onkelbeh/fwbuilder
1
0
Fork 0
mirror of https://github.com/fwbuilder/fwbuilder synced 2025-10-15 15:08:26 +02:00
Code Issues Releases Wiki Activity

merge -r62:HEAD from branch inet-addr-changes

Browse Source
This commit is contained in:
Vadim Kurland 2008-04-26 19:13:45 +00:00
parent 907e272926
commit f5cebe98e2
44 changed files with 754 additions and 647 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/cisco_lib/Helper.cpp
View File

@ -167,7 +167,9 @@ string Helper::findInterfaceByNetzone(const InetAddr &addr) throw(string)
res_id=findInterfaceByAddress( addr );
if (res_id.empty())
throw( string("Can not find interface with network zone that includes address ") + addr.toString());
throw(
string("Can not find interface with network zone that includes "
"address ") + addr.toString());
return res_id;
}
@ -201,7 +203,11 @@ list<string> Helper::findInterfaceByNetzoneOrAll(RuleElement *re)
if (a==NULL)
{
Rule *rule = Rule::cast(re->getParent());
compiler->abort(string("findInterfaceByNetzoneOrAll failed to retrieve first object from the rule element; is argument not of the type RuleElementSrc or RuleElementDst ? Rule ") + rule->getLabel());
compiler->abort(
string("findInterfaceByNetzoneOrAll failed to retrieve first "
"object from the rule element; is argument not of "
"the type RuleElementSrc or RuleElementDst ? Rule ") +
rule->getLabel());
}
try
{
@ -220,7 +226,8 @@ list<string> Helper::findInterfaceByNetzoneOrAll(RuleElement *re)
if (supports_network_zones) compiler->warning(err);
FWObjectTypedChildIterator i = compiler->fw->findByType(Interface::TYPENAME);
FWObjectTypedChildIterator i = compiler->fw->findByType(
Interface::TYPENAME);
for ( ; i!=i.end(); ++i)
{
Interface *ifs = Interface::cast(*i);

9
src/cisco_lib/PolicyCompiler_cisco.cpp
View File

@ -112,9 +112,12 @@ void PolicyCompiler_cisco::addDefaultPolicyRule()
dbcopy->add(ssh,false);
cacheObj(ssh); // to keep cache consistent
Network *mgmt_workstation = Network::cast(dbcopy->create(Network::TYPENAME));
*mgmt_workstation = getCachedFwOpt()->getStr("mgmt_addr");
dbcopy->add(mgmt_workstation,false);
Network *mgmt_workstation = Network::cast(
dbcopy->create(Network::TYPENAME));
mgmt_workstation->setAddressNetmask(
getCachedFwOpt()->getStr("mgmt_addr"));
dbcopy->add(mgmt_workstation, false);
cacheObj(mgmt_workstation); // to keep cache consistent
r= PolicyRule::cast(dbcopy->create(PolicyRule::TYPENAME) );

2
src/fwbedit/fwbedit.cpp
View File

@ -724,7 +724,7 @@ int main(int argc, char * const *argv)
Network *o=Network::cast(nobj);
o->setName(name);
o->setAddress(InetAddr(addr1));
o->setNetmask(InetNetmask(addr2));
o->setNetmask(InetAddr(addr2));
}
else if (objtype==Firewall::TYPENAME)
{

