[fwbuilder-commits] r2352 - in branches/v3_1: . doc src/iptlib test/ipt
Brought to you by:
mikehorn
Menu
▾
▴
[fwbuilder-commits] r2352 - in branches/v3_1: . doc src/iptlib test/ipt
|
From: <va...@in...> - 2010-01-15 22:16:58
|
Author: vadim
Date: 2010-01-15 14:16:14 -0800 (Fri, 15 Jan 2010)
New Revision: 2352
Modified:
branches/v3_1/build_num
branches/v3_1/doc/ChangeLog
branches/v3_1/src/iptlib/PolicyCompiler_PrintRule.cpp
branches/v3_1/src/iptlib/PolicyCompiler_ipt.cpp
branches/v3_1/test/ipt/objects-for-regression-tests.fwb
Log:
* PolicyCompiler_ipt.cpp (processMultiAddressObjectsInRE::processNext):
fixes #1086: incorrect processing of run time address tables.
SourceForge bug 2932680. Rules with two run-time AddressTable
objects in the same rule element (source or destination) were
converted to the shell script that read addresses from the address
table files, plus wrong iptables command that matched any to any.
This change removes this extra command.
Modified: branches/v3_1/build_num
===================================================================
--- branches/v3_1/build_num 2010-01-15 20:39:34 UTC (rev 2351)
+++ branches/v3_1/build_num 2010-01-15 22:16:14 UTC (rev 2352)
@@ -1 +1 @@
-#define BUILD_NUM 2350
+#define BUILD_NUM 2351
Modified: branches/v3_1/doc/ChangeLog
===================================================================
--- branches/v3_1/doc/ChangeLog 2010-01-15 20:39:34 UTC (rev 2351)
+++ branches/v3_1/doc/ChangeLog 2010-01-15 22:16:14 UTC (rev 2352)
@@ -1,5 +1,13 @@
2010-01-15 vadim <va...@vk...>
+ * PolicyCompiler_ipt.cpp (processMultiAddressObjectsInRE::processNext):
+ fixes #1086: incorrect processing of run time address tables.
+ SourceForge bug 2932680. Rules with two run-time AddressTable
+ objects in the same rule element (source or destination) were
+ converted to the shell script that read addresses from the address
+ table files, plus wrong iptables command that matched any to any.
+ This change removes this extra command.
+
* OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions):
fixes #1084 "if all user turns off all interface management and
configuration checkboxes, the check_tools shell function is not
Modified: branches/v3_1/src/iptlib/PolicyCompiler_PrintRule.cpp
===================================================================
--- branches/v3_1/src/iptlib/PolicyCompiler_PrintRule.cpp 2010-01-15 20:39:34 UTC (rev 2351)
+++ branches/v3_1/src/iptlib/PolicyCompiler_PrintRule.cpp 2010-01-15 22:16:14 UTC (rev 2352)
@@ -1392,8 +1392,9 @@
compiler->output << _createChain(rule->getStr("ipt_chain"));
compiler->output << _createChain(rule->getStr("ipt_target"));
compiler->output
- << dynamic_cast<OSConfigurator_linux24*>(compiler->osconfigurator)->
- printRunTimeWrappers(rule, PolicyRuleToString(rule), ipt_comp->ipv6);
+ << dynamic_cast<OSConfigurator_linux24*>(
+ compiler->osconfigurator)->printRunTimeWrappers(
+ rule, PolicyRuleToString(rule), ipt_comp->ipv6);
}
return true;
}
Modified: branches/v3_1/src/iptlib/PolicyCompiler_ipt.cpp
===================================================================
--- branches/v3_1/src/iptlib/PolicyCompiler_ipt.cpp 2010-01-15 20:39:34 UTC (rev 2351)
+++ branches/v3_1/src/iptlib/PolicyCompiler_ipt.cpp 2010-01-15 22:16:14 UTC (rev 2352)
@@ -3825,7 +3825,7 @@
OSConfigurator_linux24 *osconf =
dynamic_cast<OSConfigurator_linux24*>(compiler->osconfigurator);
- RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) );
+ RuleElement *re = RuleElement::cast( rule->getFirstByType(re_type) );
if (re->size()==1)
{
@@ -3845,9 +3845,9 @@
// this is DNSName converted to its run-time counterpart,
