Table 'filter', rule set Policy # ================ Table 'filter', rule set Policy
# #
@ -416,8 +416,8 @@ script_body() {
# #
echo "Rule 8 (eth2,eth3)" echo "Rule 8 (eth2,eth3)"
# #
$IPTABLES -A FORWARD -m physdev --physdev-out eth2 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out eth2 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m physdev --physdev-out eth3 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out eth3 -d 192.168.1.0/24 -m state --state NEW -j ACCEPT
# #
# Rule 9 (eth2,eth3) # Rule 9 (eth2,eth3)
# #
@ -430,7 +430,7 @@ script_body() {
# #
echo "Rule 10 (eth2)" echo "Rule 10 (eth2)"
# #
$IPTABLES -A FORWARD -m physdev --physdev-out eth2 -d 224.0.0.0/4 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out eth2 -d 224.0.0.0/4 -m state --state NEW -j ACCEPT
# #
# Rule 11 (eth2) # Rule 11 (eth2)
# #
@ -442,13 +442,13 @@ script_body() {
# #
echo "Rule 12 (eth3)" echo "Rule 12 (eth3)"
# #
$IPTABLES -A FORWARD -m physdev --physdev-out eth3 -s 192.168.1.10 -d 224.0.0.0/4 -m state --state NEW -j ACCEPT $IPTABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out eth3 -s 192.168.1.10 -d 224.0.0.0/4 -m state --state NEW -j ACCEPT
# #
# Rule 15 (eth2) # Rule 15 (eth2)
# #
echo "Rule 15 (eth2)" echo "Rule 15 (eth2)"
# #
$IPTABLES -A FORWARD -m physdev --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j LOG --log-level debug $IPTABLES -A FORWARD -m physdev --physdev-is-bridged --physdev-out eth2 -p tcp -m tcp -d 192.168.1.0/24 --dport 22 -j LOG --log-level debug
# #
# Rule 16 (global) # Rule 16 (global)
# #
@ -586,7 +586,7 @@ test -z "$cmd" && {
case "$cmd" in case "$cmd" in
start) start)
log "Activating firewall script generated Thu Nov 10 11:57:29 2011 by vadim" log "Activating firewall script generated Mon Nov 21 11:50:27 2011 by vadim"
check_tools check_tools
prolog_commands prolog_commands
check_run_time_address_table_files check_run_time_address_table_files


@ -2,9 +2,9 @@
# #
# This is automatically generated file. DO NOT MODIFY ! # This is automatically generated file. DO NOT MODIFY !
# #
# Firewall Builder fwb_ipt v5.0.1.3585 # Firewall Builder fwb_ipt v5.0.1.3588
# #
# Generated Thu Nov 10 11:59:25 2011 PST by vadim # Generated Mon Nov 21 11:52:38 2011 PST by vadim
# #
# files: * test-shadowing-3.fw /etc/test-shadowing-3.fw # files: * test-shadowing-3.fw /etc/test-shadowing-3.fw
# #
@ -18,6 +18,10 @@
# test-shadowing-3:Policy_5:0: error: Rule 'Policy_5 0 (eth0)' shadows rule 'Policy_5 1 (eth0)' below it # test-shadowing-3:Policy_5:0: error: Rule 'Policy_5 0 (eth0)' shadows rule 'Policy_5 1 (eth0)' below it
# test-shadowing-3:Policy_6:0: error: Rule 'Policy_6 0 (global)' shadows rule 'Policy_6 1 (global)' below it
# test-shadowing-3:Policy_7:0: error: Rule 'Policy_7 0 (global)' shadows rule 'Policy_7 1 (global)' below it
FWBDEBUG="" FWBDEBUG=""
@ -431,6 +435,54 @@ script_body() {
# #
# 30/sec # 30/sec
$IPTABLES -A Policy_5 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 30/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT $IPTABLES -A Policy_5 -o eth0 -s 192.168.1.0/24 -m state --state NEW -m hashlimit --hashlimit 30/second --hashlimit-mode srcip --hashlimit-name test -j ACCEPT
# ================ Table 'filter', rule set Policy_6
#
# Rule Policy_6 0 (global)
#
echo "Rule Policy_6 0 (global)"
#
# test-shadowing-3:Policy_6:0: error: Rule 'Policy_6 0 (global)' shadows rule 'Policy_6 1 (global)' below it
$IPTABLES -N Policy_6
$IPTABLES -A Policy_6 -i + -s 192.168.11.0/24 -j DROP
#
# Rule Policy_6 1 (global)
#
echo "Rule Policy_6 1 (global)"
#
$IPTABLES -A Policy_6 -i + -s 192.168.11.10/31 -j DROP
# ================ Table 'filter', rule set Policy_7
#
# Rule Policy_7 0 (global)
#
echo "Rule Policy_7 0 (global)"
#
# test-shadowing-3:Policy_7:0: error: Rule 'Policy_7 0 (global)' shadows rule 'Policy_7 1 (global)' below it
$IPTABLES -N Policy_7
$IPTABLES -A Policy_7 -i + -s 192.168.11.10/31 -j DROP
#
# Rule Policy_7 1 (global)
#
echo "Rule Policy_7 1 (global)"
#
$IPTABLES -A Policy_7 -i + -s 192.168.11.11 -j DROP
# ================ Table 'filter', rule set Policy_8
#
# Rule Policy_8 0 (global)
#
echo "Rule Policy_8 0 (global)"
#
# even though this is a trivial case,
# I had a bug with handling networks with netmask /31 that broke it
$IPTABLES -N Policy_8
$IPTABLES -A Policy_8 -i + -s 24.56.78.90 -j DROP
#
# Rule Policy_8 1 (global)
#
echo "Rule Policy_8 1 (global)"
#
$IPTABLES -A Policy_8 -i + -s 222.222.222.0/24 -j DROP
# ================ Table 'filter', rule set Policy # ================ Table 'filter', rule set Policy
# #
# Rule 0 (eth0) # Rule 0 (eth0)
@ -500,7 +552,7 @@ test -z "$cmd" && {
case "$cmd" in case "$cmd" in
start) start)
log "Activating firewall script generated Thu Nov 10 11:59:25 2011 by vadim" log "Activating firewall script generated Mon Nov 21 11:52:38 2011 by vadim"
check_tools check_tools
prolog_commands prolog_commands
check_run_time_address_table_files check_run_time_address_table_files