426
src/gui/DiscoveryDruid.cpp
View File

@ -1,4 +1,4 @@
/*
/*
Firewall Builder
@ -18,14 +18,12 @@
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "fwbuilder_ph.h"
#include "config.h"
#include "global.h"
#include "utils.h"
@ -51,7 +49,7 @@
#include <qhostaddress.h>
#include <qhostinfo.h>
#include <qgroupbox.h>
#include <qmessagebox.h>
#include <qmessagebox.h>
#include "DiscoveryDruid.h"
@ -86,14 +84,14 @@ DiscoveryDruid::DiscoveryDruid(QWidget *parent, bool start_with_import) :
{
m_dialog = new Ui::DiscoveryDruid_q;
m_dialog->setupUi(this);
setControlWidgets(this, m_dialog->stackedWidget,
setControlWidgets(this, m_dialog->stackedWidget,
m_dialog->nextButton,
m_dialog->finishButton,
m_dialog->backButton,
m_dialog->cancelButton,
m_dialog->titleLabel);
dm_method = new QButtonGroup;
dm_method->addButton(m_dialog->dm_fromfile,0);
dm_method->addButton(m_dialog->dm_importdns,1);
@ -105,26 +103,26 @@ DiscoveryDruid::DiscoveryDruid(QWidget *parent, bool start_with_import) :
connect(m_dialog->dnscustom, SIGNAL( clicked(bool) ), this, SLOT( changedNameServer() ) );
connect(m_dialog->nameserverlist, SIGNAL( editTextChanged(QString) ), this, SLOT( changedNameServer() ) );
connect(m_dialog->nameserverline, SIGNAL( textChanged(QString) ), this, SLOT( changedNameServer() ) );
thread=NULL;
timer=new QTimer(this);
prg_timer=new QTimer(this);
unBar=NULL;
unProg=0;
connect(prg_timer,SIGNAL(timeout()),this,SLOT(updatePrg()));
setDiscoveryMethod_file();
flt_obj = new Filter();
flt_obj_d = new FilterDialog(this);
flt_obj_d->setFilter(flt_obj);
flt_last = new Filter();
flt_last_d = new FilterDialog(this);
flt_last_d->setFilter(flt_last);
flt_net = new Filter();
flt_net_d = new FilterDialog(this);
flt_net_d->setFilter(flt_net);
@ -140,7 +138,7 @@ DiscoveryDruid::DiscoveryDruid(QWidget *parent, bool start_with_import) :
m_dialog->dm_importdns->hide();
m_dialog->snmpdnsparameters->hide();
#endif
#ifndef HAVE_LIBSNMP
m_dialog->dm_usesnmp->setEnabled(false);
#endif
@ -195,14 +193,14 @@ void DiscoveryDruid::cancelClicked()
DiscoveryDruid::~DiscoveryDruid()
{
save();
delete flt_obj;
delete flt_last;
delete flt_net;
delete flt_obj_d;
delete flt_last_d;
delete flt_net_d;
delete m_dialog;
delete dm_method;
}
@ -355,7 +353,7 @@ void DiscoveryDruid::dnsFinish(QHostInfo host)
QList<QHostAddress> list = host.addresses();
unBar->hide();
if (userIsTyping)
{
//abandon the test result
@ -376,7 +374,7 @@ void DiscoveryDruid::dnsFinish(QHostInfo host)
QPalette palette = errMessage->palette();
palette.setColor(errMessage->foregroundRole(), Qt::darkRed);
errMessage->setPalette(palette);
errMessage->setText( "host name not found");
isSeedHostOK=false;
}
@ -385,22 +383,22 @@ void DiscoveryDruid::dnsFinish(QHostInfo host)
QPalette palette = errMessage->palette();
palette.setColor(errMessage->foregroundRole(), Qt::darkGreen);
errMessage->setPalette(palette);
errMessage->setText( "host name verified");
isSeedHostOK=true;
}
nextButton->setEnabled(isSNMPInclNetOK && isSeedHostOK);
nextButton->setEnabled(isSNMPInclNetOK && isSeedHostOK);
}
}
void DiscoveryDruid::changedSelected( const int &page )
{
switch (page)
{
case 1: // Reading file in hosts format
case 1: // Reading file in hosts format
{
setNextEnabled(page,false);
changedHostsFileName();
@ -444,7 +442,7 @@ void DiscoveryDruid::changedSelected( const int &page )
isSeedHostOK=false;
isSNMPInclNetOK=false;
changedSeedHost();
changedInclNet();
m_dialog->seedhostname->setFocus();
@ -499,7 +497,7 @@ void DiscoveryDruid::changedSelected( const int &page )
{
if (Networks.size()==0)
setBackEnabled(page,false);
fillListOfObjects();
fillObjects();
nextButton->setEnabled(m_dialog->objectlist->count ()>0 || m_dialog->networklist->count()>0);
@ -527,9 +525,9 @@ void DiscoveryDruid::changedSelected( const int &page )
finishButton->setFocus();
break;
}
default : {}
}
FromPage=page;
}
@ -576,18 +574,18 @@ void DiscoveryDruid::browseHostsFile()
dir=st->getWDir();
if (dir.isEmpty()) dir=st->getOpenFileDir();
if (dir.isEmpty()) dir="~";
QString s = QFileDialog::getOpenFileName(
this,
"Choose a file",
dir,
"All files (*.*)");
if (!s.isEmpty())
{
m_dialog->filename->setText(s);
}
}
void DiscoveryDruid::browseForImport()
@ -596,18 +594,18 @@ void DiscoveryDruid::browseForImport()
dir=st->getWDir();
if (dir.isEmpty()) dir=st->getOpenFileDir();
if (dir.isEmpty()) dir="~";
QString s = QFileDialog::getOpenFileName(
this,
"Choose a file",
dir,
"All files (*.*)");
if (!s.isEmpty())
{
m_dialog->import_filename->setText(s);
}
}
void DiscoveryDruid::updatePrg()
@ -616,7 +614,7 @@ void DiscoveryDruid::updatePrg()
{
unBar->setValue(unProg++);
}
}
void DiscoveryDruid::getNameServers()
@ -626,14 +624,14 @@ void DiscoveryDruid::getNameServers()
string domain_name=m_dialog->domainname->text().toLatin1().constData();
DNS_getNS_query *dns=new DNS_getNS_query(domain_name);
int n;
try
try
{
NullLogger nl;
SyncFlag stop_program(false);
ns_records=dns->getNS(domain_name, &nl, &stop_program);
m_dialog->dnsfromlist->setChecked(true);
} catch (FWException &ex)
} catch (FWException &ex)
{
//string(_("Could not find name servers for the domain: '"))+
//domain_name+"' ", ex.toString(), this);
@ -646,14 +644,14 @@ void DiscoveryDruid::getNameServers()
multimap<string,InetAddr>::iterator i;
m_dialog->nameserverlist->clear();
NameServers.clear();
for (n=0,i=ns_records.begin(); i!=ns_records.end(); ++n,++i)
for (n=0,i=ns_records.begin(); i!=ns_records.end(); ++n,++i)
{
string s = (*i).first + " (" + ((*i).second).toString() + ")";
QString qs = s.c_str();
m_dialog->nameserverlist->addItem(qs);
InetAddr *na=new InetAddr( (*i).second );
NameServers[qs] = *na;
}
@ -686,7 +684,7 @@ void DiscoveryDruid::setDiscoveryMethod_SNMP()
for (int i=0;i<WIZARD_PAGES;i++)
{
setAppropriate( i, WIZARD_SNMP_PAGES[i]);
}
}
}
void DiscoveryDruid::setDiscoveryMethod_Import()
@ -696,7 +694,7 @@ void DiscoveryDruid::setDiscoveryMethod_Import()
for (int i=0;i<WIZARD_PAGES;i++)
{
setAppropriate( i, WIZARD_IMPORT_PAGES[i]);
}
}
}
@ -707,17 +705,17 @@ void DiscoveryDruid::changedDiscoveryMethod(int c)
switch (c)
{
case 0:
case 0:
{
setDiscoveryMethod_file();
break;
}
case 1:
case 1:
{
setDiscoveryMethod_DNS();
break;
}
case 2:
case 2:
{
setDiscoveryMethod_SNMP();
break;
@ -738,14 +736,14 @@ void DiscoveryDruid::saveScanLog()
dir=st->getWDir();
if (dir.isEmpty()) dir=st->getOpenFileDir();
if (dir.isEmpty()) dir="~";
QString s = QFileDialog::getSaveFileName(
this,
"Choose a file",
dir,
"Text file (*.txt)");
if (!s.isEmpty())
{
if (s.endsWith(".txt"))
@ -769,16 +767,16 @@ void DiscoveryDruid::saveScanLog()
qDebug("--------------------------------");
f.close();
}
}
}
}
void DiscoveryDruid::startHostsScan()
{
if (thread!=NULL)
{
delete thread;
}
thread = new HostsFileImport(m_dialog->filename->text());
thread->setTargetWidget(this);
thread->start();
@ -813,7 +811,7 @@ void DiscoveryDruid::startConfigImport()
m_dialog->discoveryprogress->setMaximum(line_count);
// need to pick right platform string based on
// m_dialog->import_platform->currentItem()
// m_dialog->import_platform->currentItem()
string platform = "";
switch (m_dialog->import_platform->currentIndex())
{
@ -839,21 +837,21 @@ void DiscoveryDruid::startConfigImport()
InetAddr DiscoveryDruid::getNS()
{
string ns;
if (m_dialog->dnscustom->isChecked())
if (m_dialog->dnscustom->isChecked())
{
ns=m_dialog->nameserverline->text().toLatin1().constData();
ns=m_dialog->nameserverline->text().toLatin1().constData();
try
try
{
return InetAddr(ns);
} catch (FWException &ex)
} catch (FWException &ex)
{
/* perhaps not address but host name */
list<InetAddr> addr;
try
try
{
addr=DNS::getHostByName(ns);
} catch (FWException &ex)
} catch (FWException &ex)
{
return InetAddr();
}
@ -869,7 +867,7 @@ void DiscoveryDruid::startDNSScan()
{
InetAddr ns=getNS();
string domain_name=m_dialog->domainname->text().toLatin1().constData();
DNS_findA_query *q=new DNS_findA_query();
q->init(
domain_name, ns,
@ -877,13 +875,13 @@ void DiscoveryDruid::startDNSScan()
m_dialog->dnstimeout->value()
);
bop=q;
m_dialog->discoveryprogress->setMaximum(0);
unBar=m_dialog->discoveryprogress;
try
{
logger=bop->start_operation();
m_dialog->discoverylog->append("Reading DNS zone ...");
} catch(const FWException &ex)
@ -903,11 +901,11 @@ InetAddr DiscoveryDruid::getSeedHostAddress()
{
seed_host_addr=InetAddr(m_dialog->seedhostname->text().toLatin1().constData());
return seed_host_addr;
} catch(const FWException &ex)
} catch(const FWException &ex)
{
}
try
}
try
{
QString a = getAddrByName( m_dialog->seedhostname->text() );
return InetAddr( a.toLatin1().constData() );
@ -916,16 +914,16 @@ InetAddr DiscoveryDruid::getSeedHostAddress()
seed_host_addr = v.front();
return seed_host_addr;
#endif
} catch(const FWException &ex)
} catch(const FWException &ex)
{
}
}
}
return seed_host_addr;
}
void DiscoveryDruid::startSNMPScan()
{
#ifdef HAVE_LIBSNMP
#ifdef HAVE_LIBSNMP
bool use_incl=!m_dialog->snmpinaddr->text().isEmpty() && !m_dialog->snmpinmask->text().isEmpty();
@ -934,9 +932,9 @@ void DiscoveryDruid::startSNMPScan()
try
{
InetAddrMask in(
InetAddr(m_dialog->snmpinaddr->text().toLatin1().constData()),
InetNetmask(m_dialog->snmpinmask->text().toLatin1().constData())
);
InetAddr(m_dialog->snmpinaddr->text().toLatin1().constData()),
InetAddr(m_dialog->snmpinmask->text().toLatin1().constData())
);
include_networks.push_back(in);
}
catch (const FWException &ex)
@ -957,26 +955,26 @@ void DiscoveryDruid::startSNMPScan()
0,
0,
(use_incl) ? &include_networks : NULL);
m_dialog->discoveryprogress->setMaximum(0);
unBar=m_dialog->discoveryprogress;
bop=q;
try
{
logger=bop->start_operation();
m_dialog->discoverylog->append("Collecting data ...");
} catch(const FWException &ex)
{
delete q;
q=NULL;
}
#endif
}
void DiscoveryDruid::changedDomainName()
{
if (m_dialog->domainname->text().isEmpty())
@ -999,26 +997,26 @@ void DiscoveryDruid::changedNameServer()
nextButton->setEnabled(false);
QString s=m_dialog->nameserverline->text();
HostName=s;
if (s.isEmpty())
{
timer->stop();
m_dialog->DNSprogress_2->hide();
QPalette palette = m_dialog->nameserver_error->palette();
palette.setColor(m_dialog->nameserver_error->foregroundRole(), Qt::darkRed);
m_dialog->nameserver_error->setPalette(palette);
m_dialog->nameserver_error->setText("Enter valid host name or address.");
nextButton->setEnabled(false);
return;
}
if(isInetAddr(s))
{
timer->stop();
m_dialog->DNSprogress_2->hide();
QString rs=testInetAddr(s);
if (rs.isEmpty())
{
@ -1044,13 +1042,13 @@ void DiscoveryDruid::changedNameServer()
timer->start(1000);
errMessage=m_dialog->nameserver_error;
userIsTyping=false;
QPalette palette = errMessage->palette();
palette.setColor(errMessage->foregroundRole(), Qt::black);
errMessage->setPalette(palette);
errMessage->setText("DNS resolution in progress...");
unProg = 0;
}
}
@ -1086,7 +1084,7 @@ QString DiscoveryDruid::testInetAddr(const QString s)
try
{
InetAddr(s.toLatin1().constData());
} catch(const FWException &ex)
} catch(const FWException &ex)
{
res=ex.toString().c_str();
}
@ -1111,12 +1109,12 @@ void DiscoveryDruid::changedHostsFileName()
setNextEnabled(currentPage(),false);
}
}
void DiscoveryDruid::changedSNMPOptions()
{
}
void DiscoveryDruid::stopBackgroundProcess()
{
if (fwbdebug)
@ -1126,16 +1124,16 @@ void DiscoveryDruid::stopBackgroundProcess()
if (bop!=NULL && bop->isRunning())
{
m_dialog->discoverylog->append("Terminating task. Please wait...");
bop->stop_operation();
m_dialog->discoveryStopButton->setEnabled(false);
}
}
void DiscoveryDruid::addNetwork()
{
int count = m_dialog->networkresultlist->count();
int upd_max=(count > 10)?count/10:1;
int updc=upd_max;
@ -1144,23 +1142,23 @@ void DiscoveryDruid::addNetwork()
QListWidgetItem* item=(QListWidgetItem*)m_dialog->networkresultlist->item(0);
int i = 0;
while (item)
{
if (item->isSelected())
{
QString k=item->text();
if (!Networks[k].isSelected)
if (!Networks[k].isSelected)
{
Networks[k].isSelected=true;
m_dialog->networklist->addItem(item->text());
}
}
i++;
item=(QListWidgetItem*)m_dialog->networkresultlist->item(i);
if (updc--<=0)
{
pd.setValue(t);
@ -1168,7 +1166,7 @@ void DiscoveryDruid::addNetwork()
if (pd.wasCanceled())
{
break;
break;
}
updc=upd_max;
}
@ -1177,12 +1175,12 @@ void DiscoveryDruid::addNetwork()
nextButton->setEnabled(m_dialog->networklist->count ()>0 || Objects.size()>0);
}
void DiscoveryDruid::removeNetwork()
{
QListWidgetItem* item1=m_dialog->networklist->item(0);
QListWidgetItem* item2;
while (item1!=0)
{
item2=m_dialog->networklist->item(
@ -1196,19 +1194,19 @@ void DiscoveryDruid::removeNetwork()
}
nextButton->setEnabled(m_dialog->networklist->count ()>0 || Objects.size()>0);
}
void DiscoveryDruid::setNetworkFilter()
{
flt_net_d->exec();
flt_net_d->exec();
fillListOfNetworks();
}
void DiscoveryDruid::removeNetworkFilter()
{
flt_net->clear();
flt_net->clear();
fillListOfNetworks();
}
void DiscoveryDruid::addObject()
{
int count = m_dialog->objectresultlist->count();
@ -1220,7 +1218,7 @@ void DiscoveryDruid::addObject()
QListWidgetItem* item=(QListWidgetItem*)m_dialog->objectresultlist->item(0);
int i = 0;
while (item)
{
if (item->isSelected())
@ -1232,7 +1230,7 @@ void DiscoveryDruid::addObject()
m_dialog->objectlist->addItem(item->text());
}
}
i++;
item=(QListWidgetItem*)m_dialog->objectresultlist->item(i);
@ -1243,7 +1241,7 @@ void DiscoveryDruid::addObject()
if (pd.wasCanceled())
{
break;
break;
}
updc=upd_max;
}
@ -1251,7 +1249,7 @@ void DiscoveryDruid::addObject()
}
nextButton->setEnabled(m_dialog->objectlist->count ()>0 || m_dialog->networklist->count()>0);
}
void DiscoveryDruid::removeObject()
{
QListWidgetItem* item1=m_dialog->objectlist->item(0);
@ -1270,19 +1268,19 @@ void DiscoveryDruid::removeObject()
}
nextButton->setEnabled(m_dialog->objectlist->count ()>0 || m_dialog->networklist->count()>0);
}
void DiscoveryDruid::setLastFilter()
{
flt_last_d->exec();
flt_last_d->exec();
fillTypeChangingList();
}
void DiscoveryDruid::setObjectFilter()
{
flt_obj_d->exec();
flt_obj_d->exec();
fillListOfObjects();
}
void DiscoveryDruid::removeLastFilter()
{
flt_last->clear();
@ -1291,7 +1289,7 @@ void DiscoveryDruid::removeLastFilter()
void DiscoveryDruid::removeObjectFilter()
{
flt_obj->clear();
flt_obj->clear();
fillListOfObjects();
}
@ -1341,7 +1339,7 @@ void DiscoveryDruid::fillObjects()
ObjectDescriptor buf;
m_dialog->objectlist->clear();
bool f=false;
bool f=false;
QMap<QString,ObjectDescriptor >::iterator i;
for(i=Objects.begin(); i!=Objects.end(); ++i)
{
@ -1357,11 +1355,11 @@ void DiscoveryDruid::fillObjects()
void DiscoveryDruid::fillTypeChangingList()
{
ObjectDescriptor buf;
m_dialog->typeChangingList->clear();
QMap<QString,ObjectDescriptor >::iterator i;
for(i=Objects.begin(); i!=Objects.end(); ++i)
{
@ -1390,7 +1388,7 @@ void DiscoveryDruid::loadDataFromDNS()
Objects.clear();
map<string,set<InetAddr> > t = q->getResult();
for(map<string,set<InetAddr> >::iterator j = t.begin(); j!=t.end(); ++j)
{
ObjectDescriptor od;
@ -1406,12 +1404,12 @@ void DiscoveryDruid::loadDataFromDNS()
}
od.type =IPv4::TYPENAME;
od.isSelected=false;
if (od.sysname.empty())
{
od.sysname=string("h-") + od.addr.toString();
}
Objects[od.toString().c_str()]=od;
}
}
@ -1426,11 +1424,11 @@ void DiscoveryDruid::loadDataFromFile()
if (count > 0)
{
int upd_max=(count > 10)?count/10:1;
int updc=upd_max;
QProgressDialog pd(tr("Prepare objects ..."), tr("Cancel"), 0, count,this);
vector<ObjectDescriptor>::iterator i;
for(i = himport->hosts.begin(); i != himport->hosts.end(); ++i)
{
@ -1439,7 +1437,7 @@ void DiscoveryDruid::loadDataFromFile()
i->type=IPv4::TYPENAME;
}
i->isSelected=false;
Objects[i->toString().c_str()] = *i;
if (updc--<=0)
{
@ -1448,7 +1446,7 @@ void DiscoveryDruid::loadDataFromFile()
if (pd.wasCanceled())
{
break;
break;
}
updc=upd_max;
}
@ -1476,7 +1474,7 @@ void DiscoveryDruid::loadDataFromCrawler()
SNMPCrawler *q=(SNMPCrawler*)bop;
Objects.clear();
Networks.clear();
set<InetAddrMask>::iterator m;
set<InetAddrMask> s = q->getNetworks();
@ -1486,13 +1484,13 @@ void DiscoveryDruid::loadDataFromCrawler()
for (m=s.begin(); m!=s.end(); ++m)
{
ObjectDescriptor od;
od.sysname = m->toString();
od.addr = m->getAddress();
od.netmask = m->getNetmask();
od.type = Network::TYPENAME;
od.isSelected = false;
Networks[od.sysname.c_str()]= od ;
}
@ -1506,7 +1504,7 @@ void DiscoveryDruid::loadDataFromCrawler()
int cntr = 0;
map<InetAddr, CrawlerFind>::iterator j;
for(j = t.begin(); j!=t.end(); ++j,++cntr)
for(j = t.begin(); j!=t.end(); ++j,++cntr)
{
m_dialog->discoveryprogress->setValue( cntr );
@ -1535,7 +1533,7 @@ void DiscoveryDruid::loadDataFromCrawler()
}
Objects[od.toString().c_str()]=od;
set<string>::iterator si;
for(si=od.dns_info.aliases.begin();
si!=od.dns_info.aliases.end();
@ -1547,9 +1545,9 @@ void DiscoveryDruid::loadDataFromCrawler()
}
#endif
/*
(arg==0) ?
_("Network scan completed, click 'Next' to continue") :
_("There has been an error running the network scan. You can continue but data gathered by the scanner may be incomplete")
(arg==0) ?
_("Network scan completed, click 'Next' to continue") :
_("There has been an error running the network scan. You can continue but data gathered by the scanner may be incomplete")
*/
}
@ -1563,29 +1561,29 @@ void DiscoveryDruid::fillListOfNetworks()
if (count > 0)
{
int upd_max=(count > 10)?count/10:1;
int updc=upd_max;
QProgressDialog pd(tr("Copying results ..."), tr("Cancel"), 0, count,this);
QMap<QString, ObjectDescriptor>::iterator i;
for(i=Networks.begin();
i!=Networks.end();
++i)
{
if ( flt_net->test(i.value()) )
{
m_dialog->networkresultlist->addItem(new QListWidgetItem(i.key()));
if (updc--<=0)
{
pd.setValue(t);
qApp->processEvents();
if (pd.wasCanceled())
{
break;
break;
}
updc=upd_max;
}
@ -1597,34 +1595,34 @@ void DiscoveryDruid::fillListOfNetworks()
void DiscoveryDruid::fillListOfObjects()
{
m_dialog->objectresultlist->clear();
int t=0;
int count = Objects.size();
if (count > 0)
{
int upd_max=(count > 10)?count/10:1;
int updc=upd_max;
QProgressDialog pd(tr("Copying results ..."),
tr("Cancel"), 0,count,this);
QMap<QString,ObjectDescriptor >::iterator i;
for(i=Objects.begin(); i!=Objects.end(); ++i)
{
if ( flt_obj->test(i.value()) )
{
m_dialog->objectresultlist->addItem(new QListWidgetItem(i.key()));
if (updc--<=0)
{
pd.setValue(t);
qApp->processEvents();
if (pd.wasCanceled())
{
break;
break;
}
updc=upd_max;
}
@ -1633,7 +1631,7 @@ void DiscoveryDruid::fillListOfObjects()
}
}
}
void DiscoveryDruid::customEvent(QEvent *event)
{
int evtype=(int)event->type();
@ -1644,10 +1642,10 @@ void DiscoveryDruid::customEvent(QEvent *event)
} else if (evtype == DoneEv)
{
cancelButton->show();
timer->stop();
disconnect(timer,SIGNAL(timeout()),0,0);
updateLog();
m_dialog->logSaveButton->setEnabled(true);
@ -1668,7 +1666,7 @@ void DiscoveryDruid::customEvent(QEvent *event)
QString er = thread->getError();
delete thread;
thread=NULL;
switch (current_task)
{
case BT_HOSTS:
@ -1682,7 +1680,7 @@ void DiscoveryDruid::customEvent(QEvent *event)
else
{
backButton->setEnabled(true);
nextButton->setEnabled(false);
nextButton->setEnabled(false);
}
break;
case BT_IMPORT:
@ -1714,7 +1712,7 @@ void DiscoveryDruid::updateLog()
{
if (monitorOperation() > 0)
{
//m_dialog->discoveryprogress->setValue(prg++);
}
else
@ -1725,18 +1723,18 @@ void DiscoveryDruid::updateLog()
if (fwbdebug) qDebug("Crawler finished");
loadDataFromCrawler();
cancelButton->show();
FWException * ex=bop->get_latest_error();
if (ex!=NULL)
{
QMessageBox::critical(this,tr("Discovery error"), ex->toString().c_str());
//m_dialog->discoverylog->append(QString("\nLast exception: ")+ex->toString().c_str()+"\n");
//m_dialog->discoverylog->append(QString("\nLast exception: ")+ex->toString().c_str()+"\n");
}
if (Objects.size()>0 || Networks.size()>0)
{
if (Networks.size()==0)
if (Networks.size()==0)
setAppropriate( 8,0);
nextButton->setEnabled(true);
nextButton->setDefault(true);
@ -1748,7 +1746,7 @@ void DiscoveryDruid::updateLog()
nextButton->setEnabled(false);
backButton->setEnabled(true);
}
m_dialog->logSaveButton->setEnabled(true);
delete bop;
@ -1771,15 +1769,15 @@ void DiscoveryDruid::updateLog()
{
timer->stop();
disconnect(timer,SIGNAL(timeout()),0,0);
loadDataFromDNS();
cancelButton->show();
FWException * ex=bop->get_latest_error();
if (ex!=NULL)
{
{
QMessageBox::critical(this,tr("Discovery error"), ex->toString().c_str());
//m_dialog->discoverylog->append(QString("\nLast exception: ")+ex->toString().c_str()+"\n");
//m_dialog->discoverylog->append(QString("\nLast exception: ")+ex->toString().c_str()+"\n");
}
if (Objects.size()>0)
{
@ -1810,7 +1808,7 @@ void DiscoveryDruid::changedSeedHost()
userIsTyping=true;
errMessage=m_dialog->seedhosterror_message;
HostName=m_dialog->seedhostname->text();
if (HostName.isEmpty())
{
timer->stop();
@ -1834,19 +1832,19 @@ void DiscoveryDruid::changedSeedHost()
try
{
InetAddr(HostName.toLatin1().constData());
QPalette palette = m_dialog->seedhosterror_message->palette();
palette.setColor(m_dialog->seedhosterror_message->foregroundRole(), Qt::darkGreen);
m_dialog->seedhosterror_message->setPalette(palette);
m_dialog->seedhosterror_message->setText("Address verified");
isSeedHostOK=true;
} catch(const FWException &ex)
} catch(const FWException &ex)
{
QPalette palette = m_dialog->seedhosterror_message->palette();
palette.setColor(m_dialog->seedhosterror_message->foregroundRole(), Qt::darkRed);
m_dialog->seedhosterror_message->setPalette(palette);
m_dialog->seedhosterror_message->setText(ex.toString().c_str());
// need to return focus to the input field in case of error
//m_dialog->seedhostname->setFocus();
@ -1858,10 +1856,10 @@ void DiscoveryDruid::changedSeedHost()
QPalette palette = m_dialog->seedhosterror_message->palette();
palette.setColor(m_dialog->seedhosterror_message->foregroundRole(), Qt::darkRed);
m_dialog->seedhosterror_message->setPalette(palette);
m_dialog->seedhosterror_message->setText("Wrong IPv4 format");
isSeedHostOK=false;
}
}
else
@ -1882,7 +1880,7 @@ void DiscoveryDruid::changedSeedHost()
timer->start(1000);
}
}
nextButton->setEnabled(isSNMPInclNetOK && isSeedHostOK);
nextButton->setEnabled(isSNMPInclNetOK && isSeedHostOK);
}
void DiscoveryDruid::changedInclNet()
@ -1894,9 +1892,9 @@ void DiscoveryDruid::changedInclNet()
{
try
{
InetAddr a(m_dialog->snmpinaddr->text().toLatin1().constData());
InetNetmask n(m_dialog->snmpinmask->text().toLatin1().constData());
InetAddr n(m_dialog->snmpinmask->text().toLatin1().constData());
InetAddrMask(a,n);
m_dialog->confineerror_message->setText(" ");
@ -1906,7 +1904,7 @@ void DiscoveryDruid::changedInclNet()
isSNMPInclNetOK=false;
m_dialog->confineerror_message->setText(ex.toString().c_str());
}
}
else
{
@ -1918,23 +1916,23 @@ void DiscoveryDruid::changedInclNet()
else
{
m_dialog->confineerror_message->setText(" ");
isSNMPInclNetOK=true;
isSNMPInclNetOK=true;
}
}
nextButton->setEnabled(isSNMPInclNetOK && isSeedHostOK);
nextButton->setEnabled(isSNMPInclNetOK && isSeedHostOK);
}
int DiscoveryDruid::monitorOperation()
{
QString buf;
bool fl;
if (fwbdebug) qDebug("monitorOperation bop=%p isRunning=%d",
bop,(bop!=NULL)?bop->isRunning():-1);
fl=false;
while( logger->ready() )
while( logger->ready() )
{
buf= logger->getLine().c_str();
if (buf.endsWith('\n'))
@ -1958,15 +1956,15 @@ int DiscoveryDruid::monitorOperation()
return 0; // BackgroundOp has been disconnected
}
if (bop->isRunning())
if (bop->isRunning())
{
return 1;
}
// send signal "completed", argument is 0 if ok and -1 if error
FWException *ex=bop->get_latest_error();
if (ex)
if (ex)
{
buf= ex->toString().c_str();
if (buf.endsWith('\n'))
@ -2013,7 +2011,7 @@ void DiscoveryDruid::checkSNMPCommunity()
void DiscoveryDruid::changeTargetObject(const QString &buf)
{
QTreeWidgetItem* item=m_dialog->typeChangingList->topLevelItem(0);
while (item!=0)
@ -2055,14 +2053,14 @@ void DiscoveryDruid::typeFirewall()
void DiscoveryDruid::createRealObjects()
{
ObjectDescriptor od;
string type,name,a;
int t=0;
m_dialog->lastprogress->setValue(0);
m_dialog->lastprogress->setMaximum( Objects.size());
QMap<QString,ObjectDescriptor >::iterator i;
for(i=Networks.begin();
i!=Networks.end();
@ -2074,38 +2072,38 @@ void DiscoveryDruid::createRealObjects()
type = od.type;
name=od.sysname;
a = od.addr.toString().c_str();
Network *net=dynamic_cast<Network*>(
mw->createObject(type.c_str(),name.c_str())
);
assert(net!=NULL);
net->setName(name);
net->setAddress(InetAddr(a));
net->setNetmask(InetNetmask(InetAddr(a)));
net->setNetmask(InetAddr(InetAddr(a)));
mw->moveObject(m_dialog->libs->currentText(), net);
}
}
for(i=Objects.begin();
i!=Objects.end();
++i)
{
od=i.value();
type=od.type;
name=od.sysname;
a=od.addr.toString();
if(od.isSelected)
{
if (type==Host::TYPENAME || type==Firewall::TYPENAME)
if (type==Host::TYPENAME || type==Firewall::TYPENAME)
{
FWObject *o=NULL;
o=mw->createObject(type.c_str(),name.c_str());
o->setName(name);
if (od.interfaces.size()==0)
if (od.interfaces.size()==0)
{
Interface *itf= Interface::cast(
mw->createObject(o,Interface::TYPENAME,"nic1")
@ -2113,10 +2111,10 @@ void DiscoveryDruid::createRealObjects()
IPv4 *ipv4= IPv4::cast(
mw->createObject(itf,IPv4::TYPENAME,a.c_str())
);
ipv4->setAddress(InetAddr(a));
ipv4->setNetmask(InetNetmask());
ipv4->setNetmask(InetAddr());
} else
{
map<int,Interface>::const_iterator i;
@ -2164,7 +2162,7 @@ void DiscoveryDruid::createRealObjects()
assert(net!=NULL);
net->setName(name);
net->setAddress(InetAddr(a));
net->setNetmask(InetNetmask(InetAddr(a)));
net->setNetmask(InetAddr(InetAddr(a)));
mw->moveObject(m_dialog->libs->currentText(), net);
}else if (type==IPv4::TYPENAME)
{
@ -2174,7 +2172,7 @@ void DiscoveryDruid::createRealObjects()
assert(obj!=NULL);
obj->setName(name);
obj->setAddress(InetAddr(a));
obj->setNetmask(InetNetmask(InetAddr::getAllOnes()));
obj->setNetmask(InetAddr(InetAddr::getAllOnes()));
mw->moveObject(m_dialog->libs->currentText(), obj);
}
}
@ -2290,7 +2288,7 @@ ObjectDescriptor& ObjectDescriptor::operator=(const ObjectDescriptor& od) {
type = od.type;
isSelected = od.isSelected;
netmask = od.netmask;
return *this;
}
@ -2310,14 +2308,14 @@ void WorkerThread::setProgress(int p)
{
ProgressEvent *event=new ProgressEvent();
event->value=p;
QApplication::postEvent(Widget,event);
}
}
void WorkerThread::done()
{
DoneEvent *event=new DoneEvent();
QApplication::postEvent(Widget,event);
}
@ -2333,7 +2331,7 @@ void WorkerThread::run()
// ================================================================
HostsFileImport::HostsFileImport(const QString &f) :
HostsFileImport::HostsFileImport(const QString &f) :
WorkerThread()
{
file_name = f;
@ -2343,53 +2341,53 @@ void HostsFileImport::run()
{
*Log << "Discovery method:"
<< "Read file in hosts format. \n";
map<InetAddr, vector<string> > reverse_hosts;
HostsFile *hf;
/*
* read hosts file here
* read hosts file here
*/
hf=new HostsFile();
last_error="";
setProgress(10);
*Log << "Parsing file: " << file_name.toLatin1().constData() << "\n";
if (!file_name.isEmpty())
{
try
try
{
hf->parse( file_name.toAscii().constData() );
} catch ( FWException &ex )
} catch ( FWException &ex )
{
last_error = ex.toString().c_str();
*Log << "Exception: " << last_error.toAscii().constData() << "\n";
delete hf;
done();
return;
}
reverse_hosts=hf->getAll();
delete hf;
setProgress(50);
*Log << "Loading the list ...\n";
/*
* convert map format
*/
hosts.clear();
map<InetAddr,vector<string> >::iterator i;
int count=reverse_hosts.size();
int t=0;
for (i=reverse_hosts.begin(); i!=reverse_hosts.end(); ++i)
for (i=reverse_hosts.begin(); i!=reverse_hosts.end(); ++i)
{
ObjectDescriptor od;
od.addr = (*i).first;
od.sysname = ((*i).second).front();
hosts.push_back( od );
setProgress(50+(t++)*50/count);
}
}
@ -2445,6 +2443,6 @@ void ConfigImport::run()
{
*Log << "Can not import configuration for choosen platform\n";
}
done();
}