// we do not need to touch it at all
}
- tmp_queue.push_back(rule);
- return true;
}
+ tmp_queue.push_back(rule);
+ return true;
}
list<MultiAddressRunTime*> cl;
@@ -3860,29 +3860,36 @@
cl.push_back(atrt);
}
- if (!cl.empty())
+ if (cl.empty())
{
- RuleElement *nre;
- RuleElement *ore=RuleElement::cast( rule->getFirstByType(re_type) );
- PolicyRule *r;
- for (list<MultiAddressRunTime*>::iterator i=cl.begin(); i!=cl.end(); i++)
- {
- MultiAddressRunTime *atrt = *i;
- r= compiler->dbcopy->createPolicyRule();
- compiler->temp_ruleset->add(r);
- r->duplicate(rule);
- nre=RuleElement::cast( r->getFirstByType(re_type) );
- nre->clearChildren();
- nre->addRef( atrt );
- r->setStr("address_table_file",atrt->getSourceName());
- osconf->registerMultiAddressObject(atrt);
- tmp_queue.push_back(r);
+ tmp_queue.push_back(rule);
+ return true;
+ }
- ore->removeRef( *i );
- }
+ RuleElement *nre;
+ RuleElement *ore = re;
+ PolicyRule *r;
+ for (list<MultiAddressRunTime*>::iterator i=cl.begin(); i!=cl.end(); i++)
+ {
+ MultiAddressRunTime *atrt = *i;
+ r= compiler->dbcopy->createPolicyRule();
+ compiler->temp_ruleset->add(r);
+ r->duplicate(rule);
+ nre=RuleElement::cast( r->getFirstByType(re_type) );
+ nre->clearChildren();
+ nre->addRef( atrt );
+ r->setStr("address_table_file",atrt->getSourceName());
+ osconf->registerMultiAddressObject(atrt);
+ tmp_queue.push_back(r);
+
+ ore->removeRef( *i );
}
- tmp_queue.push_back(rule);
+ // if rule element contained only run-time address tables, it should
+ // be empty by now. There is no need to continue with this rule then.
+ if ( ! re->isAny())
+ tmp_queue.push_back(rule);
+
return true;
}
Modified: branches/v3_1/test/ipt/objects-for-regression-tests.fwb
===================================================================
--- branches/v3_1/test/ipt/objects-for-regression-tests.fwb 2010-01-15 20:39:34 UTC (rev 2351)
+++ branches/v3_1/test/ipt/objects-for-regression-tests.fwb 2010-01-15 22:16:14 UTC (rev 2352)
@@ -26814,7 +26814,7 @@
<Option name="verify_interfaces">True</Option>
</FirewallOptions>
</Firewall>
- <Firewall id="id44EC18128791" host_OS="linux24" inactive="False" lastCompiled="1247364146" lastInstalled="0" lastModified="1243319947" platform="iptables" version="" name="firewall41" comment="testing rule shadowing with run-time objects, rules with such objects should be ignored " ro="False">
+ <Firewall id="id44EC18128791" host_OS="linux24" inactive="False" lastCompiled="1247364146" lastInstalled="0" lastModified="1263593206" platform="iptables" version="" name="firewall41" comment="testing rule shadowing with run-time objects, rules with such objects should be ignored " ro="False">
<NAT id="id44EC18168791" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
<RuleSetOptions/>
</NAT>
@@ -26893,6 +26893,25 @@
<Option name="stateless">True</Option>
</PolicyRuleOptions>
</PolicyRule>
+ <PolicyRule id="id212774X97815" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="testing for bug #1086 when two run-time objects are used in the rule, compiler adds blank command that blocks (permits) any to any ">
+ <Src neg="False">
+ <ObjectRef ref="id44EC18128791"/>
+ </Src>
+ <Dst neg="False">
+ <ObjectRef ref="id44F7056328576"/>
+ <ObjectRef ref="id4389EE9118346"/>
+ </Dst>
+ <Srv neg="False">
+ <ServiceRef ref="sysid1"/>
+ </Srv>
+ <Itf neg="False">
+ <ObjectRef ref="sysid0"/>
+ </Itf>
+ <When neg="False">
+ <IntervalRef ref="sysid2"/>
+ </When>
+ <PolicyRuleOptions/>
+ </PolicyRule>
<RuleSetOptions/>
</Policy>
<Routing id="id44EC18178791" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
|