[fwbuilder-commits] r2352 - in branches/v3_1: . doc src/iptlib test/ipt
From: <va...@in...> - 2010-01-15 22:16:58
Author: vadim Date: 2010-01-15 14:16:14 -0800 (Fri, 15 Jan 2010) New Revision: 2352 Modified: branches/v3_1/build_num branches/v3_1/doc/ChangeLog branches/v3_1/src/iptlib/PolicyCompiler_PrintRule.cpp branches/v3_1/src/iptlib/PolicyCompiler_ipt.cpp branches/v3_1/test/ipt/objects-for-regression-tests.fwb Log: * PolicyCompiler_ipt.cpp (processMultiAddressObjectsInRE::processNext): fixes #1086: incorrect processing of run time address tables. SourceForge bug 2932680. Rules with two run-time AddressTable objects in the same rule element (source or destination) were converted to the shell script that read addresses from the address table files, plus wrong iptables command that matched any to any. This change removes this extra command.
Modified: branches/v3_1/build_num
===================================================================
--- branches/v3_1/build_num 2010-01-15 20:39:34 UTC (rev 2351)
+++ branches/v3_1/build_num 2010-01-15 22:16:14 UTC (rev 2352)
@@ -1 +1 @@
-#define BUILD_NUM 2350
+#define BUILD_NUM 2351
Modified: branches/v3_1/doc/ChangeLog
===================================================================
--- branches/v3_1/doc/ChangeLog 2010-01-15 20:39:34 UTC (rev 2351)
+++ branches/v3_1/doc/ChangeLog 2010-01-15 22:16:14 UTC (rev 2352)
@@ -1,5 +1,13 @@
 2010-01-15 vadim <va...@vk...> + * PolicyCompiler_ipt.cpp (processMultiAddressObjectsInRE::processNext): + fixes #1086: incorrect processing of run time address tables. + SourceForge bug 2932680. Rules with two run-time AddressTable + objects in the same rule element (source or destination) were + converted to the shell script that read addresses from the address + table files, plus wrong iptables command that matched any to any. + This change removes this extra command. + * OSConfigurator_linux24.cpp (OSConfigurator_linux24::printShellFunctions): fixes #1084 "if all user turns off all interface management and configuration checkboxes, the check_tools shell function is not
Modified: branches/v3_1/src/iptlib/PolicyCompiler_PrintRule.cpp
===================================================================
--- branches/v3_1/src/iptlib/PolicyCompiler_PrintRule.cpp 2010-01-15 20:39:34 UTC (rev 2351)
+++ branches/v3_1/src/iptlib/PolicyCompiler_PrintRule.cpp 2010-01-15 22:16:14 UTC (rev 2352)
@@ -1392,8 +1392,9 @@
 compiler->output << _createChain(rule->getStr("ipt_chain"));
 compiler->output << _createChain(rule->getStr("ipt_target"));
 compiler->output
- << dynamic_cast<OSConfigurator_linux24*>(compiler->osconfigurator)->
- printRunTimeWrappers(rule, PolicyRuleToString(rule), ipt_comp->ipv6);
+ << dynamic_cast<OSConfigurator_linux24*>(
+ compiler->osconfigurator)->printRunTimeWrappers(
+ rule, PolicyRuleToString(rule), ipt_comp->ipv6);
 }
 return true;
 }
Modified: branches/v3_1/src/iptlib/PolicyCompiler_ipt.cpp
===================================================================
--- branches/v3_1/src/iptlib/PolicyCompiler_ipt.cpp 2010-01-15 20:39:34 UTC (rev 2351)
+++ branches/v3_1/src/iptlib/PolicyCompiler_ipt.cpp 2010-01-15 22:16:14 UTC (rev 2352)
@@ -3825,7 +3825,7 @@
 OSConfigurator_linux24 *osconf = dynamic_cast<OSConfigurator_linux24*>(compiler->osconfigurator);
- RuleElement *re=RuleElement::cast( rule->getFirstByType(re_type) );
+ RuleElement *re = RuleElement::cast( rule->getFirstByType(re_type) );
 if (re->size()==1)
 {
@@ -3845,9 +3845,9 @@
 // this is DNSName converted to its run-time counterpart,
 // we do not need to touch it at all
 }
- tmp_queue.push_back(rule);
- return true;
 }
+ tmp_queue.push_back(rule);
+ return true;
 }
 list<MultiAddressRunTime*> cl;
@@ -3860,29 +3860,36 @@
 cl.push_back(atrt);
 }
- if (!cl.empty())
+ if (cl.empty())
 {
- RuleElement *nre;
- RuleElement *ore=RuleElement::cast( rule->getFirstByType(re_type) );
- PolicyRule *r;
- for (list<MultiAddressRunTime*>::iterator i=cl.begin(); i!=cl.end(); i++)
- {
- MultiAddressRunTime *atrt = *i;
- r= compiler->dbcopy->createPolicyRule();
- compiler->temp_ruleset->add(r);
- r->duplicate(rule);
- nre=RuleElement::cast( r->getFirstByType(re_type) );
- nre->clearChildren();
- nre->addRef( atrt );
- r->setStr("address_table_file",atrt->getSourceName());
- osconf->registerMultiAddressObject(atrt);
- tmp_queue.push_back(r);
+ tmp_queue.push_back(rule);
+ return true;
+ }
- ore->removeRef( *i );
- }
+ RuleElement *nre;
+ RuleElement *ore = re;
+ PolicyRule *r;
+ for (list<MultiAddressRunTime*>::iterator i=cl.begin(); i!=cl.end(); i++)
+ {
+ MultiAddressRunTime *atrt = *i;
+ r= compiler->dbcopy->createPolicyRule();
+ compiler->temp_ruleset->add(r);
+ r->duplicate(rule);
+ nre=RuleElement::cast( r->getFirstByType(re_type) );
+ nre->clearChildren();
+ nre->addRef( atrt );
+ r->setStr("address_table_file",atrt->getSourceName());
+ osconf->registerMultiAddressObject(atrt);
+ tmp_queue.push_back(r);
+
+ ore->removeRef( *i );
 }
- tmp_queue.push_back(rule);
+ // if rule element contained only run-time address tables, it should
+ be empty by now. There is no need to continue with this rule then.
+ if ( ! re->isAny())
+ tmp_queue.push_back(rule);
+
 return true;
 }
Modified: branches/v3_1/test/ipt/objects-for-regression-tests.fwb
===================================================================
--- branches/v3_1/test/ipt/objects-for-regression-tests.fwb 2010-01-15 20:39:34 UTC (rev 2351)
+++ branches/v3_1/test/ipt/objects-for-regression-tests.fwb 2010-01-15 22:16:14 UTC (rev 2352)
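Review bot: The new `RuleElement *ore = re;` alias obscures what the final `if ( ! re->isAny())` check depends on, namely that `ore->removeRef( *i )` in the loop is stripping the very element `re` that is tested afterwards; drop the alias and write `re->removeRef( *i );` so the dependency is visible, and while there prefer `++i` on the list iterator and declare `nre` and `r` where they are first assigned inside the loop. Separately, `osconf` comes from a `dynamic_cast` in the first hunk of this file and is dereferenced here in `osconf->registerMultiAddressObject(atrt)` with no null check, so a configurator of another type would crash rather than fail with a message; if the iptables compiler guarantees the type, an `assert(osconf != nullptr);` after the cast would document that. The value stored by `r->setStr("address_table_file",atrt->getSourceName())` is, per the log message, later consumed by the generated shell script that reads the address table files, so a short comment here naming where that path is validated or quoted before it is emitted would help the next reader. processNext begins before this hunk.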
@@ -26814,7 +26814,7 @@
 <Option name="verify_interfaces">True</Option>
 </FirewallOptions>
 </Firewall>
- <Firewall id="id44EC18128791" host_OS="linux24" inactive="False" lastCompiled="1247364146" lastInstalled="0" lastModified="1243319947" platform="iptables" version="" name="firewall41" comment="testing rule shadowing with run-time objects, rules with such objects should be ignored " ro="False">
+ <Firewall id="id44EC18128791" host_OS="linux24" inactive="False" lastCompiled="1247364146" lastInstalled="0" lastModified="1263593206" platform="iptables" version="" name="firewall41" comment="testing rule shadowing with run-time objects, rules with such objects should be ignored " ro="False">
 <NAT id="id44EC18168791" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
 <RuleSetOptions/>
 </NAT>
@@ -26893,6 +26893,25 @@
 <Option name="stateless">True</Option>
 </PolicyRuleOptions>
 </PolicyRule>
+ <PolicyRule id="id212774X97815" disabled="False" group="" log="True" position="4" action="Accept" direction="Both" comment="testing for bug #1086 when two run-time objects are used in the rule, compiler adds blank command that blocks (permits) any to any ">
+ <Src neg="False">
+ <ObjectRef ref="id44EC18128791"/>
+ </Src>
+ <Dst neg="False">
+ <ObjectRef ref="id44F7056328576"/>
+ <ObjectRef ref="id4389EE9118346"/>
+ </Dst>
+ <Srv neg="False">
+ <ServiceRef ref="sysid1"/>
+ </Srv>
+ <Itf neg="False">
+ <ObjectRef ref="sysid0"/>
+ </Itf>
+ <When neg="False">
+ <IntervalRef ref="sysid2"/>
+ </When>
+ <PolicyRuleOptions/>
+ </PolicyRule>
 <RuleSetOptions/>
 </Policy>
 <Routing id="id44EC18178791" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> |