8
src/gui/DiscoveryDruid.h
View File

@ -67,10 +67,10 @@ class ObjectDescriptor
map<int, libfwbuilder::Interface> interfaces ;
string MAC_addr ;
libfwbuilder::HostEnt dns_info ;
libfwbuilder::InetAddr addr ;
libfwbuilder::InetNetmask netmask ;
string MAC_addr ;
libfwbuilder::HostEnt dns_info ;
libfwbuilder::InetAddr addr ;
libfwbuilder::InetAddr netmask ;
ObjectDescriptor();

196
src/gui/FWObjectPropertiesFactory.cpp
View File

@ -1,4 +1,4 @@
/*
/*
Firewall Builder
@ -17,14 +17,12 @@
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
To get a copy of the GNU General Public License, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
#include "fwbuilder_ph.h"
#include "config.h"
#include "global.h"
#include "utils_no_qt.h"
@ -88,13 +86,13 @@ QString FWObjectPropertiesFactory::getObjectProperties(FWObject *obj)
QString res;
QTextStream str(&res, QIODevice::WriteOnly);
try {
try
{
if (IPv4::isA(obj))
{
str << Address::cast(obj)->getAddress().toString().c_str();
str << IPv4::cast(obj)->getAddress().toString().c_str();
str << "/";
str << Address::cast(obj)->getNetmask().toString().c_str();
str << IPv4::cast(obj)->getNetmask().toString().c_str();
} else if (physAddress::isA(obj))
{
@ -103,7 +101,7 @@ QString FWObjectPropertiesFactory::getObjectProperties(FWObject *obj)
{
str << QObject::tr("DNS record: ")
<< DNSName::cast(obj)->getSourceName().c_str();
} else if (AddressTable::isA(obj))
} else if (AddressTable::isA(obj))
{
str << QObject::tr("Address Table: ")
<< AddressTable::cast(obj)->getSourceName().c_str();
@ -122,16 +120,16 @@ QString FWObjectPropertiesFactory::getObjectProperties(FWObject *obj)
QDateTime dt;
time_t t;
t=obj->getInt("lastModified");dt.setTime_t(t);
QString t_modified = (t)? dt.toString():"-";
t=obj->getInt("lastCompiled");dt.setTime_t(t);
QString t_compiled = (t)? dt.toString():"-";
t=obj->getInt("lastInstalled");dt.setTime_t(t);
QString t_installed = (t)? dt.toString():"-";
str << platform << "(" << readableVersion << ") / " << hostOS;
} else if (Host::isA(obj))
@ -139,10 +137,10 @@ QString FWObjectPropertiesFactory::getObjectProperties(FWObject *obj)
str << Address::cast(obj)->getAddress().toString().c_str();
FWObject *co=obj->getFirstByType("Interface");
if (co!=NULL)
if (co!=NULL)
{
physAddress *paddr=(Interface::cast(co))->getPhysicalAddress();
if (paddr!=NULL)
if (paddr!=NULL)
str << " " << paddr->getPhysAddress().c_str();
}
@ -163,12 +161,18 @@ QString FWObjectPropertiesFactory::getObjectProperties(FWObject *obj)
} else if (Interface::isA(obj))
{
physAddress *paddr=(Interface::cast(obj))->getPhysicalAddress();
if (paddr!=NULL)
Interface *intf = Interface::cast(obj);
FWObjectTypedChildIterator j = obj->findByType(IPv4::TYPENAME);
for ( ; j!=j.end(); ++j)
{
str << " ";
str << paddr->getPhysAddress().c_str();
IPv4 *intf = IPv4::cast(*j);
str << getObjectProperties(*j);
str << "<br>";
}
str << " MAC: ";
physAddress *paddr = intf->getPhysicalAddress();
if (paddr!=NULL)
str << paddr->getPhysAddress().c_str();
} else if (IPService::isA(obj))
{
@ -191,7 +195,7 @@ QString FWObjectPropertiesFactory::getObjectProperties(FWObject *obj)
str << sps << ":" << spe << " / ";
str << dps << ":" << dpe;
} else if (TagService::isA(obj))
} else if (TagService::isA(obj))
{
str << "Pattern: \"" << obj->getStr("tagcode").c_str() << "\"" ;
} else if (Interval::isA(obj))
@ -257,14 +261,14 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
if (accentName) str += "</font>";
str += "<br>\n";
try {
try
{
if (IPv4::isA(obj))
{
if (showPath && !tooltip) str += "<b>Path: </b>" + path + "<br>\n";
str += Address::cast(obj)->getAddress().toString().c_str();
str += IPv4::cast(obj)->getAddress().toString().c_str();
str += "/";
str += Address::cast(obj)->getNetmask().toString().c_str();
str += IPv4::cast(obj)->getNetmask().toString().c_str();
} else if (physAddress::isA(obj))
{
@ -285,7 +289,7 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
str += MultiAddress::cast(obj)->getSourceName().c_str();
str += "<br>\n";
str += (MultiAddress::cast(obj)->isRunTime())?QObject::tr("Run-time"):QObject::tr("Compile-time");
} else if (AddressRange::isA(obj))
{
if (showPath && !tooltip) str += "<b>Path: </b>" + path + "<br>\n";
@ -297,16 +301,16 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
{
if (showPath && !tooltip) str += "<b>Path: </b>" + path + "<br>\n";
str += Address::cast(obj)->getAddress().toString().c_str() ;
FWObject *co=obj->getFirstByType("Interface");
if (co!=NULL)
FWObjectTypedChildIterator j = obj->findByType(
Interface::TYPENAME);
for ( ; j!=j.end(); ++j)
{
physAddress *paddr=(Interface::cast(co))->getPhysicalAddress();
if (paddr!=NULL)
str += QString(" ") + paddr->getPhysAddress().c_str() ;
Interface *intf = Interface::cast(*j);
str += (*j)->getName().c_str();
str += ": ";
str += getObjectProperties(*j);
str += "<br>";
}
} else if (Network::isA(obj))
{
if (showPath && !tooltip) str += "<b>Path: </b>" + path + "<br>\n";
@ -330,7 +334,7 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
{
str += "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;.&nbsp;.&nbsp;.&nbsp;";
break;
} else
} else
{
FWObject *o1=*i;
if (FWReference::cast(o1)!=NULL)
@ -345,25 +349,25 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
QString version = obj->getStr("version").c_str();
QString readableVersion = getVersionString(platform,version);
QString hostOS = obj->getStr("host_OS").c_str();
QDateTime dt;
time_t lm=obj->getInt("lastModified");
time_t lc=obj->getInt("lastCompiled");
time_t li=obj->getInt("lastInstalled");
dt.setTime_t(lm);
QString t_modified = (lm)? dt.toString():"-";
if (lm>lc && lm>li) t_modified=QString("<b>")+t_modified+"</b>";
dt.setTime_t(lc);
QString t_compiled = (lc)? dt.toString():"-";
if (lc>lm && lc>li) t_compiled=QString("<b>")+t_compiled+"</b>";
dt.setTime_t(li);
QString t_installed = (li)? dt.toString():"-";
if (li>lc && li>lm) t_installed=QString("<b>")+t_installed+"</b>";
if (showPath && !tooltip) str += "<b>Path: </b>" + path + "<br>\n";
str += "<table cellspacing=\"0\" cellpadding=\"0\">";
@ -373,23 +377,39 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
readableVersion + "</td></tr>\n";
str += QString("<tr><td>Host OS:</td><td>") +
hostOS + "</td></tr>\n";
str += QString("<tr><td>Modified:</td><td>") +
t_modified + "</td></tr>\n";
str += QString("<tr><td>Compiled:</td><td>") +
t_compiled + "</td></tr>\n";
str += QString("<tr><td>Installed:</td><td>") +
t_installed + "</td></tr>\n";
str += "</table>";
} else if (Interface::isA(obj))
{
str+=QObject::tr("<b>Path:</b> ")+ path +"<br>\n";
str += QObject::tr("<b>Path:</b> ")+ path +"<br>\n";
FWObjectTypedChildIterator j = obj->findByType(IPv4::TYPENAME);
for ( ; j!=j.end(); ++j)
{
IPv4 *intf = IPv4::cast(*j);
str += getObjectProperties(*j);
str += "<br>";
}
physAddress *paddr=(Interface::cast(obj))->getPhysicalAddress();
if (paddr!=NULL)
{
str += "MAC: ";
str += paddr->getPhysAddress().c_str() ;
str += "<br>";
}
QString q;
if (Interface::constcast(obj)->isDyn()) q=" dyn";
if (Interface::constcast(obj)->isUnnumbered()) q=" unnum";
if (Interface::constcast(obj)->isBridgePort()) q=" bridge port";
FWObject *p=obj;
while (p!=NULL && !Firewall::isA(p)) p=p->getParent();
if (p!=NULL && (p->getStr("platform")=="pix" || p->getStr("platform")=="fwsm"))
@ -402,19 +422,11 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
}
if (Interface::constcast(obj)->isUnprotected()) q=q+" unp";
if (q!="") str += " (" + q + ")";
str += "<br>\n";
if (showPath && !tooltip) str += "<b>Path: </b>" + path + "<br>\n";
physAddress *paddr=(Interface::cast(obj))->getPhysicalAddress();
if (paddr!=NULL)
{
str += " ";
str += paddr->getPhysAddress().c_str() ;
}
} else if (CustomService::isA(obj))
{
@ -468,7 +480,7 @@ QString FWObjectPropertiesFactory::getObjectPropertiesDetailed(FWObject *obj,
str += QString("<tr><td>destination port range</td><td>%1:%2</td></tr>\n")
.arg(dps).arg(dpe);
str += "</table>";
} else if (TagService::isA(obj))
} else if (TagService::isA(obj))
{
str += QObject::tr("Pattern: \"%1\"").arg(obj->getStr("tagcode").c_str());
} else if (Interval::isA(obj))
@ -496,13 +508,13 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(PolicyRule *rule)
if (rule!=NULL)
{
string act = rule->getActionAsString();
FWObject *o = rule;
while (o!=NULL && Firewall::cast(o)==NULL) o=o->getParent();
assert(o!=NULL);
Firewall *f=Firewall::cast(o);
string platform=f->getStr("platform");
FWOptions *ropt = rule->getOptionsObject();
string editor=Resources::getActionEditor(platform,act);
@ -543,7 +555,7 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(PolicyRule *rule)
case PolicyRule::Pipe :
if (platform=="ipfw")
{
par = QString("divert ") +
par = QString("divert ") +
ropt->getStr("ipfw_pipe_port_num").c_str();
}
break;
@ -564,7 +576,7 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(PolicyRule *rule)
a = ropt->getStr("ipf_route_option");
if (!a.empty())
{
par = par + " "+
par = par + " "+
getScreenName(a.c_str(),
getRouteOptions_pf_ipf( platform.c_str() ));
}
@ -589,9 +601,9 @@ QString FWObjectPropertiesFactory::getRuleActionProperties(PolicyRule *rule)
default : {}
}
}
}
return par;
}
@ -600,7 +612,7 @@ QString FWObjectPropertiesFactory::getRuleActionPropertiesRich(PolicyRule *rule)
FWObject *p=rule;
while (p!=NULL && !Firewall::isA(p)) p=p->getParent();
assert(p!=NULL);
string platform=p->getStr("platform");
string platform=p->getStr("platform");
QString act = getActionNameForPlatform(rule->getAction(),platform.c_str());
QString par = getRuleActionProperties(rule);
@ -615,7 +627,7 @@ QString FWObjectPropertiesFactory::getRuleActionPropertiesRich(PolicyRule *rule)
QString FWObjectPropertiesFactory::getPolicyRuleOptions(Rule *rule)
{
QString res;
if (rule!=NULL)
{
res="";
@ -625,7 +637,7 @@ QString FWObjectPropertiesFactory::getPolicyRuleOptions(Rule *rule)
Firewall *f=Firewall::cast(o);
string platform=f->getStr("platform");
FWOptions *ropt = rule->getOptionsObject();
if (platform=="iptables")
{
if (!ropt->getStr("log_prefix").empty())
@ -646,26 +658,26 @@ QString FWObjectPropertiesFactory::getPolicyRuleOptions(Rule *rule)
res+=QObject::tr("<b>Netlink group :</b> ");
res+=QString(ropt->getStr("ulog_nlgroup").c_str())+"<br>\n";
}
if (ropt->getInt("limit_value")>0)
{
res+=QObject::tr("<b>Limit Value :</b> ");
res+=QString(ropt->getStr("limit_value").c_str())+"<br>\n";
}
if (!ropt->getStr("limit_suffix").empty())
{
res+=QObject::tr("<b>Limit suffix :</b> ");
res+=getScreenName(ropt->getStr("limit_suffix").c_str(),
getLimitSuffixes(platform.c_str()))+"<br>\n";
}
if (ropt->getInt("limit_burst")>0)
{
res+=QObject::tr("<b>Limit burst :</b> ");
res+=QString(ropt->getStr("limit_burst").c_str())+"<br>\n";
}
res+="<ul>";
if (ropt->getBool("firewall_is_part_of_any_and_networks"))
{
@ -679,8 +691,8 @@ QString FWObjectPropertiesFactory::getPolicyRuleOptions(Rule *rule)
res+="<br>\n";
}
res+="</ul>";
}else if (platform=="ipf")
}else if (platform=="ipf")
{
if (!ropt->getStr("ipf_log_facility").empty())
{
@ -688,14 +700,14 @@ QString FWObjectPropertiesFactory::getPolicyRuleOptions(Rule *rule)
res+=getScreenName(ropt->getStr("ipf_log_facility").c_str(),
getLogFacilities(platform.c_str()))+"<br>\n";
}
if (!ropt->getStr("log_level").empty())
{
res+=QObject::tr("<b>Log level :</b> ");
res+=getScreenName(ropt->getStr("log_level").c_str(),
getLogLevels(platform.c_str()))+"<br>\n";
}
res+="<ul>";
if (ropt->getBool("ipf_return_icmp_as_dest"))
{
@ -715,43 +727,43 @@ QString FWObjectPropertiesFactory::getPolicyRuleOptions(Rule *rule)
res+="<br>\n";
}
res+="</ul>";
}else if (platform=="pf")
{
if (!ropt->getStr("log_prefix").empty())
{
res+=QObject::tr("<b>Log prefix :</b> ");
res+=QString(ropt->getStr("log_prefix").c_str())+"<br>\n";
}
if (ropt->getInt("pf_rule_max_state")>0)
{
res+=QObject::tr("<b>Max state :</b> ");
res+=QString(ropt->getStr("pf_rule_max_state").c_str())+"<br>\n";
}
res+="<ul>";
if (ropt->getBool("stateless"))
{
res+=QObject::tr("<li><b>Stateless</b></li> ");
res+="<br>\n";
}
if (ropt->getBool("pf_source_tracking"))
{
res+=QObject::tr("<li><b>Source tracking</b></li> ");
res+="<br>\n";
res+=QObject::tr("<b>Max src nodes :</b> ");
res+=QString(ropt->getStr("pf_max_src_nodes").c_str())+"<br>\n";
res+=QObject::tr("<b>Max src states:</b> ");
res+=QString(ropt->getStr("pf_max_src_states").c_str())+"<br>\n";
}
res+="</ul>";
}else if (platform=="ipfw")
{
res+="<ul>";
@ -761,17 +773,17 @@ QString FWObjectPropertiesFactory::getPolicyRuleOptions(Rule *rule)
res+="<br>\n";
}
res+="</ul>";
}else if (platform=="pix" || platform=="fwsm")
{
string vers="version_"+f->getStr("version");
res+=QObject::tr("<u><b>Ver:%1</b></u><br>\n").arg(vers.c_str());
if ( Resources::platform_res[platform]->getResourceBool(
"/FWBuilderResources/Target/options/"+vers+"/pix_rule_syslog_settings"))
{
if (!ropt->getStr("log_level").empty())
{
res+=QObject::tr("<b>Log level :</b> ");
@ -783,7 +795,7 @@ QString FWObjectPropertiesFactory::getPolicyRuleOptions(Rule *rule)
res+=QObject::tr("<b>Log interval :</b> ");
res+=QString(ropt->getStr("log_interval").c_str())+"<br>\n";
}
res+="<ul>";
if (ropt->getBool("disable_logging_for_this_rule"))
{
@ -791,19 +803,19 @@ QString FWObjectPropertiesFactory::getPolicyRuleOptions(Rule *rule)
res+="<br>\n";
}
res+="</ul>";
}
}
}
}
return res;
}
QString FWObjectPropertiesFactory::getNATRuleOptions(Rule *rule)
{
QString res;
if (rule!=NULL)
{
res="";
@ -816,7 +828,7 @@ QString FWObjectPropertiesFactory::getNATRuleOptions(Rule *rule)
if (fwbdebug)
qDebug(QString("getNATRuleOptions: platform: %2").arg(platform.c_str()).toAscii().constData());
if (platform=="pf")
{
if (ropt->getBool("pf_bitmask")) res+=QObject::tr("bitmask");
@ -827,7 +839,7 @@ QString FWObjectPropertiesFactory::getNATRuleOptions(Rule *rule)
if (ropt->getBool("pf_static_port")) res+=QObject::tr("static-port");
}
}
return res;
}

