[fwbuilder-commits] r2769 - in branches/v4_0: . src/iptlib test/ipt test/pf
From: <va...@in...> - 2010-03-27 20:39:10
Author: vadim
Date: 2010-03-27 13:39:20 -0700 (Sat, 27 Mar 2010)
New Revision: 2769
Modified:
branches/v4_0/build_num
branches/v4_0/src/iptlib/PolicyCompiler_ipt.cpp
branches/v4_0/test/ipt/cluster-tests.fwb
branches/v4_0/test/pf/cluster-tests.fwb
Log:
working on #1360 "negation of cluster interfaces is broken"
Modified: branches/v4_0/build_num
===================================================================
--- branches/v4_0/build_num 2010-03-27 17:25:05 UTC (rev 2768)
+++ branches/v4_0/build_num 2010-03-27 20:39:20 UTC (rev 2769)
@@ -1 +1 @@
-#define BUILD_NUM 2767
+#define BUILD_NUM 2768
Modified: branches/v4_0/src/iptlib/PolicyCompiler_ipt.cpp
===================================================================
--- branches/v4_0/src/iptlib/PolicyCompiler_ipt.cpp 2010-03-27 17:25:05 UTC (rev 2768)
+++ branches/v4_0/src/iptlib/PolicyCompiler_ipt.cpp 2010-03-27 20:39:20 UTC (rev 2769)
@@ -4258,6 +4258,9 @@
 //add( new setChainForMangle("set chain for other rules in mangle"));
 add( new Logging1("check global logging override option"));
+
+ add( new replaceClusterInterfaceInItf( "replace cluster interfaces with member interfaces in the Interface rule element"));
 add( new singleItfNegation("negation in Itf if it holds single object"));
 add( new ItfNegation("process negation in Itf"));
Modified: branches/v4_0/test/ipt/cluster-tests.fwb
===================================================================
--- branches/v4_0/test/ipt/cluster-tests.fwb 2010-03-27 17:25:05 UTC (rev 2768)
+++ branches/v4_0/test/ipt/cluster-tests.fwb 2010-03-27 20:39:20 UTC (rev 2769)
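Review bot: The new replaceClusterInterfaceInItf pass is inserted between Logging1 and singleItfNegation with no comment recording why this position matters, yet the ordering is presumably load-bearing: once a single cluster interface in Itf has been expanded into several member interfaces, singleItfNegation no longer applies and ItfNegation has to take over, so a later reorder of this list would silently reintroduce #1360. Suggest a one-line comment above the add call, `// must run before singleItfNegation/ItfNegation: expanding a cluster interface can turn one negated Itf object into several`. The processor's definition is not part of this commit, so I cannot see what it does when a cluster interface resolves to no member interface for the firewall being compiled; if it drops the object and leaves an empty negated Itf, the rule would match on every interface, which for an Accept rule widens the policy instead of failing closed, so that case deserves an explicit compiler error (hedged, the body is out of view). The enclosing function starts and ends outside the hunk.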
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1268935347" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="16" lastModified="1269721443" id="root">
 <Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
 <AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
 <AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -1234,7 +1234,7 @@
 </Library>
 <Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
 <ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
- <Cluster id="id2366X75741" host_OS="secuwall" inactive="True" lastCompiled="1248670597" lastInstalled="0" lastModified="1264977121" platform="iptables" name="cluster1" comment="" ro="False">
+ <Cluster id="id2366X75741" host_OS="secuwall" inactive="True" lastCompiled="1248670597" lastInstalled="0" lastModified="1269721449" platform="iptables" name="cluster1" comment="" ro="False">
 <NAT id="id2370X75741" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
 <NATRule id="id4606X78273" disabled="False" position="0" action="Translate" comment="">
 <OSrc neg="False">
@@ -1290,15 +1290,123 @@
 <ServiceRef ref="sysid1"/>
 </Srv>
 <Itf neg="False">
- <ObjectRef ref="id2847X69605"/>
+ <ObjectRef ref="id7784X43611"/>
 </Itf>
 <When neg="False">
 <IntervalRef ref="sysid2"/>
 </When>
 <PolicyRuleOptions/>
 </PolicyRule>
- <PolicyRule id="id2879X78273" disabled="False" log="False" position="2" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
+ <PolicyRule id="id7697X27234" disabled="False" group="" log="False" position="2" action="Accept" direction="Both" comment="">
 <Src neg="False">
+ <ObjectRef ref="sysid0"/>
+ </Src>
+ <Dst neg="False">
+ <ObjectRef ref="sysid0"/>
+ </Dst>
+ <Srv neg="False">
+ <ServiceRef ref="sysid1"/>
+ </Srv>
+ <Itf neg="True">
+ <ObjectRef ref="id2374X75741"/>
+ </Itf>
+ <When neg="False">
+ <IntervalRef ref="sysid2"/>
+ </When>
+ <PolicyRuleOptions>
+ <Option name="stateless">False</Option>
+ </PolicyRuleOptions>
+ </PolicyRule>
+ <PolicyRule id="id36344X28692" disabled="False" group="" log="False" position="3" action="Accept" direction="Both" comment="&quot;firewall is part of any&quot; OFF">
+ <Src neg="False">
+ <ObjectRef ref="sysid0"/>
+ </Src>
+ <Dst neg="False">
+ <ObjectRef ref="sysid0"/>
+ </Dst>
+ <Srv neg="False">
+ <ServiceRef ref="sysid1"/>
+ </Srv>
+ <Itf neg="True">
+ <ObjectRef ref="id2374X75741"/>
+ </Itf>
+ <When neg="False">
+ <IntervalRef ref="sysid2"/>
+ </When>
+ <PolicyRuleOptions>
+ <Option name="connlimit_above_not">False</Option>
+ <Option name="connlimit_masklen">0</Option>
+ <Option name="connlimit_value">0</Option>
+ <Option name="firewall_is_part_of_any_and_networks">0</Option>
+ <Option name="hashlimit_burst">0</Option>
+ <Option name="hashlimit_dstlimit">False</Option>
+ <Option name="hashlimit_expire">0</Option>
+ <Option name="hashlimit_gcinterval">0</Option>
+ <Option name="hashlimit_max">0</Option>
+ <Option name="hashlimit_mode_dstip">False</Option>
+ <Option name="hashlimit_mode_dstport">False</Option>
+ <Option name="hashlimit_mode_srcip">False</Option>
+ <Option name="hashlimit_mode_srcport">False</Option>
+ <Option name="hashlimit_name"></Option>
+ <Option name="hashlimit_size">0</Option>
+ <Option name="hashlimit_suffix"></Option>
+ <Option name="hashlimit_value">0</Option>
+ <Option name="limit_burst">0</Option>
+ <Option name="limit_suffix"></Option>
+ <Option name="limit_value">0</Option>
+ <Option name="limit_value_not">False</Option>
+ <Option name="log_level"></Option>
+ <Option name="log_prefix"></Option>
+ <Option name="stateless">False</Option>
+ <Option name="ulog_nlgroup">1</Option>
+ </PolicyRuleOptions>
+ </PolicyRule>
+ <PolicyRule id="id65013X28692" disabled="False" group="" log="False" position="4" action="Accept" direction="Both" comment="&quot;firewall is part of any&quot; OFF">
+ <Src neg="False">
+ <ObjectRef ref="sysid0"/>
+ </Src>
+ <Dst neg="False">
+ <ObjectRef ref="sysid0"/>
+ </Dst>
+ <Srv neg="False">
+ <ServiceRef ref="sysid1"/>
+ </Srv>
+ <Itf neg="False">
+ <ObjectRef ref="id2374X75741"/>
+ </Itf>
+ <When neg="False">
+ <IntervalRef ref="sysid2"/>
+ </When>
+ <PolicyRuleOptions>
+ <Option name="connlimit_above_not">False</Option>
+ <Option name="connlimit_masklen">0</Option>
+ <Option name="connlimit_value">0</Option>
+ <Option name="firewall_is_part_of_any_and_networks">0</Option>
+ <Option name="hashlimit_burst">0</Option>
+ <Option name="hashlimit_dstlimit">False</Option>
+ <Option name="hashlimit_expire">0</Option>
+ <Option name="hashlimit_gcinterval">0</Option>
+ <Option name="hashlimit_max">0</Option>
+ <Option name="hashlimit_mode_dstip">False</Option>
+ <Option name="hashlimit_mode_dstport">False</Option>
+ <Option name="hashlimit_mode_srcip">False</Option>
+ <Option name="hashlimit_mode_srcport">False</Option>
+ <Option name="hashlimit_name"></Option>
+ <Option name="hashlimit_size">0</Option>
+ <Option name="hashlimit_suffix"></Option>
+ <Option name="hashlimit_value">0</Option>
+ <Option name="limit_burst">0</Option>
+ <Option name="limit_suffix"></Option>
+ <Option name="limit_value">0</Option>
+ <Option name="limit_value_not">False</Option>
+ <Option name="log_level"></Option>
+ <Option name="log_prefix"></Option>
+ <Option name="stateless">False</Option>
+ <Option name="ulog_nlgroup">1</Option>
+ </PolicyRuleOptions>
+ </PolicyRule>
+ <PolicyRule id="id2879X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="SSH Access to firewall is permitted only from internal network">
+ <Src neg="False">
 <ObjectRef ref="id3DC75CE7-1"/>
 </Src>
 <Dst neg="False">
@@ -1315,7 +1423,7 @@
 </When>
 <PolicyRuleOptions/>
 </PolicyRule>
- <PolicyRule id="id2862X78273" disabled="False" log="True" position="3" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
+ <PolicyRule id="id2862X78273" disabled="False" log="True" position="6" action="Accept" direction="Both" comment="Firewall uses one of the machines on internal network for DNS">
 <Src neg="False">
 <ObjectRef ref="id2366X75741"/>
 </Src>
@@ -1333,7 +1441,7 @@
 </When>
 <PolicyRuleOptions/>
 </PolicyRule>
- <PolicyRule id="id2845X78273" disabled="False" log="True" position="4" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
+ <PolicyRule id="id2845X78273" disabled="False" log="True" position="7" action="Deny" direction="Both" comment="All other attempts to connect to the firewall are denied and logged">
 <Src neg="False">
 <ObjectRef ref="sysid0"/>
 </Src>
@@ -1351,7 +1459,7 @@
 </When>
 <PolicyRuleOptions/>
 </PolicyRule>
- <PolicyRule id="id2828X78273" disabled="False" log="False" position="5" action="Accept" direction="Both" comment="">
+ <PolicyRule id="id2828X78273" disabled="False" log="False" position="8" action="Accept" direction="Both" comment="">
 <Src neg="False">
 <ObjectRef ref="id3DC75CE7-1"/>
 </Src>
@@ -1369,7 +1477,7 @@
 </When>
 <PolicyRuleOptions/>
 </PolicyRule>
- <PolicyRule id="id2811X78273" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
+ <PolicyRule id="id2811X78273" disabled="False" log="True" position="9" action="Deny" direction="Both" comment="">
 <Src neg="False">
 <ObjectRef ref="sysid0"/>
 </Src>
@@ -1392,13 +1500,13 @@
 <Routing id="id2371X75741" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
 <RuleSetOptions/>
 </Routing>
- <Interface id="id2374X75741" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp0" comment="" ro="False">
- <IPv4 id="id2375X75741" name="cluster1:vrrp0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
+ <Interface id="id2374X75741" dedicated_failover="False" dyn="False" label="cluster1 eth0" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False">
+ <IPv4 id="id2375X75741" name="cluster1:eth0:ip" comment="" ro="False" address="172.24.0.1" netmask="255.255.0.0"/>
 <InterfaceOptions>
 <Option name="iface_mtu">1500</Option>
 <Option name="type">vrrp</Option>
 </InterfaceOptions>
- <FailoverClusterGroup id="id2377X75741" type="vrrp" name="cluster1:vrrp0:members" comment="">
+ <FailoverClusterGroup id="id2377X75741" type="vrrp" name="cluster1:eth0:members" comment="">
 <ObjectRef ref="id4030X2906"/>
 <ObjectRef ref="id4055X2906"/>
 <ClusterGroupOptions>
@@ -1407,25 +1515,38 @@
 </ClusterGroupOptions>
 </FailoverClusterGroup>
 </Interface>
- <Interface id="id2379X75741" dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="vrrp1" comment="" ro="False">
- <IPv4 id="id2380X75741" name="cluster1:vrrp1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
+ <Interface id="id2379X75741" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth1" comment="" ro="False">
+ <IPv4 id="id2380X75741" name="cluster1:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/>
 <InterfaceOptions>
 <Option name="iface_mtu">1500</Option>
 <Option name="type">vrrp</Option>
 </InterfaceOptions>
- <FailoverClusterGroup id="id2382X75741" master_iface="id4033X2906" type="vrrp" name="cluster1:vrrp1:members" comment="">
+ <FailoverClusterGroup id="id2382X75741" master_iface="id4033X2906" type="vrrp" name="cluster1:eth1:members" comment="">
 <ObjectRef ref="id4033X2906"/>
 <ObjectRef ref="id4058X2906"/>
 <ClusterGroupOptions/>
 </FailoverClusterGroup>
 </Interface>
- <Interface id="id3213X42281" dedicated_failover="False" dyn="False" security_level="0" unnum="False" unprotected="False" name="vrrp2" comment="" ro="False">
+ <Interface id="id3213X42281" dedicated_failover="False" dyn="False" label="" mgmt="False" security_level="0" unnum="False" unprotected="False" name="eth2" comment="" ro="False">
 <InterfaceOptions>
 <Option name="iface_mtu">1500</Option>
 <Option name="type">vrrp</Option>
 <Option name="vrrp_secret">my_secret</Option>
 </InterfaceOptions>
 </Interface>
+ <Interface id="id7784X43611" dedicated_failover="False" dyn="False" label="cluster1 lo" mgmt="False" security_level="0" unnum="False" unprotected="False" name="lo" comment="" ro="False">
+ <IPv4 id="id7858X43611" name="cluster1:lo:ip" comment="" ro="False" address="127.0.0.1" netmask="255.0.0.0"/>
+ <InterfaceOptions>
+ <Option name="iface_mtu">1500</Option>
+ <Option name="iface_type">ethernet</Option>
+ <Option name="type">ethernet</Option>
+ </InterfaceOptions>
+ <FailoverClusterGroup id="id7818X43611" type="vrrp" name="Failover group" comment="">
+ <ObjectRef ref="id4038X2906"/>
+ <ObjectRef ref="id4061X2906"/>
+ <ClusterGroupOptions/>
+ </FailoverClusterGroup>
+ </Interface>
 <FirewallOptions/>
 <StateSyncClusterGroup id="id2372X75741" type="conntrack" name="State Sync Group" comment="">
 <ObjectRef ref="id4030X2906"/>
Modified: branches/v4_0/test/pf/cluster-tests.fwb
===================================================================
--- branches/v4_0/test/pf/cluster-tests.fwb 2010-03-27 17:25:05 UTC (rev 2768)
+++ branches/v4_0/test/pf/cluster-tests.fwb 2010-03-27 20:39:20 UTC (rev 2769)
@@ -1616,7 +1616,7 @@
 </Library>
 <Library id="id1495X69605" color="#d2ffd0" name="User" comment="" ro="False">
 <ObjectGroup id="id1502X69605" name="Clusters" comment="" ro="False">
- <Cluster id="id3631X95766" host_OS="openbsd" inactive="False" lastCompiled="1248551815" lastInstalled="0" lastModified="1266373876" platform="pf" name="pf_cluster_1" comment=" " ro="False">
+ <Cluster id="id3631X95766" host_OS="openbsd" inactive="False" lastCompiled="1248551815" lastInstalled="0" lastModified="1269718315" platform="pf" name="pf_cluster_1" comment=" " ro="False">
 <NAT id="id3640X95766" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True">
 <NATRule id="id3162X39764" disabled="False" position="0" action="Translate" comment="">
 <OSrc neg="False">
@@ -1910,7 +1910,7 @@
 <Option name="stateless">False</Option>
 </PolicyRuleOptions>
 </PolicyRule>
- <PolicyRule id="id5942X26920" disabled="False" log="True" position="5" action="Deny" direction="Both" comment="">
+ <PolicyRule id="id39043X28773" disabled="False" group="" log="False" position="5" action="Accept" direction="Inbound" comment="">
 <Src neg="False">
 <ObjectRef ref="sysid0"/>
 </Src>
@@ -1920,6 +1920,26 @@
 <Srv neg="False">
 <ServiceRef ref="sysid1"/>
 </Srv>
+ <Itf neg="True">
+ <ObjectRef ref="id3642X95766"/>
+ </Itf>
+ <When neg="False">
+ <IntervalRef ref="sysid2"/>
+ </When>
+ <PolicyRuleOptions>
+ <Option name="stateless">False</Option>
+ </PolicyRuleOptions>
+ </PolicyRule>
+ <PolicyRule id="id5942X26920" disabled="False" log="True" position="6" action="Deny" direction="Both" comment="">
+ <Src neg="False">
+ <ObjectRef ref="sysid0"/>
+ </Src>
+ <Dst neg="False">
+ <ObjectRef ref="sysid0"/>
+ </Dst>
+ <Srv neg="False">
+ <ServiceRef ref="sysid1"/>
+ </Srv>
 <Itf neg="False">
 <ObjectRef ref="sysid0"/>
 </Itf> |