[fwbuilder-commits] r3239 - in branches/v4_1: . doc src/iptlib test/ipt
From: <va...@in...> - 2010-08-19 19:21:26
Author: vadim
Date: 2010-08-19 12:21:16 -0700 (Thu, 19 Aug 2010)
New Revision: 3239
Modified:
branches/v4_1/build_num
branches/v4_1/doc/ChangeLog
branches/v4_1/src/iptlib/NATCompiler_ipt.cpp
branches/v4_1/test/ipt/objects-for-regression-tests.fwb
Log:
* NATCompiler_ipt.cpp (VerifyRules2::processNext): fixed #1685 "iptables redirecting NAT rules in the OUTPUT chain". NAT rules should be allowed to translate from CustomService to TCP or UDP service, provided CustomService object is configured with matching protocol. See also change in libfwbuilder NATCompiler::classifyNATRule::processNext.
Modified: branches/v4_1/build_num
===================================================================
--- branches/v4_1/build_num 2010-08-19 18:40:48 UTC (rev 3238)
+++ branches/v4_1/build_num 2010-08-19 19:21:16 UTC (rev 3239)
@@ -1 +1 @@
-#define BUILD_NUM 3237
+#define BUILD_NUM 3238
Modified: branches/v4_1/doc/ChangeLog
===================================================================
--- branches/v4_1/doc/ChangeLog 2010-08-19 18:40:48 UTC (rev 3238)
+++ branches/v4_1/doc/ChangeLog 2010-08-19 19:21:16 UTC (rev 3239)
@@ -8,6 +8,12 @@
will use PREROUTING and POSTROUTING in single compile mode but issue a warning.
+ * NATCompiler_ipt.cpp (VerifyRules2::processNext): fixed #1685
+ "iptables redirecting NAT rules in the OUTPUT chain". NAT rules
+ should be allowed to translate from CustomService to TCP or UDP
+ service, provided CustomService object is configured with matching
+ protocol. See also change in libfwbuilder NATCompiler::classifyNATRule::processNext.
+ * NATCompiler_ipt.cpp (localNATRule::processNext): see #1685 "iptables redirecting NAT rules in the OUTPUT chain". This fix makes it possible to create iptables NAT rule with target REDIRECT
Modified: branches/v4_1/src/iptlib/NATCompiler_ipt.cpp
===================================================================
--- branches/v4_1/src/iptlib/NATCompiler_ipt.cpp 2010-08-19 18:40:48 UTC (rev 3238)
+++ branches/v4_1/src/iptlib/NATCompiler_ipt.cpp 2010-08-19 19:21:16 UTC (rev 3239)
@@ -669,7 +669,7 @@
return true;
}
- if (!tsrv->isAny() && s1->getProtocolNumber()!=s2->getProtocolNumber())
+ if (!tsrv->isAny() && s1->getProtocolName()!=s2->getProtocolName())
{
compiler->abort(
rule,
Modified: branches/v4_1/test/ipt/objects-for-regression-tests.fwb
===================================================================
--- branches/v4_1/test/ipt/objects-for-regression-tests.fwb 2010-08-19 18:40:48 UTC (rev 3238)
+++ branches/v4_1/test/ipt/objects-for-regression-tests.fwb 2010-08-19 19:21:16 UTC (rev 3239)
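Review bot: The rewritten condition in VerifyRules2::processNext compares protocol names as strings, so whether the compiler aborts now hinges on getProtocolName() returning the same canonical spelling for a CustomService (whose `protocol` attribute in the new fixture is "tcp", "udp" or "any") and for a TCPService/UDPService; if either side can carry a different case or an alias, the check would either reject a legitimate rule or, worse, accept a protocol mismatch that the numeric comparison would have caught and emit an iptables NAT rule that does not do what the policy says. Neither accessor is visible in this hunk, so this is inferred from the log message; a one-line comment on the `if` should record why the number is no longer usable here, e.g. `// compare by name: a CustomService reports its configured protocol through getProtocolName(), not getProtocolNumber()`. The regression objects added to objects-for-regression-tests.fwb only exercise lowercase "tcp"/"udp" and "any", so a mixed-case or numeric `protocol` value on a CustomService remains untested. VerifyRules2::processNext begins and ends outside the hunk.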
@@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE FWObjectDatabase SYSTEM "fwbuilder.dtd">
-<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1282242248" id="root">
+<FWObjectDatabase xmlns="http://www.fwbuilder.org/1.0/" version="17" lastModified="1282244747" id="root">
<Library id="syslib000" color="#d4f8ff" name="Standard" comment="Standard objects" ro="True">
<AnyNetwork id="sysid0" name="Any" comment="Any Network" ro="False" address="0.0.0.0" netmask="0.0.0.0"/>
<AnyIPService id="sysid1" protocol_num="0" name="Any" comment="Any IP Service" ro="False"/>
@@ -4725,6 +4725,39 @@ <CustomServiceCommand platform="pix"></CustomServiceCommand> <CustomServiceCommand platform="unknown"></CustomServiceCommand> </CustomService> + <CustomService id="id57956X8289" name="owner_anonymous tcp" comment="" ro="False" protocol="tcp" address_family="ipv4"> + <CustomServiceCommand platform="fwsm"></CustomServiceCommand> + <CustomServiceCommand platform="iosacl"></CustomServiceCommand> + <CustomServiceCommand platform="ipf"></CustomServiceCommand> + <CustomServiceCommand platform="ipfw"></CustomServiceCommand> + <CustomServiceCommand platform="iptables">-m owner --uid-owner anonymous</CustomServiceCommand> + <CustomServiceCommand platform="pf"></CustomServiceCommand> + <CustomServiceCommand platform="pix"></CustomServiceCommand> + <CustomServiceCommand platform="procurve_acl"></CustomServiceCommand> + <CustomServiceCommand platform="unknown"></CustomServiceCommand> + </CustomService> + <CustomService id="id248805X9517" name="owner_anonymous udp" comment="" ro="False" protocol="udp" address_family="ipv4"> + <CustomServiceCommand platform="fwsm"></CustomServiceCommand> + <CustomServiceCommand platform="iosacl"></CustomServiceCommand> + <CustomServiceCommand platform="ipf"></CustomServiceCommand> + <CustomServiceCommand platform="ipfw"></CustomServiceCommand> + <CustomServiceCommand platform="iptables">-m owner --uid-owner anonymous</CustomServiceCommand> + <CustomServiceCommand platform="pf"></CustomServiceCommand> + <CustomServiceCommand platform="pix"></CustomServiceCommand> + <CustomServiceCommand platform="procurve_acl"></CustomServiceCommand> + <CustomServiceCommand platform="unknown"></CustomServiceCommand> + </CustomService> + <CustomService id="id631131X9517" name="owner_anonymous" comment="" ro="False" protocol="any" address_family="ipv4"> + <CustomServiceCommand platform="fwsm"></CustomServiceCommand> + <CustomServiceCommand platform="iosacl"></CustomServiceCommand> + <CustomServiceCommand platform="ipf"></CustomServiceCommand> 
+ <CustomServiceCommand platform="ipfw"></CustomServiceCommand> + <CustomServiceCommand platform="iptables">-m owner --uid-owner anonymous</CustomServiceCommand> + <CustomServiceCommand platform="pf"></CustomServiceCommand> + <CustomServiceCommand platform="pix"></CustomServiceCommand> + <CustomServiceCommand platform="procurve_acl"></CustomServiceCommand> + <CustomServiceCommand platform="unknown"></CustomServiceCommand> + </CustomService> </ServiceGroup> </ServiceGroup> <ObjectGroup id="stdid12_1" name="Firewalls" comment="" ro="False"> @@ -8139,7 +8172,7 @@ <Option name="verify_interfaces">False</Option> </FirewallOptions> </Firewall> - <Firewall id="id3AFB66C6" host_OS="linux24" inactive="False" lastCompiled="1273779773" lastInstalled="1142003872" lastModified="1282242276" platform="iptables" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False"> + <Firewall id="id3AFB66C6" host_OS="linux24" inactive="False" lastCompiled="1273779773" lastInstalled="1142003872" lastModified="1282244482" platform="iptables" version="" name="firewall2" comment="this object has several interfaces and shows different rules for NAT. Also testing policy rule options " ro="False"> <NAT id="id3AFB66C7" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> <NATRule id="id3AFB66C8" disabled="False" position="0" action="Translate" comment=""> <OSrc neg="False"> 
@@ -9257,6 +9290,69 @@ </TSrv> <NATRuleOptions/> </NATRule> + <NATRule id="id58000X8289" disabled="False" group="" position="50" action="Translate" comment=""> + <OSrc neg="False"> + <ObjectRef ref="id3AFB66C6"/> + </OSrc> + <ODst neg="False"> + <ObjectRef ref="sysid0"/> + </ODst> + <OSrv neg="False"> + <ServiceRef ref="id57956X8289"/> + </OSrv> + <TSrc neg="False"> + <ObjectRef ref="sysid0"/> + </TSrc> + <TDst neg="False"> + <ObjectRef ref="id3AFB66C6"/> + </TDst> + <TSrv neg="False"> + <ServiceRef ref="id1195021X6573"/> + </TSrv> + <NATRuleOptions/> + </NATRule> + <NATRule id="id248774X9517" disabled="False" group="" position="51" action="Translate" comment=""> + <OSrc neg="False"> + <ObjectRef ref="id3AFB66C6"/> + </OSrc> + <ODst neg="False"> + <ObjectRef ref="sysid0"/> + </ODst> + <OSrv neg="False"> + <ServiceRef ref="id248805X9517"/> + </OSrv> + <TSrc neg="False"> + <ObjectRef ref="sysid0"/> + </TSrc> + <TDst neg="False"> + <ObjectRef ref="id3AFB66C6"/> + </TDst> + <TSrv neg="False"> + <ServiceRef ref="id1195021X6573"/> + </TSrv> + <NATRuleOptions/> + </NATRule> + <NATRule id="id439713X9517" disabled="False" group="" position="52" action="Translate" comment=""> + <OSrc neg="False"> + <ObjectRef ref="id3AFB66C6"/> + </OSrc> + <ODst neg="False"> + <ObjectRef ref="sysid0"/> + </ODst> + <OSrv neg="False"> + <ServiceRef ref="id248805X9517"/> + </OSrv> + <TSrc neg="False"> + <ObjectRef ref="sysid0"/> + </TSrc> + <TDst neg="False"> + <ObjectRef ref="id3AFB66C6"/> + </TDst> + <TSrv neg="False"> + <ServiceRef ref="udp-DNS"/> + </TSrv> + <NATRuleOptions/> + </NATRule> <RuleSetOptions/> </NAT> <Policy id="id3AFB66E4" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> 
@@ -54975,6 +55071,261 @@ <Option name="verify_interfaces">True</Option> </FirewallOptions> </Firewall> + <Firewall id="id630768X9517" host_OS="linux24" inactive="False" lastCompiled="0" lastInstalled="0" lastModified="1282244903" platform="iptables" version="" name="firewall92" comment="rules for the TOR transparent proxy per https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TransparentProxy See ticket 1685 " ro="False"> + <NAT id="id630772X9517" name="NAT" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> + <NATRule id="id630812X9517" disabled="False" group="" position="0" action="Translate" comment=""> + <OSrc neg="False"> + <ObjectRef ref="id630768X9517"/> + </OSrc> + <ODst neg="False"> + <ObjectRef ref="sysid0"/> + </ODst> + <OSrv neg="False"> + <ServiceRef ref="id248805X9517"/> + </OSrv> + <TSrc neg="False"> + <ObjectRef ref="sysid0"/> + </TSrc> + <TDst neg="False"> + <ObjectRef ref="id630768X9517"/> + </TDst> + <TSrv neg="False"> + <ServiceRef ref="udp-DNS"/> + </TSrv> + <NATRuleOptions/> + </NATRule> + <NATRule id="id630920X9517" disabled="False" group="" position="1" action="Translate" comment=""> + <OSrc neg="False"> + <ObjectRef ref="id630768X9517"/> + </OSrc> + <ODst neg="False"> + <ObjectRef ref="sysid0"/> + </ODst> + <OSrv neg="False"> + <ServiceRef ref="id57956X8289"/> + </OSrv> + <TSrc neg="False"> + <ObjectRef ref="sysid0"/> + </TSrc> + <TDst neg="False"> + <ObjectRef ref="id630768X9517"/> + </TDst> + <TSrv neg="False"> + <ServiceRef ref="id1195021X6573"/> + </TSrv> + <NATRuleOptions/> + </NATRule> + <NATRule id="id630866X9517" disabled="False" group="" position="2" action="Translate" comment=""> + <OSrc neg="False"> + <ObjectRef ref="id630768X9517"/> + </OSrc> + <ODst neg="False"> + <ObjectRef ref="sysid0"/> + </ODst> + <OSrv neg="False"> + <ServiceRef ref="id248805X9517"/> + </OSrv> + <TSrc neg="False"> + <ObjectRef ref="sysid0"/> + </TSrc> + <TDst neg="False"> + <ObjectRef ref="id630768X9517"/> + 
</TDst> + <TSrv neg="False"> + <ServiceRef ref="id1195021X6573"/> + </TSrv> + <NATRuleOptions/> + </NATRule> + <RuleSetOptions/> + </NAT> + <Policy id="id630770X9517" name="Policy" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> + <PolicyRule id="id631046X9517" disabled="False" log="False" position="0" action="Accept" direction="Outbound" comment=""> + <Src neg="False"> + <ObjectRef ref="id630768X9517"/> + </Src> + <Dst neg="False"> + <ObjectRef ref="sysid0"/> + </Dst> + <Srv neg="False"> + <ServiceRef ref="id57956X8289"/> + <ServiceRef ref="id248805X9517"/> + </Srv> + <Itf neg="False"> + <ObjectRef ref="sysid0"/> + </Itf> + <When neg="False"> + <IntervalRef ref="sysid2"/> + </When> + <PolicyRuleOptions> + <Option name="stateless">False</Option> + </PolicyRuleOptions> + </PolicyRule> + <PolicyRule id="id1009773X9517" disabled="False" group="" log="False" position="1" action="Branch" direction="Outbound" comment="matching module owner here and tcp and udp ports in the branch"> + <Src neg="False"> + <ObjectRef ref="id630768X9517"/> + </Src> + <Dst neg="False"> + <ObjectRef ref="sysid0"/> + </Dst> + <Srv neg="False"> + <ServiceRef ref="id631131X9517"/> + </Srv> + <Itf neg="False"> + <ObjectRef ref="sysid0"/> + </Itf> + <When neg="False"> + <IntervalRef ref="sysid2"/> + </When> + <PolicyRuleOptions> + <Option name="action_on_reject"></Option> + <Option name="branch_id">id1009662X9517</Option> + <Option name="classify_str"></Option> + <Option name="custom_str"></Option> + <Option name="ipf_route_opt_addr"></Option> + <Option name="ipf_route_opt_if"></Option> + <Option name="ipf_route_option">route_through</Option> + <Option name="ipfw_classify_method">2</Option> + <Option name="ipfw_pipe_port_num">0</Option> + <Option name="ipfw_pipe_queue_num">0</Option> + <Option name="ipt_branch_in_mangle">False</Option> + <Option name="ipt_continue">False</Option> + <Option name="ipt_gw"></Option> + <Option name="ipt_iif"></Option> + <Option 
name="ipt_mark_connections">False</Option> + <Option name="ipt_oif"></Option> + <Option name="ipt_tee">False</Option> + <Option name="pf_fastroute">False</Option> + <Option name="pf_route_load_option">none</Option> + <Option name="pf_route_opt_addr"></Option> + <Option name="pf_route_opt_if"></Option> + <Option name="pf_route_option">none</Option> + <Option name="rule_name_accounting"></Option> + <Option name="stateless">True</Option> + </PolicyRuleOptions> + </PolicyRule> + <PolicyRule id="id631140X9517" disabled="False" group="" log="True" position="2" action="Deny" direction="Outbound" comment="this only matches module owner"> + <Src neg="False"> + <ObjectRef ref="id630768X9517"/> + </Src> + <Dst neg="False"> + <ObjectRef ref="sysid0"/> + </Dst> + <Srv neg="False"> + <ServiceRef ref="id631131X9517"/> + </Srv> + <Itf neg="False"> + <ObjectRef ref="sysid0"/> + </Itf> + <When neg="False"> + <IntervalRef ref="sysid2"/> + </When> + <PolicyRuleOptions> + <Option name="stateless">True</Option> + </PolicyRuleOptions> + </PolicyRule> + <RuleSetOptions/> + </Policy> + <Policy id="id1009662X9517" name="Policy_1" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="False"> + <PolicyRule id="id1009688X9517" disabled="False" log="True" position="0" action="Deny" direction="Outbound" comment=""> + <Src neg="False"> + <ObjectRef ref="id630768X9517"/> + </Src> + <Dst neg="False"> + <ObjectRef ref="sysid0"/> + </Dst> + <Srv neg="False"> + <ServiceRef ref="udp-DNS"/> + <ServiceRef ref="id1195021X6573"/> + </Srv> + <Itf neg="False"> + <ObjectRef ref="sysid0"/> + </Itf> + <When neg="False"> + <IntervalRef ref="sysid2"/> + </When> + <PolicyRuleOptions> + <Option name="stateless">True</Option> + </PolicyRuleOptions> + </PolicyRule> + <RuleSetOptions/> + </Policy> + <Routing id="id630774X9517" name="Routing" comment="" ro="False" ipv4_rule_set="False" ipv6_rule_set="False" top_rule_set="True"> + <RuleSetOptions/> + </Routing> + <Interface id="id630776X9517" 
dedicated_failover="False" dyn="False" label="" security_level="0" unnum="False" unprotected="False" name="eth0" comment="" ro="False"> + <IPv4 id="id630777X9517" name="firewall92:eth0:ip" comment="" ro="False" address="192.0.2.1" netmask="255.255.255.0"/> + <InterfaceOptions/> + </Interface> + <Interface id="id630778X9517" dedicated_failover="False" dyn="False" label="" security_level="100" unnum="False" unprotected="False" name="eth1" comment="" ro="False"> + <IPv4 id="id630779X9517" name="firewall92:eth1:ip" comment="" ro="False" address="192.168.1.1" netmask="255.255.255.0"/> + <InterfaceOptions/> + </Interface> + <Management address="0.0.0.0"> + <SNMPManagement enabled="False" snmp_read_community="" snmp_write_community=""/> + <FWBDManagement enabled="False" identity="" port="-1"/> + <PolicyInstallScript arguments="" command="" enabled="False"/> + </Management> + <FirewallOptions> + <Option name="accept_established">True</Option> + <Option name="accept_new_tcp_with_no_syn">True</Option> + <Option name="action_on_reject"></Option> + <Option name="activationCmd"></Option> + <Option name="add_mgmt_ssh_rule_when_stoped">False</Option> + <Option name="add_rules_for_ipv6_neighbor_discovery">False</Option> + <Option name="admUser"></Option> + <Option name="altAddress"></Option> + <Option name="bridging_fw">False</Option> + <Option name="check_shading">False</Option> + <Option name="clamp_mss_to_mtu">False</Option> + <Option name="classify_mark_terminating">False</Option> + <Option name="clear_unknown_interfaces">False</Option> + <Option name="cmdline"></Option> + <Option name="compiler"></Option> + <Option name="configure_bonding_interfaces">False</Option> + <Option name="configure_bridge_interfaces">False</Option> + <Option name="configure_interfaces">True</Option> + <Option name="configure_vlan_interfaces">False</Option> + <Option name="debug">False</Option> + <Option name="drop_invalid">False</Option> + <Option name="epilog_script"></Option> + <Option 
name="firewall_dir"></Option> + <Option name="firewall_is_part_of_any_and_networks">True</Option> + <Option name="flush_and_set_default_policy">True</Option> + <Option name="ignore_empty_groups">False</Option> + <Option name="ipv4_6_order">ipv4_first</Option> + <Option name="limit_suffix"></Option> + <Option name="limit_value">0</Option> + <Option name="linux24_ip_forward">1</Option> + <Option name="load_modules">True</Option> + <Option name="local_nat">True</Option> + <Option name="log_all">False</Option> + <Option name="log_invalid">False</Option> + <Option name="log_ip_opt">False</Option> + <Option name="log_level">info</Option> + <Option name="log_prefix">RULE %N -- %A </Option> + <Option name="log_tcp_opt">False</Option> + <Option name="log_tcp_seq">False</Option> + <Option name="loopback_interface">lo</Option> + <Option name="manage_virtual_addr">True</Option> + <Option name="mgmt_addr"></Option> + <Option name="mgmt_ssh">False</Option> + <Option name="modules_dir">/lib/modules/`uname -r`/kernel/net/</Option> + <Option name="output_file"></Option> + <Option name="prolog_place">top</Option> + <Option name="prolog_script"></Option> + <Option name="scpArgs"></Option> + <Option name="script_name_on_firewall"></Option> + <Option name="sshArgs"></Option> + <Option name="ulog_cprange">0</Option> + <Option name="ulog_nlgroup">1</Option> + <Option name="ulog_qthreshold">1</Option> + <Option name="use_ULOG">False</Option> + <Option name="use_iptables_restore">False</Option> + <Option name="use_m_set">False</Option> + <Option name="use_numeric_log_levels">False</Option> + <Option name="verify_interfaces">True</Option> + </FirewallOptions> + </Firewall> </ObjectGroup> <IntervalGroup id="stdid11_1" name="Time" comment="" ro="False"> <Interval id="id3D6864D0" days_of_week="0,1" from_day="-1" from_hour="1" from_minute="1" from_month="-1" from_weekday="0" from_year="-1" to_day="-1" to_hour="2" to_minute="2" to_month="-1" to_weekday="1" to_year="-1" name="test time 1" 
comment="" ro="False"/> |