6
src/gui/IPv4Dialog.cpp
View File

@ -169,7 +169,7 @@ void IPv4Dialog::validate(bool *res)
{
try
{
InetNetmask( m_dialog->netmask->text().toLatin1().constData() );
InetAddr( m_dialog->netmask->text().toLatin1().constData() );
} catch (FWException &ex)
{
*res=false;
@ -212,10 +212,10 @@ void IPv4Dialog::applyChanges()
try
{
s->setNetmask(
InetNetmask(m_dialog->netmask->text().toLatin1().constData()) );
InetAddr(m_dialog->netmask->text().toLatin1().constData()) );
} catch (FWException &ex) { }
} else
s->setNetmask(InetNetmask());
s->setNetmask(InetAddr());
mw->updateObjName(obj,QString::fromUtf8(oldname.c_str()));

8
src/gui/Importer.cpp
View File

@ -247,7 +247,7 @@ void Importer::addInterfaceAddress(const std::string &a,
aname);
current_interface->setUnnumbered(false);
IPv4::cast(nobj)->setAddress( InetAddr(a) );
IPv4::cast(nobj)->setNetmask( InetNetmask(nm) );
IPv4::cast(nobj)->setNetmask( InetAddr(nm) );
*logger << "Interface address: " << a << "/" << nm << "\n";
}
@ -826,7 +826,7 @@ FWObject* Importer::createAddress(const std::string &addr,
std::string name = std::string("h-") + addr;
a = Address::cast(createObject(IPv4::TYPENAME, name));
a->setAddress(InetAddr(addr));
a->setNetmask(InetNetmask(InetAddr::getAllOnes()));
a->setNetmask(InetAddr(InetAddr::getAllOnes()));
a->setComment(comment);
all_objects[sig] = a;
*logger << "Address object: " << name << "\n";
@ -847,7 +847,7 @@ FWObject* Importer::createAddress(const std::string &addr,
try
{
net->setNetmask( InetNetmask(netmask) );
net->setNetmask( InetAddr(netmask) );
} catch (FWException &ex)
{
if (netmask.find('.')!=std::string::npos)
@ -866,7 +866,7 @@ FWObject* Importer::createAddress(const std::string &addr,
try
{
str >> nm_len;
net->setNetmask( InetNetmask(nm_len) );
net->setNetmask( InetAddr(nm_len) );
} catch (std::exception& e)
{
// could not convert netmask as simple integer

6
src/gui/InterfaceData.cpp
View File

@ -62,9 +62,9 @@ void InterfaceData::guessLabel(const string &platform)
void InterfaceData::guessSecurityLevel(const string &platform)
{
InetAddrMask n10(InetAddr("10.0.0.0"), InetNetmask("255.0.0.0"));
InetAddrMask n172(InetAddr("172.16.0.0"), InetNetmask("255.240.0.0"));
InetAddrMask n192(InetAddr("192.168.0.0"), InetNetmask("255.255.0.0"));
InetAddrMask n10(InetAddr("10.0.0.0"), InetAddr("255.0.0.0"));
InetAddrMask n172(InetAddr("172.16.0.0"), InetAddr("255.240.0.0"));
InetAddrMask n192(InetAddr("192.168.0.0"), InetAddr("255.255.0.0"));
securityLevel=-1;

4
src/gui/NetworkDialog.cpp
View File

@ -125,7 +125,7 @@ void NetworkDialog::validate(bool *res)
}
try
{
InetNetmask( m_dialog->netmask->text().toLatin1().constData() );
InetAddr( m_dialog->netmask->text().toLatin1().constData() );
} catch (FWException &ex)
{
*res=false;
@ -159,7 +159,7 @@ void NetworkDialog::applyChanges()
s->setAddress(
InetAddr(m_dialog->address->text().toLatin1().constData()) );
s->setNetmask(
InetNetmask(m_dialog->netmask->text().toLatin1().constData()) );
InetAddr(m_dialog->netmask->text().toLatin1().constData()) );
} catch (FWException &ex)
{
/* exception thrown if user types illegal m_dialog->address or m_dialog->netmask */

4
src/gui/newFirewallDialog.cpp
View File

@ -595,7 +595,7 @@ void newFirewallDialog::addInterface()
try
{
InetAddr(addr.toLatin1().constData());
InetNetmask(netm.toLatin1().constData());
InetAddr(netm.toLatin1().constData());
}
catch (FWException &ex)
{
@ -812,7 +812,7 @@ void newFirewallDialog::finishClicked()
QString addrname=QString("%1:%2:ip").arg(m_dialog->obj_name->text()).arg(name);
IPv4 *oa = IPv4::cast(mw->createObject(oi, IPv4::TYPENAME,addrname));
oa->setAddress( InetAddr(addr.toLatin1().constData()) );
oa->setNetmask( InetNetmask(netmask.toLatin1().constData()) );
oa->setNetmask( InetAddr(netmask.toLatin1().constData()) );
}
// updateObjName has a side effect: it causes redraw of the ruleset
// views in the main window

4
src/gui/newHostDialog.cpp
View File

@ -503,7 +503,7 @@ void newHostDialog::addInterface()
try
{
InetAddr(addr.toLatin1().constData());
InetNetmask(netm.toLatin1().constData());
InetAddr(netm.toLatin1().constData());
}
catch (FWException &ex)
{
@ -632,7 +632,7 @@ void newHostDialog::finishClicked()
mw->createObject(oi, IPv4::TYPENAME,addrname)
);
oa->setAddress( InetAddr(addr.toLatin1().constData()) );
oa->setNetmask( InetNetmask(netmask.toLatin1().constData()) );
oa->setNetmask( InetAddr(netmask.toLatin1().constData()) );
}
mw->updateObjName(oi,"","",false);

8
src/iosacl/PolicyCompiler_iosacl.cpp
View File

@ -109,14 +109,14 @@ int PolicyCompiler_iosacl::prolog()
{
if (netmask.find(".")!=string::npos)
{
InetNetmask nm(netmask);
InetAddr nm(netmask);
nm.getLength(); // to avoid warning abt unused var
} else
{
int nm_length;
istringstream str(netmask);
str >> nm_length;
InetNetmask nm(nm_length);
InetAddr nm(nm_length);
netmask = nm.toString();
}
} catch(FWException &ex)
@ -143,10 +143,10 @@ int PolicyCompiler_iosacl::prolog()
// cisco uses "wildcards" instead of netmasks
//long nm = InetNetmask(netmask).to32BitInt();
//long nm = InetAddr(netmask).to32BitInt();
//struct in_addr na;
//na.s_addr = ~nm;
InetAddr nnm( ~(InetNetmask(netmask)) );
InetAddr nnm( ~(InetAddr(netmask)) );
output << clearACLcmd << " " << temp_acl << endl;
output << "ip access-list extended " << temp_acl << endl;

6
src/iosacl/PolicyCompiler_iosacl_writers.cpp
View File

@ -372,7 +372,7 @@ string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o)
ostringstream str;
InetAddr srcaddr=o->getAddress();
InetNetmask srcmask=o->getNetmask();
InetAddr srcmask=o->getNetmask();
if (Interface::cast(o)!=NULL)
{
@ -382,11 +382,11 @@ string PolicyCompiler_iosacl::PrintRule::_printAddr(libfwbuilder::Address *o)
return string("interface ") + interface_->getLabel() + " ";
}
srcmask=InetNetmask(InetAddr::getAllOnes());
srcmask=InetAddr(InetAddr::getAllOnes());
}
if (IPv4::cast(o)!=NULL)
srcmask=InetNetmask(InetAddr::getAllOnes());
srcmask=InetAddr(InetAddr::getAllOnes());
if (srcaddr.isAny() && srcmask.isAny())

30
src/ipt/NATCompiler_PrintRule.cpp
View File

@ -460,30 +460,30 @@ string NATCompiler_ipt::PrintRule::_printAddr(Address *o,bool print_mask,bool p
ostr << a1.toString() << "-" << a2.toString();
} else
{
const InetAddr& addr=o->getAddress();
const InetNetmask& mask=o->getNetmask();
const InetAddr& addr = o->getAddress();
const InetAddr& mask = o->getNetmask();
Interface *iface = Interface::cast(o);
if (iface!=NULL)
{
if (iface->isDyn() && iface->getBool("use_var_address"))
{
ostr << "$" << ipt_comp->getInterfaceVarName(iface) << " ";
return ostr.str();
}
ostr << addr.toString();
return ostr.str();
}
if (addr == InetAddr::getAny() && mask == InetAddr::getAny())
{
ostr << "0/0";
} else
{
Interface *iface;
if ( (iface=Interface::cast(o))!=NULL )
{
if (iface->isDyn() && iface->getBool("use_var_address"))
{
ostr << "$" << ipt_comp->getInterfaceVarName(iface) << " ";
return ostr.str();
}
ostr << addr.toString();
return ostr.str();
}
ostr << addr.toString();
if (print_mask &&
dynamic_cast<InetAddrMask*>(o)->dimension()!=1 &&
Address::cast(o)->dimension()!=1 &&
!mask.isHostMask())
{
ostr << "/" << mask.getLength();

4
src/ipt/NATCompiler_ipt.cpp
View File

@ -189,7 +189,7 @@ void NATCompiler_ipt::_expandInterface(Interface *iface,
{
if (physAddress::cast(*j)!=NULL) continue;
InetAddrMask *ipv4 = dynamic_cast<InetAddrMask*>(*j);
const InetAddrMask *ipv4 = Address::cast(*j)->getAddressObjectInetAddrMask();
if (ipv4!=NULL && use_mac && pa!=NULL)
{
combinedAddress *ca=new combinedAddress(dbcopy,true);
@ -234,7 +234,7 @@ bool NATCompiler_ipt::ConvertLoadBalancingRules::processNext()
FWObject *obj = NULL;
if (FWReference::cast(o)!=NULL)
obj=FWReference::cast(o)->getPointer();
InetAddrMask *a = dynamic_cast<InetAddrMask*>(obj);
const InetAddrMask *a = Address::cast(obj)->getAddressObjectInetAddrMask();
al.push_back( a->getAddressPtr() );
}

5
src/ipt/OSConfigurator_linux24.cpp
View File

@ -261,7 +261,8 @@ void OSConfigurator_linux24::addVirtualAddressForNAT(const Address *addr)
Interface *iface = Interface::cast(vaddr->getParent());
assert(iface!=NULL);
InetAddrMask *vaddr_addr = dynamic_cast<InetAddrMask*>(vaddr);
const InetAddrMask *vaddr_addr = Address::cast(
vaddr)->getAddressObjectInetAddrMask();
assert(vaddr_addr!=NULL);
ostr << "add_addr " << addr->getAddress().toString() << " "
@ -361,7 +362,7 @@ void OSConfigurator_linux24::configureInterfaces()
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
for ( ; j!=j.end(); ++j )
{
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
const InetAddrMask *iaddr = Address::cast(*j)->getAddressObjectInetAddrMask();
output << "add_addr " << iaddr->getAddress().toString() << " "
<< iaddr->getNetmask().getLength() << " "

65
src/ipt/PolicyCompiler_PrintRule.cpp
View File

@ -907,7 +907,7 @@ string PolicyCompiler_ipt::PrintRule::_printAddr(Address *o)
}
const InetAddr& addr = o->getAddress();
const InetNetmask& mask = o->getNetmask();
const InetAddr& mask = o->getNetmask();
if (addr.isAny() && mask.isAny())
{
@ -917,7 +917,7 @@ string PolicyCompiler_ipt::PrintRule::_printAddr(Address *o)
ostr << addr.toString();
if (Interface::cast(o)==NULL &&
dynamic_cast<InetAddrMask*>(o)->dimension() > 1 &&
Address::cast(o)->dimension() > 1 &&
!mask.isHostMask())
{
ostr << "/" << mask.getLength();
@ -1108,26 +1108,51 @@ string PolicyCompiler_ipt::PrintRule::PolicyRuleToString(PolicyRule *rule)
if (!src->isAny())
{
string physaddress="";
if (physAddress::isA(src))
physaddress= physAddress::cast(src)->getPhysAddress();
if (combinedAddress::isA(src))
physaddress= combinedAddress::cast(src)->getPhysAddress();
if ( ! physaddress.empty())
if (physAddress::isA(src) || combinedAddress::isA(src))
{
command_line << " -m mac --mac-source " << _printSingleObjectNegation(srcrel);
command_line << physaddress;
}
/*
* fool-proof: this is last resort check for situation when user created IPv4 object
* for the interface but left it with empty address ( 0.0.0.0 ).
string physaddress = "";
if (physAddress::isA(src))
{
physaddress = physAddress::cast(src)->getPhysAddress();
if (physaddress.empty())
{
compiler->warning("Empty MAC address in rule " +
rule->getLabel());
physaddress = "00:00:00:00:00:00";
}
}
if (combinedAddress::isA(src))
physaddress = combinedAddress::cast(src)->getPhysAddress();
/* physAddress component of combinedAddress can be empty. For example
* this happens when an object with both IP and MAC addresses is found
* in "source" and rule is determined to go into OUTPUT chain. On the
* other hand, if physAddress object has no MAC address, it is always
* an error.
*/
if ( ! physaddress.empty() && src->getAddress()==InetAddr())
{
;
if (!physaddress.empty())
{
command_line << " -m mac --mac-source "
<< _printSingleObjectNegation(srcrel);
command_line << physaddress;
}
/*
* fool-proof: this is last resort check for situation when user
* created IPv4 object for the interface but left it with empty
* address ( 0.0.0.0 ).
*
* note that combinedAddress inherits IPv4 and therefore
* combinedAddress::hasInetAddress returns true;
*
*/
if (src->hasInetAddress() && !src->getAddress().isAny())
{
command_line << " -s " << _printSingleObjectNegation(srcrel);
command_line << _printAddr(src);
}
} else
{
command_line << " -s " << _printSingleObjectNegation(srcrel);

19
src/ipt/PolicyCompiler_ipt.cpp
View File

@ -181,7 +181,7 @@ void PolicyCompiler_ipt::_expandInterface(Interface *iface,
}
if (physAddress::cast(*j)!=NULL)
{
pa=physAddress::cast(*j);
pa = physAddress::cast(*j);
continue;
}
lother.push_back(*j);
@ -229,16 +229,17 @@ void PolicyCompiler_ipt::_expandInterface(Interface *iface,
std::list<FWObject*>::iterator j=lipaddr.begin();
for ( ; j!=lipaddr.end(); j++)
{
InetAddrMask *ipv4 = dynamic_cast<InetAddrMask*>(*j);
const InetAddrMask *ipv4 = Address::cast(*j)->getAddressObjectInetAddrMask();
if (use_mac)
{
combinedAddress *ca=new combinedAddress();
combinedAddress *ca = new combinedAddress();
dbcopy->add(ca);
cacheObj(ca);
ca->setName( "CA("+iface->getName()+")" );
ca->setAddress( ipv4->getAddress() );
ca->setNetmask( ipv4->getNetmask() );
ca->setPhysAddress( pa->getPhysAddress() );
ol.push_back(ca);
} else
ol.push_back(*j);
@ -338,7 +339,7 @@ int PolicyCompiler_ipt::prolog()
bcast255->setId(BCAST_255_OBJ_ID);
bcast255->setName("Broadcast_addr");
bcast255->setAddress(InetAddr::getAllOnes());
bcast255->setNetmask(InetNetmask(InetAddr::getAllOnes()));
bcast255->setNetmask(InetAddr(InetAddr::getAllOnes()));
dbcopy->add(bcast255);
cacheObj(bcast255);
@ -1722,7 +1723,7 @@ bool PolicyCompiler_ipt::bridgingFw::checkForMatchingBroadcastAndMulticast(
FWObjectTypedChildIterator k = iface->findByType(IPv4::TYPENAME);
for ( ; k!=k.end(); ++k )
{
InetAddrMask *ipv4 = dynamic_cast<InetAddrMask*>(*k);
const InetAddrMask *ipv4 = Address::cast(*k)->getAddressObjectInetAddrMask();
/*
* bug #780345: if interface has netmask 255.255.255.255, its own
@ -2999,10 +3000,16 @@ bool PolicyCompiler_ipt::checkMACinOUTPUTChain::processNext()
Address *src =compiler->getFirstSrc(rule); assert(src);
if (physAddress::isA(src))
compiler->abort(_("Can not match on MAC address of the firewall in rule ")+rule->getLabel());
compiler->abort("Can not match on MAC address of the firewall "
"in rule " + rule->getLabel());
if (combinedAddress::isA(src))
{
compiler->warning("Can not match on MAC address of the firewall "
"(chain OUTPUT) "
"in rule " + rule->getLabel());
combinedAddress::cast(src)->setPhysAddress("");
}
}
return true;

