
2009-03-24 vadim <vadim@vk.crocodile.org>

* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): Added
support for anchor names with "/*" suffix for PF. Now the user can
create policy ruleset with name e.g. "ftp-proxy/*" and then set up
branching rule pointing to this ruleset. This ruleset is treated
by the program in a special way. First, it allows characters "/"
and "*" in the name of the ruleset (but only for PF firewalls).
Second, compiler does not create a .conf file with rules from this
ruleset, assuming that it will be controlled by external program
such as ftp-proxy. See man page ftp-proxy(8) for examples.
This commit is contained in:
Vadim Kurland 2009-03-24 07:31:48 +00:00
parent 932b4d2d34
commit f6d1b5b38d
7 changed files with 101 additions and 78 deletions


@ -1 +1 @@
#define BUILD_NUM 788
#define BUILD_NUM 789


@ -1,3 +1,15 @@
2009-03-24 vadim <vadim@vk.crocodile.org>
* PolicyCompiler_pf_writers.cpp (PrintRule::_printAction): Added
support for anchor names with "/*" suffix for PF. Now the user can
create policy ruleset with name e.g. "ftp-proxy/*" and then set up
branching rule pointing to this ruleset. This ruleset is treated
by the program in a special way. First, it allows characters "/"
and "*" in the name of the ruleset (but only for PF firewalls).
Second, compiler does not create a .conf file with rules from this
ruleset, assuming that it will be controlled by external program
such as ftp-proxy. See man page ftp-proxy(8) for examples.
2009-03-23 vadim <vadim@vk.crocodile.org>
* pf.cpp (main): fixed bug (no #): compiler for pf added code


@ -61,6 +61,7 @@ RuleSetDialog::RuleSetDialog(ProjectPanel *project,
m_dialog = new Ui::RuleSetDialog_q;
m_dialog->setupUi(this);
obj = NULL;
platform = "";
}
RuleSetDialog::~RuleSetDialog()
@ -90,12 +91,11 @@ void RuleSetDialog::loadFWObject(FWObject *o)
m_dialog->top_rule_set->setChecked(s->isTop());
string platform = "";
FWObject *fw = o;
while (fw && fw->getTypeName()!="Firewall") fw = fw->getParent();
assert(fw!=NULL);
platform = fw->getStr("platform");
FWOptions *fwopt = Firewall::cast(fw)->getOptionsObject();
fwopt = Firewall::cast(fw)->getOptionsObject();
if (platform == "iptables")
{
@ -165,17 +165,27 @@ void RuleSetDialog::changed()
void RuleSetDialog::validate(bool *res)
{
*res=true;
if (!isTreeReadWrite(this,obj)) { *res=false; return; }
if (!validateName(this,obj,m_dialog->obj_name->text())) { *res=false; return; }
QRegExp rx("([a-zA-Z0-9_-+=@%^]+)");
*res = true;
if (!isTreeReadWrite(this, obj)) { *res = false; return; }
if (!validateName(this, obj, m_dialog->obj_name->text())) { *res = false; return; }
QString pattern("([a-zA-Z0-9_-+=@%^]+)");
// branch (anchor) names for PF may end with "/*"
if (platform == "pf")
pattern = "([a-zA-Z0-9_-+=@%^]+)(/\\*)?";
QRegExp rx(pattern);
if (!rx.exactMatch(m_dialog->obj_name->text()))
{
*res=false ;
QMessageBox::critical(this, "Firewall Builder",
tr("Rule set name '%1' is invalid. Only '[a-z][A-Z][0-9]_-+=@%^' characters are allowed.").arg( m_dialog->obj_name->text() ),
tr("&Continue"), 0, 0,
0 );
*res = false ;
QMessageBox::critical(
this,
"Firewall Builder",
tr("Rule set name '%1' is invalid. Only '[a-z][A-Z][0-9]_-+=@%^' characters are allowed.").arg( m_dialog->obj_name->text() ),
tr("&Continue"), 0, 0,
0 );
return ;
}
@ -195,14 +205,7 @@ void RuleSetDialog::applyChanges()
RuleSet *s = dynamic_cast<RuleSet*>(obj);
assert(s!=NULL);
string platform = "";
FWObject *fw = obj;
while (fw && fw->getTypeName()!="Firewall") fw = fw->getParent();
assert(fw!=NULL);
platform = fw->getStr("platform");
FWOptions *fwopt = Firewall::cast(fw)->getOptionsObject();
string oldname=obj->getName();
string oldname = obj->getName();
obj->setName( string(m_dialog->obj_name->text().toUtf8().constData()) );
obj->setComment(
string(m_dialog->comment->toPlainText().toUtf8().constData()) );
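Review bot: The character class in the new `QString pattern("([a-zA-Z0-9_-+=@%^]+)")` line of validate(), and its pf variant two lines below, puts `-` between `_` and `+`, where a regex engine reads it as a range operator rather than the literal hyphen the error message promises. Depending on how QRegExp resolves an inverted range (`_` is 0x5F, `+` is 0x2B) this either rejects hyphens outright or admits every character between `+` and `_` — `/`, `\`, `?`, `;`, `<`, `>`, `[`, `]` — on every platform, not only pf, and the same name later becomes a pf.conf token and part of an output file name in pf.cpp. Moving the hyphen to the end of the class makes it literal: `QString pattern("([a-zA-Z0-9_+=@%^-]+)");` and `pattern = "([a-zA-Z0-9_+=@%^-]+)(/\\*)?";`. Note that this check lives only in the GUI dialog; a .fwb file edited by hand never passes through it, so it should not be the only defense before the name reaches the compiler.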


@ -32,6 +32,7 @@
#include <QWidget>
#include "fwbuilder/FWObject.h"
#include "fwbuilder/FWOptions.h"
class ProjectPanel;
@ -41,6 +42,8 @@ class RuleSetDialog : public QWidget
libfwbuilder::FWObject *obj;
bool init;
std::string platform;
libfwbuilder::FWOptions *fwopt;
Ui::RuleSetDialog_q *m_dialog;
ProjectPanel *m_project;
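Review bot: `fwopt` is added as a raw pointer member but the constructor hunk in RuleSetDialog.cpp initializes only `platform` (`platform = "";`), so `fwopt` holds an indeterminate value until loadFWObject() assigns it; whether anything reads it before then is not visible here, but an uninitialized pointer member is a latent crash. Initialize it next to `platform` in the constructor: `fwopt = NULL;`. The class definition starts outside the hunk.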


@ -679,16 +679,15 @@ int main(int argc, char * const *argv)
]->Resources::getResourceStr("/FWBuilderResources/Target/family");
if (family=="solaris")
oscnf=new OSConfigurator_solaris(objdb , fwobjectname, false);
oscnf = new OSConfigurator_solaris(objdb , fwobjectname, false);
if (family=="openbsd")
{
cerr << "Calling OSConfigurator_openbsd" << endl;
oscnf=new OSConfigurator_openbsd(objdb , fwobjectname, false);
oscnf = new OSConfigurator_openbsd(objdb , fwobjectname, false);
}
if (family=="freebsd")
oscnf=new OSConfigurator_freebsd(objdb , fwobjectname, false);
oscnf = new OSConfigurator_freebsd(objdb , fwobjectname, false);
if (oscnf==NULL)
throw FWException(_("Unrecognized host OS ") +
@ -893,6 +892,8 @@ int main(int argc, char * const *argv)
string file_name = output_dir + conf_files[ruleset_name];
ostringstream *strm = fi->second;
if (ruleset_name.find("/*")!=string::npos) continue;
ofstream pf_file;
pf_file.exceptions(
ofstream::eofbit|ofstream::failbit|ofstream::badbit);
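Review bot: The new `if (ruleset_name.find("/*")!=string::npos) continue;` discards the ruleset's output without any diagnostic: `strm` (`fi->second`) has presumably already been filled for it, so rules a user places in an `ftp-proxy/*` ruleset are compiled and then silently never written, which is easy to mistake for a working configuration. A warning when the stream is non-empty makes the loss visible, e.g. `if (!strm->str().empty()) cerr << "Warning: rules in ruleset " << ruleset_name << " are not written to a file; the anchor is managed externally" << endl;` placed before the `continue`. The substring test also accepts `/*` anywhere in the name, whereas the dialog's pattern only allows it as a suffix; testing the suffix (or sharing one helper with the anchor check in PolicyCompiler_pf_writers.cpp) keeps the two in step. The enclosing loop over conf_files begins outside the hunk.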


@ -124,7 +124,11 @@ void PolicyCompiler_pf::PrintRule::_printAction(PolicyRule *rule)
if (ruleset==NULL)
compiler->abort(string("Branching rule ") + rule->getLabel() +
" refers ruleset that does not exist");
compiler->output << "anchor " << ruleset->getName() << " ";
string ruleset_name = ruleset->getName();
if (ruleset_name.find("/*")!=string::npos)
compiler->output << "anchor \"" << ruleset_name << "\" ";
else
compiler->output << "anchor " << ruleset_name << " ";
break;
}
default:
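Review bot: The anchor name is quoted only when it contains `/*`, and the compiler performs no validation of its own — the only check on ruleset names is the QRegExp in the GUI dialog, which a hand-edited .fwb file never passes through — so a name carrying a space, `"` or a newline would be spliced verbatim into the `anchor` line of pf.conf and would presumably terminate or alter that statement. Quoting unconditionally (pf.conf(5) examples use `anchor "name"`) and rejecting what a quoted string cannot carry closes the gap: `if (ruleset_name.find_first_of("\"\n\r") != string::npos) compiler->abort(string("Branching rule ") + rule->getLabel() + " refers ruleset with an invalid name");` followed by a single `compiler->output << "anchor \"" << ruleset_name << "\" ";`. The special case also keys on `/*` appearing anywhere in the name while the dialog only permits it as a suffix; the compiler should apply the same rule. _printAction continues outside the hunk.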


@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1237864567" id="root">
<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="10" lastModified="1237878936" id="root">
<Library id="sysid99" name="Deleted Objects" comment="" ro="False">
<ICMP6Service id="idE0C27650" code="0" type="1" name="ipv6 dest unreachable" comment="No route to destination" ro="False"/>
<Library id="id40E233F3" color="#FFFFFF" name="West Coast" comment="" ro="False">
@ -3906,7 +3906,7 @@
<Option name="use_tables">True</Option>
</FirewallOptions>
</Firewall>
<Firewall id="id3B0C6380" host_OS="openbsd" inactive="False" lastCompiled="1237869303" lastInstalled="0" lastModified="1237869296" platform="pf" version="" name="firewall4" comment="this object is used to test a configuration where firewall has dynamic address " ro="False">
<Firewall id="id3B0C6380" host_OS="openbsd" inactive="False" lastCompiled="1237879885" lastInstalled="0" lastModified="1237879862" platform="pf" version="" name="firewall4" comment="this object is used to test a configuration where firewall has dynamic address " ro="False">
<NAT id="id3B0C6381" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<NATRule id="id3B0C6382" disabled="False" position="0" comment="">
<OSrc neg="False">
@ -4019,7 +4019,49 @@
</NATRule>
</NAT>
<Policy id="id3B0C639E" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<PolicyRule id="id3B54F071" disabled="False" log="True" position="0" action="Deny" direction="Both" comment="">
<PolicyRule id="id16047X49036" disabled="False" group="" log="False" position="0" action="Branch" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id16046X49036</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B54F071" disabled="False" log="True" position="1" action="Deny" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="id3B022266"/>
</Src>
@ -4036,7 +4078,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63E3" disabled="False" log="True" position="1" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
<PolicyRule id="id3B0C63E3" disabled="False" log="True" position="2" action="Deny" direction="Inbound" comment="Anti-spoofing rule">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B0C6380"/>
@ -4054,7 +4096,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63EB" disabled="False" log="True" position="2" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
<PolicyRule id="id3B0C63EB" disabled="False" log="True" position="3" action="Deny" direction="Outbound" comment="Anti-spoofing rule">
<Src neg="True">
<ObjectRef ref="net-Internal_net"/>
<ObjectRef ref="id3B0C6380"/>
@ -4072,7 +4114,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C639F" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="hostF has the same IP address as firewal.">
<PolicyRule id="id3B0C639F" disabled="False" log="True" position="4" action="Accept" direction="Both" comment="hostF has the same IP address as firewal.">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4092,7 +4134,7 @@
<Option name="id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63B4" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="">
<PolicyRule id="id3B0C63B4" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
@ -4114,7 +4156,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63A9" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="testing negation in the policy rule">
<PolicyRule id="id3B0C63A9" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="testing negation in the policy rule">
<Src neg="True">
<ObjectRef ref="host-hostA"/>
<ObjectRef ref="host-hostB"/>
@ -4136,7 +4178,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63BF" disabled="True" log="True" position="6" action="Deny" direction="Both" comment="testing negation in service field">
<PolicyRule id="id3B0C63BF" disabled="True" log="True" position="7" action="Deny" direction="Both" comment="testing negation in service field">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
@ -4159,7 +4201,7 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63CB" disabled="False" log="False" position="7" action="Accept" direction="Both" comment="'masquerading' rule">
<PolicyRule id="id3B0C63CB" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="'masquerading' rule">
<Src neg="False">
<ObjectRef ref="net-Internal_net"/>
</Src>
@ -4179,48 +4221,6 @@
<Option name="id"></Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id16047X36408" disabled="False" group="" log="True" position="8" action="Branch" direction="Both" comment="">
<Src neg="False">
<ObjectRef ref="sysid0"/>
</Src>
<Dst neg="False">
<ObjectRef ref="sysid0"/>
</Dst>
<Srv neg="False">
<ServiceRef ref="sysid1"/>
</Srv>
<Itf neg="False">
<ObjectRef ref="sysid0"/>
</Itf>
<When neg="False">
<IntervalRef ref="sysid2"/>
</When>
<PolicyRuleOptions>
<Option name="action_on_reject"></Option>
<Option name="branch_id">id16059X36408</Option>
<Option name="classify_str"></Option>
<Option name="custom_str"></Option>
<Option name="ipf_route_opt_addr"></Option>
<Option name="ipf_route_opt_if"></Option>
<Option name="ipf_route_option">route_through</Option>
<Option name="ipfw_classify_method">2</Option>
<Option name="ipfw_pipe_port_num">0</Option>
<Option name="ipfw_pipe_queue_num">0</Option>
<Option name="ipt_continue">False</Option>
<Option name="ipt_gw"></Option>
<Option name="ipt_iif"></Option>
<Option name="ipt_mark_connections">False</Option>
<Option name="ipt_oif"></Option>
<Option name="ipt_tee">False</Option>
<Option name="pf_fastroute">False</Option>
<Option name="pf_route_load_option">none</Option>
<Option name="pf_route_opt_addr"></Option>
<Option name="pf_route_opt_if"></Option>
<Option name="pf_route_option">route_through</Option>
<Option name="rule_name_accounting"></Option>
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
<PolicyRule id="id3B0C63D5" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="'catch all' rule">
<Src neg="False">
<ObjectRef ref="sysid0"/>
@ -4243,7 +4243,7 @@
</PolicyRuleOptions>
</PolicyRule>
</Policy>
<Policy id="id16059X36408" name="ftp-proxy" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False"/>
<Policy id="id16046X49036" name="ftp-proxy/*" comment="" ro="False" ipv4_rule_set="True" ipv6_rule_set="False" top_rule_set="False"/>
<Routing id="id3B0C6380-routing" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"/>
<Interface id="id3B0C63DF" bridgeport="False" dyn="False" security_level="100" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
<IPv4 id="id3B0C63DF-ipv4" name="address" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>