4
src/ipt/RoutingCompiler_ipt_writers.cpp
View File

@ -79,7 +79,7 @@ string RoutingCompiler_ipt::PrintRule::_printAddr(Address *o)
}
InetAddr addr;
InetNetmask mask;
InetAddr mask;
try {
addr=o->getAddress();
mask = o->getNetmask();
@ -111,7 +111,7 @@ string RoutingCompiler_ipt::PrintRule::_printAddr(Address *o)
ostr << addr.toString();
if (Interface::cast(o)==NULL &&
dynamic_cast<InetAddrMask*>(o)->dimension() > 1 &&
Address::cast(o)->dimension() > 1 &&
!mask.isHostMask())
{
ostr << "/" << mask.getLength();

12
src/ipt/combinedAddress.cpp
View File

@ -23,6 +23,9 @@
*/
#include <assert.h>
#include <iostream>
#include <fwbuilder/libfwbuilder-config.h>
#include <combinedAddress.h>
@ -46,7 +49,7 @@ std::string combinedAddress::getPhysAddress() const
void combinedAddress::setPhysAddress(const std::string &s)
{
physAddress=s;
physAddress = s;
}
bool combinedAddress::isAny() const
@ -54,3 +57,10 @@ bool combinedAddress::isAny() const
return (IPv4::isAny() && physAddress=="");
}
FWObject& combinedAddress::shallowDuplicate(const FWObject *other,
bool preserve_id) throw(FWException)
{
physAddress = dynamic_cast<const combinedAddress*>(other)->physAddress;
return IPv4::shallowDuplicate(other, preserve_id);
}

4
src/ipt/combinedAddress.h
View File

@ -48,6 +48,10 @@ class combinedAddress : public IPv4
combinedAddress(const FWObject *root,bool prepopulate);
virtual ~combinedAddress();
virtual FWObject& shallowDuplicate(const FWObject *obj,
bool preserve_id = true)
throw(FWException);
std::string getPhysAddress() const;
void setPhysAddress(const std::string &s);

4
src/ipt/ipt.cpp
View File

@ -349,7 +349,7 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
} else
{
list<FWObject*> la=iface->getByType(IPv4::TYPENAME);
list<FWObject*> la = iface->getByType(IPv4::TYPENAME);
if ( iface->isRegular() && la.empty() )
{
char errstr[256];
@ -360,7 +360,7 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
for (list<FWObject*>::iterator j=la.begin(); j!=la.end(); ++j)
{
InetAddrMask *ipv4 = dynamic_cast<InetAddrMask*>(*j);
const InetAddrMask *ipv4 = IPv4::cast(*j)->getAddressObjectInetAddrMask();
if ( ipv4->getAddress().isAny())
{

44
src/pf/pf.cpp
View File

@ -313,20 +313,26 @@ int main(int argc, char * const *argv)
if (l3.size()>0)
{
char errstr[256];
for (list<FWObject*>::iterator j=l3.begin(); j!=l3.end(); ++j)
for (list<FWObject*>::iterator j=l3.begin();
j!=l3.end(); ++j)
{
if ( objdb->findAllReferences(*j).size()!=0 )
{
sprintf(errstr,
_("Dynamic interface %s has an IP address that is used in the firewall policy rule.\n"),
"Dynamic interface %s has an IP address that"
"is used in the firewall policy rule.\n",
iface->getName().c_str() );
throw FWException(errstr);
}
}
sprintf(errstr,
_("Dynamic interface %s should not have an IP address object attached to it. This IP address object will be ignored.\n"),
"Dynamic interface %s should not have an IP address"
" object attached to it. This IP address object "
"will be ignored.\n",
iface->getName().c_str() );
cerr << errstr;
for (list<FWObject*>::iterator j=l3.begin(); j!=l3.end(); ++j)
for (list<FWObject*>::iterator j=l3.begin();
j!=l3.end(); ++j)
iface->remove(*j);
}
} else
@ -357,47 +363,49 @@ _("Dynamic interface %s should not have an IP address object attached to it. Thi
}
FWOptions* options=fw->getOptionsObject();
FWOptions* options = fw->getOptionsObject();
string s;
string firewall_dir=options->getStr("firewall_dir");
string firewall_dir = options->getStr("firewall_dir");
if (firewall_dir=="") firewall_dir="/etc/fw";
string prolog_place = options->getStr("prolog_place");
if (prolog_place.empty()) prolog_place = "fw_file"; // old default
string pre_hook= fw->getOptionsObject()->getStr("prolog_script");
string pre_hook = fw->getOptionsObject()->getStr("prolog_script");
bool debug=options->getBool("debug");
string shell_dbg=(debug)?"-x":"" ;
string pfctl_dbg=(debug)?"-v ":"";
bool debug = options->getBool("debug");
string shell_dbg = (debug)?"-x":"" ;
string pfctl_dbg = (debug)?"-v ":"";
string pfctl_f_option="-f ";
string pfctl_f_option = "-f ";
// if (fw->getStr("version")=="obsd_3.2") pfctl_f_option="-f ";
if (fw->getStr("version")=="obsd_lt_3.2") pfctl_f_option="-R ";
Preprocessor_pf* prep=new Preprocessor_pf(objdb , fwobjectname);
Preprocessor_pf* prep = new Preprocessor_pf(objdb , fwobjectname);
prep->compile();
/*
* Process firewall options, build OS network configuration script
*/
OSConfigurator *oscnf=NULL;
string family=Resources::os_res[fw->getStr("host_OS")]->Resources::getResourceStr("/FWBuilderResources/Target/family");
string family = Resources::os_res[fw->getStr("host_OS")
]->Resources::getResourceStr("/FWBuilderResources/Target/family");
if (family=="solaris")
oscnf=new OSConfigurator_solaris(objdb , fwobjectname);
if (family=="openbsd")
{
cerr << "Calling OSConfigurator_openbsd" << endl;
oscnf=new OSConfigurator_openbsd(objdb , fwobjectname);
}
if (family=="freebsd")
oscnf=new OSConfigurator_freebsd(objdb , fwobjectname);
if (oscnf==NULL)
throw FWException(_("Unrecognized host OS ")+fw->getStr("host_OS")+" (family "+family+")");
throw FWException(_("Unrecognized host OS ") +
fw->getStr("host_OS")+" (family "+family+")");
oscnf->prolog();

33
src/pflib/NATCompiler_ipf_writers.cpp
View File

@ -38,6 +38,7 @@
#include "fwbuilder/Interface.h"
#include "fwbuilder/IPv4.h"
#include "fwbuilder/Firewall.h"
#include "fwbuilder/DNSName.h"
#include <iostream>
@ -73,8 +74,24 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address *o, bool print_netmask)
{
FWOptions* options=compiler->fw->getOptionsObject();
MultiAddressRunTime *atrt = MultiAddressRunTime::cast(o);
if (atrt!=NULL)
{
if (atrt->getSubstitutionTypeName()==DNSName::TYPENAME)
{
compiler->output << atrt->getSourceName() << " ";
return;
}
// at this time we only support two types of MultiAddress
// objects: AddressTable and DNSName. Both should be converted
// to MultiAddressRunTime at this point. If we get some other
// kind of MultiAddressRunTime object, we do not know what to do
// with it so we stop.
assert(atrt==NULL);
}
InetAddr addr=o->getAddress();
InetNetmask mask=o->getNetmask();
InetAddr mask=o->getNetmask();
if (Interface::cast(o)!=NULL && Interface::cast(o)->isDyn())
{
@ -87,10 +104,10 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address *o, bool print_netmask)
}
if (Interface::cast(o)!=NULL && ! Interface::cast(o)->isDyn())
mask = InetNetmask(InetAddr::getAllOnes());
mask = InetAddr(InetAddr::getAllOnes());
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
mask = InetNetmask(InetAddr::getAllOnes());
if (o->dimension()==1)
mask = InetAddr(InetAddr::getAllOnes());
if (addr.isAny() && mask.isAny())
{
@ -109,13 +126,13 @@ void NATCompiler_ipf::PrintRule::_printAddr_L(Address *o, bool print_netmask)
void NATCompiler_ipf::PrintRule::_printAddr_R(Address *o, bool print_netmask)
{
InetAddr addr = o->getAddress();
InetNetmask mask = o->getNetmask();
InetAddr mask = o->getNetmask();
if (Interface::cast(o) != NULL)
mask = InetNetmask(InetAddr::getAllOnes());
mask = InetAddr(InetAddr::getAllOnes());
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
mask = InetNetmask(InetAddr::getAllOnes());
if (o->dimension()==1)
mask = InetAddr(InetAddr::getAllOnes());
if (addr.isAny() && print_netmask && mask.isHostMask())
{

15
src/pflib/NATCompiler_pf.cpp
View File

@ -97,8 +97,7 @@ int NATCompiler_pf::prolog()
loopback_address->setName("__loopback_address__");
loopback_address->setId("__loopback_address_id__");
dynamic_cast<InetAddrMask*>(loopback_address)->setAddress(
InetAddr::getLoopbackAddr());
IPv4::cast(loopback_address)->setAddress(InetAddr::getLoopbackAddr());
dbcopy->add(loopback_address,false);
cacheObj(loopback_address);
@ -390,8 +389,8 @@ bool NATCompiler_pf::addVirtualAddress::processNext()
else return true;
assert(a!=NULL);
if ( ! a->isAny() && a->getId()!=compiler->getFwId() ) {
if ( ! a->isAny() && a->getId()!=compiler->getFwId() )
{
list<FWObject*> l2=compiler->fw->getByType(Interface::TYPENAME);
for (list<FWObject*>::iterator i=l2.begin(); i!=l2.end(); ++i)
{
@ -973,11 +972,11 @@ void NATCompiler_pf::compile()
"replace references to the firewall in TSrc" ) );
add( new ReplaceObjectsTDst( "replace objects in TDst" ) );
if ( manage_virtual_addr ) {
add( new addVirtualAddress("add virtual addresses for NAT rules"));
}
add( new ExpandMultipleAddresses( "expand multiple addresses" ) );
if ( manage_virtual_addr )
add( new addVirtualAddress("add virtual addresses for NAT rules"));
add( new checkForUnnumbered("check for unnumbered interfaces" ) );
add( new checkForDynamicInterfacesOfOtherObjects(
"check for dynamic interfaces of other hosts and firewalls"));

8
src/pflib/NATCompiler_pf_writers.cpp
View File

@ -326,7 +326,7 @@ void NATCompiler_pf::PrintRule::_printAddr(FWObject *o)
Address *a = Address::cast(o);
InetAddr addr=a->getAddress();
InetNetmask mask=a->getNetmask();
InetAddr mask=a->getNetmask();
if (Interface::cast(o)!=NULL)
{
@ -337,12 +337,12 @@ void NATCompiler_pf::PrintRule::_printAddr(FWObject *o)
return;
}
mask = InetNetmask(InetAddr::getAllOnes());
mask = InetAddr(InetAddr::getAllOnes());
}
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
if (Address::cast(o)->dimension()==1)
{
mask = InetNetmask(InetAddr::getAllOnes());
mask = InetAddr(InetAddr::getAllOnes());
}
if (addr.isAny() && mask.isAny())

6
src/pflib/OSConfigurator_freebsd.cpp
View File

@ -90,7 +90,7 @@ void OSConfigurator_freebsd::addVirtualAddressForNAT(const Address *addr)
FWObject *iaddr = findAddressFor(addr, fw );
if (iaddr!=NULL)
{
InetAddrMask *iaddr_addr = dynamic_cast<InetAddrMask*>(iaddr);
Address *iaddr_addr = Address::cast(iaddr);
assert(iaddr_addr!=NULL);
Interface *iface = Interface::cast(iaddr->getParent());
assert(iface!=NULL);
@ -238,10 +238,10 @@ void OSConfigurator_freebsd::configureInterfaces()
if (!iface->isRegular()) continue;
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
FWObjectTypedChildIterator j = iface->findByType(IPv4::TYPENAME);
for ( ; j!=j.end(); ++j )
{
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
Address *iaddr = Address::cast(*j);
output << "add_addr " << iaddr->getAddress().toString() << " "
<< iaddr->getNetmask().toString() << " "
<< iface->getName() << endl;

4
src/pflib/OSConfigurator_macosx.cpp
View File

@ -84,7 +84,7 @@ void OSConfigurator_macosx::addVirtualAddressForNAT(const Address *addr)
FWObject *iaddr = findAddressFor(addr, fw );
if (iaddr!=NULL)
{
InetAddrMask *iaddr_addr = dynamic_cast<InetAddrMask*>(iaddr);
Address *iaddr_addr = Address::cast(iaddr);
assert(iaddr_addr!=NULL);
Interface *iface = Interface::cast(iaddr->getParent());
assert(iface!=NULL);
@ -176,7 +176,7 @@ void OSConfigurator_macosx::configureInterfaces()
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
for ( ; j!=j.end(); ++j )
{
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
Address *iaddr = Address::cast(*j);
output << "add_addr " << iaddr->getAddress().toString() << " "
<< iaddr->getNetmask().toString() << " "
<< iface->getName() << endl;

13
src/pflib/OSConfigurator_openbsd.cpp
View File

@ -87,12 +87,14 @@ void OSConfigurator_openbsd::addVirtualAddressForNAT(const Network *nw)
void OSConfigurator_openbsd::addVirtualAddressForNAT(const Address *addr)
{
if (virtual_addresses.empty() ||
find(virtual_addresses.begin(),virtual_addresses.end(),addr->getAddress())==virtual_addresses.end())
find(virtual_addresses.begin(),
virtual_addresses.end(),
addr->getAddress()) == virtual_addresses.end())
{
FWObject *iaddr = findAddressFor(addr, fw );
if (iaddr!=NULL)
{
InetAddrMask *iaddr_addr = dynamic_cast<InetAddrMask*>(iaddr);
Address *iaddr_addr = Address::cast(iaddr);
assert(iaddr_addr!=NULL);
Interface *iface = Interface::cast(iaddr->getParent());
assert(iface!=NULL);
@ -103,7 +105,8 @@ void OSConfigurator_openbsd::addVirtualAddressForNAT(const Address *addr)
virtual_addresses.push_back(addr->getAddress());
} else
warning(_("Can not add virtual address ") + addr->getAddress().toString() );
warning(_("Can not add virtual address ") +
addr->getAddress().toString() );
}
}
@ -119,7 +122,7 @@ void OSConfigurator_openbsd::addVirtualAddressForNAT(const Address *addr)
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
for ( ; j!=j.end(); ++j )
{
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
Address *iaddr = Address::cast(*j);
if ( ipv4->belongs( addr->getAddress() ) )
{
output << "ifconfig "
@ -213,7 +216,7 @@ void OSConfigurator_openbsd::configureInterfaces()
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
for ( ; j!=j.end(); ++j )
{
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
Address *iaddr = Address::cast(*j);
output << "add_addr " << iaddr->getAddress().toString() << " "
<< iaddr->getNetmask().toString() << " "
<< iface->getName() << endl;

4
src/pflib/OSConfigurator_solaris.cpp
View File

@ -101,7 +101,7 @@ void OSConfigurator_solaris::addVirtualAddressForNAT(const Address *addr)
FWObject *iaddr = findAddressFor(addr, fw );
if (iaddr!=NULL)
{
InetAddrMask *iaddr_addr = dynamic_cast<InetAddrMask*>(iaddr);
Address *iaddr_addr = Address::cast(iaddr);
assert(iaddr_addr!=NULL);
Interface *iface=Interface::cast(iaddr->getParent());
assert(iface!=NULL);
@ -192,7 +192,7 @@ void OSConfigurator_solaris::configureInterfaces()
FWObjectTypedChildIterator j=iface->findByType(IPv4::TYPENAME);
for ( ; j!=j.end(); ++j )
{
InetAddrMask *iaddr = dynamic_cast<InetAddrMask*>(*j);
Address *iaddr = Address::cast(*j);
output << "add_addr " << iaddr->getAddress().toString() << " "
<< iaddr->getNetmask().toString() << " "
<< iface->getName() << endl;

8
src/pflib/PolicyCompiler_ipf_writers.cpp
View File

@ -268,7 +268,7 @@ void PolicyCompiler_ipf::PrintRule::_printAddr(Address *o,bool neg)
}
InetAddr addr=o->getAddress();
InetNetmask mask=o->getNetmask();
InetAddr mask=o->getNetmask();
if (options->getBool("dynAddr") &&
Interface::cast(o)!=NULL && Interface::cast(o)->isDyn())
@ -279,12 +279,12 @@ void PolicyCompiler_ipf::PrintRule::_printAddr(Address *o,bool neg)
}
if (Interface::cast(o)!=NULL) {
mask = InetNetmask(InetAddr::getAllOnes());
mask = InetAddr(InetAddr::getAllOnes());
}
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
if (o->dimension()==1)
{
mask = InetNetmask(InetAddr::getAllOnes());
mask = InetAddr(InetAddr::getAllOnes());
}
if (addr.isAny() && mask.isAny())

8
src/pflib/PolicyCompiler_ipfw_writers.cpp
View File

@ -291,13 +291,13 @@ void PolicyCompiler_ipfw::PrintRule::_printAddr(Address *o,bool neg)
}
InetAddr addr=o->getAddress();
InetNetmask mask=o->getNetmask();
InetAddr mask=o->getNetmask();
if (Interface::cast(o)!=NULL)
mask = InetNetmask(InetAddr::getAllOnes());
mask = InetAddr(InetAddr::getAllOnes());
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
mask = InetNetmask(InetAddr::getAllOnes());
if (o->dimension()==1)
mask = InetAddr(InetAddr::getAllOnes());
if (addr.isAny() && mask.isAny())
{

6
src/pflib/PolicyCompiler_pf.cpp
View File

@ -389,7 +389,7 @@ void PolicyCompiler_pf::addDefaultPolicyRule()
string mgmt_addr = getCachedFwOpt()->getStr("mgmt_addr");
InetAddr addr;
InetNetmask netmask(InetAddr::getAllOnes());
InetAddr netmask(InetAddr::getAllOnes());
try
{
addr = InetAddr(mgmt_addr);
@ -401,11 +401,11 @@ void PolicyCompiler_pf::addDefaultPolicyRule()
int o1,o2,o3,o4;
if(sscanf(nm.c_str(), "%3u.%3u.%3u.%3u", &o1, &o2, &o3, &o4)==4)
{
netmask = InetNetmask(nm);
netmask = InetAddr(nm);
} else
{
sscanf(nm.c_str(),"%u",&o1);
netmask = InetNetmask(o1);
netmask = InetAddr(o1);
}
}
} catch(FWException &ex)

14
src/pflib/PolicyCompiler_pf_writers.cpp
View File

@ -195,14 +195,14 @@ void PolicyCompiler_pf::PrintRule::_printRouteOptions(PolicyRule *rule)
}
try
{
InetNetmask roaddr_netmask;
InetAddr roaddr_netmask;
string n = roaddr.substr(sp+1);
if (n.find('.')!=std::string::npos)
{
roaddr_netmask = InetNetmask(n);
roaddr_netmask = InetAddr(n);
} else
{
roaddr_netmask = InetNetmask(
roaddr_netmask = InetAddr(
atoi(n.c_str()));
}
if (roaddr_netmask.getLength()==32)
@ -597,7 +597,7 @@ void PolicyCompiler_pf::PrintRule::_printAddr(Address *o,bool neg)
}
InetAddr addr=o->getAddress();
InetNetmask mask=o->getNetmask();
InetAddr mask=o->getNetmask();
if (Interface::cast(o)!=NULL)
{
@ -608,12 +608,12 @@ void PolicyCompiler_pf::PrintRule::_printAddr(Address *o,bool neg)
return;
}
mask = InetNetmask(InetAddr::getAllOnes());
mask = InetAddr(InetAddr::getAllOnes());
}
if (dynamic_cast<InetAddrMask*>(o)->dimension()==1)
if (o->dimension()==1)
{
mask = InetNetmask(InetAddr::getAllOnes());
mask = InetAddr(InetAddr::getAllOnes());
}
if (addr.isAny() && mask.isAny())

6
src/pflib/TableFactory.cpp
View File

@ -213,11 +213,11 @@ string TableFactory::PrintTables()
throw(FWException("table object must be an address: '"+o->getTypeName()+"'"));
InetAddr addr=A->getAddress();
InetNetmask mask=A->getNetmask();
InetAddr mask=A->getNetmask();
if (dynamic_cast<InetAddrMask*>(A)->dimension()==1)
if (A->dimension()==1)
{
mask = InetNetmask(InetAddr::getAllOnes());
mask = InetAddr(InetAddr::getAllOnes());
}
output << addr.toString();

46
src/pix/NATCompiler_pix.cpp
View File

@ -421,8 +421,8 @@ bool NATCompiler_pix::verifyRuleElements::processNext()
if (Network::isA(odst) && Network::isA(tdst))
{
InetNetmask n1=(Interface::cast(odst))?InetNetmask(InetAddr::getAllOnes()):odst->getNetmask();
InetNetmask n2=(Interface::cast(tdst))?InetNetmask(InetAddr::getAllOnes()):tdst->getNetmask();
InetAddr n1=(Interface::cast(odst))?InetAddr(InetAddr::getAllOnes()):odst->getNetmask();
InetAddr n2=(Interface::cast(tdst))?InetAddr(InetAddr::getAllOnes()):tdst->getNetmask();
if ( !(n1==n2) )
compiler->abort(
@ -1269,7 +1269,7 @@ bool NATCompiler_pix::DetectOverlappingGlobalPoolsAndStaticRules::processNext()
if (natcmd->type== INTERFACE)
{
addr.setNetmask(InetNetmask(InetAddr::getAllOnes()));
addr.setNetmask(InetAddr(InetAddr::getAllOnes()));
}
if ( checkOverlapping( addr, outa->getAddress()) ||
@ -1313,8 +1313,8 @@ bool NATCompiler_pix::DetectDuplicateNAT::processNext()
// InetAddr a1=natcmd->o_addr->getAddress();
// InetAddr a2=nc->o_addr->getAddress();
//
// InetNetmask m1=natcmd->o_addr->getInetNetmask();
// InetNetmask m2=nc->o_addr->getNetmask();
// InetAddr m1=natcmd->o_addr->getInetAddr();
// InetAddr m2=nc->o_addr->getNetmask();
if ( int1->getId()==int2->getId() &&
natcmd->o_src==nc->o_src &&
@ -1379,18 +1379,30 @@ bool NATCompiler_pix::DetectOverlappingStatics::processNext()
{
if ( *(sc->osrv) == *(scmd->osrv) &&
*(sc->tsrv) == *(scmd->tsrv) &&
*(sc->osrc) == *(scmd->osrc) &&
( ! getOverlap(*(scmd->iaddr), *(sc->iaddr)).empty() ||
! getOverlap(*(scmd->oaddr), *(sc->oaddr)).empty() ) )
compiler->abort(
"Static NAT rules overlap or are redundant : rules "+
sc->rule+" and "+scmd->rule+" : "+
"outside address: "+
scmd->oaddr->getAddress().toString()+"/"+
scmd->oaddr->getNetmask().toString()+
" inside address: "+
scmd->iaddr->getAddress().toString()+"/"+
scmd->iaddr->getNetmask().toString());
*(sc->osrc) == *(scmd->osrc))
{
const InetAddrMask *ia1 =
scmd->iaddr->getAddressObjectInetAddrMask();
const InetAddrMask *ia2 =
sc->iaddr->getAddressObjectInetAddrMask();
const InetAddrMask *oa1 =
scmd->oaddr->getAddressObjectInetAddrMask();
const InetAddrMask *oa2 =
sc->oaddr->getAddressObjectInetAddrMask();
if ( ! getOverlap(*(ia1), *(ia2)).empty() ||
! getOverlap(*(oa1), *(oa2)).empty() )
compiler->abort(
"Static NAT rules overlap or are redundant: rules "+
sc->rule+" and "+scmd->rule+" : "+
"outside address: "+
scmd->oaddr->getAddress().toString()+"/"+
scmd->oaddr->getNetmask().toString()+
" inside address: "+
scmd->iaddr->getAddress().toString()+"/"+
scmd->iaddr->getNetmask().toString());
}
}
}
}

2
src/pix/NATCompiler_pix.h
View File

@ -420,7 +420,7 @@ namespace fwcompiler {
typedef struct {
std::string iface1, iface2;
libfwbuilder::InetAddr addr;
libfwbuilder::InetNetmask mask;
libfwbuilder::InetAddr mask;
} nonat_static_parameters;
std::deque<nonat_static_parameters> all_nonat_statics;
public:

2
src/pix/NATCompiler_pix_writers.cpp
View File

@ -450,7 +450,7 @@ bool NATCompiler_pix::PrintRule::processNext()
StaticCmd *scmd=pix_comp->static_commands[ rule->getInt("sc_cmd") ];
InetAddr outa=scmd->oaddr->getAddress();
InetNetmask outm=scmd->oaddr->getNetmask();
InetAddr outm=scmd->oaddr->getNetmask();
InetAddr insa=scmd->iaddr->getAddress();
/*
* we verify that odst and tdst have the same size in verifyRuleElements,

4
src/pix/PolicyCompiler_pix.cpp
View File

@ -123,14 +123,14 @@ int PolicyCompiler_pix::prolog()
{
if (netmask.find(".")!=string::npos)
{
InetNetmask nm(netmask);
InetAddr nm(netmask);
nm.isAny(); // to avoid warning abt unused var
} else
{
int nm_length;
istringstream str(netmask);
str >> nm_length;
InetNetmask nm(nm_length);
InetAddr nm(nm_length);
netmask = nm.toString();
}
} catch(FWException &ex)

8
src/pix/PolicyCompiler_pix_writers.cpp
View File

@ -164,7 +164,7 @@ bool PolicyCompiler_pix::PrintObjectGroupsAndClearCommands::processNext()
InetAddr addr=a->getAddress();
pix_comp->output << " network-object ";
if (Network::cast(obj)!=NULL) {
InetNetmask mask=a->getNetmask();
InetAddr mask=a->getNetmask();
pix_comp->output << addr.toString() << " ";
pix_comp->output << mask.toString() << " ";
} else {
@ -353,7 +353,7 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o)
ostringstream str;
InetAddr srcaddr=o->getAddress();
InetNetmask srcmask=o->getNetmask();
InetAddr srcmask=o->getNetmask();
if (Interface::cast(o)!=NULL)
{
@ -363,11 +363,11 @@ string PolicyCompiler_pix::PrintRule::_printAddr(libfwbuilder::Address *o)
return string("interface ") + interface_->getLabel() + " ";
}
srcmask=InetNetmask(InetAddr::getAllOnes());
srcmask=InetAddr(InetAddr::getAllOnes());
}
if (IPv4::cast(o)!=NULL)
srcmask=InetNetmask(InetAddr::getAllOnes());
srcmask=InetAddr(InetAddr::getAllOnes());
if (srcaddr.isAny() && srcmask.isAny())

253
test/iosacl/objects.fwb
View File

@ -1,17 +1,17 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" lastModified="1208635848" id="root">
<Library color="#d2ffd0" id="id4511636323682" name="User">
<ObjectGroup id="id4511636423682" name="Objects">
<ObjectGroup id="id4511636523682" name="Addresses">
<IPv4 address="10.3.14.10" id="id451164E423682" name="baby.vk.crocodile.org" netmask="255.255.255.255"/>
<IPv4 address="10.3.14.102" id="id451164F923682" name="h-10.3.14.102" netmask="255.255.255.255"/>
<IPv4 address="10.3.14.255" id="id451164FA23682" name="h-10.3.14.255" netmask="255.255.255.255"/>
<IPv4 address="10.3.14.53" id="id451164FB23682" name="h-10.3.14.53" netmask="255.255.255.255"/>
<IPv4 address="10.3.14.65" id="id451164FC23682" name="h-10.3.14.65" netmask="255.255.255.255"/>
<IPv4 address="10.3.14.43" id="id451164FD23682" name="neo.vk.crocodile.org" netmask="255.255.255.255"/>
<IPv4 address="10.3.14.30" id="id4511653423682" name="tower.vk.crocodile.org" netmask="255.255.255.255"/>
<IPv4 address="10.3.14.41" id="id4511653523682" name="x1.vk.crocodile.org" netmask="255.255.255.255"/>
<IPv4 id="id451164E423682" name="baby.vk.crocodile.org" address="10.3.14.10" netmask="255.255.255.255"/>
<IPv4 id="id451164F923682" name="h-10.3.14.102" address="10.3.14.102" netmask="255.255.255.255"/>
<IPv4 id="id451164FA23682" name="h-10.3.14.255" address="10.3.14.255" netmask="255.255.255.255"/>
<IPv4 id="id451164FB23682" name="h-10.3.14.53" address="10.3.14.53" netmask="255.255.255.255"/>
<IPv4 id="id451164FC23682" name="h-10.3.14.65" address="10.3.14.65" netmask="255.255.255.255"/>
<IPv4 id="id451164FD23682" name="neo.vk.crocodile.org" address="10.3.14.43" netmask="255.255.255.255"/>
<IPv4 id="id4511653423682" name="tower.vk.crocodile.org" address="10.3.14.30" netmask="255.255.255.255"/>
<IPv4 id="id4511653523682" name="x1.vk.crocodile.org" address="10.3.14.41" netmask="255.255.255.255"/>
</ObjectGroup>
<ObjectGroup id="id4511636623682" name="DNS Names"/>
<ObjectGroup id="id4511636723682" name="Address Tables"/>
@ -30,11 +30,11 @@
<ObjectGroup id="id4511636923682" name="Hosts">
<Host id="id451164EB23682" name="beaver">
<Interface bridgeport="False" dyn="False" id="id451164EF23682" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 address="127.0.0.1" id="id451164F023682" name="beaver:lo:ip" netmask="255.0.0.0"/>
<IPv4 id="id451164F023682" name="beaver:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id451164F523682" name="eth0" security_level="0" unnum="False" unprotected="False">
<IPv4 address="10.3.14.40" id="id451164F723682" name="beaver:eth0:ip1" netmask="255.255.255.0"/>
<IPv4 address="192.168.123.123" id="id451164F823682" name="beaver:eth0:ip2" netmask="255.255.255.0"/>
<IPv4 id="id451164F723682" name="beaver:eth0:ip1" address="10.3.14.40" netmask="255.255.255.0"/>
<IPv4 id="id451164F823682" name="beaver:eth0:ip2" address="192.168.123.123" netmask="255.255.255.0"/>
<physAddress address="00:30:48:20:16:10" id="id451164F623682" name="beaver:eth0:mac"/>
</Interface>
<HostOptions>
@ -97,7 +97,7 @@
<ServiceGroup id="id4511637323682" name="TagServices"/>
</ServiceGroup>
<ObjectGroup id="id4511637423682" name="Firewalls">
<Firewall comment="" host_OS="ios" id="id46412B5226577" inactive="False" lastCompiled="1185060662" lastInstalled="0" lastModified="1178760458" name="testios1" platform="iosacl" ro="False" version="12.x">
<Firewall comment="" host_OS="ios" id="id46412B5226577" inactive="False" lastCompiled="1185060662" lastInstalled="0" lastModified="1208635848" name="testios1" platform="iosacl" ro="False" version="12.x">
<NAT id="id46412B5626577"/>
<Policy id="id46412B5526577">
<PolicyRule action="Deny" comment="anti-spoofing" direction="Inbound" disabled="False" id="id464154BB29061" log="True" position="0">
@ -351,7 +351,7 @@
<Option name="stateless">False</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule action="Accept" comment="" direction="Both" disabled="False" id="id464147C929061" log="False" position="12">
<PolicyRule action="Accept" comment="interface ethernet1 has address on network 10.10.10.0/24,&#10;therefore net-10.10.10 is behind the router and we do&#10;not need to put rules 12-18 in outbound acl of eth0" direction="Both" disabled="False" id="id464147C929061" log="False" position="12">
<Src neg="False">
<ObjectRef ref="id4641456629061"/>
</Src>
@ -521,13 +521,13 @@
</Policy>
<Routing id="id46412B5726577"/>
<Interface bridgeport="False" dyn="False" id="id46412B5826577" label="" name="ethernet0" security_level="50" unnum="False" unprotected="False">
<IPv4 address="1.1.1.1" id="id46412B5926577" name="testios1:ethernet0:ip" netmask="255.255.255.0"/>
<IPv4 id="id46412B5926577" name="testios1:ethernet0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id46412B5A26577" label="" mgmt="False" name="ethernet1" security_level="100" unnum="False" unprotected="True">
<IPv4 address="10.10.10.1" id="id46412B5B26577" name="testios1:ethernet1:ip" netmask="255.255.255.0"/>
<IPv4 id="id46412B5B26577" name="testios1:ethernet1:ip" address="10.10.10.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4642828219184" label="" mgmt="False" name="ethernet2" security_level="100" unnum="False" unprotected="True">
<IPv4 address="3.3.3.3" comment="" id="id4642828319184" name="testios1:ethernet2:ip" netmask="255.255.255.0"/>
<IPv4 comment="" id="id4642828319184" name="testios1:ethernet2:ip" address="3.3.3.3" netmask="255.255.255.0"/>
</Interface>
<Management address="10.10.10.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -538,9 +538,10 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
@ -553,21 +554,21 @@
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"/>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level"/>
<Option name="iosacl_logging_buffered_level"></Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level"/>
<Option name="iosacl_logging_console_level"></Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level"/>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_logging_trap_level"></Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
@ -577,10 +578,10 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -602,7 +603,7 @@
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
@ -759,10 +760,10 @@
</Policy>
<Routing id="id4641321026611"/>
<Interface bridgeport="False" dyn="False" id="id4641321126611" label="" name="ethernet0" security_level="50" unnum="False" unprotected="False">
<IPv4 address="1.1.1.1" id="id4641321326611" name="testios20:ethernet0:ip" netmask="255.255.255.0"/>
<IPv4 id="id4641321326611" name="testios20:ethernet0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4641321426611" label="" mgmt="False" name="ethernet1" network_zone="sysid0" security_level="100" unnum="False" unprotected="False">
<IPv4 address="10.10.10.1" id="id4641321626611" name="testios20:ethernet1:ip" netmask="255.255.255.0"/>
<IPv4 id="id4641321626611" name="testios20:ethernet1:ip" address="10.10.10.1" netmask="255.255.255.0"/>
</Interface>
<Management address="10.10.10.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -773,10 +774,10 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="compiler"/>
<Option name="compiler"></Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="firewall_dir">/etc</Option>
@ -789,21 +790,21 @@
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"/>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level"/>
<Option name="iosacl_logging_buffered_level"></Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level"/>
<Option name="iosacl_logging_console_level"></Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level"/>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_logging_trap_level"></Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
@ -813,10 +814,10 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -838,7 +839,7 @@
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
@ -1267,10 +1268,10 @@
</Policy>
<Routing id="id464265C512807"/>
<Interface bridgeport="False" dyn="False" id="id464265C612807" label="" name="ethernet0" security_level="50" unnum="False" unprotected="False">
<IPv4 address="1.1.1.1" id="id464265C812807" name="testios2:ethernet0:ip" netmask="255.255.255.0"/>
<IPv4 id="id464265C812807" name="testios2:ethernet0:ip" address="1.1.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id464265C912807" label="" mgmt="True" name="ethernet1" security_level="100" unnum="False" unprotected="False">
<IPv4 address="10.10.10.1" id="id464265CB12807" name="testios2:ethernet1:ip" netmask="255.255.255.0"/>
<IPv4 id="id464265CB12807" name="testios2:ethernet1:ip" address="10.10.10.1" netmask="255.255.255.0"/>
</Interface>
<Management address="10.10.10.1">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1281,8 +1282,8 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
@ -1299,18 +1300,18 @@
<Option name="iosacl_acl_temp_addr">10.10.10.0/24</Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level"/>
<Option name="iosacl_logging_buffered_level"></Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level"/>
<Option name="iosacl_logging_console_level"></Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level"/>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_logging_trap_level"></Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
@ -1320,10 +1321,10 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">true</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -1345,7 +1346,7 @@
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
@ -1516,19 +1517,19 @@
</Policy>
<Routing id="id46435A0316989"/>
<Interface bridgeport="False" comment="" dyn="False" id="id46435A0416989" label="" mgmt="False" name="Ethernet1/0" security_level="0" unnum="False" unprotected="False">
<IPv4 address="192.168.171.2" id="id46435A0516989" name="c3620:Ethernet1/0:ip" netmask="255.255.255.0"/>
<IPv4 id="id46435A0516989" name="c3620:Ethernet1/0:ip" address="192.168.171.2" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id46435A0616989" label="" mgmt="False" name="Ethernet1/1" security_level="100" unnum="False" unprotected="False">
<IPv4 address="0.0.0.0" id="id46435A0716989" name="c3620:Ethernet1/1:ip" netmask="255.255.255.255"/>
<IPv4 id="id46435A0716989" name="c3620:Ethernet1/1:ip" address="0.0.0.0" netmask="255.255.255.255"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id46435A0816989" label="" mgmt="True" name="FastEthernet0/0" security_level="100" unnum="False" unprotected="False">
<IPv4 address="10.3.14.201" id="id46435A0916989" name="c3620:FastEthernet0/0:ip" netmask="255.255.255.0"/>
<IPv4 id="id46435A0916989" name="c3620:FastEthernet0/0:ip" address="10.3.14.201" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id46435A0A16989" label="" mgmt="False" name="Null0" security_level="100" unnum="False" unprotected="True">
<IPv4 address="0.0.0.0" id="id46435A0B16989" name="c3620:Null0:ip" netmask="255.255.255.255"/>
<IPv4 id="id46435A0B16989" name="c3620:Null0:ip" address="0.0.0.0" netmask="255.255.255.255"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id46435A0C16989" label="" mgmt="False" name="Serial1/0" security_level="100" unnum="False" unprotected="True">
<IPv4 address="0.0.0.0" id="id46435A0D16989" name="c3620:Serial1/0:ip" netmask="255.255.255.255"/>
<IPv4 id="id46435A0D16989" name="c3620:Serial1/0:ip" address="0.0.0.0" netmask="255.255.255.255"/>
</Interface>
<Management address="10.3.14.201">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1539,8 +1540,8 @@
<Option name="accept_established">true</Option>
<Option name="accept_new_tcp_with_no_syn">true</Option>
<Option name="add_check_state_rule">true</Option>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="check_shading">False</Option>
<Option name="configure_interfaces">true</Option>
<Option name="eliminate_duplicates">true</Option>
@ -1552,21 +1553,21 @@
<Option name="iosacl_acl_basic">True</Option>
<Option name="iosacl_acl_no_clear">False</Option>
<Option name="iosacl_acl_substitution">False</Option>
<Option name="iosacl_acl_temp_addr"/>
<Option name="iosacl_acl_temp_addr"></Option>
<Option name="iosacl_add_clear_statements">true</Option>
<Option name="iosacl_assume_fw_part_of_any">true</Option>
<Option name="iosacl_epilog_script"/>
<Option name="iosacl_epilog_script"></Option>
<Option name="iosacl_include_comments">True</Option>
<Option name="iosacl_logging_buffered">False</Option>
<Option name="iosacl_logging_buffered_level"/>
<Option name="iosacl_logging_buffered_level"></Option>
<Option name="iosacl_logging_console">False</Option>
<Option name="iosacl_logging_console_level"/>
<Option name="iosacl_logging_console_level"></Option>
<Option name="iosacl_logging_timestamp">False</Option>
<Option name="iosacl_logging_trap_level"/>
<Option name="iosacl_prolog_script"/>
<Option name="iosacl_logging_trap_level"></Option>
<Option name="iosacl_prolog_script"></Option>
<Option name="iosacl_regroup_commands">False</Option>
<Option name="iosacl_syslog_facility"/>
<Option name="iosacl_syslog_host"/>
<Option name="iosacl_syslog_facility"></Option>
<Option name="iosacl_syslog_host"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">true</Option>
@ -1579,7 +1580,7 @@
<Option name="mgmt_addr">10.3.14.40</Option>
<Option name="mgmt_ssh">True</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -1601,7 +1602,7 @@
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
@ -1611,7 +1612,7 @@
</Library>
<Library id="sysid99" name="Deleted Objects" ro="False">
<ObjectRef ref="sysid0"/>
<IPv4 address="10.10.10.1" comment="" id="id463FF31019380" name="test-ipt:eth0:ip" netmask="255.255.255.0"/>
<IPv4 comment="" id="id463FF31019380" name="test-ipt:eth0:ip" address="10.10.10.1" netmask="255.255.255.0"/>
<Interface bridgeport="False" comment="" dyn="False" id="id4511651D23682" label="" mgmt="False" name="imq1" security_level="100" unnum="True" unprotected="False"/>
<Firewall comment="Similar to fw 1, but the firewall is used as DHCP and DNS server for internal network.&#10;This firewall has two interfaces. Eth0 faces outside and has a dynamic address; eth1 faces inside.&#10;Policy includes basic rules to permit unrestricted outbound access and anti-spoofing rules. Access to the firewall is permitted only from internal network and only using SSH. The firewall can send DNS queries to servers out on the Internet. Another rule permits DNS queries from internal network to the firewall. Special rules permit DHCP requests from internal network and replies sent by the firewall." host_OS="freebsd" id="id453D8A6D12118" lastCompiled="0" lastInstalled="0" lastModified="1178678949" name="ipf" platform="ipf" ro="False" version="">
<NAT id="id453D8AE412118">
@ -1694,27 +1695,27 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="action_on_reject"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if">le1</Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_mark_prerouting">False</Option>
<Option name="ipt_oif"/>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"/>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
@ -1835,10 +1836,10 @@
<Routing id="id453D8AF312118"/>
<Interface bridgeport="False" comment="" dyn="True" id="id453D8AF412118" label="" mgmt="False" name="le0" security_level="0" unnum="False" unprotected="False"/>
<Interface bridgeport="False" comment="" dyn="False" id="id453D8AF512118" label="" mgmt="True" name="le1" security_level="100" unnum="False" unprotected="False">
<IPv4 address="192.168.1.1" comment="" id="id453D8AF712118" name="ipf:le1:ip" netmask="255.255.255.0"/>
<IPv4 comment="" id="id453D8AF712118" name="ipf:le1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id453D8AF812118" label="loopback" mgmt="False" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 address="127.0.0.1" comment="" id="id453D8AFA12118" name="ipf:lo:ip" netmask="255.0.0.0"/>
<IPv4 comment="" id="id453D8AFA12118" name="ipf:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Management address="0.0.0.0">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -1929,27 +1930,27 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="action_on_reject"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_mark_prerouting">False</Option>
<Option name="ipt_oif">vlan1</Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"/>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
@ -1970,27 +1971,27 @@
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"/>
<Option name="classify_str"/>
<Option name="custom_str"/>
<Option name="ipf_route_opt_addr"/>
<Option name="ipf_route_opt_if"/>
<Option name="action_on_reject"></Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">Route through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"/>
<Option name="ipt_iif"/>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_mark_prerouting">False</Option>
<Option name="ipt_oif">eth1</Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_opt_addr"/>
<Option name="pf_route_opt_if"/>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">Route through</Option>
<Option name="rule_name_accounting"/>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
@ -2037,11 +2038,11 @@
</Policy>
<Routing id="id4511651323682"/>
<Interface bridgeport="False" dyn="False" id="id4511651623682" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 address="127.0.0.1" id="id4511651723682" name="test-ipt:lo:ip" netmask="255.0.0.0"/>
<IPv4 id="id4511651723682" name="test-ipt:lo:ip" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="False" id="id4511651923682" label="" mgmt="False" name="teql0" security_level="100" unnum="True" unprotected="False"/>
<Interface bridgeport="False" comment="" dyn="False" id="id4511651B23682" label="" mgmt="False" name="imq0" security_level="100" unnum="False" unprotected="False">
<IPv4 address="192.168.1.1" comment="" id="id463FFA2619380" name="test-ipt:imq0:ip" netmask="255.255.255.0"/>
<IPv4 comment="" id="id463FFA2619380" name="test-ipt:imq0:ip" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" comment="" dyn="True" id="id4511652023682" label="" mgmt="False" name="eth0" security_level="100" unnum="False" unprotected="False">
<physAddress address="00:12:17:03:B9:81" id="id4511652123682" name="test-ipt:eth0:mac"/>
@ -2053,11 +2054,11 @@
<physAddress address="00:12:17:03:B9:81" id="id4511652923682" name="test-ipt:vlan0:mac"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id4511652D23682" name="vlan1" security_level="0" unnum="False" unprotected="False">
<IPv4 address="24.6.139.57" id="id4511652F23682" name="test-ipt:vlan1:ip" netmask="255.255.248.0"/>
<IPv4 id="id4511652F23682" name="test-ipt:vlan1:ip" address="24.6.139.57" netmask="255.255.248.0"/>
<physAddress address="00:E0:18:A8:80:1E" id="id4511652E23682" name="test-ipt:vlan1:mac"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id4511653223682" name="br0" security_level="100" unnum="False" unprotected="False">
<IPv4 address="10.10.10.2" comment="" id="id463FF31119380" name="test-ipt:br0:ip" netmask="255.255.255.0"/>
<IPv4 comment="" id="id463FF31119380" name="test-ipt:br0:ip" address="10.10.10.2" netmask="255.255.255.0"/>
<physAddress address="00:12:17:03:B9:81" id="id4511653323682" name="test-ipt:br0:mac"/>
</Interface>
<Management address="10.10.10.2">
@ -2068,27 +2069,27 @@
<FirewallOptions>
<Option name="accept_established">True</Option>
<Option name="accept_new_tcp_with_no_syn">True</Option>
<Option name="action_on_reject"/>
<Option name="activationCmd"/>
<Option name="admUser"/>
<Option name="altAddress"/>
<Option name="action_on_reject"></Option>
<Option name="activationCmd"></Option>
<Option name="admUser"></Option>
<Option name="altAddress"></Option>
<Option name="bridging_fw">False</Option>
<Option name="check_shading">False</Option>
<Option name="clamp_mss_to_mtu">False</Option>
<Option name="classify_mark_terminating">False</Option>
<Option name="cmdline"/>
<Option name="compiler"/>
<Option name="cmdline"></Option>
<Option name="compiler"></Option>
<Option name="configure_interfaces">True</Option>
<Option name="debug">False</Option>
<Option name="drop_invalid">False</Option>
<Option name="eliminate_duplicates">true</Option>
<Option name="epilog_script"/>
<Option name="epilog_script"></Option>
<Option name="firewall_dir">/etc</Option>
<Option name="firewall_is_part_of_any_and_networks">True</Option>
<Option name="freebsd_ip_forward">1</Option>
<Option name="ignore_empty_groups">False</Option>
<Option name="in_out_code">true</Option>
<Option name="limit_suffix"/>
<Option name="limit_suffix"></Option>
<Option name="limit_value">0</Option>
<Option name="linux24_ip_forward">1</Option>
<Option name="load_modules">True</Option>
@ -2103,10 +2104,10 @@
<Option name="loopback_interface">lo0</Option>
<Option name="macosx_ip_forward">1</Option>
<Option name="manage_virtual_addr">True</Option>
<Option name="mgmt_addr"/>
<Option name="mgmt_addr"></Option>
<Option name="mgmt_ssh">False</Option>
<Option name="openbsd_ip_forward">1</Option>
<Option name="output_file"/>
<Option name="output_file"></Option>
<Option name="pass_all_out">false</Option>
<Option name="pf_limit_frags">5000</Option>
<Option name="pf_limit_states">10000</Option>
@ -2126,14 +2127,14 @@
<Option name="pix_syslog_device_id_supported">false</Option>
<Option name="pix_use_acl_remarks">true</Option>
<Option name="prolog_place">top</Option>
<Option name="prolog_script"/>
<Option name="prolog_script"></Option>
<Option name="prompt1">$ </Option>
<Option name="prompt2"> # </Option>
<Option name="snmp_contact">root</Option>
<Option name="snmp_description">Linux SVEASOFT 2.4.20 #2 Wed Nov 17 11:49:43 CET 2004 mips</Option>
<Option name="snmp_location">Unknown</Option>
<Option name="solaris_ip_forward">1</Option>
<Option name="sshArgs"/>
<Option name="sshArgs"></Option>
<Option name="ulog_cprange">0</Option>
<Option name="ulog_nlgroup">1</Option>
<Option name="ulog_qthreshold">1</Option>

2
test/ipt/do-diff
View File

@ -7,7 +7,7 @@ if which opendiff > /dev/null 2>&1; then
elif which tkdiff > /dev/null 2>&1; then
TOOL="tkdiff -b -B "
else
TOOL="diff -b -B "
TOOL="diff -U 8 -b -B "
fi
${TOOL} firewall${N}.fw.orig firewall${N}.fw

68
test/ipt/objects-for-regression-tests.fwb
View File

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" lastModified="1206322269" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="4" lastModified="1208501354" id="root">
<Library color="#d2ffd0" comment="User defined objects" id="syslib001" name="User">
<ObjectGroup id="stdid01_1" name="Objects">
<ObjectGroup id="stdid01_1_og_ats_1" name="Address Tables">
@ -324,8 +324,8 @@
</HostOptions>
</Host>
<Host comment="" id="host-hostA" name="hostA">
<Interface bridgeport="False" dyn="False" id="host-hostA-i" name="unknown" security_level="100" unnum="False" unprotected="False">
<IPv4 id="host-hostA-i-ipv4" name="address" address="192.168.1.10" netmask="255.255.255.255"/>
<Interface bridgeport="False" comment="" dyn="False" id="host-hostA-i" label="" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="host-hostA-i-ipv4" name="hostA:eth0:ip" address="192.168.1.10" netmask="255.255.255.255"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@ -668,9 +668,9 @@
</HostOptions>
</Host>
<Host comment="this host has the same IP address as firewall 'firewall', plus it has MAC address.&#10;Testing for a combination of &quot;--mac --source-mac&quot; in the OUTPUT chain.&#10;" id="id3F14DFB8" name="fw-with-mac-1">
<Interface bridgeport="False" comment="" dyn="False" id="id3F14DFB9" label="" mgmt="False" name="host-with-mac-1:1" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id3F14DFBA" name="host-with-mac-1/addr" address="192.168.1.1" netmask="255.255.255.0"/>
<physAddress address="00:10:4b:de:e9:6f" id="id3F14DFBB" name="host-with-mac-1:1-pa"/>
<Interface bridgeport="False" comment="" dyn="False" id="id3F14DFB9" label="" mgmt="False" name="fw-with-mac-1:1" security_level="100" unnum="False" unprotected="False">
<IPv4 comment="" id="id3F14DFBA" name="fw-with-mac-1:fw-with-mac-1:1:ip" address="192.168.1.1" netmask="255.255.255.0"/>
<physAddress address="00:10:4b:de:e9:6f" id="id3F14DFBB" name="fw-with-mac-1:fw-with-mac-1:1:mac"/>
</Interface>
<Management address="192.168.1.10">
<SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/>
@ -988,7 +988,7 @@
</ServiceGroup>
</ServiceGroup>
<ObjectGroup id="stdid12_1" name="Firewalls">
<Firewall comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule&#10;" host_OS="linux24" id="fw-firewall2" inactive="False" lastCompiled="1188096924" lastInstalled="1142003872" lastModified="1206322269" name="firewall" platform="iptables" ro="False" version="">
<Firewall comment="this is simple firewall with two interfaces. Test regular policy rules, including IP_fragments rule&#10;" host_OS="linux24" id="fw-firewall2" inactive="False" lastCompiled="1188096924" lastInstalled="1142003872" lastModified="1208501354" name="firewall" platform="iptables" ro="False" version="">
<NAT id="nat-firewall2">
<NATRule comment="" disabled="False" id="nat-firewall2-0" position="0">
<OSrc neg="False">
@ -2732,7 +2732,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this object is used to test all kinds of negation in policy and NAT rules" host_OS="linux24" id="id3AF5AA0A" inactive="False" lastCompiled="1188096933" lastInstalled="1142003872" lastModified="1158818477" name="firewall1" platform="iptables" ro="False" version="">
<Firewall comment="this object is used to test all kinds of negation in policy and NAT rules" host_OS="linux24" id="id3AF5AA0A" inactive="False" lastCompiled="1188096933" lastInstalled="1142003872" lastModified="1208501354" name="firewall1" platform="iptables" ro="False" version="">
<NAT id="id3AF5AA0D">
<NATRule disabled="False" id="id3C98491C" position="0">
<OSrc neg="False">
@ -4013,19 +4013,19 @@
</Policy>
<Routing id="id3AF5AA0A-routing"/>
<Interface bridgeport="False" comment="" dyn="False" id="id3AF5AA96" label="" mgmt="True" name="eth0" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3AF5AA96-ipv4" name="address" address="192.168.1.1" netmask="255.255.255.0"/>
<IPv4 comment="" id="id3AF5AA96-ipv4" name="eth0:address" address="192.168.1.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3AF5AA99" name="eth1" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3AF5AA99-ipv4" name="address" address="22.22.22.22" netmask="255.255.255.0"/>
<IPv4 comment="" id="id3AF5AA99-ipv4" name="eth1:address" address="22.22.22.22" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3B0B4BC8" name="eth2" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3B0B4BC8-ipv4" name="address" address="192.168.2.1" netmask="255.255.255.0"/>
<IPv4 comment="" id="id3B0B4BC8-ipv4" name="eth2:address" address="192.168.2.1" netmask="255.255.255.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3B0B4D35" name="lo" security_level="100" unnum="False" unprotected="False">
<IPv4 id="id3B0B4D35-ipv4" name="address" address="127.0.0.1" netmask="255.0.0.0"/>
<IPv4 comment="" id="id3B0B4D35-ipv4" name="lo:address" address="127.0.0.1" netmask="255.0.0.0"/>
</Interface>
<Interface bridgeport="False" dyn="False" id="id3B11F434" name="eth3" security_level="0" unnum="False" unprotected="False">
<IPv4 id="id3B11F434-ipv4" name="address" address="22.22.23.23" netmask="255.255.255.0"/>
<IPv4 comment="" id="id3B11F434-ipv4" name="eth3:address" address="22.22.23.23" netmask="255.255.255.0"/>
</Interface>
<Management address="192.168.1.1">
<SNMPManagement enabled="False" snmp_read_community="public" snmp_write_community=""/>
@ -4117,7 +4117,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " host_OS="linux24" id="id3AFB66C6" inactive="False" lastCompiled="1188315148" lastInstalled="1142003872" lastModified="1197388709" name="firewall2" platform="iptables" ro="False" version="">
<Firewall comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " host_OS="linux24" id="id3AFB66C6" inactive="False" lastCompiled="1188315148" lastInstalled="1142003872" lastModified="1208501354" name="firewall2" platform="iptables" ro="False" version="">
<NAT id="id3AFB66C7">
<NATRule disabled="False" id="id3AFB66C8" position="0">
<OSrc neg="False">
@ -5688,7 +5688,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this object is used to test negation in policy rules with &quot;Assume firewall is part of 'Any'&quot; turned OFF" host_OS="linux24" id="id3B0226B6" inactive="False" lastCompiled="1196093755" lastInstalled="1142003872" lastModified="1196093903" name="firewall3" platform="iptables" ro="False" version="">
<Firewall comment="this object is used to test negation in policy rules with &quot;Assume firewall is part of 'Any'&quot; turned OFF" host_OS="linux24" id="id3B0226B6" inactive="False" lastCompiled="1196093755" lastInstalled="1142003872" lastModified="1208501354" name="firewall3" platform="iptables" ro="False" version="">
<NAT id="id3B0226B7">
<NATRule disabled="False" id="id3B0226B8" position="0">
<OSrc neg="False">
@ -6341,7 +6341,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this object is used to test a configuration where firewall has dynamic address " host_OS="linux24" id="id3B0C6380" inactive="False" lastCompiled="1188097179" lastInstalled="1142003872" lastModified="1184801731" name="firewall4" platform="iptables" ro="False" version="">
<Firewall comment="this object is used to test a configuration where firewall has dynamic address " host_OS="linux24" id="id3B0C6380" inactive="False" lastCompiled="1188097179" lastInstalled="1142003872" lastModified="1208501354" name="firewall4" platform="iptables" ro="False" version="">
<NAT id="id3B0C6381">
<NATRule disabled="False" id="id3B0C6382" position="0">
<OSrc neg="False">
@ -7128,7 +7128,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" host_OS="linux24" id="id3B19BEE6" lastCompiled="1204560061" lastInstalled="1142003872" lastModified="1204560033" name="firewall5" platform="iptables" ro="False">
<Firewall comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" host_OS="linux24" id="id3B19BEE6" lastCompiled="1204560061" lastInstalled="1142003872" lastModified="1208501354" name="firewall5" platform="iptables" ro="False">
<NAT id="id3B19BEE7">
<NATRule disabled="False" id="id3CFD9EE2" position="0">
<OSrc neg="False">
@ -9413,7 +9413,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. &#10;&#10;This is BRIDGING FIREWALL &#10;Firewall is part of any is OFF&#10;&#10;Interfaces eth0 and eth1 are parts of the bridge; Interface eth2 is external interface (doing NAT and routing on this interface) Interface eth3 is connected to protected network and is used to manage firewall. This is rather realistic configuration for the bridging firewall " host_OS="linux24" id="id3D94D4F8" inactive="False" lastCompiled="1188096947" lastInstalled="1142003872" lastModified="1171611400" name="firewall11" platform="iptables" ro="False" version="">
<Firewall comment="testing rules with broadcasts and multicasts and action-on-reject 'TCP reset'. &#10;&#10;This is BRIDGING FIREWALL &#10;Firewall is part of any is OFF&#10;&#10;Interfaces eth0 and eth1 are parts of the bridge; Interface eth2 is external interface (doing NAT and routing on this interface) Interface eth3 is connected to protected network and is used to manage firewall. This is rather realistic configuration for the bridging firewall " host_OS="linux24" id="id3D94D4F8" inactive="False" lastCompiled="1188096947" lastInstalled="1142003872" lastModified="1208501354" name="firewall11" platform="iptables" ro="False" version="">
<NAT id="id3D94D4F9">
<NATRule disabled="True" id="id3E854D22" position="0">
<OSrc neg="False">
@ -10271,7 +10271,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="Testing empty groups thing&#10;" host_OS="linux24" id="id3DE68A18" lastCompiled="1188096961" lastInstalled="1142003872" lastModified="0" name="firewall13" platform="iptables" ro="False">
<Firewall comment="Testing empty groups thing&#10;" host_OS="linux24" id="id3DE68A18" lastCompiled="1188096961" lastInstalled="1142003872" lastModified="1208501354" name="firewall13" platform="iptables" ro="False">
<NAT id="id3DE68A19">
<NATRule disabled="False" id="id3DE68AFA" position="0">
<OSrc neg="False">
@ -10787,7 +10787,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing translation from outside to the web server on DMZ, need to see what happens if clients on internal net connect to the NATted address of this server. This is a kind of &quot;NAT back to the same subnet&quot; with a twist.&#10;&#10;This firewall also has option &quot;local NAT&quot; enabled. NAT rules 0,2-7 should generate code in the OUTPUT and POSTROUTING chains.&#10;" host_OS="linux24" id="id3E189481" lastCompiled="1188096980" lastInstalled="1142003872" lastModified="0" name="firewall16" platform="iptables" ro="False" version="">
<Firewall comment="testing translation from outside to the web server on DMZ, need to see what happens if clients on internal net connect to the NATted address of this server. This is a kind of &quot;NAT back to the same subnet&quot; with a twist.&#10;&#10;This firewall also has option &quot;local NAT&quot; enabled. NAT rules 0,2-7 should generate code in the OUTPUT and POSTROUTING chains.&#10;" host_OS="linux24" id="id3E189481" lastCompiled="1188096980" lastInstalled="1142003872" lastModified="1208501354" name="firewall16" platform="iptables" ro="False" version="">
<NAT id="id3E189482">
<NATRule comment="should generate code in both PREROUTING&#10;and OUTPUT chain because option &quot;local NAT&quot;&#10;is enabled" disabled="False" id="id3E189483" position="0">
<OSrc neg="False">
@ -12225,7 +12225,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" host_OS="linux24" id="id3EFBC648" lastCompiled="1188097016" lastInstalled="1142003872" lastModified="1142003913" name="firewall20" platform="iptables" ro="False" version="">
<Firewall comment="testing firewall_is_part_of_any_and_networks&#10;also testing SNAT and DNAT rules when external interface&#10;has dynamic address&#10;&#10;dynamic interface ppp0 has an address object attached to it&#10;(interface used to be static and had an address, then got&#10;converted to dynamic but address object is still there). Compiler&#10;should ignore this address object and issue a warning.&#10;" host_OS="linux24" id="id3EFBC648" lastCompiled="1188097016" lastInstalled="1142003872" lastModified="1208501354" name="firewall20" platform="iptables" ro="False" version="">
<NAT id="id3EFBC649">
<NATRule disabled="False" id="id3EFBC64A" position="0">
<OSrc neg="False">
@ -12764,7 +12764,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="two dynamic interfaces in the same policy or NAT rule&#10;" host_OS="linux24" id="id3F29FAAD" lastCompiled="1188097023" lastInstalled="1142003872" lastModified="0" name="firewall21" platform="iptables" ro="False">
<Firewall comment="two dynamic interfaces in the same policy or NAT rule&#10;" host_OS="linux24" id="id3F29FAAD" lastCompiled="1188097023" lastInstalled="1142003872" lastModified="1208501354" name="firewall21" platform="iptables" ro="False">
<NAT id="id3F29FAAE">
<NATRule disabled="False" id="id3F2A008C" position="0">
<OSrc neg="False">
@ -12953,7 +12953,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing NAT rules using custom services&#10;" host_OS="linux24" id="id3FADB89A" lastCompiled="1188097029" lastInstalled="1142003872" lastModified="1142003913" name="firewall22" platform="iptables" ro="False" version="1.2.9">
<Firewall comment="testing NAT rules using custom services&#10;" host_OS="linux24" id="id3FADB89A" lastCompiled="1188097029" lastInstalled="1142003872" lastModified="1208501354" name="firewall22" platform="iptables" ro="False" version="1.2.9">
<NAT id="id3FADB89B">
<NATRule disabled="False" id="id3FADBAA3" position="0">
<OSrc neg="False">
@ -13149,7 +13149,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="&#10;This is BRIDGING FIREWALL&#10;&#10;" host_OS="linux24" id="id3FB32E8E" lastCompiled="1188097036" lastInstalled="1142003872" lastModified="1142003859" name="firewall23" platform="iptables" ro="False">
<Firewall comment="&#10;This is BRIDGING FIREWALL&#10;&#10;" host_OS="linux24" id="id3FB32E8E" lastCompiled="1188097036" lastInstalled="1142003872" lastModified="1208501354" name="firewall23" platform="iptables" ro="False">
<NAT id="id3FB32E8F"/>
<Policy id="id3FB32EAC">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id3FB33184" log="False" position="0">
@ -13547,7 +13547,7 @@
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing rules on unnumbered interface tun*&#10;" host_OS="linux24" id="id402B23A8" lastCompiled="1188097050" lastInstalled="1142003872" lastModified="0" name="firewall24" platform="iptables" ro="False">
<Firewall comment="testing rules on unnumbered interface tun*&#10;" host_OS="linux24" id="id402B23A8" lastCompiled="1188097050" lastInstalled="1142003872" lastModified="1208501354" name="firewall24" platform="iptables" ro="False">
<NAT id="id402B23A9"/>
<Policy id="id402B23AA">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id402B2413" log="False" position="0">
@ -14229,7 +14229,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this firewall uses iptables-restore format. Firewall has wildcard interface ppp*; script is generated dynamically and then piped to iptables-restore&#10;" host_OS="linux24" id="id417C680B" lastCompiled="1188097057" lastInstalled="1142003872" lastModified="1142003913" name="firewall25" platform="iptables" ro="False" version="">
<Firewall comment="this firewall uses iptables-restore format. Firewall has wildcard interface ppp*; script is generated dynamically and then piped to iptables-restore&#10;" host_OS="linux24" id="id417C680B" lastCompiled="1188097057" lastInstalled="1142003872" lastModified="1208501354" name="firewall25" platform="iptables" ro="False" version="">
<NAT id="id417C688D">
<NATRule disabled="False" id="id417C688E" position="0">
<OSrc neg="False">
@ -14762,7 +14762,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this firewall uses iptables-restore format&#10;One interface has dynamic address, script uses echo to generated iptables commands and then pipes them to iptables-restore" host_OS="linux24" id="id418C4609" lastCompiled="1188097064" lastInstalled="1142003872" lastModified="1142003913" name="firewall26" platform="iptables" ro="False" version="">
<Firewall comment="this firewall uses iptables-restore format&#10;One interface has dynamic address, script uses echo to generated iptables commands and then pipes them to iptables-restore" host_OS="linux24" id="id418C4609" lastCompiled="1188097064" lastInstalled="1142003872" lastModified="1208501354" name="firewall26" platform="iptables" ro="False" version="">
<NAT id="id418C468B">
<NATRule disabled="False" id="id418C468C" position="0">
<OSrc neg="False">
@ -15293,7 +15293,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="this firewall uses iptables-restore format&#10;all interfaces have static addresses, script pipes iptables commands straight to iptables-restore" host_OS="linux24" id="id4183D041" inactive="False" lastCompiled="1197477543" lastInstalled="1142003872" lastModified="1197477519" name="firewall27" platform="iptables" ro="False" version="">
<Firewall comment="this firewall uses iptables-restore format&#10;all interfaces have static addresses, script pipes iptables commands straight to iptables-restore" host_OS="linux24" id="id4183D041" inactive="False" lastCompiled="1197477543" lastInstalled="1142003872" lastModified="1208501354" name="firewall27" platform="iptables" ro="False" version="">
<NAT id="id4183D0C3">
<NATRule disabled="False" id="id4183D0C4" position="0">
<OSrc neg="False">
@ -16012,7 +16012,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="two dynamic interfaces in the same policy or NAT rule. Interfaces have a dot in their names&#10;" host_OS="linux24" id="id41D2945B" lastCompiled="1188097084" lastInstalled="1142003872" lastModified="0" name="firewall29" platform="iptables" ro="False" version="">
<Firewall comment="two dynamic interfaces in the same policy or NAT rule. Interfaces have a dot in their names&#10;" host_OS="linux24" id="id41D2945B" lastCompiled="1188097084" lastInstalled="1142003872" lastModified="1208501354" name="firewall29" platform="iptables" ro="False" version="">
<NAT id="id41D29482">
<NATRule disabled="False" id="id41D29483" position="0">
<OSrc neg="False">
@ -16570,7 +16570,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing AddressTable" host_OS="linux24" id="id43868A331434" lastCompiled="1188097112" lastInstalled="1142003872" lastModified="1205611789" name="firewall32" platform="iptables" ro="False" version="">
<Firewall comment="testing AddressTable" host_OS="linux24" id="id43868A331434" lastCompiled="1188097112" lastInstalled="1142003872" lastModified="1208501354" name="firewall32" platform="iptables" ro="False" version="">
<NAT id="id43868A6D1434">
<NATRule disabled="False" id="id43868A6E1434" position="0">
<OSrc neg="False">
@ -16771,7 +16771,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing DNSName object" host_OS="linux24" id="id43867C1018346" lastCompiled="1188097121" lastInstalled="1142003872" lastModified="1205119254" name="firewall33" platform="iptables" ro="False" version="">
<Firewall comment="testing DNSName object" host_OS="linux24" id="id43867C1018346" lastCompiled="1188097121" lastInstalled="1142003872" lastModified="1208501354" name="firewall33" platform="iptables" ro="False" version="">
<NAT id="id43867C4818346">
<NATRule disabled="False" id="id43867C4918346" position="0">
<OSrc neg="False">
@ -20013,7 +20013,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">False</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="&#10;This is BRIDGING FIREWALL&#10;Testing module physdev&#10;" host_OS="linux24" id="id440C055614846" lastCompiled="1188097043" lastInstalled="1142003872" lastModified="1163136879" name="firewall23-1" platform="iptables" ro="False" version="1.3.0">
<Firewall comment="&#10;This is BRIDGING FIREWALL&#10;Testing module physdev&#10;" host_OS="linux24" id="id440C055614846" lastCompiled="1188097043" lastInstalled="1142003872" lastModified="1208501354" name="firewall23-1" platform="iptables" ro="False" version="1.3.0">
<NAT id="id440C062B14846"/>
<Policy id="id440C055C14846">
<PolicyRule action="Accept" direction="Inbound" disabled="False" id="id440C055D14846" log="False" position="0">
@ -22086,7 +22086,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">true</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing shadowing detection&#10;compiler runs with -xt flag&#10;firewall is assumed to be part of any" host_OS="linux24" id="id4513DEA62143" inactive="False" lastCompiled="1188097253" lastInstalled="0" lastModified="1158818614" name="test-shadowing-1" platform="iptables" ro="False" version="">
<Firewall comment="testing shadowing detection&#10;compiler runs with -xt flag&#10;firewall is assumed to be part of any" host_OS="linux24" id="id4513DEA62143" inactive="False" lastCompiled="1188097253" lastInstalled="0" lastModified="1208501354" name="test-shadowing-1" platform="iptables" ro="False" version="">
<NAT id="id4513DEAA2143"/>
<Policy id="id4513DEA92143">
<PolicyRule action="Accept" comment="shades rule below" direction="Outbound" disabled="False" id="id4513DECC2143" log="False" position="0">
@ -22369,7 +22369,7 @@ echo '%FWBPROMPT%'; sh /tmp/%FWSCRIPT%
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
<Firewall comment="testing shadowing detection&#10;compiler runs with -xt flag&#10;firewall is NOT assumed to be part of any" host_OS="linux24" id="id451488C42143" inactive="False" lastCompiled="1188097259" lastInstalled="0" lastModified="1158818614" name="test-shadowing-2" platform="iptables" ro="False" version="">
<Firewall comment="testing shadowing detection&#10;compiler runs with -xt flag&#10;firewall is NOT assumed to be part of any" host_OS="linux24" id="id451488C42143" inactive="False" lastCompiled="1188097259" lastInstalled="0" lastModified="1208501354" name="test-shadowing-2" platform="iptables" ro="False" version="">
<NAT id="id451489072143"/>
<Policy id="id451488CA2143">
<PolicyRule action="Accept" comment="shades rule below" direction="Outbound" disabled="False" id="id451488CB2143" log="False" position="0">